Organizations are facing different types of risks that hinder the pursuit of organizational objectives. As a security professional, you are a member of the risk management program. Which of the following is the least likely to conduct when establishing the risk context?
A. Determine risk tolerance
B. Provide a reference risk model
C. Build enterprise architecture
D. Assign a risk executive

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Build enterprise architecture.

Establishing a risk context is the first step in risk management. It may involve activities such as organization analysis, defining scope, assigning a risk executive (function), determining risk tolerance and risk criteria, providing a reference risk model, etc.

Building enterprise architecture may initiate a standalone project or program and not be included in the process of establishing a risk context.