Certified in Risk and Information Systems Control (CRISC) — Question 702

During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

Answer options

• A. Recommend the formation of an executive risk council to oversee IT risk
• B. Provide an estimate of IT system downtime if IT risk materializes
• C. Describe IT risk scenarios in terms of business risk
• D. Educate business executives on IT risk concepts

Correct answer: C

Explanation

The correct answer is C because describing IT risk scenarios in terms of business risk helps executives understand the impact on the organization, making it more relevant to their responsibilities. Options A and D do not directly address the executives' concerns about ownership, while B focuses on a technical aspect rather than aligning IT risks with business objectives.