CRISC Question #421: Real Exam Question with Answer & Explanation

The correct answer is C: Transfer. The organization's adoption of contractual penalties for loss of availability with a vendor represents a strategy to shift the financial consequences of risk.

Submitted by krish.m · Apr 18, 2026 · Risk Response and Reporting

Question

An organization has established a contract with a vendor that includes penalties for loss of availability. Which risk treatment has been adopted by the organization?

Options

  • A. Acceptance
  • B. Avoidance
  • C. Transfer
  • D. Reduction

Explanation

The organization's adoption of contractual penalties for loss of availability with a vendor represents a strategy to shift the financial consequences of risk.

Common mistakes.

  • A. Acceptance means acknowledging a risk and taking no action to reduce or mitigate its impact or likelihood, which is not the case when contractual penalties are established.
  • B. Avoidance means eliminating the risk by choosing not to engage in the activity that creates it, which is contrary to establishing a contract with a vendor.
  • D. Reduction involves implementing controls to lessen the likelihood or impact of a risk event, whereas contractual penalties deal with the financial consequence after an event occurs.

Concept tested. Risk treatment strategy (transfer)

Reference. https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy-risk-management#gv-1-establish-and-implement-an-enterprise-wide-risk-management-strategy

Topics

#Risk Treatment #Risk Transfer #Vendor Management #Contract Management
