CISSP · Question #988
What is the BEST reason to include supply chain risks in a corporate risk register?
The correct answer is B. Risk registers classify and categorize risk and allow risks to be compared to corporate risk. A risk register is a governance tool used to document, classify, and compare risks across an organization, making it the ideal place to record supply chain risks alongside other corporate risks.
Question
Options
- ARisk registers help fund corporate supply chain risk management (SCRM) systems.
- BRisk registers classify and categorize risk and allow risks to be compared to corporate risk
- CRisk registers can be used to illustrate residual risk across the company.
- DRisk registers allow for the transfer of risk to third parties.
How the community answered
(45 responses)- A7% (3)
- B56% (25)
- C11% (5)
- D27% (12)
Why each option
A risk register is a governance tool used to document, classify, and compare risks across an organization, making it the ideal place to record supply chain risks alongside other corporate risks.
Risk registers are documentation and governance tools used to track and manage risk, not financial instruments or funding mechanisms for procuring SCRM systems.
A risk register serves as a centralized repository that classifies and categorizes all organizational risks, including supply chain risks, enabling consistent scoring (e.g., likelihood and impact ratings) so that SCRM risks can be directly compared against other enterprise risks for prioritization and decision-making. This allows leadership to weigh supply chain threats relative to financial, operational, or regulatory risks using a common framework.
While risk registers can reference residual risk for individual items, their primary and best purpose is the classification, categorization, and comparison of risks - not solely illustrating residual risk across the company.
Risk transference (e.g., via insurance or contracts) is a risk response strategy, not a function of a risk register itself; the register documents risks and responses but does not itself transfer risk to third parties.
Concept tested: Purpose and function of a corporate risk register
Source: https://csrc.nist.gov/glossary/term/risk_register
Topics
Community Discussion
No community discussion yet for this question.