3.5 Developing a Risk Action Plan

  • Risk practitioners should play a consultative role, assisting risk owners and helping them decide on appropriate risk responses.


  • The final decision on a risk response rests with the risk owner, but risk practitioners should guide the owner on technologies, policies, procedures, control effectiveness and the leveraging of existing controls.


  • If the current risk is above the risk appetite of the organization, a further risk response is required to bring the level of risk down.


  • Different alternatives for risk response are evaluated and analyzed, and the responses are prioritized on the basis of a cost-benefit analysis of each alternative.


  • Once a risk response is finalized, a risk action plan is created and documented in the risk register. The risk action plan should include a start date, an end date, details of the strategy, and details of the responsible person or team.


  • For effective implementation of an action plan, it is recommended to assign responsibility for implementing the plan to the concerned individuals, along with timelines for the implementation.


  • A risk action plan should be treated as a project. The critical path of the project should be monitored closely, because delays in these elements increase overall project risk.


  • Implemented controls should be reviewed at frequent intervals to ensure that the identified risk is kept at an acceptable level.



Key aspects from CRISC exam perspective



CRISC Question: How to ensure that identified risk is kept at an acceptable level?
Possible Answer: Periodic review of the control

CRISC Question: Risk action plan must include
Possible Answer:
  • Start date
  • End date
  • Responsible person
  • Detailed action plan

