Certified in Risk and Information Systems Control (CRISC) — Question 645
An organization's chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:
Answer options
- A. validate the CTO's decision with the business process owner.
- B. recommend that the CTO revisit the risk acceptance decision.
- C. identify key risk indicators (KRIs) for ongoing monitoring.
- D. update the risk register with the selected risk response.
Correct answer: A
Explanation
The best action for the risk practitioner is to validate the CTO's decision with the business process owner, ensuring alignment and understanding of the risk acceptance. Recommending a revisit of the decision (B) could undermine the CTO's authority, while identifying KRIs (C) and updating the risk register (D) are important but secondary actions that should follow the validation of the acceptance.