Exam CISM topic 1 question 667 discussion

Just because senior management is ultimately responsible and accountable does not mean they are the best to evaluate the impact since it's impossible to be aware of every detail of every process in an organization. A process owner would be the best resource to know everything about their process and hence the best to evaluate the impact to their process.

A. Senior management is in the BEST position to evaluate business impacts, as they are responsible for the overall strategy and direction of the organization, and have the authority and access to resources to make decisions that affect the entire organization.

Agree with Dravidian - senior management is ultimately responsible and accountable does not mean they are the best to evaluate the impact since it's impossible to be aware of every detail of every process in an organization.

I reckon the best answer would be a product/ process owner, who understands the business progress the most.

I'm actually gonna go ahead an point out that it is said "business impactS" (plural). So senior management is more relevant than a process manager. Yeah, I know it's a bit of a stretch, but it seems to me that's a mini-hint.

process manager will have a better visibility but the senior manager will have overall visibility to take a decision at the end

Senior Management is at the 50k ft view level. Definitely C.

A. Senior management

Senior management is in the best position to evaluate business impacts. Senior management typically has a broader perspective on the overall business operations and goals. They are responsible for making strategic decisions and have a better understanding of the potential risks and impacts on the organization as a whole. Additionally, senior management has the authority to allocate resources and make changes to mitigate any identified risks. While other roles such as the information security manager, process manager, and IT manager may have specialized knowledge and expertise in their respective areas, senior management has the overall authority and responsibility to evaluate the business impacts.

Senior management has a strategic perspective, information security managers focus on security-related impacts, process managers specialize in process-related impacts, and IT managers assess IT-related impacts. The choice of who should evaluate business impacts should be based on the specific circumstances and the expertise required to make informed assessments. Often, a collaborative approach involving multiple stakeholders may be necessary to comprehensively evaluate business impacts.

I choose A, Everybody reports to Senior Management ..including process manager. Senior management is aware or should be aware of everything going on, or affecting the org. So they can evaluate the business impacts. They have the overall picture to do that, process manager only have a partial view of his/ her process.

I agree with Dravidian that the answer is C-Process Manager. Senior management are ultimately responsible for an organization's risk, but don't evaluate business impacts . The process manger does this .

C. Process manager

A. Senior management

Evaluating business impacts involves understanding how potential incidents, disruptions, or changes can affect the organization's operations, financials, reputation, and overall business continuity. Senior management has the authority and perspective to assess these impacts holistically and make informed decisions about risk management, resource allocation, and prioritization.

A. Senior management is in the best position to evaluate business impacts because they have a holistic view of the organization and its operations. The information security manager is responsible for protecting the organization's information assets.