Certified in Risk and Information Systems Control (CRISC) — Question 1047
A risk practitioner has been asked to mark an identified control deficiency as remediated, despite concerns that the risk level is still too high. Which of the following is the BEST way to address this concern?
Answer options
- A. Recommend implementation of additional compensating controls.
- B. Review the organization’s risk appetite and tolerance.
- C. Assess the residual risk against the organization’s risk appetite.
- D. Prepare a risk acceptance proposal for senior management's consideration.
Correct answer: C
Explanation
The correct answer, C, focuses on evaluating the residual risk to ensure it aligns with the organization's risk appetite, which is crucial for informed decision-making. Options A and D do not directly address the concern about the remaining risk, while option B merely reviews the appetite without assessing the current risk situation.