Question: A risk assessment should be conducted:
A.) once a year for each business process andsubprocess.
B.) every three-to-six months for critical business processes.
C.) by external parties to maintain objectivity.
D.) annually or whenever there is a significant change.

Download pdf (with explanations) edition of this exam.