Exam CRISC
Question 1186

A risk practitioner has been asked to mark an identified control deficiency as remediated, despite concerns that the risk level is still too high. Which of the following is the BEST way to address this concern?

    Correct Answer: C

    When faced with a control deficiency where the risk level is still considered too high, the best course of action is to assess the residual risk against the organization’s risk appetite. This involves measuring the remaining risk after existing controls have been applied and comparing it to the levels acceptable to the organization. This ensures that any decision to mark the deficiency as remediated is data-driven and aligned with the organization's established risk thresholds. If the residual risk is still above acceptable levels, further actions such as implementing additional controls or preparing a risk acceptance proposal can be considered based on this assessment.

Discussion
tomiabiodun (Option: A)

My understanding of this question is that the risk has already been determined to be above acceptable levels/risk appetite, hence the statement "still too high". So there is no need to assess the residual risk. Recommend implementing additional compensating controls to reduce the risk to acceptable levels.

K5000ism (Option: C)

C is the best initial action before implementing A and D. B is not relevant.

Kennethlim79 (Option: C)

C. Assess the residual risk against the organization’s risk appetite. By assessing the residual risk in relation to the organization's risk appetite, the practitioner can determine if the remaining level of risk is acceptable within the organization's established thresholds. This approach is data-driven and aligns with standard risk management practices. It provides a clear basis for decision-making and can inform whether additional actions are required, such as implementing more controls or seeking formal risk acceptance from senior management.

eblue (Option: D)

D seems the best answer.