C. The business process owner of the exposed assets.
The risk tolerance of the business process owner of the exposed assets matters most when making a risk decision. This is because the business process owner is responsible for the day-to-day operations and outcomes of the processes and assets in question. They have the most intimate knowledge of the business context, objectives, and the potential impact of the risks on the organization's operations.
C. The business process owner of the exposed assets
When making a risk decision, the risk tolerance of the business process owner of the exposed assets matters most. Here's why:
Ownership and Accountability: The business process owner is responsible for the assets and operations related to the specific business process. They are directly accountable for the outcomes and risks associated with that process.
Contextual Understanding: The business process owner has a deep understanding of the specific business operations, objectives, and priorities. They can evaluate risks in the context of how they impact the achievement of business goals.
Risk-Benefit Trade-offs: Business process owners are in the best position to assess the trade-offs between risk and potential benefits. They can weigh the impact of risks against the potential advantages of pursuing a particular course of action.
Because the business process owner is responsible for the assets and the processes that use them. They understand the potential impact of a security breach on the business operations, and therefore have the most relevant information and insight on the acceptable level of risk. The business process owner's risk tolerance will impact the decisions they make regarding the allocation of resources to mitigate risk, as well as their willingness to accept certain risks in order to achieve business goals. The views and concerns of customers, information security managers, auditors, regulators, and standards organizations are important, but the business process owner's risk tolerance is the most relevant when making a risk decision.
I think D is correct because regulators and standards orgs have certain requirements. And Audit will be relying on the business tolerance, yes? I guess I see it.
hussmohsin (Highly Voted), 3 years, 2 months ago
BeeSz, 2 years, 10 months ago
SuperMax (Most Recent), 5 months, 1 week ago
Staanlee, 7 months, 2 weeks ago
CbtL, 1 year ago
john_boogieman, 1 year, 2 months ago
Boubou480, 1 year, 2 months ago
Raj1510, 2 years, 2 months ago
PunkMom, 3 years, 6 months ago
travdaman, 3 years, 6 months ago
Rooks, 3 years, 7 months ago