You are the risk professional at Bluewell Inc. A risk has been identified, and the enterprise wants to
quickly implement a control by applying a technical solution that deviates from the company's policies.
What should you do?
A.
Recommend against implementation because it violates the company’s policies
B.
Recommend revision of the current policy
C.
Recommend a risk assessment and subsequent implementation only if residual risk is accepted
D.
Conduct a risk assessment and allow or disallow based on the outcome
Explanation:
Answer C is correct. If it is necessary to quickly implement a control by applying a technical solution
that deviates from the company's policies, a risk assessment should be conducted first to clarify the
risk that the deviation introduces. It is then up to management to accept the residual risk or to
mitigate it; the control should be implemented only if management accepts that residual risk.
Answer D is incorrect. The risk professional can recommend a risk assessment when a policy would be
violated, but the assessment is carried out only with management's approval, and the decision to allow
or disallow the deviation belongs to management, not to the risk professional.
Answer A is incorrect. In this case it is important to mitigate the identified risk, so the risk
professional should at least recommend a risk assessment rather than simply rejecting the control.
The decision on whether to proceed in spite of the policy violation is taken by management.
Answer B is incorrect. A revision of the current policy should not be triggered by a single request.