After recent updates to the risk register, management has requested that the overall level of residual risk be reduced. Which of the following is the risk practitioner's BEST course of action?
A. Prioritize remediation plans.
B. Recommend the acceptance of low-level risk.
C. Develop new risk action plans with risk owners.
Going with C. At first I thought it was A, but then realized they were saying reduce residual risk, implying the controls are in place. Nothing to establish what, if any, remediation plans are in place. You want to lower residual risk, you make a plan to do so. Then A. comes into play to produce D. How's that for overthinking the question?
option A, to prioritize remediation plans.
Residual risk is the level of risk that remains after controls have been implemented. Management's request to reduce the overall level of residual risk indicates a desire to further mitigate risks that have not been effectively controlled by the current measures. In this scenario, the risk practitioner should prioritize the remediation plans that will have the greatest impact on reducing residual risk to achieve management's objective.
The risk mitigation plans developed earlier would be tailored to meet the residual risk (that was agreed upon earlier).
If the residual risk bar needs to be lowered further, the risk practitioner may have to develop a new risk plan with mitigation options (after consulting the business owners and other stakeholders). Hence prioritization of remediation plans can't be the answer.
Any thoughts, guys?
The goal is to reduce the level of residual risk. Residual risk implies controls are in place. C and D are the more relevant answers of the four. You would not want to jump right into implementing new controls without first undertaking C Develop new risk action plans with risk owners.
The risk practitioner's best course of action, in this case, would be to prioritize remediation plans. By focusing on addressing and mitigating the highest-priority risks first, the organization can effectively reduce the overall level of residual risk. This involves identifying and implementing measures to reduce the likelihood and impact of the most significant risks in the risk register.
While implementing additional controls (option D) may be a part of the remediation plans, it's essential to prioritize and focus efforts on the most critical risks to achieve the greatest impact. Developing new risk action plans with risk owners (option C) may also be necessary, but the emphasis should be on addressing the highest-priority risks first. Recommending the acceptance of low-level risk (option B) may not align with the goal of reducing the overall level of residual risk.
CbtL, 9 months ago
Koulyo, 9 months, 1 week ago
jseeker, 9 months, 3 weeks ago
CbtL, 9 months ago
Broesweelies, 9 months, 3 weeks ago
SuperMax, 1 month, 1 week ago
Ebucluc, 1 year, 3 months ago
Kozy, 1 year, 3 months ago