Certified in Risk and Information Systems Control (CRISC) — Question 558

Which of the following should be considered FIRST when creating a comprehensive IT risk register?

Answer options

• A. Risk mitigation policies
• B. Risk appetite
• C. Risk analysis techniques
• D. Risk management budget

Correct answer: B

Explanation

The correct answer is B, as understanding the organization's risk appetite is essential for determining how much risk is acceptable and guiding subsequent risk management processes. Options A, C, and D are important considerations but should follow the establishment of the risk appetite to ensure alignment with organizational goals.