In order to determining a risk is under-controlled the risk practitioner will need to

 To determine if a risk is under-controlled, the risk practitioner will need to understand the risk tolerance. Risk tolerance is the acceptable or allowable level of variation or deviation from the expected or desired outcomes or objectives. Risk tolerance reflects the amount and type of risk that the organization is willing and able to take. A risk is under-controlled when the risk exposure exceeds the risk tolerance, meaning that the organization is taking on more risk than it can handle or afford. Therefore, the risk practitioner will need to understand the risk tolerance to compare it with the risk exposure and identify the gap or difference. The other options are not as relevant as understanding the risk tolerance, as they are related to the monitoring, identification, or determination of the risk or the IT performance, not the comparison or evaluation of therisk. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.4: IT Risk Response, page 87.