Certified in Risk and Information Systems Control (CRISC) — Question 397
Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?
Answer options
- A. Monitor the residual risk level of the accepted risk.
- B. Escalate the risk decision to the project sponsor for review.
- C. Document the risk decision in the project risk register.
- D. Reject the risk acceptance and require mitigating controls.
Correct answer: B
Explanation
The best action is to escalate the risk decision to the project sponsor for review, because the sponsor has the authority to make decisions that align with the organization's risk appetite; a project team accepting risk beyond that appetite has exceeded its decision-making authority. Monitoring the residual risk or documenting the decision in the risk register would record the acceptance without addressing the fundamental issue, which is that the risk was accepted outside the approved appetite. Rejecting the acceptance outright and requiring mitigating controls may not be feasible if the project team has already agreed to it, and in any case that decision belongs to the sponsor, not the risk practitioner.