312-50V10 · Question #705
A medium-sized healthcare IT business decides to implement a risk management strategy. Which of the following is NOT one of the five basic responses to risk?
The correct answer is B. Delegate. The five standard risk responses recognized in frameworks like NIST and ISO 31000 are Accept, Avoid, Transfer, Mitigate, and Defer - Delegate is not among them.
Question
A medium-sized healthcare IT business decides to implement a risk management strategy. Which of the following is NOT one of the five basic responses to risk?
Options
- AAccept
- BDelegate
- CMitigate
- DAvoid
How the community answered
(34 responses)- A9% (3)
- B88% (30)
- D3% (1)
Why each option
The five standard risk responses recognized in frameworks like NIST and ISO 31000 are Accept, Avoid, Transfer, Mitigate, and Defer - Delegate is not among them.
Accept is a valid risk response where an organization consciously decides to live with a risk, typically when mitigation costs outweigh potential losses.
Delegate is not a defined risk response in established risk management frameworks such as NIST SP 800-30 or ISO 31000. The five recognized responses are Accept (tolerate the risk), Avoid (eliminate the risk-causing activity), Transfer (shift risk to a third party via insurance or contracts), Mitigate (reduce likelihood or impact), and sometimes Defer (postpone action). Delegation describes an organizational management task, not a risk treatment strategy.
Mitigate is a valid risk response that involves implementing controls to reduce the probability of a risk occurring or to minimize its impact if it does.
Avoid is a valid risk response where an organization eliminates the source of the risk entirely by discontinuing the activity or process that introduces it.
Concept tested: Five standard risk management response strategies
Source: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
Topics
Community Discussion
No community discussion yet for this question.