Certified in Risk and Information Systems Control (CRISC) — Question 557

Which of the following should be the FIRST consideration when establishing a new risk governance program?

Answer options

• A. Creating policies and standards that are easy to comprehend
• B. Developing an ongoing awareness and training program
• C. Completing annual risk assessments on critical resources
• D. Embedding risk management into the organization

Correct answer: D

Explanation

The correct answer, D, emphasizes the importance of integrating risk management into the organization as a foundational step for effective governance. This approach ensures that risk considerations are woven into the fabric of the organization, making it easier to implement policies and training effectively. The other options, while important, are secondary to establishing this foundational integration.