Which indicator reflects a successful risk management practice?

A successful risk management practice is reflected by minimizing residual risk. Residual risk is the amount of risk that remains after risk treatment has been applied. This acknowledges that while it's ideal to address as many risks as possible through controls and risk mitigation strategies, it is not always feasible or practical to eliminate all risks.

Minimizing residual risk means that the organization has implemented effective controls to manage risks to an acceptable level, ensuring that the remaining risk is understood, accepted, and monitored. This is a key aspect of a mature risk management framework, as it balances operational needs with security concerns, thereby fostering a proactive approach to risk management.

In contrast, tying control risk to business units (the first choice) does not inherently indicate successful risk management; it simply shows an alignment of risk management with business processes. Quantifying overall risk (the second choice) is a useful practice, but on its own doesn’t imply success in managing that risk effectively. Eliminating inherent risk (the fourth choice) is unrealistic because some level of inherent risk is always present in any business activity. Therefore, the focus should be on understanding and managing residual risk to achieve effective risk management.