Certified in Risk and Information Systems Control (CRISC) — Question 569
A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which of the following is the risk practitioner’s BEST course of action?
Answer options
- A. Collaborate with the risk owner to determine the risk response plan.
- B. Include a right to audit clause in the service provider contract.
- C. Advise the risk owner to accept the risk.
- D. Document the gap in the risk register and report to senior management.
Correct answer: A
Explanation
Collaborating with the risk owner to develop a risk response plan is the best action because it proactively addresses the misalignment between the agreed RTO and business expectations. Merely including a right-to-audit clause, advising the risk owner to accept the risk, or documenting the gap without acting on it would not effectively mitigate the identified risk.