Certified in Risk and Information Systems Control (CRISC) — Question 19

After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:

Answer options

• A. inform the IT manager of the concerns and propose measures to reduce them
• B. inform the process owner of the concerns and propose measures to reduce them
• C. inform the development team of the concerns, and together formulate risk reduction measures
• D. recommend a program that minimizes the concerns of that production system

Correct answer: B

Explanation

The correct answer is B because the process owner has the direct responsibility for the production system and can implement the necessary changes. Informing the IT manager (A) or the development team (C) may not lead to direct action on the concerns, while a general recommendation (D) lacks the specificity needed for effective risk management.