CRISC Question #361: Real Exam Question with Answer & Explanation
The correct answer is D: Report the activity to the supervisor. Upon discovering a risk owner accepting gifts from a supplier whose products are used for risk mitigation, the risk practitioner's first action should be to report the activity to their supervisor.
Question
A risk practitioner learns that a risk owner has been accepting gifts from a supplier of IT products. Some of these IT products are used to implement controls and to mitigate risk to acceptable levels. Which of the following should the risk practitioner do FIRST?
Options
- A. Initiate disciplinary action against the risk owner.
- B. Reassess the risk and review the underlying controls.
- C. Review organizational ethics policies.
- D. Report the activity to the supervisor.
Explanation
Upon discovering a risk owner accepting gifts from a supplier whose products are used for risk mitigation, the risk practitioner's first action should be to report the activity to their supervisor.
Common mistakes
- A. Initiating disciplinary action is typically the role of HR or management, not the risk practitioner, and it should only occur after a proper investigation.
- B. While reassessing risk and reviewing controls is necessary, it is a subsequent step after reporting the ethical breach and addressing the conflict of interest.
- C. Reviewing ethics policies is important, but the immediate action upon discovering a potential violation is to report it, as the violation is already apparent.
Concept tested: risk practitioner ethical obligations and reporting.