{ "query": "Which statement best describes an organization's risk appetite?", "options": [ { "text": "The acceptable degree of deviation when pursuing objectives", "explanation": "This describes tolerance for variation in achieving objectives.", "correct": false, "selected": false }, { "text": "The quantity of risk an organization is prepared to accept", "explanation": "This expresses the amount of risk the organization is willing to bear to achieve its objectives.", "correct": true, "selected": false }, { "text": "The effectiveness of risk management and internal controls", "explanation": "This refers to how well controls identify and mitigate risks rather than the level of risk the organization will accept.", "correct": false, "selected": false } ], "answer": "

The quantity of risk an organization is prepared to accept is the correct definition of an organization's risk appetite.

Risk appetite describes the level of risk leadership is willing to pursue or retain to achieve strategic and operational objectives. It sets the overall direction for how much uncertainty the organization will accept, and it informs the development of specific risk tolerances and decision-making across the enterprise.

The acceptable degree of deviation when pursuing objectives is not the best choice because that wording more closely matches the idea of a tolerance, or allowable variance, for performance measures rather than the broader concept of appetite. Risk tolerance is typically a more specific threshold that sits under the overall appetite.

The effectiveness of risk management and internal controls is incorrect because that describes how well controls and processes work, not how much risk an organization is willing to accept. Control effectiveness may influence appetite decisions, but it is not the definition of risk appetite.

", "batch_id": "50", "answerCode": "2", "type": "multiple-choice", "originalQuery": "Which of the following statements BEST describes risk appetite?", "originalOptions": "A. The acceptable variation relative to the achievement of objectives a
B. Acceptable variation between risk thresholds and business objectives
C. The effective management of risk and internal control environments
D. The amount of risk an organization is willing to accept", "domain": "ORGANIZATIONAL & RISK GOVERNANCE", "hasImage": false, "queryImage": "", "queryImages": [], "allImages": [], "hasAnyImage": false, "deprecatedReference": false, "deprecatedMatches": {}, "hasPre": false, "qid": "423s", "tip": "

When you see wording about how much risk an organization will accept, look for phrases such as "quantity of risk" or "willingness to accept risk", and avoid options that describe control effectiveness or performance deviation.

", "references": [ "https://www.iso.org/iso-31000-risk-management.html", "https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf", "https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final" ], "video_url": "https://certificationation.com/videos/others/isaca/crisc/isaca-which-of-the-following-statements-best-describes-risk-appetite-exam-423.html", "url": "https://certificationation.com/questions/others/isaca/crisc/isaca-which-of-the-following-statements-best-describes-risk-appetite-exam-423.html" }