Certified in Risk and Information Systems Control (CRISC) — Question 914
Which of the following BEST represents the desired risk posture for an organization?
Answer options
- A. Accepted risk is higher than risk tolerance.
- B. Operational risk is higher than risk tolerance.
- C. Inherent risk is lower than risk tolerance.
- D. Residual risk is lower than risk tolerance.
Correct answer: D
Explanation
The correct answer is D: the risk that remains after controls are implemented is acceptable and falls within the organization's risk tolerance. Options A and B describe risk levels that exceed tolerance, which is undesirable. Option C suggests inherent risk is managed well, but it does not effectively address the organization's actual risk posture.