Certified in Risk and Information Systems Control (CRISC) — Question 511

In order to determine if a risk is under-controlled, the risk practitioner will need to:

Answer options

• A. determine the sufficiency of the IT risk budget
• B. monitor and evaluate IT performance
• C. identify risk management best practices
• D. understand the risk tolerance

Correct answer: D

Explanation

The correct answer is D because understanding the risk tolerance is essential for determining if the measures in place are sufficient for managing the risk. Options A, B, and C, while important in their own right, do not directly address the evaluation of whether the risk is adequately controlled.