Certified in Risk and Information Systems Control (CRISC) — Question 686

A newly hired risk practitioner finds that the risk register has not been updated in the past year. What is the risk practitioner's BEST course of action?

Answer options

• A. Implement a process improvement and replace the old risk register
• B. Outsource the process for updating the risk register
• C. Identify changes in risk factors and initiate risk reviews
• D. Engage an external consultant to redesign the risk management process

Correct answer: C

Explanation

The best course of action is to identify changes in risk factors and initiate risk reviews (C) as this directly addresses the outdated information. Implementing a process improvement to replace the risk register (A) may not solve the underlying issue of risk identification. Outsourcing the updating process (B) does not ensure that the risks are accurately assessed and managed internally. Engaging an external consultant (D) might be useful, but it is not the most immediate step needed to address the critical updates required in the risk register.