According to the CRISC exam content outline2, one of the tasks of a risk practitioner is to “report on risk, in line with organizational reporting requirements, to enable decision making andescalation”. Therefore, the first thing that the risk practitioner should do after discovering apolicy violation is to report the incident to the appropriate authority, such as the IT security manager or the risk management committee. This will ensurethat the incident is properly documented, investigated, and resolved, and that any potential impact or consequences are minimized.

The other options are not the first actions that the risk practitioner should take. Planning a security awareness session (B) may be a preventive measure to avoid future incidents, but it does not address the current one. Assessing the new risk © may be part of the risk response process, but it should be done after reporting the incident and gathering more information. Updating the risk register (D) may be a result of the risk assessment and response, but it should not be done before reporting the incident and following the organizational procedures.