Certified in Risk and Information Systems Control (CRISC) — Question 785

A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner's FIRST course of action?

Answer options

• A. Submit a request to change management.
• B. Report the issue to internal audit.
• C. Review the business impact assessment.
• D. Conduct a risk assessment.

Correct answer: D

Explanation

The correct answer is D because conducting a risk assessment helps to evaluate the potential impact and likelihood of the identified deficiency, which is crucial for determining the appropriate response. The other options, while important, are not the immediate actions needed to address the discovered risk effectively.