The risk practitioner’s best course of action when the residual risk is now within the organization’s defined appetite and tolerance levels is to verify the adequacy of risk monitoring plans. Risk monitoring is the process of tracking and reviewing the risk status and performance, and ensuring that the risk responses are effective and efficient1. Risk monitoring plans are the documents that specify the objectives, scope, methods, roles, and responsibilities for the riskmonitoring activities2. By verifying the adequacy of risk monitoring plans, the risk practitioner can:
Ensure that the risk monitoring plans are aligned with the organization’s risk strategy, objectives, and policies, and that they comply with the relevant standards and regulations3.
Evaluate whether the risk monitoring plans are comprehensive and consistent, and that they cover all the key aspects and indicators of the risks and the risk responses4.
Identify and address any gaps, issues, or challenges that may affect the implementation or outcome of the risk monitoring plans, and recommend and implement appropriate improvement actions5.
The other options are not the best course of action, because:
Identifying new risk entries to include in ERM is not a relevant or necessary course of action, as it is not directly related to the residual risk or the risk responses. ERM is the process of identifying, analyzing, evaluating, and managing the risks that may affect the organization’s strategic, operational, financial, or reputational objectives6. Identifying new risk entries is a part of the risk identification process, which is the first step in ERM. It should be performedperiodically or when there are significant changes in the internal or external environment, not when the residual risk is within the appetite and tolerance levels7.
Removing the risk entries from the ERM register is not a valid or advisable course of action, as it may create a false sense of security or complacency. The ERM register is a tool that records and summarizes the key information and data about the identified risks and the risk responses. Removing the risk entries from the ERM register may imply that the risks no longer exist or matter, which is not true. The risks may still occur or change, and the risk responses may still fail or become obsolete. Therefore, the risk entries should be kept and updated in the ERM register, unless the risks are completely eliminated or transferred.
Re-performing the risk assessment to confirm results is not an efficient or effective course of action, as it may be redundant or unnecessary. Risk assessment is the process of estimating the probability and impact of the risks, and prioritizing the risks based on their significance and urgency. Re-performing the risk assessment may not provide any new or useful information or insights, and may waste time and resources. Instead, the risk practitioner should verify and validate the risk assessment results, and ensure that they are accurate and reliable.
References =
Risk Monitoring - CIO Wiki
Risk Monitoring Plan - CIO Wiki
Risk Monitoring and Reporting - ISACA
Risk Monitoring and Control - Project Management Institute
Risk Monitoring and Review - The National Academies Press
Enterprise Risk Management - CIO Wiki
Risk Identification - CIO Wiki
[Risk Register - CIO Wiki]
[Risk Register: How to Use It in Project Management - ProjectManager.com]
[Risk Assessment - CIO Wiki]
[Risk Assessment Process - ISACA]
