Certified in Risk and Information Systems Control (CRISC) — Question 255
Which of the following should be a risk practitioner's NEXT step upon learning the organization is not in compliance with a specific legal regulation?
Answer options
- A. Assess the likelihood and magnitude of the associated risk.
- B. Identify mitigation activities and compensating controls.
- C. Notify senior compliance executives of the associated risk.
- D. Determine the penalties for lack of compliance.
Correct answer: A
Explanation
The correct answer is A because assessing the likelihood and magnitude of the risk is the necessary first step to understand the potential impact on the organization. Options B, C, and D, while important, are subsequent steps that depend on the results of that initial risk assessment to inform appropriate action.