Governance of Enterprise IT (CGEIT) Certification Practice Exam


Boost your IT governance expertise and ace the CGEIT Certification Exam. Prepare with focused quizzes covering real-world scenarios and concepts. Elevate your enterprise IT governance skills today!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



What is the primary reason for reporting significant changes in information risk to senior management?

  1. To revise key risk indicators

  2. To gain support for new countermeasures

  3. To enable informed decision making

  4. To recalculate the value of existing information assets

The correct answer is: To enable informed decision making

The primary reason for reporting significant changes in information risk to senior management is to enable informed decision-making. When information risk evolves—whether due to internal changes like new technologies or external factors like regulatory updates—senior management needs a clear understanding of the current risk landscape. This knowledge allows them to make well-informed choices regarding strategic directions, investment priorities, resource allocation, and risk mitigation strategies.

In the context of governance of enterprise IT, informed decision-making is critical because it directly affects the organization's overall risk posture and its capability to protect sensitive information and assets. Senior executives must be equipped with accurate, timely data to guide their decisions on risk management and to align risk tolerance with business objectives effectively.

The other options, while potentially relevant in specific contexts, do not capture the primary purpose. Revising key risk indicators may be a subsequent action after risks are reported, gaining support for new countermeasures is a tactical step that follows understanding the risks, and recalculating the value of existing information assets is an analytical task that supports decision-making but is not the main intent of reporting risk changes. The core goal remains ensuring that senior management can navigate the organization's risk landscape effectively.