Q: 11
Which of the following would be the BEST recommendation if the level of risk in the IT risk profile
has decreased and is now below management's risk appetite?
Options
Discussion
Always feels like ISACA wants A on these even though in reality, people just look for ways to cut budget. Option A
It's A. If the risk's now below appetite, best practice is to review and tweak controls for efficiency rather than just slash budgets or change appetite. Makes operations smoother but still keeps you covered. Pretty sure that's what ISACA wants here.
Had something like this in a mock and the answer was A. When risk drops below appetite, best move is to optimize controls for efficiency, not just cut budget or scenarios. That way you keep risk managed without over-spending or missing new threats. Realigning appetite (B) isn't usually needed unless the business itself shifts strategy. Agree?
A, C looks tempting but that's the trap. Optimizing controls is what ISACA wants in this case.
A makes sense here since if risk is already below appetite, the smart move is to optimize rather than just start slashing budgets or removing scenarios. Keeps things efficient but within good governance practices. Pretty sure that's what ISACA expects but open to other views.
Wouldn’t B make more sense if management decides their risk appetite is set too high based on new business strategy? Seems like a legit move sometimes depending on external pressures or changes.