Certified in Risk and Information Systems Control (CRISC) — Question 720

A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied?

Answer options (as referenced in the explanation below)

A. Record the risk as accepted
B. Obtain the risk owner's approval
C. Inform senior management
D. Update the risk response plan

Correct answer: B

Explanation

The best course of action is to obtain the risk owner's approval (B), because the risk owner is accountable for the risk and must agree to the compensating control before it is applied. Recording the risk as accepted (A) does not address the need for immediate action; informing senior management (C) is less critical than obtaining the risk owner's consent; and updating the risk response plan (D) may be premature until the owner has approved the compensating control.