The primary goal of an IT risk optimization process from a governance perspective is to ensure that the impact of IT risk to the enterprise is managed in alignment with the enterprise risk management (ERM) framework and the enterprise objectives. IT risk optimization is not only about defining thresholds, approving strategies or mapping metrics, but about ensuring that IT risk is effectively mitigated, monitored and communicated to support the achievement of enterprise goals. Reference := CGEIT Exam Content Outline, Domain 4: Risk Optimization1; Certified in Governance of Enterprise IT (CGEIT) Course, Learning Tree2

Compliance issues should be the primary consideration for the ERM committee because using a cloud-based CRM system in a multi-national context may involve different legal and regulatory requirements regarding data privacy, protection, localization, and transfer. The ERM committee should ensure that the company and the cloud service provider comply with the applicable laws and standards of each country where they operate, as well as the industry-specific regulations such as PCI DSS or GDPR. Compliance issues may also affect the security, vendor capability, and ROI of the cloud-based CRM system, as non-compliance may result in fines, penalties, reputational damage, or loss of customers. References:
CGEIT Review Manual 2021, Chapter 2: IT Risk Management, Section 2.3: Risk Response, page 751 CGEIT Review Questions, Answers & Explanations Manual 2021, Question 4, page 162 Cloud Compliance: What It Is + 8 Best Practices for Improving It2 Overcoming Compliance Issues in Cloud Computing | Tripwire3

Loss of data confidentiality represents the greatest risk for a large financial institution that is considering outsourcing customer call center operations, as it would expose sensitive customer and business information to unauthorized access, disclosure, or misuse by the chosen vendor or other third parties. Data confidentiality is especially important for financial institutions, as they deal with personal, financial, and transactional data that are subject to strict regulatory and legal requirements, such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS). A breach of data confidentiality could result in reputational damage, customer dissatisfaction, legal liability, and financial loss for the financial institution. The other options are not as great, as they are more related to the operational or performance aspects of outsourcing, rather than the security or compliance aspects of it. Reference: : CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.1: IT Risk Management Overview, Page 153 : CGEIT Review Manual (Digital Version), Chapter 5: Resource Optimization, Section 5.3: Security Resource Management, Subsection 5.3.1: Security Resource Management Overview, Page 192 : Offshore bank call centers face risks around privacy, resilience amid COVID-191 : Call Center Outsourcing Risks and How to Mitigate Them

Discretionary investments are those that are not mandatory or essential for the business, but may provide some benefits or opportunities. The IT strategy committee should evaluate whether the discretionary investment supports the corporate goals and aligns with the business strategy, as this is the most important criterion for IT governance and value creation. The technical feasibility, the business and technical scope, and the alignment with the EA are also important factors, but they are secondary to the strategic alignment and value proposition of the investment. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, p. 92-
93; Rethinking traditional technology budgeting processes; Discretionary Investment Management Definition, Benefits & Risks.