Certified in Risk and Information Systems Control (CRISC) — Question 109

An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?

Answer options

• A. Develop a compensating control
• B. Identify risk responses
• C. Allocate remediation resources
• D. Perform a cost-benefit analysis

Correct answer: B

Explanation

Identifying risk responses is crucial as it allows the organization to evaluate and select appropriate strategies to manage the risk that exceeds tolerance levels. Developing a compensating control, allocating resources, or performing a cost-benefit analysis might come later in the process but first, the organization must decide how to respond to the identified risk.