Certified in Risk and Information Systems Control (CRISC) — Question 1312
Of the following, who should be responsible for determining the inherent risk rating of an application?
Answer options
- A. Application owner
- B. Senior management
- C. Business process owner
- D. Risk practitioner
Correct answer: A
Explanation
The application owner is best positioned to determine the inherent risk rating because they have deep knowledge of the application's functionality and the potential risks associated with it. Senior management, business process owners, and risk practitioners may provide input, but they do not have the same level of insight into the specific application itself.