CGEIT Question #442: Real Exam Question with Answer & Explanation
The correct answer is B: Include key IT risks in a dashboard submitted to the board quarterly. To effectively address the board's request for IT risk updates, the IT director should initially provide a concise dashboard of key IT risks quarterly.
Question
A newly hired IT director of a large international enterprise has been asked to provide periodic updates regarding IT risk to the board. Which of the following is the MOST effective way to initially address this request?
Options
- A. Include a complete IT risk register in the monthly letter given to each board member.
- B. Include key IT risks in a dashboard submitted to the board quarterly.
- C. Submit a register of all IT audit findings to board members monthly.
- D. Schedule quarterly meetings to discuss all open IT risks.
Explanation
To effectively address the board's request for IT risk updates, the IT director should initially provide a concise dashboard of key IT risks quarterly.
Common mistakes.
- A. Providing a complete IT risk register monthly would be too detailed and frequent for board members, who typically require summarized, strategic information, not operational-level data.
- C. Submitting only IT audit findings is too narrow, as it covers past issues and not the broader ongoing IT risk landscape that the board needs to understand for proactive governance.
- D. Scheduling quarterly meetings to discuss all open IT risks could be overly time-consuming and inefficient; a summarized dashboard allows for focused discussion on the most critical items, with the option to deep dive if needed.
Concept tested. IT risk reporting and governance communication