Certified in Risk and Information Systems Control (CRISC) — Question 97

A risk practitioner has populated the risk register with industry-based generic risk scenarios to be further assessed by risk owners. Which of the following is the
GREATEST concern with this approach?

Answer options

• A. Risk scenarios in the generic list may not help in building risk awareness
• B. Risk scenarios that are not relevant to the organization may be assessed
• C. Developing complex risk scenarios using the generic list will be difficult
• D. Relevant risk scenarios that do not appear in the generic list may not be assessed

Correct answer: D

Explanation

The primary concern is that relevant risk scenarios that are not included in the generic list may be overlooked, which can lead to unaddressed risks. While the other options highlight potential issues, they do not pose as significant a risk as failing to assess critical scenarios that are specific to the organization.