Certified in Risk and Information Systems Control (CRISC) — Question 336

Which of the following should be an element of the risk appetite of an organization?

Answer options

• A. The enterprise's capacity to absorb loss
• B. The effectiveness of compensating controls
• C. The amount of inherent risk considered appropriate
• D. The residual risk affected be preventive controls

Correct answer: A

Explanation

The correct answer, A, addresses the organization's ability to bear losses, which is a fundamental aspect of risk appetite. Options B, C, and D focus on the effectiveness of controls and risk assessment, but do not directly relate to the organization's capacity to withstand potential losses.