(ISC)2 Certified in Cybersecurity Practice Exam


Prepare for the (ISC)2 Certified in Cybersecurity Exam with comprehensive quizzes and extensive question banks. Enhance your skills with detailed explanations and practice tests designed to improve your expertise for the certification exam. Get exam-ready now!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



Which approach involves not performing a business function due to the excessive impact or likelihood of a specific risk?

  1. Risk Mitigation

  2. Risk Acceptance

  3. Risk Avoidance

  4. Risk Transference

The correct answer is: Risk Avoidance

The approach of not performing a business function due to the excessive impact or likelihood of a specific risk is known as risk avoidance. This strategy entails fundamentally changing plans or processes to sidestep risks entirely, rather than mitigating or accepting them.

In practice, risk avoidance is applied when a potential risk poses too high a threat to the organization’s operations, reputation, or assets. By deciding against engaging in certain activities or adopting specific practices that would expose the organization to unacceptable levels of risk, businesses can protect themselves from possible negative outcomes. For example, a company might choose not to launch a particular product if there is a significant risk of failure in the market that could lead to considerable financial loss.

This contrasts with other strategies, such as risk mitigation, where efforts are made to reduce the impact of the risk, or risk acceptance, where the organization acknowledges the risk but decides to move forward anyway, usually because the impact is tolerable or manageable. Risk transference involves shifting the risk to another party, such as through insurance, which does not eliminate the risk but rather reallocates it.

Choosing risk avoidance is a proactive measure to eliminate potential threats altogether, ensuring that the organization maintains control over its operations and minimizes exposure to high-risk situations.