Which of the following should be a risk practitioner’s NEXT step upon learning the organization is not in compliance with a specific legal regulation?
A . Assess the likelihood and magnitude of the associated risk.
B . Identify mitigation activities and compensating controls.
C . Notify senior compliance executives of the associated risk.
D . Determine the penalties for lack of compliance.
Answer: A