Risk Control Assessment: Next Steps

Assessing Key Control Design Expectations


Question

A risk practitioner has determined that a key control does not meet design expectations.

Which of the following should be done NEXT?

Answers

Explanations


C.

When a risk practitioner determines that a key control does not meet design expectations, the next step should be to modify the design of the control, which is the best answer among the given options. The primary objective of a control is to mitigate or reduce the risk it is designed to address; a control that does not meet its design expectations is therefore likely to be ineffective against that risk. Modifying the control design is necessary to ensure that the control actually mitigates the identified risk.

The other options provided in the question are not appropriate as the next step after determining that a key control does not meet design expectations.

Option A, invoking the incident response plan, is not appropriate because the situation does not constitute an incident that requires invoking an incident response plan. An incident response plan is a predefined set of procedures that an organization follows when a security breach or incident occurs. A key control not meeting design expectations does not necessarily equate to a security breach or incident.

Option C, documenting the finding in the risk register, is also not appropriate because it is not the next logical step to take after determining that a key control does not meet design expectations. Documenting the finding in the risk register is important, but it should be done after the control design has been modified, and the effectiveness of the control has been reassessed.

Option D, re-evaluating key risk indicators, is not appropriate because it assumes that the key control is ineffective due to a change in the risk environment. However, the question specifically states that the control does not meet design expectations, which implies that the control design itself is flawed, rather than any changes in the risk environment.

In summary, the next step that a risk practitioner should take after determining that a key control does not meet design expectations is to modify the design of the control to ensure that it is effective in mitigating the identified risk.