After implementing a new web application, the risk owner reports that the residual risk level is still above the risk appetite. Which of the following should be the risk practitioner's FIRST action?
Trap 1: Escalate directly to the board
Escalation is premature before attempting additional treatment options.
Trap 2: Update the risk register to reflect the residual risk
Updating the register is necessary, but the first action is to address the unacceptable residual risk.
Trap 3: Accept the residual risk
The residual risk exceeds appetite, so acceptance is not appropriate without further mitigation.
- A. Re-evaluate risk treatment options with the risk owner
  The practitioner should collaborate with the risk owner to identify additional controls or modify existing ones.
- B. Escalate directly to the board
  Why wrong: Escalation is premature before attempting additional treatment options.
- C. Update the risk register to reflect the residual risk
  Why wrong: Updating the register is necessary, but the first action is to address the unacceptable residual risk.
- D. Accept the residual risk
  Why wrong: The residual risk exceeds appetite, so acceptance is not appropriate without further mitigation.