Certified in Risk and Information Systems Control (CRISC) — Question 318

Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Answer options

• A. Inherent risk is increased.
• B. Risk tolerance is decreased.
• C. Risk appetite is decreased.
• D. Residual risk is increased.

Correct answer: D

Explanation

The correct answer is D because when a critical patch fails, it leaves vulnerabilities unaddressed, which raises the residual risk. Options A, B, and C do not accurately reflect the immediate implications of a patch failure; inherent risk may remain the same, and risk tolerance and appetite are more related to organizational policy rather than direct outcomes of a single event.