Certified in Risk and Information Systems Control (CRISC) — Question 894
During a risk assessment, a risk practitioner learns that an IT risk factor is adequately mitigated by compensating controls in an associated business process.
Which of the following would enable the MOST effective management of the residual risk?
Answer options
- A. Recommend additional IT controls to further reduce residual risk.
- B. Request that ownership of the compensating controls be reassigned to IT.
- C. Schedule periodic reviews of the compensating controls' effectiveness.
- D. Report the use of compensating controls to senior management.
Correct answer: C
Explanation
Option C is correct because scheduling periodic reviews ensures that the effectiveness of the compensating controls is reassessed on an ongoing basis, so that residual risk is kept at the accepted level and timely adjustments can be made if the controls degrade. Option A adds IT controls to a risk that is already adequately mitigated, and option B changes who owns the controls without changing how the residual risk is managed, so neither directly addresses the management of residual risk. Option D, although informative, only reports the use of compensating controls and does not actively manage or mitigate the residual risk.