Certified in Risk and Information Systems Control (CRISC) — Question 1422

Who is PRIMARILY accountable for risk treatment decisions?

Answer options

• A. Risk manager
• B. Business manager
• C. Data owner
• D. Risk owner

Correct answer: D

Explanation

The Risk owner is primarily accountable for risk treatment decisions as they have the authority and responsibility for managing specific risks. The Risk manager may facilitate the process, while the Business manager and Data owner may have roles in risk management, but they do not hold the ultimate accountability for risk treatment decisions.