Certified in Risk and Information Systems Control (CRISC) — Question 450

Which of the following should be the risk practitioner's FIRST course of action when an organization has decided to expand into new product areas?

Answer options

• A. Review existing risk scenarios with stakeholders.
• B. Present a business case for new controls to stakeholders.
• C. Revise the organization's risk and control policy.
• D. Identify any new business objectives with stakeholders.

Correct answer: D

Explanation

The correct answer is D because identifying new business objectives is crucial for understanding the scope and potential risks associated with the expansion. Options A, B, and C may be necessary later, but they should follow the identification of new objectives to ensure that risk management aligns with the organization's strategic goals.