Certified in Risk and Information Systems Control (CRISC) — Question 375
Which of the following provides the BEST evidence that risk responses are effective?
Answer options
- A. Compliance breaches are addressed in a timely manner
- B. Risk with low impact is accepted
- C. Risk ownership is identified and assigned
- D. Residual risk is within risk tolerance
Correct answer: D
Explanation
The correct answer is D because residual risk that falls within risk tolerance indicates that the risk management strategies are effective and align with the organization's risk appetite. Option A, while important, does not necessarily reflect the overall effectiveness of risk responses. Option B describes accepting risk rather than managing it, and option C focuses on assigning responsibility rather than measuring effectiveness.