The level of risk in the IT risk profile is the aggregate measure of the likelihood and impact of IT-related risks that may affect the enterprise’s objectives and operations.

The risk appetite is the amount and type of risk that the enterprise is willing to accept in pursuit of its goals. It is usually expressed as a range or a threshold, and it is aligned with the enterprise’s strategy and culture.

If the level of risk in the IT risk profile has decreased and is now below management’s risk appetite, it means that the enterprise has more capacity and opportunity to take on additional risks that may offer higher rewards or benefits.

The best recommendation in this situation is to optimize the control environment, which is the set of policies, procedures, standards, and practices that provide the foundation for managing IT risks and controls. Optimizing the control environment means enhancing the efficiency and effectiveness of the controls, reducing the costs and complexity of compliance, and aligning the controls with the enterprise’s objectives and values.

Optimizing the control environment can help the enterprise to achieve the optimal balance between risk and return, and to leverage its risk management capabilities to create and protect value.

The other options are not the best recommendations, because they do not address the opportunity to improve the enterprise’s performance and resilience.

Realigning risk appetite to the current risk level may result in missing out on potential gains or advantages that could be obtained by taking more risks within the acceptable range.

Decreasing the number of related risk scenarios may reduce the scope and depth of risk analysis and reporting, and impair the enterprise’s ability to identify and respond to emerging or changing risks.

Reducing the risk management budget may compromise the quality and reliability of the risk management process and activities, and weaken the enterprise’s risk culture and governance.

Reference:
ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 29-30, 34-35, 38-39, 44-45
ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 145