When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios.
What should be the NEXT course of action?
A. Propose mitigating controls.
B. Assess management's risk tolerance.
C. Recommend that management accept the low risk scenarios.
D. Re-evaluate the risk scenarios associated with the control.
While reviewing management's IT control self-assessments, the risk practitioner noted an ineffective control that links to several risk scenarios currently rated as low residual risk. Residual risk is the risk that remains after controls are applied, so those low ratings were produced on the assumption that this control works. If the control is ineffective, the ratings can no longer be trusted: the actual residual risk may be materially higher than recorded. The NEXT course of action is therefore to re-evaluate the risk scenarios associated with the control (Option D).
Re-evaluating the scenarios lets the practitioner confirm that the risks were correctly identified, that the likelihood and impact assessments still hold without the control, and that the resulting residual risk is consistent with the organization's risk tolerance. Only after that re-evaluation can the practitioner say whether the residual risk is genuinely low and acceptable, or whether the scenarios have been under-rated.
Proposing mitigating controls (Option A) is a risk treatment step and would be appropriate if the re-evaluated residual risk turned out to exceed the organization's tolerance. Recommending new controls before the risk has been reassessed means spending effort on scenarios that may not need it, or on the wrong scenarios.
Assessing management's risk tolerance (Option B) is needed to judge whether a residual risk is acceptable, but it is a reference point for the re-evaluation rather than the next step: the practitioner must first establish what the residual risk actually is before comparing it with tolerance.
Recommending that management accept the low risk scenarios (Option C) would be premature. The low ratings were computed with the control assumed effective, so accepting them now would mean accepting risk whose true level is unknown. The practitioner needs to ensure that the residual risk has been properly re-evaluated and lies within the organization's risk tolerance before recommending acceptance.
Therefore, the most appropriate course of action would be to re-evaluate the risk scenarios associated with the control (Option D).