Certified in Risk and Information Systems Control (CRISC) — Question 289

Which of the following should be management's PRIMARY consideration when approving risk response action plans?

Answer options

• A. Prioritization for implementing the action plans
• B. Ability of the action plans to address multiple risk scenarios
• C. Ease of implementing the risk treatment solution
• D. Changes in residual risk after implementing the plans

Correct answer: D

Explanation

The primary focus of management should be on changes in residual risk after implementing the plans, as this directly reflects the effectiveness of the risk response. The other options, while important, do not capture the ultimate goal of risk management, which is to reduce the residual risk to an acceptable level.