The correct answer is C because corrective action must be initiated by the party that owns the affected business process/risk. The risk report should go to the person or group that can take action, accept the risk, fund the treatment, or direct remediation. The uploaded CRISC notes state: “The PRIMARY objective of risk reporting is to provide the risk owner with information to initiate risk response,” and also state that ownership is best established by mapping identified risk to a specific business process.
The CFO, CRO, and CIO may need to be informed depending on severity, but the business process owner is the best recipient when the purpose is to initiate corrective action.