Certified in Risk and Information Systems Control (CRISC) — Question 425
Which of the following should a risk practitioner validate FIRST when a mitigating control cannot be implemented fully to support business objectives?
Answer options
- A. If the risk owner has accepted the risk
- B. If compensating controls have been implemented
- C. If insurance coverage has been obtained
- D. If business objectives continue to align with organizational goals
Correct answer: B
Explanation
The correct answer is B because validating the implementation of compensating controls is crucial when a primary mitigating control cannot be implemented fully. Options A, C, and D may be important considerations, but they do not directly address the immediate need to ensure adequate compensating measures are in place.