A risk assessment should be conducted:
A . once a year for each business process and subprocess.
B . every three to six months for critical business processes.
C . by external parties to maintain objectivity.
D . annually or whenever there is a significant change.
Answer: D
Explanation:
Risks are constantly changing. Choice D offers the best alternative because it takes into consideration a reasonable time frame and allows flexibility to address significant change. Conducting a risk assessment once a year is insufficient if important changes take place. Conducting a risk assessment every three-to-six months for critical processes may not be necessary, or it may not address important changes in a timely manner. It is not necessary for assessments to be performed by external parties.