Risk ratings must be maintained as current assessments of organizational risk exposure. Events that materially change the risk profile—particularly those indicating active harm or regulatory violations—require immediate risk rating updates so that governance responses are calibrated to the risk the organization actually faces rather than to a stale assessment.
Why A is Correct: According to ISACA AAIR risk monitoring and review guidance, the discovery of discriminatory outputs from an AI system represents a material change in risk exposure that requires an immediate risk rating update. Discriminatory outputs indicate active harm to individuals, regulatory violations, and significant legal and reputational exposure. This event shifts the risk from a potential harm to a realized one, requiring escalated risk ratings and corresponding treatment responses.
Why B is Wrong: Adding new monitoring metrics improves risk detection capability but does not change the underlying risk levels. New metrics may subsequently detect risks requiring rating updates, but their addition alone is an operational change, not a risk level change.
Why C is Wrong: Deploying a vulnerability patch reduces risk by closing a specific security gap. That may justify lowering the affected rating once the patch has been verified as deployed and effective, but it is less urgent than updating ratings to reflect the discovery of active harm. Patching is a remediation activity; discriminatory outputs represent ongoing harm requiring immediate escalation.
Why D is Wrong: Creating an oversight committee improves governance capability but does not change the risk profile of AI systems. Governance structure changes affect the organization's ability to manage risk; they do not affect the risk levels themselves.