When reviewing the risk profile of an enterprise during the governance design phase, what MUST be established prior to conducting a high-level risk analysis?
In the COBIT 2019 Design Guide, when dealing with the risk profile as a design factor, it is emphasized:
"To understand and assess risk at a strategic level, the enterprise’s risk appetite must be established. Risk appetite defines the level and type of risk that the enterprise is willing to accept in pursuit of its objectives."
This is critical because all subsequent risk assessments, including high-level risk analyses and responses, depend on knowing what level of risk is tolerable or unacceptable to the organization. Without a defined risk appetite, risk prioritization becomes speculative and misaligned with enterprise strategy.