Certified in Risk and Information Systems Control (CRISC) — Question 699

While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:

Answer options

• A. control is ineffective and should be strengthened
• B. risk is inefficiently controlled
• C. risk is efficiently controlled
• D. control is weak and should be removed

Correct answer: B

Explanation

The correct answer, B, indicates that the cost of managing the risk is greater than the expected loss, suggesting that the current risk management approach is not efficient. Options A and D imply that controls are either ineffective or weak, which is not directly indicated by the cost exceeding ALE. Option C incorrectly suggests that the risk is managed well, which contradicts the findings.