CRISC Certified in Risk and Information Systems Control – Question151
Which of the following is true for risk evaluation? A. Risk evaluation is done only when there is significant change. B. Risk evaluation is done once a year for every business processes. C. Risk evaluation is done annually or when there is significant change. D. Risk evaluation is done every four to six months for critical business processes.
Correct Answer: C
Explanation:
Explanation:
Due to the reason that risk is constantly changing, it is being evaluated annually or when there is significant change. This gives best alternative as it takes into consideration a reasonable time frame of one year, and meanwhile it also addresses significant changes (if any).
Incorrect Answers:
A: Evaluating risk only when there are significant changes do not take into consideration the effect of time. As the risk is changing constantly, small changes do occur with time that would affect the overall risk. Hence risk evaluation should be done annually too.
B: Evaluating risk once a year is not sufficient in the case when some significant change takes place. This significant change should be taken into account as it affects the overall risk.
D: Risk evaluation need not to be done every four to six months for critical processes, as it does not address important changes in timely manner.
Please disable your adblocker or whitelist this site!