Certified in Risk and Information Systems Control (CRISC) — Question 952
Which of the following would be of MOST concern to a risk practitioner reviewing risk action plans for documented IT risk scenarios?
Answer options
- A. Many action plans were discontinued after senior management accepted the risk.
- B. Individuals outside IT are managing action plans for the risk scenarios.
- C. Target dates for completion are missing from some action plans.
- D. Senior management approved multiple changes to several action plans.
Correct answer: C
Explanation
The absence of target completion dates in some action plans is critical because it indicates a lack of accountability and urgency in addressing the risks. While the other options may raise concerns, they do not impede the ability to track and mitigate risks as directly as the missing deadlines do.