During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described IT risks. What is the MOST appropriate recommendation in this situation?
A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts
B. Use common industry standard aids to divide the existing risk documentation into several individual risks which will be easier to handle
C. No recommendation is necessary since the current approach is appropriate for a medium-sized organization
D. Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization's risk management