Question 25
Domain 2 — Risk Identification, Assessment, and Analysis
What should the board receive in terms of risk reporting?
Correct answer: B
Explanation
The board should receive information that supports oversight, not operational detail, so risk reporting is typically limited to "high-level summaries of risk exposure and emerging risks." This gives directors a concise view of the organization’s major risk profile and new threats so they can monitor governance and strategy.
Why each option is right or wrong
A. Detailed technical vulnerability scans
Incorrect. Scan output is operational detail consumed by security and IT teams to prioritize remediation; it does not tell directors whether overall risk remains within appetite.
B. High-level summaries of risk exposure and emerging risks
Correct. Under standard board-governance practice, directors oversee the organization’s overall risk profile rather than manage day-to-day controls, so reporting to them should be concise and strategic. The board should be given aggregated information on major exposures and newly developing threats, not detailed operational metrics, because its role is to monitor whether risk remains within the approved appetite and whether any emerging issue requires escalation.
C. Individual employee performance reviews
Incorrect. Performance reviews are a line-management and HR matter, not a risk-reporting artifact, and they say nothing about the organization’s risk exposure.
D. Source code for all applications
Incorrect. Source code is a technical artifact for developers and assessors; it is far too granular for board oversight and conveys no aggregated view of risk.