B, and C are incorrect. Auditing of compliance by external organization is done annually, not quarterly or every three year.

The primary objective of a risk awareness training program is to enable risk-based decision making, which means making decisions that take into account the potential risks and opportunities associated with each option. A risk awareness training program should aim to develop a common understanding of risk across multiple functions and business units, achieve a better understanding of risk for competitive advantage, and build safeguards against earnings-related surprises1. A risk awareness training program should also cover the basics of risk management, such as the risk management process, the roles and responsibilities of different stakeholders, the risk appetite and tolerance of the organization, and the tools and techniques for identifying, analyzing, evaluating, and treating risks234. A risk awareness training program should also include practical examples and case studies to illustrate how risk management can be applied in different scenarios and contexts5. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.11: Risk Awareness, pp. 34-354

A RACI matrix is a tool that assigns the roles and responsibilities for each risk, such as who is responsible, accountable, consulted, and informed. A RACI matrix helps to clarify the expectations and accountabilities for each risk owner and stakeholder, and to ensure that the risk is managed and monitored effectively and efficiently.
A risk register is a document that records and tracks the identified risks, their likelihood, impact, and mitigation strategies. A risk register does not assign the accountability for each risk, but rather the ownership and response.
A risk catalog is a collection of risks that have been identified and categorized based on common attributes, such as source, type, or impact. A risk catalog does not assign the accountability for each risk, but rather the classification and description.
A risk scenario is a technique that simulates the possible outcomes of different risk events and assesses their impact on the enterprise's objectives and operations. A risk scenario does not assign the accountability for each risk, but rather the analysis and evaluation.
References: CRISC Certified in Risk and Information Systems Control - Question216; ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 216.