Exam CRISC topic 1 question 755 discussion

D is correct cause when the controls can’t bring the risk lower than risk appetite then risk is exposed that is greater than risk appetite.

The relationship between actual risk exposure and risk appetite is best illustrated by "Residual risk that exceeds appetite." Residual risk is the risk that remains after risk mitigation measures (controls) have been implemented. If the residual risk exceeds the organization's risk appetite (the level of risk it is willing to accept), it means that the organization is exposed to more risk than it finds acceptable. Option A describes a situation where the remaining risk (residual risk) is beyond what the organization is willing to tolerate (exceeds appetite), making it the best illustration of the relationship between actual risk exposure and risk appetite. It highlights a potential misalignment between the implemented controls and the organization's risk tolerance.

Agree it is A.

A seems the best option: If the residual risk exceeds the organization's risk appetite, it means that the organization is exposed to more risk than it is willing to accept, which may result in negative consequences such as financial losses, reputational damage, or regulatory sanctions. Therefore, monitoring and managing residual risk levels in relation to risk appetite is a critical aspect of effective risk management, as it helps ensure that the organization is aware of its risk exposure and takes appropriate actions to align its risk-taking activities with its strategic objectives and risk tolerance levels.

Agree.

Not sure it can be D Controls don't exceed appetite So I would go with A

Answer D is correct as explained by Rooks below. It cannot be A. Residual risk does not exist when Risk exposure is compared to appetite.

Agree with A

Should be A

The answer should be A