Certified in Risk and Information Systems Control (CRISC) — Question 1409
An organization has outsourced its accounts payable function to an external service provider that does not have an effective business continuity pian (BCP) in place. Who owns the associated risk?
Answer options
- A. Service provider
- B. Business continuity manager
- C. Business process owner
- D. The vendor's risk manager
Correct answer: C
Explanation
The business process owner is ultimately responsible for the risks associated with the outsourced function, even if it is managed by an external service provider. The service provider's lack of a business continuity plan does not transfer the ownership of risk away from the business process owner. The other options, while related, do not have the direct accountability for the risk associated with the accounts payable function.