Certified in Risk and Information Systems Control (CRISC) — Question 259
What should a risk practitioner do NEXT if an ineffective key control is identified on a critical system?
Answer options
- A. Revalidate the risk assessment.
- B. Escalate to senior management.
- C. Propose acceptance of the risk.
- D. Conduct a gap analysis.
Correct answer: B
Explanation
The correct answer is B because escalating to senior management ensures that the issue is addressed at the appropriate level, so that the necessary decisions can be made and resources allocated. The other options, while important, do not address the immediate need to inform leadership about a critical control failure.