The primary reason to report the information about the new risk scenarios identified after the
implementation of Internet of Things (IoT) devices to risk owners is to confirm the impact to the risk
profile. The risk profile is a summary of the level and nature of the risks that the organization faces or
may face in the future. The risk profile reflects the risk appetite, tolerance, and capacity of the
organization, and guides the risk management decisions and actions. The implementation of IoT
devices may introduce new risks or increase the likelihood or impact of existing risks, such as data
privacy, security, or interoperability issues. Therefore, the information about the new risk scenarios
should be reported to the risk owners, who have the authority and responsibility for managing the
risks and their responses, to confirm the impact to the risk profile and to determine the appropriate
risk treatment plans. The other options are not as primary as confirming the impact to the risk profile,
as they are related to the reevaluation, mitigation, or recommendation of the IoT devices, not the
confirmation or assessment of the risk profile. Reference = Risk and Information Systems Control
Study Manual, Chapter 1: IT Risk Identification, Section 1.2: IT Risk Register, page 19.