The primary objective for selecting risk response options is to reduce risk to an acceptable level. Risk response options are the possible actions that can be taken to address the risks that have been identified and analyzed in the risk management process. Risk response options can be classified into four categories: avoid, transfer, mitigate, and accept for negative risks (or threats), and exploit, share, enhance, and accept for positive risks (or opportunities). The selection of the risk response options depends on various factors, such as the risk level, the risk appetite and tolerance, the cost and benefit, and the feasibility and availability of the options. The main goal of selecting the risk response options is to reduce the risk to a level that is acceptable to the organization, which means that the risk exposure is within the boundaries of the risk criteria and the risk appetite. The other options are not the primary objective for selecting risk response options, although they may be related or beneficial. Identifying compensating controls is a technique to implement additional or alternative controls when the existing controls are not effective or sufficient to reduce the risk to an acceptable level. Minimizing residual risk is a result of selecting and implementing the risk response options, but it is not the main purpose.
Residual risk is the risk that remains after the risk response, and it may or may not be acceptable depending on the risk appetite and tolerance. Reducing risk factors is a method to decrease the likelihood or impact of the risk by addressing the root causes or sources of the risk. However, reducing risk factors does not necessarily mean that the risk is reduced to an acceptable level, as there may be other factors or uncertainties that affect the risk. References = CRISC Review Manual, pages 32-331; CRISC Review Questions, Answers & Explanations Manual, page 862

Change management is the best way to prevent an unscheduled application of a patch, because it ensures that any changes to the IT environment are planned, approved, tested, and documented. Change management is a process that controls the implementation of changes to IT systems, applications, infrastructure, or processes. It aims to minimize the risk of disruption, errors, or failures caused by changes. Applying a patch is a type of change that may affect the security, functionality, or performance of an IT system or application. Therefore, applying a patch should follow the change management process and schedule, and avoid any unscheduled or unauthorized patching. Network-based access controls, compensating controls, and segregation of duties are all useful controls to protect the IT environment from unauthorized or malicious access, but they do not prevent an unscheduled application of a patch, as they do not address the change management process.
References = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.4.2, page 211

The best course of action for a system administrator who suspects a colleague may be intentionally weakening a system's validation controls in order to pass through fraudulent transactions is B. Share the concern through a whistleblower communication channel1 According to the CRISC Review Manual, a whistleblower communication channel is a mechanism that allows employees to report suspected fraud or unethical behavior without fear of retaliation or reprisal. A whistleblower communication channel is part of an effective fraud detection and prevention framework, and it helps to promote a culture of integrity and accountability within the organization2 The other options are not as effective or appropriate as sharing the concern through a whistleblower communication channel, because:
*A. Implementing compensating controls to deter fraud attempts may not address the root cause of the problem, and it may also create additional complexity and cost for the system. Moreover, it may not prevent the colleague from finding other ways to bypass the controls or collude with external parties.
*C. Monitoring the activity to collect evidence may expose the system administrator to legal or ethical risks, especially if the monitoring is done without proper authorization or due process. It may also delay the reporting and resolution of the issue, and potentially allow more fraudulent transactions to occur.
*D. Determining whether the system environment has flaws that may motivate fraud attempts may be useful for understanding the context and the factors that contribute to the fraud risk, but it does not address the immediate concern of reporting the suspected fraud. It may also imply that the system administrator is trying to justify or rationalize the colleague's behavior, rather than holding them accountable.
1: CRISC Review Questions, Answers & Explanations Database, Question ID: 100002 2: CRISC Review Manual, 7th Edition, page 224

Explanation/Reference:
Incorrect Answers:
A, B, D: Productivity, quality and customer service are used for evaluating critical service factor of any particular project.