The correct answer isBbecause changes inIT risk tolerancehave the strongest influence on organizational strategy. Risk tolerance affects how much uncertainty the enterprise is willing to accept in pursuing objectives, and this directly shapes strategic decisions, priorities, investments, and response choices. In CRISC terms, governance and risk management must align with enterprise goals, objectives, and business requirements; therefore, when risk tolerance changes, organizational strategy is impacted at the highest level.
The other options are less significant from a strategic perspective:
A. Complexity of IT architecturemainly affects implementation and operational management.
C. Complexity of recovery plansis important for resilience and continuity, but it is not the primary strategic driver.
D. Methodology for IT risk identificationis a process consideration and does not influence enterprise strategy as much as a change in tolerance levels.
Exact Extracts supporting the answer:
“When selecting a risk response technique the foremost consideration should be the enterprise goals and objectives.”
“The most important aspect for an effective IT risk management process is aligning with enterprise risk management.”
“The primary goal of an enterprise’s IT risk management process is to protect the enterprise and its ability to perform its mission.”
“For successful IT delivery against business requirements it ' s crucial that risk appetite be aligned with business objectives.”
“Risk tolerance is the permissible deviation from declared risk appetite levels in an enterprise.”
Taken together, these extracts show that risk tolerance and risk appetite are directly linked to business objectives and enterprise decision-making. Because strategy is driven by those objectives, a change in risk tolerance has the greatest impact on organizational strategy.
