Certified in Risk and Information Systems Control (CRISC) — Question 353
During testing, a risk practitioner finds the IT department's recovery time objective (RTO) for a key system does not align with the enterprise's business continuity plan (BCP). Which of the following should be done NEXT?
Answer options
- A. Complete a risk exception form
- B. Report the gap to senior management
- C. Consult with the business owner to update the BCP
- D. Consult with the IT department to update the RTO
Correct answer: B
Explanation
The correct answer is B because senior management must be informed of any discrepancy that may affect the organization's resilience. Consulting the business owner or the IT department may well be needed afterwards, but the immediate priority is to make senior management aware that the system's RTO is misaligned with the BCP.