nerdexam
(ISC)2

CISSP · Question #1401

What action should be taken by a business line that is unwilling to accept the residual risk in a system after implementing compensating controls?

The correct answer is B. Purchase insurance to cover the residual risk.. Residual risk is the risk that remains after implementing controls to mitigate the original risk. If a business line is unwilling to accept the residual risk in a system, one possible action is to purchase insurance to cover the potential losses or damages that may result from th

Submitted by viktor_hu· Mar 5, 2026Security and Risk Management

Question

What action should be taken by a business line that is unwilling to accept the residual risk in a system after implementing compensating controls?

Options

  • ANotify the audit committee of the situation.
  • BPurchase insurance to cover the residual risk.
  • CImplement operational safeguards.
  • DFind another business line willing to accept the residual risk.

How the community answered

(57 responses)
  • A
    5% (3)
  • B
    84% (48)
  • C
    2% (1)
  • D
    9% (5)

Explanation

Residual risk is the risk that remains after implementing controls to mitigate the original risk. If a business line is unwilling to accept the residual risk in a system, one possible action is to purchase insurance to cover the potential losses or damages that may result from the residual risk. This is a form of risk transfer, which is one of the four risk management strategies, along with risk avoidance, risk mitigation, and risk acceptance. Notifying the audit committee, implementing operational safeguards, and finding another business line are not valid actions to deal with

Topics

#risk management#residual risk#risk mitigation#risk transfer

Community Discussion

No community discussion yet for this question.

Full CISSP Practice