CRISC Question #299: Real Exam Question with Answer & Explanation

The correct answer is B: To ensure IT risk impact can be compared to the IT risk appetite. The primary objective of aggregating IT risk scenarios in the enterprise risk register is to enable comparison of the overall IT risk impact to the defined IT risk appetite.

Submitted by takeshi77 · Apr 18, 2026 · Risk Response and Reporting

Question

Which of the following is the PRIMARY objective of aggregating the impact of IT risk scenarios and reflecting the results in the enterprise risk register?

Options

  • A. To ensure IT risk appetite is communicated across the organization
  • B. To ensure IT risk impact can be compared to the IT risk appetite
  • C. To ensure IT risk ownership is assigned at the appropriate organizational level
  • D. To ensure IT risk scenarios are consistently assessed within the organization

Explanation

The primary objective of aggregating IT risk scenarios in the enterprise risk register is to enable comparison of the overall IT risk impact to the defined IT risk appetite.

Common mistakes.

  • A. While risk appetite communication is important, aggregation itself primarily serves comparison, not direct communication.
  • C. Risk ownership is assigned at the individual scenario level, and while important, it's not the primary objective of aggregating impacts.
  • D. Consistent assessment is a prerequisite for meaningful aggregation, not the primary objective of aggregation itself.

Concept tested. Enterprise Risk Register Aggregation

Reference. https://learn.microsoft.com/en-us/compliance/regulatory/regulatory-compliance-dashboard-risk-assessment

Topics

#Risk aggregation #Enterprise risk register #Risk appetite #Risk impact comparison
