Certified in Risk and Information Systems Control (CRISC) — Question 1031
Which of the following is the MOST important consideration for a risk owner when deciding whether to accept IT-related risk?
Answer options
- A. Industry risk standards
- B. Opinion of external audit
- C. The likelihood that the risk will materialize
- D. The organization’s risk appetite
Correct answer: D
Explanation
The correct answer is D, as the organization’s risk appetite defines the amount and type of risk it is willing to take. Options A, B, and C, while relevant, do not directly reflect the organization’s thresholds for risk acceptance, making them less critical in this decision-making process.