Exam CGEIT topic 1 question 218 discussion

Actual exam question from Isaca's CGEIT
Question #: 218
Topic #: 1

Which of the following is the BEST way to implement effective IT risk management?

  • A. Minimize the number of IT risk management decision points.
  • B. Adopt risk management processes.
  • C. Establish a risk management function.
  • D. Align with business risk management processes.
Suggested Answer: D

Comments

SuperMax
9 months, 2 weeks ago
Selected Answer: D
D. Align with business risk management processes. Aligning IT risk management with business risk management processes ensures that IT risks are understood within the broader context of organizational objectives and strategies. This alignment facilitates better communication and collaboration between IT and other business units, allowing for a more comprehensive understanding of risks and their potential impact on the organization as a whole. By integrating IT risk management with broader business risk management processes, organizations can prioritize risks more effectively, allocate resources efficiently, and make informed decisions that address both IT-specific concerns and broader business objectives. This approach fosters a holistic approach to risk management and enhances the organization's ability to identify, assess, mitigate, and monitor risks across all areas of operation.
upvoted 1 times
...
Sathish5
11 months, 4 weeks ago
Selected Answer: D
IT risk management should be integrated with overall business risk management. This ensures that IT risks are considered in the broader context of the organization's objectives, and there is a unified approach to managing risks across the entire business.
upvoted 2 times
...
John_Connor
3 years ago
B makes better sense to me than D; here's why. IT risk is different from business risk due to its inherent nature. It makes sense to align IT risk with business risk but not the process for resolving the risk. An example: business risk regarding opportunity loss due to lack of power to a facility may be resolved through processes involving manual workarounds (customer visits arranged, manual paperwork, etc.). However, IT risk regarding lack of power to a facility can only be resolved through DRP. A manual workaround will probably never be suggested for IT risks. This is why I feel the answer is "adopt risk management process" rather than "align with business risk management process".
upvoted 1 times
...
Ramye
3 years, 1 month ago
Selected Answer: D
D definitely is the answer.
upvoted 3 times
...
WongY
3 years, 2 months ago
Should be D. IT risk is biz risk.
upvoted 2 times
...