Certified in Risk and Information Systems Control (CRISC) — Question 1363

Which of the following should be the PRIMARY driver for the prioritization of risk responses?

Answer options

• A. Residual risk
• B. Inherent risk
• C. Mitigation cost
• D. Risk appetite

Correct answer: D

Explanation

The primary driver for prioritizing risk responses is risk appetite, as it reflects the level of risk an organization is willing to accept. Residual risk, inherent risk, and mitigation costs are important considerations, but they do not directly dictate how risks should be managed relative to the organization’s overall risk tolerance.