CRISC Certified in Risk and Information Systems Control – Question602

During testing, a risk practitioner finds the IT department’s recovery time objective (RTO) for a key system does not align with the enterprise’s business continuity plan (BCP). Which of the following should be done NEXT?

A.
Complete a risk exception form
B. Report the gap to senior management
C. Consult with the business owner to update the BCP
D. Consult with the IT department to update the RTO

Correct Answer: B