An organization's internal auditors have identified a new IT control deficiency in the organization's identity and access management (IAM) system. It is most important for the risk practitioner to:
A. perform a follow-up risk assessment to quantify the risk impact
B. verify that applicable risk owners understand the risk
C. implement compensating controls to address the deficiency
D. recommend replacement of the deficient system
B. verify that applicable risk owners understand the risk
When a control deficiency is identified, the primary responsibility of the risk practitioner is to ensure that the relevant risk owners are aware of and understand the implications of the deficiency. Only with this understanding can the risk owners make informed decisions about whether to address the risk and how to do so. Once the risk is understood, other actions such as performing follow-up assessments, implementing compensating controls, or recommending system changes can be considered.
Going with "C". Guys, we are focusing on the role of the risk practitioner in risk management rather than how the risk should be mitigated. In similar questions here on ExamTopics, when a control is ineffective, we should look for alternative controls. If it is about the role of the risk practitioner (that he/she does not implement controls), then "A" or "B". However, the word "quantify" in "A" is misleading.
I am caught between A and B. The question asks what is most important, and communicating the risk to the risk owners seems the most important. The risk assessment would come first, but does that make it most important?
An organization's internal auditors have identified a new IT control deficiency in the organization's identity and access management (IAM) system. It is most important for the risk practitioner to:
A. perform a follow-up risk assessment to quantify the risk impact -> this is the most important step because it underpins any action that will follow.
B. verify that applicable risk owners understand the risk -> this is important but is an intermediary step between analyzing/understanding the risk and taking corrective action
C. implement compensating controls to address the deficiency -> the risk practitioner does not implement controls
D. recommend replacement of the deficient system -> we don't know at this time that replacing the deficient system is an appropriate response
Is the risk manager to implement the control? I don't think so. It's not C.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other