Certified in Risk and Information Systems Control (CRISC) — Question 18

Which of the following is the BEST indication of an effective risk management program?

Answer options

• A. Risk action plans are approved by senior management
• B. Mitigating controls are designed and implemented
• C. Residual risk is within the organizational risk appetite
• D. Risk is recorded and tracked in the risk register

Correct answer: C

Explanation

The correct answer, C, indicates that the remaining risk is acceptable for the organization, aligning with its risk appetite. While options A, B, and D are important components of risk management, they do not necessarily reflect the overall effectiveness of the program in managing and accepting risk.