Significant Risk of Business Continuity Plan Not Reviewed and Approved

Business Continuity Plan Review and Approval

Question

An IS auditor determines that a business continuity plan has not been reviewed and approved by management.

Which of the following is the MOST significant risk associated with this situation?

Answers

Explanations

A. B. C. D.

D.

The most significant risk associated with a business continuity plan that has not been reviewed and approved by management is that critical business processes may not be addressed adequately (Option C).

Business continuity planning involves identifying and managing risks to ensure that critical business functions can continue in the event of a disruption. Without management approval and oversight, the plan may not accurately reflect the organization's current risk profile, business processes, and dependencies. This can lead to critical business processes being omitted from the plan, leaving the organization vulnerable to disruptions and loss of revenue, customers, and reputation.

Option A, continuity planning may be subject to resource constraints, is a potential risk associated with any project or initiative but is not the most significant risk in this situation.

Option B, the plan may not be aligned with industry best practice, is also a risk, but it is not as significant as ensuring that critical business processes are addressed in the plan.

Option D, the plan has not been reviewed by risk management, is also a risk, but it is not the most significant risk associated with the situation. Risk management is only one aspect of ensuring that a business continuity plan is adequate and effective. Management approval and oversight are necessary to ensure that critical business processes are addressed in the plan.