Certified in Risk and Information Systems Control (CRISC) — Question 284

Which of the following is MOST useful when communicating risk to management?

Answer options

• A. Risk policy
• B. Risk map
• C. Maturity model
• D. Audit report

Correct answer: B

Explanation

A Risk map visually represents the levels of risk and their potential impact, making it a powerful tool for communication with management. While a Risk policy outlines how risks should be managed, and a Maturity model assesses the current state of risk management, these do not provide the same clarity as a Risk map. An Audit report focuses on compliance and findings rather than risk communication.