Certified in Risk and Information Systems Control (CRISC) — Question 575

What is the PRIMARY reason to categorize risk scenarios by business process?

Answer options

• A. To determine aggregated risk levels by risk owner
• B. To identify situations that result in over-control
• C. To enable management to implement cost-effective risk mitigation
• D. To show business activity deficiencies that need to be improved

Correct answer: C

Explanation

The correct answer, C, highlights the importance of making risk mitigation efforts cost-effective for management. Option A focuses on aggregated risk levels but does not address mitigation. Option B discusses over-control, which is less relevant to the primary goal. Option D points out deficiencies, but it does not emphasize the need for cost-effective measures.