Certified in Risk and Information Systems Control (CRISC) — Question 1152

A control owner has decided to implement a compensating control instead of the control selected in the risk action plan. Which of the following is the risk practitioner's MOST important action after reassessing the risk?

Answer options

• A. Notify senior management of the control owner's decision.
• B. Seek approval of the change from the risk owner.
• C. Update control ownership in the risk register.
• D. Update policies relevant to the risk.

Correct answer: B

Explanation

The correct answer is B because obtaining the risk owner's approval is crucial to ensure that the changes made are acceptable and align with the risk management strategy. Option A is less critical since senior management may not need to be involved in every decision. Option C is not the priority immediately after reassessing the risk, and option D, while important for aligning policies, comes after ensuring that the risk owner is on board with the changes.