Certified in Risk and Information Systems Control (CRISC) — Question 39

Which of the following should be done FIRST when a new risk scenario has been identified?

Answer options

• A. Assess the risk awareness program
• B. Assess the risk training program
• C. Identify the risk owner
• D. Estimate the residual risk

Correct answer: C

Explanation

Identifying the risk owner is crucial because it establishes accountability for managing the risk. Without a designated owner, it becomes challenging to assess and mitigate the risk effectively. The other options, while important, are secondary steps that depend on knowing who will manage the risk.