Certified in Risk and Information Systems Control (CRISC) — Question 386

Reviewing which of the following provides the BEST indication of an organization's risk tolerance?

Answer options

• A. Risk sharing strategy
• B. Risk assessments
• C. Risk transfer agreements
• D. Risk policies

Correct answer: D

Explanation

Risk policies outline the organization's approach to managing risk, including their tolerance levels. While risk assessments, risk sharing strategies, and risk transfer agreements are important elements of risk management, they do not directly define the organization's risk tolerance as clearly as formal risk policies do.