Certified in Risk and Information Systems Control (CRISC) — Question 337
A deficient control has been identified that could result in great harm to an organization should a low-frequency threat event occur. When communicating the associated risk to senior management, the risk practitioner should explain:
Answer options
- A. the current level of risk is within tolerance.
- B. mitigation plans for threat events should be prepared in the current planning period.
- C. an increase in threat events could cause a loss sooner than anticipated.
- D. this risk scenario is equivalent to more frequent, but lower-impact risk scenarios.
Correct answer: C
Explanation
Option C is correct because it highlights the potential for an increase in threat events to lead to quicker losses, which is crucial for management to understand. Option A is incorrect as it downplays the risk level, while Option B suggests a proactive approach that may not address the immediate concern. Option D incorrectly compares this risk scenario with more frequent but less impactful ones, which doesn't accurately convey the seriousness of the identified risk.