Certified in Risk and Information Systems Control (CRISC) — Question 339

During a control review, the control owner states that an existing control has deteriorated over time. What is the BEST recommendation to the control owner?

Answer options

• A. Escalate the issue to senior management
• B. Discuss risk mitigation options with the risk owner
• C. Certify the control after documenting the concern
• D. Implement compensating controls to reduce residual risk

Correct answer: B

Explanation

The best recommendation is to discuss risk mitigation options with the risk owner, as this allows for a targeted approach to address the deterioration. Escalating the issue to senior management or certifying the control does not directly resolve the underlying risk. Implementing compensating controls may also help, but it is more effective to first explore mitigation strategies with the risk owner.