Certified in Risk and Information Systems Control (CRISC) — Question 985

An organization’s business gap analysis reveals the need for a robust IT risk strategy. Which of the following should be the risk practitioner’s PRIMARY consideration when participating in development of the new strategy?

Answer options

• A. Proposed risk budget
• B. Risk indicators
• C. Risk culture
• D. Scale of technology

Correct answer: C

Explanation

The correct answer is C, as understanding and fostering a positive risk culture is essential for the successful implementation of an IT risk strategy. While the proposed risk budget, risk indicators, and scale of technology are important, they are secondary to establishing a strong foundational culture around risk management.