Certified in Risk and Information Systems Control (CRISC) — Question 381

Which of the following should be the MAIN consideration when validating an organization's risk appetite?

Answer options

• A. Cost of risk mitigation options.
• B. Maturity of the risk culture.
• C. Capacity to withstand loss.
• D. Comparison against regulations.

Correct answer: C

Explanation

The correct answer is C because an organization's capacity to withstand loss directly influences its risk appetite. While the cost of mitigation, maturity of risk culture, and regulatory compliance are important, they are secondary to understanding how much risk the organization can realistically absorb.