Certified in Risk and Information Systems Control (CRISC) — Question 670

Which of the following is MOST important to include when reporting the effectiveness of risk management to senior management?

Answer options

• A. Impact due to changes in external and internal risk factors
• B. Gaps in best practices and implemented controls across the industry
• C. Changes in the organization’s risk appetite and risk tolerance levels
• D. Changes in residual risk levels against acceptable levels

Correct answer: D

Explanation

The correct answer is D because changes in residual risk levels directly indicate how well the risk management strategies are functioning in relation to what is considered acceptable. Options A, B, and C, while relevant, do not provide the same level of direct insight into the effectiveness of the risk management process as residual risk levels do.