You're reviewing a partner company’s risk management process. You notice no documented risk appetite or tolerance levels. What’s the most immediate concern?
A. The inability to classify incidents
B. Lack of clear thresholds for risk decisions
C. No tracking of known vulnerabilities
D. A weak encryption implementation
Answer: B. Lack of clear thresholds for risk decisions
Risk appetite and tolerance define how much risk is acceptable. Without them, risk decisions are subjective and inconsistent.