CISM Certified Information Security Manager – Question0424

Which of the following is the PRIMARY reason for implementing a risk management program?

A. Allows the organization to eliminate risk
B. Is a necessary part of management's due diligence
C. Satisfies audit and regulatory requirements
D. Assists in incrementing the return on investment (ROI)

Correct Answer: B

Explanation:
The key reason for performing risk management is that it is part of management’s due diligence. The elimination of all risk is not possible. Satisfying audit and regulatory requirements is of secondary importance. A risk management program may or may not increase the return on investment (ROI).