Certified in Risk and Information Systems Control (CRISC) — Question 701

Which of the following is the MAIN reason to continuously monitor IT-related risk?

Answer options

• A. To ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance
• B. To redefine the risk appetite and risk tolerance levels based on changes in risk factors
• C. To help identify root causes of incidents and recommend suitable long-term solutions
• D. To update the risk register to reflect changes in levels of identified and new IT-related risk

Correct answer: A

Explanation

The correct answer, A, focuses on the necessity of maintaining risk levels that align with the organization's predefined risk appetite and tolerance. While options B, C, and D address important aspects of risk management, they do not represent the primary reason for continuous monitoring, which is to ensure that risks remain within acceptable boundaries.