I agree. I think D (Risk Register) is a better answer

D. Information from the risk register A risk register is a comprehensive tool used in risk management that contains detailed information about identified risks, their assessment, and the measures planned or taken to address them. It typically includes information on the likelihood and impact of risks, as well as the status of any mitigation efforts. Using the risk register to generate department-specific IT risk profiles will provide a current and detailed view of the risks each department faces, along with the status of mitigation efforts. This information is crucial for making informed decisions about where to allocate resources effectively.

B. Key risk indicators (KRIs) The best way to address the IT stakeholders' request for IT risk profile reports associated with specific departments to allocate resources for risk mitigation is to use key risk indicators (KRIs). KRIs are specific metrics or indicators that provide insight into the current level of risk exposure and the effectiveness of controls in place. By using KRIs, you can present quantifiable and measurable data that highlight the risk landscape of each department. This approach provides a more tangible and actionable basis for allocating resources and focusing mitigation efforts effectively.

Answer is D

Information from the risk register would be the best way to address this request. The risk register contains the most up-to-date and comprehensive overview of an organization's risk profile, including risks associated with specific departments. This information can be used to determine the departments' risk levels and, subsequently, how to allocate resources for risk mitigation.

I am not sure of option "D". KRI's (option B) provides more insight on critical risks for each department. The question is tricky . if it is straight forward then option "D" . Otherwise option "B"

should be D

Agree.

Its D,the risk register provides the holistic view

D: Risk register seems the best answer. It is also the answer found in 3 other sites that I located.

the correct answer is a rip register. the risk register contains all the information including scenarios of the entire enterprise.

i think ISACA wants us to start with Historical risk to remove bias

Shouldn’t the answer be D as the Risk Register may already have all the requested resources / cost info?