According to the CRISC Review Manual (Digital Version), assessing changes in residual risk is the best approach for determining whether a risk action plan is effective, as it measures the impact and value of the risk response actions and controls on the risk level. Residual risk is the risk that remains after the risk response actions and controls have been implemented. Assessing changes in residual risk helps to:
Evaluate the extent to which the risk response actions and controls have reduced the likelihood and/or impact of the risk to an acceptable level
Identify and report any deviations, errors, or weaknesses in the risk response actions and controls and their performance
Recommend and implement corrective actions or improvement measures to address any issues or deficiencies in the risk response actions and controls
Monitor and measure the effectiveness and efficiency of the risk response actions and controls and their alignment with the organization’s risk appetite and risk tolerance
Update the risk register and the risk treatment plan to reflect the current risk status and the residual risk levels
References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.2: Risk Response Process, pp. 161-1621
