CRISC Certified in Risk and Information Systems Control – Question192

You are the risk professional at Bluewell Inc. A risk has been identified, and the enterprise wants to implement a control quickly by applying a technical solution that deviates from the company's policies. What should you do?

A. Recommend against implementation because it violates the company's policies
B. Recommend revision of the current policy
C. Recommend a risk assessment and subsequent implementation only if residual risk is accepted
D. Conduct a risk assessment and allow or disallow based on the outcome

Correct Answer: C

Explanation:

If it is necessary to quickly implement a control by applying a technical solution that deviates from the company's policies, a risk assessment should be conducted to clarify the risk that the deviation introduces. The solution should then be implemented only if management accepts the residual risk; it is up to management, not the risk professional, to decide whether to accept the risk or to mitigate it.
Incorrect Answers:
A: Because the identified risk still needs to be mitigated, the risk professional should first recommend a risk assessment rather than simply rejecting the solution. The decision on whether to proceed despite the policy deviation is taken by management.
B: The recommendation to revise the current policy should not be triggered by a single request.
D: The risk professional can recommend a risk assessment when a company policy would be violated, but the assessment is conducted only when management allows it, and the decision to allow or disallow the solution rests with management, not with the risk professional.