Certified in Risk and Information Systems Control (CRISC) — Question 1391

A global organization has implemented an application that does not address all privacy requirements across multiple jurisdictions. Which of the following risk responses has the organization adopted with regard to privacy requirements?

Answer options

• A. Risk mitigation
• B. Risk transfer
• C. Risk avoidance
• D. Risk acceptance

Correct answer: D

Explanation

The correct answer is D, Risk acceptance, because the organization has acknowledged the existence of privacy risks but has chosen to proceed without making changes to the application. The other options, such as risk mitigation, transfer, and avoidance, imply taking actions to reduce, shift, or eliminate the risks, which the organization is not doing in this case.