Certified in Risk and Information Systems Control (CRISC) — Question 929

Risk appetite should be PRIMARILY driven by which of the following?

Answer options

• A. Stakeholder requirements
• B. Enterprise security architecture roadmap
• C. Business impact analysis (BIA)
• D. Legal and regulatory requirements

Correct answer: A

Explanation

The correct answer is A, as stakeholder requirements are crucial in determining an organization's risk appetite since they reflect the needs and expectations of those with a vested interest. Options B, C, and D are important considerations but do not primarily drive risk appetite; they support the overall risk management strategy.