Certified in Risk and Information Systems Control (CRISC) — Question 1315
A risk practitioner learns that a risk owner has been accepting gifts from a supplier of IT products. Some of these IT products are used to implement controls and to mitigate risk to acceptable levels. Which of the following should the risk practitioner do FIRST?
Answer options
- A. Reassess the risk and review the underlying controls.
- B. Initiate disciplinary action against the risk owner.
- C. Report the activity to the supervisor.
- D. Review organizational ethics policies.
Correct answer: C
Explanation
The correct first action is to report the activity to the supervisor. Accepting gifts from a supplier whose products are used to implement controls is a potential conflict of interest, and the risk practitioner's role is to escalate such concerns through the appropriate channel rather than to investigate or adjudicate them alone. Initiating disciplinary action (B) is premature without an investigation and is not within the practitioner's authority. Reassessing the risk and reviewing the underlying controls (A) may well be needed, since the gifts could have biased which products were selected and whether they actually reduce risk to acceptable levels, but that follows escalation rather than preceding it. Reviewing organizational ethics policies (D) is a secondary step that does not address the immediate concern.