Certified in Risk and Information Systems Control (CRISC) — Question 1010
If preventive controls cannot be implemented due to technology limitations, which of the following should be done FIRST to reduce risk?
Answer options
- A. Redefine the business process to reduce the risk
- B. Evaluate alternative controls
- C. Develop a plan to upgrade technology
- D. Define a process for monitoring risk
Correct answer: B
Explanation
The first action should be to evaluate alternative controls, because this provides options for reducing risk immediately, without waiting for technology upgrades. Redefining the business process may help, but it does not directly address the lack of preventive controls. Developing a plan to upgrade technology is important, but it should come after current alternative controls have been assessed. Defining a monitoring process is beneficial, but it does not directly reduce the existing risk.