A compensating control is a temporary or alternative control that is implemented when the primary control for mitigating a risk is not feasible or available. A compensating control should provide a similar level of protection and assurance as the primary control, and should be aligned with the risk appetite and tolerance of the organization. The risk practitioner’s best course of action when a compensating control needs to be applied is to obtain the risk owner’s approval. The risk owner is the person who has the authority and accountability for managing a specific risk, and who is responsible for ensuring that the risk is within the acceptable level. The risk practitioner should consult with the risk owner to explain the situation, proposethe compensating control, and seek their approval before implementing it. This way, the risk practitioner can ensure that the compensating control is appropriate, effective, and acceptable for the risk owner, and that the risk owner is aware of and agrees with the change in the risk treatment. The other options are not the best course of action, as they do not involve the risk owner’s approval or input. Recording the risk as accepted in the risk register implies that the risk is not treated or reduced, which may not be the case with a compensating control. Informing senior management may be a good practice, but it does not ensure that the risk owner is involved or agrees with the compensating control. Updating the risk response plan may be a necessary step after implementing the compensating control, but it does not require the risk owner’s approval or consultation. References = 5 Key Risk Mitigation Strategies (With Examples), Risk Management 101: Process, Examples, Strategies