ISACA Exam Questions

Which of the following is true for risk evaluation?

A.
Risk evaluation is done only when there is significant change.

B.
Risk evaluation is done once a year for every business process.

C.
Risk evaluation is done annually or when there is significant change.

D.
Risk evaluation is done every four to six months for critical business processes.

Explanation:

Because risk is constantly changing, it should be evaluated annually or whenever there is a
significant change. This is the best alternative: it sets a reasonable, fixed time frame of one year,
and it also addresses significant changes whenever they occur.
Answer A is incorrect. Evaluating risk only when there is a significant change does not take into
account the effect of time. Because risk changes constantly, small changes accumulate over time
and affect the overall risk, so risk evaluation should also be performed annually.

Answer D is incorrect. Risk evaluation need not be done every four to six months for critical
processes; a fixed cycle of that length still does not address significant changes in a timely
manner, because a change can occur at any point between scheduled evaluations.
Answer B is incorrect. Evaluating risk only once a year is not sufficient when a significant change
takes place between evaluations. Such a change affects the overall risk and must be taken into
account when it occurs.