Certified in Risk and Information Systems Control (CRISC) — Question 657

A risk practitioner has been hired to establish risk management practices to be embedded across an organization. Which of the following should be the FIRST course of action?

Answer options

• A. Integrate risk management into operational procedures.
• B. Engage key stakeholders in risk identification.
• C. Implement risk management controls throughout the organization.
• D. Establish an organization-wide risk taxonomy.

Correct answer: B

Explanation

The correct answer is B because engaging key stakeholders is crucial for accurately identifying risks that may not be evident otherwise. Without their input, any subsequent steps like integrating risk management or implementing controls may lack alignment with the organization's actual risk landscape. The other options are important but should follow after identifying risks with stakeholder involvement.