CRISC · Question #11
CRISC Question #11: Real Exam Question with Answer & Explanation
The correct answer is C: Document formal acceptance of the risk. When an organization decides to proceed with an activity where risk exposure exceeds appetite, the most critical action for the risk practitioner is to formally document this decision.
Question
An organization has decided to commit to a business activity with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's MOST important action related to this decision?
Options
- ARecommend risk remediation
- BChange the level of risk appetite
- CDocument formal acceptance of the risk
- DReject the business initiative
Explanation
When an organization decides to proceed with an activity where risk exposure exceeds appetite, the most critical action for the risk practitioner is to formally document this decision.
Common mistakes.
- A. Recommending risk remediation would contradict the decision to commit to the activity with higher-than-appetite risk, as remediation implies reducing the risk, which the organization has implicitly decided against for this specific instance.
- B. Changing the level of risk appetite to match a specific decision retrospectively is an inappropriate practice, as risk appetite should be set proactively and consistently based on organizational strategy, not adjusted for individual risk acceptance decisions.
- D. Rejecting the business initiative would be a decision to avoid the risk, which is contrary to the premise that the organization has already decided to commit to the activity.
Concept tested. Risk Acceptance Documentation
Reference. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-39.pdf
Topics
Community Discussion
No community discussion yet for this question.