Question 13
Domain 3 — Risk Response and Reporting
What should be included in a risk report to senior management?
Correct answer: B
Explanation
A risk report to senior management should give a concise view of the organization’s most important exposures, so it includes a "summary of top risks." It should also show whether risk levels are changing and whether mitigation is working, which is why "trends" and "treatment progress" belong in the report.
Why each option is right or wrong
A. Detailed server configurations
B. Summary of top risks, trends, and treatment progress
Senior management reporting is expected to be concise and decision-focused, highlighting the organization’s most significant exposures rather than a full risk register. In practice, that means the report should identify the highest-priority risks, show whether those risks are increasing or decreasing over time, and indicate the status of mitigation actions so management can judge whether treatment is on track.
C. Individual employee performance data
D. Source code listings