Isaca Certified in Risk and Information Systems Control CRISC Question # 171 Topic 18 Discussion

CRISC Exam Topic 18 Question 171 Discussion:

Question #: 171

Topic #: 18

An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner's BEST course of action?

Report the observation to the chief risk officer (CRO).

Validate the adequacy of the implemented risk mitigation measures.

Update the risk register with the implemented risk mitigation actions.

Revert the implemented mitigation measures until approval is obtained

Get Premium CRISC Questions

Explanation

This can help to:

Ensure that the implemented measures are effective and efficient in reducing the risk level to an acceptable level, and that they are aligned with the risk appetite and tolerance of the organization2.

Identify and address any gaps, issues, or challenges that may arise from the deviation from the approved risk action plan, and recommend and implement appropriate improvement actions or contingency plans3.

Communicate and report the results and outcomes of the validation to the relevant stakeholders, such as the risk owner, the risk committee, or the chief risk officer, and obtain their feedback and approval4.

The other options are not the best course of action, because:

Reporting the observation to the chief risk officer (CRO) is not the best course of action, as it may not provide sufficient information or evidence to support the deviation from the approved risk action plan. The CRO may not be able to evaluate or approve the implemented risk mitigation measures without knowing their adequacy or impact on the risk level5.

Updating the risk register with the implemented risk mitigation actions is not the best course of action, as it may not reflect the current or accurate risk status or performance. The risk register is a document that records and summarizes the key information and data about the identified risks and the risk responses6. Updating the risk register without validating the adequacy of the implemented risk mitigation measures may create inconsistencies or inaccuracies in the risk register.

Reverting the implemented mitigation measures until approval is obtained is not the best course of action, as it may expose the organization to higher or unacceptable levels of risk. Reverting the implemented mitigation measures may undo or negate the benefits or outcomes of the risk mitigation, and may increase the likelihood or impact of the risk events7.

References =

ISACA Risk Starter Kit provides risk management templates and policies

Risk Appetite and Tolerance - CIO Wiki

Risk Monitoring and Review - The National Academies Press

Risk Reporting - CIO Wiki

Chief Risk Officer - CIO Wiki

Risk Register - CIO Wiki

Risk Mitigation - CIO Wiki

Actual exam question for Isaca CRISC exam by Rune4177 at Nov 18, 2025, 10:39:43 PM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Month End Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: simple70

Isaca Certified in Risk and Information Systems Control CRISC Question # 171 Topic 18 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 171 Topic 18 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Month End Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: simple70

Isaca Certified in Risk and Information Systems Control CRISC Question # 171 Topic 18 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 171 Topic 18 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval