Risk appetite is the best criterion to determine whether higher residual risk ratings in the risk register should be accepted, as it reflects the amount and type of risk that an organization is willing to take in pursuit of its objectives. Residual risk is the level of risk that remains after applying controls or other risk treatments. By comparing the residual risk ratings against the risk appetite, an organization can decide whether to accept, reduce, transfer, or avoid the risk. If the residual risk is within or below the risk appetite, the organization may accept the risk as tolerable. If the residual risk is above the risk appetite, the organization may not accept the risk as acceptable, and may seek further risk treatments or escalation.
[References:, •ISACA, Risk IT Framework, 2nd Edition, 2019, p. 751, •ISACA, Risk and Information Systems Control Review Manual, 7th Edition, 2020, p. 2112, , , , , , , , , , , ]
Submit