A board of directors is concerned that a major IT implementation has the potential to significantly disrupt enterprise operations. Which of the following would be MOST helpful in identifying the extent of the potential impact of the disruption?
Correct Answer: D
Question 142
Which of the following BEST supports the implementation of an effective data classification policy?
Correct Answer: A
Question 143
Which of the following functions are performed by the Future Orientation measure of the IT BSC management tool? Each correct answer represents a complete solution. Choose all that apply.
Correct Answer: A,B,C
Question 144
An enterprise has identified a number of plausible risk scenarios that could result in economic loss associated with major IT investments. Which of the following is the BEST method to assess the risk?
Correct Answer: C
Question 145
An enterprise wants to establish key risk indicators (KRIs) in an effort to better manage IT risk. Which of the following should be identified FIRST?
Correct Answer: A
Comprehensive and Detailed Explanation: The CGEIT Review Manual 8th Edition, in its Risk Optimization domain, emphasizes the importance of aligning IT risk management with the enterprise's overall risk management strategy. Key risk indicators (KRIs) are metrics used to monitor potential risks and provide early warnings. To establish effective KRIs, the enterprise must first understand its risk tolerance and priorities.

* Option A: The enterprise risk appetite should be identified first. Risk appetite defines the level of risk the enterprise is willing to accept in pursuit of its objectives, guiding the selection of KRIs. For example, if the enterprise has a low risk appetite for data breaches, KRIs might focus on metrics like unauthorized access attempts. Identifying risk appetite ensures KRIs are relevant and aligned with strategic goals. The manual likely references COBIT 2019's APO12-Managed Risk, which highlights risk appetite as a foundational element of risk management.
* Option B: Key performance metrics relate to performance, not risk, and are not directly relevant to KRIs.
* Option C: Risk mitigation strategies are developed after identifying risks and KRIs, not before.
* Option D: Enterprise architecture (EA) components may inform risk identification but are secondary to defining risk appetite.

Double Verification: The answer aligns with COBIT's APO12 and the CGEIT domain's focus on risk management foundations. Risk appetite is a prerequisite for KRI development in ISACA's frameworks.

ISACA CGEIT Review Manual 8th Edition, Domain 4: Risk Optimization (focus on risk management and KRIs). COBIT 2019, APO12-Managed Risk. ISACA Glossary (for definitions of risk appetite and KRIs), available at https://www.isaca.org/resources/glossary.