Certified in Risk and Information Systems Control (CRISC) — Question 184

Which of the following should be the risk practitioner's PRIMARY focus when determining whether controls are adequate to mitigate risk?

Answer options

Correct answer: C

Explanation

The correct answer is C, as the level of residual risk directly indicates how much risk remains after controls are applied, which is crucial for evaluating their effectiveness. Options A, B, and D, while important, focus on different aspects of risk management rather than on the adequacy of controls in mitigating risk.