Certified in Risk and Information Systems Control (CRISC) — Question 1171
The implementation of automated controls is taking longer than expected. The risk owner is concerned about the materialization of risk before full implementation of the automated controls. As a result, the risk owner has established interim manual controls. Which of the following actions is MOST important for the risk practitioner to perform?
Answer options
- A. Update the risk register to reflect the change in residual risk level.
- B. Perform a cost-benefit analysis of the manual controls.
- C. Ensure the same key risk indicators (KRIs) are used for both manual and automated controls.
- D. Assess the risk associated with changes in the effectiveness of the manual and automated controls.
Correct answer: D
Explanation
The correct answer is D because assessing the risk associated with the effectiveness of both control types is crucial to understanding how well risks are being managed during the transition. Updating the risk register (A) is important but secondary to evaluating risks, and a cost-benefit analysis (B) is less critical than understanding risk dynamics. Ensuring the use of the same KRIs (C) is useful but not as vital as assessing effectiveness during this interim period.