Executive management should be primarily responsible for establishing an organization's IT risk culture, as they have the authority and accountability to define and communicate the vision, mission, values, and objectives of the organization, and to set the tone and direction for the IT risk management and control processes. Executive management is the highest level of management in an organization, and it consists of the board of directors, the chief executive officer (CEO), and other senior executives. Executive management is responsible for the strategic planning and decision making of the organization, and for ensuring the alignment of the organizational strategy and objectives with the stakeholder expectations and requirements.
Executive management should be primarily responsible for establishing an organization's IT risk culture by providing the following benefits:
* It demonstrates the leadership and commitment of the executive management to the IT risk management and control processes, and to the achievement of the organizational strategy and objectives.
* It influences and motivates the behavior and attitude of the staff and managers towards IT risk management and control, and fosters a culture of risk awareness, ownership, and accountability across the organization.
* It defines and communicates the IT risk appetite and tolerance of the organization, and guides and supports the development and implementation of the IT risk policies, standards, and procedures.
* It allocates and monitors the resources and performance of the IT risk management and control processes, and ensures the effectiveness and efficiency of the IT risk governance and oversight.
The other options are not the primary choices for establishing an organization's IT risk culture. Business process owner is the person who has the responsibility and authority over the design, execution, and performance of a specific business process, and they are accountable for the risks and controls associated with their process, but they do not have the overall or strategic responsibility for the IT risk culture. Risk management is the function or department that is responsible for managing and monitoring the IT risk management and control processes, and for providing advice and guidance to the executive management and the business units, but they do not have the ultimate or final responsibility for the IT risk culture. IT management is the function or department that is responsible for managing and maintaining the IT operations and security, and for supporting the IT risk management and control processes, but they do not have the highest or broadest responsibility for the IT risk culture. References = Risk Culture - Open Risk Manual, IT Risk Resources | ISACA, The 6 key elements to creating and maintaining a good risk culture

Section: Volume D
Explanation

Explanation/Reference:
Explanation:
The result of risk analysis process is being communicated to relevant stakeholders. The steps that are involved in communication are:
The results should be reported in terms and formats that are useful to support business decisions.

Coordinate additional risk analysis activity as required by decision makers, like report rejection and

scope adjustment
Communicate the risk-return context clearly, which include probabilities of loss and/or gain, ranges, and

confidence levels (if possible) that enable management to balance risk-return.
Identify the negative impacts of events that drive response decisions as well as positive impacts of

events that represent opportunities which should channel back into the strategy and objective setting process.
Provide decision makers with an understanding of worst-case and most probable scenarios, due

diligence exposures and significant reputation, legal or regulatory considerations.
Incorrect Answers:
C: Communicate the negative impacts of events that drive response decisions as well as positive impacts of events that represent opportunities which should channel back into the strategy and objective setting process, for effective communication. Only negative impacts are not considered alone.

Section: Volume D
Explanation/Reference: