An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan.
Which of the following is the risk practitioner’s BEST course of action?
A . Revert the implemented mitigation measures until approval is obtained.
B . Validate the adequacy of the implemented risk mitigation measures.
C . Report the observation to the chief risk officer (CRO).
D . Update the risk register with the implemented risk mitigation actions.
Answer: B