Certified in Risk and Information Systems Control (CRISC) — Question 223

When evaluating enterprise IT risk management, it is MOST important to:

Answer options

• A. create new control processes to reduce identified IT risk scenarios
• B. review alignment with the organization's investment plan
• C. report identified IT risk scenarios to senior management
• D. confirm the organization's risk appetite and tolerance

Correct answer: D

Explanation

Confirming the organization's risk appetite and tolerance is essential because it establishes the boundaries within which risks can be accepted. While creating control processes, reviewing alignment with investment plans, and reporting to management are important, they are secondary to understanding the organization's capacity for risk.