Certified in Risk and Information Systems Control (CRISC) — Question 996

What should be PRIMARILY responsible for establishing an organization's IT risk culture?

Answer options

• A. Risk management
• B. IT management
• C. Business process owner
• D. Executive management

Correct answer: D

Explanation

Executive management is crucial in setting the tone and direction for an organization's IT risk culture, as they have the authority to allocate resources and define priorities. While Risk management, IT management, and Business process owners play roles in risk management, they do not have the overarching influence necessary to shape the entire organizational culture.