Certified in Risk and Information Systems Control (CRISC) — Question 496
Which of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?
Answer options
- A. Remove risk that management has decided to accept.
- B. Remove risk only following a significant change in the risk environment.
- C. Remove risk when mitigation results in residual risk within tolerance levels.
- D. Remove risk that has been mitigated by third-party transfer.
Correct answer: B
Explanation
The correct answer is B because it ties changes to the risk register to monitoring of the risk environment: a risk is removed only once a significant change in that environment warrants it. Options A and D suggest removal based on a management decision or a third-party action, neither of which accounts for the ongoing nature of risk assessment. Option C focuses on residual risk but does not consider the broader context of changes in the risk environment.