Inherent risk reflects exposure before controls. When regulatory requirements change, they can alter compliance obligations, legal exposure, and the baseline inherent risk of processes.
ISACA’s CRISC framework specifies:
“Significant changes to regulatory or legal environments are triggers for reassessing inherent and residual risk.”
A (risk tolerance) affects acceptance, not inherent risk itself.
C (KRIs) and D (benchmarks) measure and compare risk but do not trigger reassessment directly.
Hence, B is correct.
CRISC Reference: Domain 2 – IT Risk Assessment, Topic: Risk Triggers and Environmental Changes.