Certified in Risk and Information Systems Control (CRISC) — Question 1383

Which of the following should be the PRIMARY input to determine risk tolerance?

Answer options

• A. Risk management costs
• B. Annual loss expectancy (ALE)
• C. Regulatory requirements
• D. Organizational objectives

Correct answer: D

Explanation

The correct answer is D, as organizational objectives directly impact the level of risk an organization is willing to accept. While risk management costs, annual loss expectancy, and regulatory requirements are important, they are secondary to aligning risk tolerance with the strategic goals of the organization.