Certified in Risk and Information Systems Control (CRISC) — Question 1247

Which of the following should be the PRIMARY consideration when identifying and assigning ownership of IT-related risk?

Answer options

• A. Accountability for control operation
• B. Accountability for losses due to impact
• C. Ability to design controls to mitigate the risk
• D. Span of control within the organization

Correct answer: A

Explanation

The primary focus should be on accountability for control operation, as it ensures that there is a clear responsibility for managing and executing risk controls. While the other options address important aspects of risk management, they do not directly relate to the accountability needed for effective control operations.