An identified high-probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy (ALE). Which of the following is the BEST risk response?
C. Accept
Accepting the risk is often the most appropriate response when the cost of implementing controls to mitigate the risk is greater than the potential loss from the risk itself. In this case, it would not be cost-effective to spend more on controls than the expected loss due to the risk. Risk acceptance means that the organization acknowledges the risk and decides to bear any potential losses or impacts without taking further action to control or mitigate the risk.
Selected Answer: C
Can you avoid "a critical, proprietary business function"? I don't think so. If you transfer the risk, the annualized control cost will still be higher than the annual loss expectancy. Therefore, accepting.
A. Avoid
The BEST risk response in the described scenario where an identified high-probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy (ALE) is "A. Avoid." Avoiding the risk means taking actions to eliminate the risk scenario altogether. Given that the cost of control is higher than the potential loss, it might be more cost-effective to avoid engaging in the risky activity or scenario.
B. Transfer
If the annualized cost of control (the cost of implementing and maintaining the control over a year) is higher than the annual loss expectancy (the financial impact the organization would experience if the risk occurred over the course of a year), then it might not be cost-effective to mitigate the risk directly. Instead, it may be more efficient to transfer the risk, which could involve buying insurance or outsourcing the risky operation to another entity. Remember, risk transfer does not eliminate the risk; it merely transfers the financial impact to another entity.
I am not sure if there is a trick in this question. The default risk response when the cost of control exceeds the cost of the risk is to accept. However, this is normally for low probability/low impact risks. The scenario in the question talks about a high probability risk and does not mention the impact! I believe if the organization could avoid the risk, this will be the best answer.