Certified in Risk and Information Systems Control (CRISC) — Question 903

Which of the following should be a risk practitioner's NEXT step after learning of an incident that has affected a competitor?

Answer options

• A. Develop risk scenarios.
• B. Implement compensating controls.
• C. Activate the incident response plan.
• D. Update the risk register.

Correct answer: A

Explanation

The next step for a risk practitioner is to develop risk scenarios to understand potential vulnerabilities and consequences that could affect their own organization. Implementing compensating controls, activating the incident response plan, or updating the risk register are actions that may follow, but the immediate focus should be on assessing and anticipating risks based on the incident.