Certified in Risk and Information Systems Control (CRISC) — Question 1454
A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner's GREATEST concern?
Answer options
- A. Aggregate risk approaching the tolerance threshold
- B. Vulnerabilities are not being mitigated
- C. Security policies are not being reviewed periodically
- D. Risk owners are focusing more on efficiency
Correct answer: A
Explanation
The greatest concern is the aggregate risk approaching the tolerance threshold. Each exception may be acceptable on its own, but a high number of approved exceptions accumulates residual risk, and the combined exposure can exceed the level the organization has agreed to accept. Unmitigated vulnerabilities (B) and a lack of periodic policy review (C) are real issues, but they are contributing factors rather than the overall exposure itself. A focus on efficiency by risk owners (D) may explain why exceptions are being granted, but it is a cause, not the consequence the practitioner must escalate.