Certified in Risk and Information Systems Control (CRISC) — Question 1438

An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner's BEST course of action?

Answer options

• A. Revert the implemented mitigation measures until approval is obtained.
• B. Validate the adequacy of the implemented risk mitigation measures.
• C. Report the observation to the chief risk officer (CRO).
• D. Update the risk register with the implemented risk mitigation actions.

Correct answer: B

Explanation

The correct answer is B because validating the adequacy of implemented risk mitigation measures is essential to ensure they are effective despite not aligning with the original plan. Reverting measures (A) could hinder risk management efforts, while simply reporting (C) or updating the risk register (D) does not address the immediate need to assess the effectiveness of what is already in place.