To effectively mitigate and manage risks during a crisis, organizations must implement a combination of preventive and reactive measures:
Preventive measures: These are proactive steps taken before a crisis to reduce the likelihood of occurrence (e.g., risk assessments, internal controls, security protocols).
Reactive measures: These are actions taken after a crisis occurs to minimize damage, restore operations, and recover from the event (e.g., business continuity plans, incident response strategies).
Analysis of Answer Choices:
(A) Incorrect – Only preventive measures.
While prevention is essential, not all crises can be avoided. Organizations also need response mechanisms.
(B) Incorrect – Alternative and reactive measures.
Alternative measures (e.g., backup systems) are part of risk management, but without prevention, risks may escalate.
(C) Incorrect – Preventive and alternative measures.
Alternative measures (e.g., backup resources) help maintain operations but do not directly address crisis response.
(D) Correct – Preventive and reactive measures.
Best practice in risk management includes both preventing crises and responding effectively when they occur.
IIA References and Internal Auditing Standards:
IIA’s Global Internal Audit Standards – Crisis Management and Business Resilience
Emphasizes the need for both prevention and response strategies.
COSO’s ERM Framework – Risk Management in Crisis Situations
Recommends a combination of risk avoidance, mitigation, and crisis response.
ISO 22301 – Business Continuity Management
Highlights the importance of preventive controls and reactive response planning.