Because exceeding the capacity means that the organization will go under.
Appetite and tolerance are different. Tolerance is appetite + a little extra. From the book:
Risk tolerance is defined as the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives. The interpretation of the ISACA definition is that while management has an official acceptance level of one value, they may accept a slight deviation from that level. An example of tolerance is a situation where the speed limit on a highway is 65 miles/hour, but a police officer may allow a person to travel up to 70 miles/hour before issuing a ticket.
A. risk capacity.
Prudent business practice dictates that risk appetite should not exceed an organization's risk capacity. Risk capacity is the maximum amount of risk that an organization can absorb without jeopardizing its ability to achieve its objectives. It represents the financial, operational, and strategic limits within which an organization can operate while still managing risk effectively. Risk appetite should be set below this threshold to ensure that the organization can handle the risks it takes on without exceeding its capacity to manage them.
Agree it is A. The review manual talks about appetite not exceeding capacity. I can see that appetite should not exceed tolerance; however, tolerance is on a case-by-case basis whereas appetite and capacity are on an organizational / overall basis. Also, if appetite exceeds tolerance you just stop having tolerance, it is only appetite at that point. Appetite could theoretically cancel tolerance, but could never cancel capacity.
I gotta go with A.
Risk capacity: the amount and type of risk an organisation is able to support in pursuit of its business objectives.
Risk appetite: the amount and type of risk an organisation is willing to accept in pursuit of its business objectives.
Risk tolerance: organization's or stakeholders’ readiness to bear the risk after risk “treatment” in order to achieve its objectives.
PRUDENT business practice requires that risk appetite not exceed risk tolerance.
Exceeding capacity has nothing to do with prudence, if not with unconsciousness.
Risk Capacity > Risk Tolerance > Risk Appetite (risk acceptance). If an organization crosses risk capacity, its existence will be in danger, so option A is right.
fvanderschmudt (Highly Voted), 3 years, 9 months ago
MartyMar, 1 year, 4 months ago
Staanlee (Most Recent), 10 months, 4 weeks ago
CbtL, 1 year, 3 months ago
helg420, 1 year, 3 months ago
Koulyo, 1 year, 4 months ago
john_boogieman, 1 year, 5 months ago
Raj1510, 2 years, 6 months ago
Josh93, 3 years, 3 months ago
Calvinc, 3 years, 11 months ago
Calvinc, 3 years, 11 months ago
Rooks, 3 years, 10 months ago
Rooks, 3 years, 10 months ago