Certified in Risk and Information Systems Control (CRISC) — Question 1444
Whose risk tolerance matters MOST when making a risk decision?
Answer options
- A. Customers who would be affected by a breach
- B. The information security manager
- C. The business process owner of the exposed assets
- D. Auditors, regulators, and standards organizations
Correct answer: C
Explanation
The business process owner of the exposed assets matters most when assessing risk tolerance, because they have a direct stake in the management and protection of those assets. Customers, the information security manager, and auditors each have their own concerns, but their risk tolerances do not influence the operational impact as directly or as significantly as that of the business process owner.