Certified in Risk and Information Systems Control (CRISC) — Question 394
An identified high-probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy (ALE). Which of the following is the BEST risk response?
Answer options
- A. Avoid
- B. Transfer
- C. Accept
- D. Mitigate
Correct answer: C
Explanation
The best risk response in this scenario is to accept the risk. The annualized cost of control is greater than the annual loss expectancy (ALE), so it may be more economical to acknowledge and tolerate the risk than to invest in costly control measures. Avoiding the risk may not be feasible because the business function is critical, transferring the risk may not be applicable, and mitigating it would cost more than the potential losses.