The most concerning factor for a risk practitioner reviewing risk action plans for documented IT risk scenarios is that many action plans were discontinued after senior management accepted the risk. Risk action plans are documents that define the roles, responsibilities, procedures, and resources for implementing the risk responses and strategies for the IT risk scenarios. Risk action plans help to reduce, transfer, avoid, or accept the IT risks, and to monitor and report on the IT risk performance and improvement. Discontinuing risk action plans after senior management accepted the risk is a major concern, because it may indicate that the risk acceptance decision was not based on a proper risk analysis or evaluation, or that the risk acceptance decision was not communicated or coordinated with the relevant stakeholders, such as the board, management, business units, and IT functions. Discontinuing risk action plans after senior management accepted the risk may also create challenges or risks for the organization, such as compliance, legal, reputational, or operational risks, or conflicts or inconsistencies with the organization’s risk appetite, risk objectives, or risk policies. The other options are not as concerning as discontinuing risk action plans after senior management accepted the risk, although they may also pose some difficulties or limitations for the risk management process. Individuals outside IT managing action plans for the risk scenarios, target dates for completion missing from some action plans, and senior management approving multiple changes to several action plans are all factors that could affect the quality and timeliness of the risk management process, but they do not necessarily indicate a lack of risk management accountability or oversight. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.4.1, page 4-32.
