An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner’s BEST course of action?
A. Revert the implemented mitigation measures until approval is obtained.
B. Validate the adequacy of the implemented risk mitigation measures.
C. Report the observation to the chief risk officer (CRO).
D. Update the risk register with the implemented risk mitigation actions.
A. Revert the implemented mitigation measures until approval is obtained.
B. Validate the adequacy of the implemented risk mitigation measures.
C. Report the observation to the chief risk officer (CRO).
D. Update the risk register with the implemented risk mitigation actions.