Certified in Risk and Information Systems Control (CRISC) — Question 1418
During an IT department reorganization, the manager of a risk mitigation action plan was replaced. The new manager has begun implementing a new control after identifying a more effective option. Which of the following is the risk practitioner's BEST course of action?
Answer options
- A. Communicate the decision to the risk owner for approval
- B. Identify an owner for the new control
- C. Modify the action plan in the risk register
- D. Seek approval from the previous action plan manager
Correct answer: A
Explanation
The best course of action is to communicate the decision to the risk owner for approval, because the risk owner must be informed of the new control and agree to it. Identifying an owner for the new control and modifying the action plan in the risk register are important but come after approval is obtained. Seeking approval from the previous action plan manager is not relevant, as that person is no longer in charge.