Certified in Risk and Information Systems Control (CRISC) — Question 332

Which of the following is the BEST indicator of the effectiveness of IT risk management processes?

Answer options

• A. Time between when IT risk scenarios are identified and the enterprise's response.
• B. Percentage of business users completing risk training.
• C. Percentage of high-risk scenarios for which risk action plans have been developed.
• D. Number of key risk indicators (KRIs) defined.

Correct answer: C

Explanation

Option C is correct because having risk action plans for high-risk scenarios directly measures the organization’s proactive approach to managing those risks. The other options, while important, do not provide as clear a measure of the effectiveness of risk management processes in addressing significant risks.