Upon discovering that an IT control has failed, the risk practitioner's most important action is to review compensating controls. This involves assessing whether other existing controls can mitigate the risk associated with the failed control. Evaluating compensating controls helps determine the immediate impact of the control failure and guides decisions on necessary remediation steps.
[Reference: ISACA CRISC Review Manual, 7th Edition, Chapter 3: Risk Response and Reporting, Section: Control Monitoring and Reporting.]