Certified in Risk and Information Systems Control (CRISC) — Question 1298

Which of the following is MOST important for management to consider when deciding whether to invest in an IT initiative that exceeds management's risk appetite?

Answer options

• A. Risk management budget
• B. Risk tolerance
• C. Risk capacity
• D. Risk management industry trends

Correct answer: C

Explanation

Risk capacity is crucial for management to determine if they can absorb the potential negative consequences of an IT initiative that exceeds their risk appetite. While risk tolerance and risk management budget are important, they do not fully address the organization's ability to handle the risks involved. Industry trends may provide context but do not directly affect the organization's specific risk capacity.