Isaca Certified in Risk and Information Systems Control CRISC Question # 306 Topic 31 Discussion

CRISC Exam Topic 31 Question 306 Discussion:

Question #: 306

Topic #: 31

An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner ' s BEST course of action?

Report the observation to the chief risk officer (CRO).

Validate the adequacy of the implemented risk mitigation measures.

Update the risk register with the implemented risk mitigation actions.

Revert the implemented mitigation measures until approval is obtained

Get Premium CRISC Questions

Explanation

This can help to:

Ensure that the implemented measures are effective and efficient in reducing the risk level to an acceptable level, and that they are aligned with the risk appetite and tolerance of the organization2.

Identify and address any gaps, issues, or challenges that may arise from the deviation from the approved risk action plan, and recommend and implement appropriate improvement actions or contingency plans3.

Communicate and report the results and outcomes of the validation to the relevant stakeholders, such as the risk owner, the risk committee, or the chief risk officer, and obtain their feedback and approval4.

The other options are not the best course of action, because:

Reporting the observation to the chief risk officer (CRO) is not the best course of action, as it may not provide sufficient information or evidence to support the deviation from the approved risk action plan. The CRO may not be able to evaluate or approve the implemented risk mitigation measures without knowing their adequacy or impact on the risk level5.

Updating the risk register with the implemented risk mitigation actions is not the best course of action, as it may not reflect the current or accurate risk status or performance. The risk register is a document that records and summarizes the key information and data about the identified risks and the risk responses6. Updating the risk register without validating the adequacy of the implemented risk mitigation measures may create inconsistencies or inaccuracies in the risk register.

Reverting the implemented mitigation measures until approval is obtained is not the best course of action, as it may expose the organization to higher or unacceptable levels of risk. Reverting the implemented mitigation measures may undo or negate the benefits or outcomes of the risk mitigation, and may increase the likelihood or impact of the risk events7.

References =

ISACA Risk Starter Kit provides risk management templates and policies

Risk Appetite and Tolerance - CIO Wiki

Risk Monitoring and Review - The National Academies Press

Risk Reporting - CIO Wiki

Chief Risk Officer - CIO Wiki

Risk Register - CIO Wiki

Risk Mitigation - CIO Wiki

Actual exam question for Isaca CRISC exam by Dune5055 at Mar 29, 2026, 11:00:10 PM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Pre-Summer Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: force70

Isaca Certified in Risk and Information Systems Control CRISC Question # 306 Topic 31 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 306 Topic 31 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Pre-Summer Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: force70

Isaca Certified in Risk and Information Systems Control CRISC Question # 306 Topic 31 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 306 Topic 31 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval