Certified in Risk and Information Systems Control (CRISC) — Question 610
To define the risk management strategy, which of the following MUST be set by the board of directors?
Answer options
- A. Risk governance
- B. Annualized loss expectancy (ALE)
- C. Risk appetite
- D. Operational strategies
Correct answer: C
Explanation
The correct answer is C because the board of directors is responsible for establishing the organization's risk appetite, which guides how much risk the organization is willing to accept. Options A, B, and D, while important, are typically managed at other levels of the organization and do not require direct approval from the board.