Certified in Risk and Information Systems Control (CRISC) — Question 377

Who is accountable for risk treatment?

Answer options

• A. Risk owner
• B. Risk mitigation manager
• C. Enterprise risk management team
• D. Business process owner

Correct answer: A

Explanation

The risk owner is the individual responsible for identifying, assessing, and managing risks, including the treatment of those risks. The risk mitigation manager and enterprise risk management team may assist or provide support, but ultimately, it is the risk owner who is accountable for the risk treatment process. The business process owner may have a role in the context of operational risks, but does not have the primary responsibility for risk treatment.