A risk practitioner has been asked to mark an identified control deficiency as remediated, despite concerns that the risk level is still too high. Which of the following is the BEST way to address this concern?
A. Recommend implementation of additional compensating controls.
B. Review the organization’s risk appetite and tolerance.
C. Assess the residual risk against the organization’s risk appetite.
D. Prepare a risk acceptance proposal for senior management's consideration.
My understanding of this question is that the risk has already been determined to be above acceptable levels/risk appetite, hence the statement "still too high". So there is no need to assess the residual risk. Recommend implementing additional compensating controls to reduce the risk to acceptable levels.
C. Assess the residual risk against the organization’s risk appetite.
By assessing the residual risk in relation to the organization's risk appetite, the practitioner can determine if the remaining level of risk is acceptable within the organization's established thresholds. This approach is data-driven and aligns with standard risk management practices. It provides a clear basis for decision-making and can inform whether additional actions are required, such as implementing more controls or seeking formal risk acceptance from senior management.
tomiabiodun, 3 months ago
K5000ism, 8 months, 1 week ago
Kennethlim79, 9 months, 1 week ago
eblue, 11 months, 1 week ago