Certified in Risk and Information Systems Control (CRISC) — Question 944

A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?

Answer options

• A. Validate the risk response with internal audit.
• B. Update the risk register.
• C. Evaluate outsourcing the process.
• D. Recommend avoiding the risk.

Correct answer: B

Explanation

The correct action is to update the risk register to reflect the current status and manage the identified risk accordingly. Validating with internal audit, evaluating outsourcing, or recommending avoidance are not immediate next steps when the risk is already insured and understood.