Certified in Risk and Information Systems Control (CRISC) — Question 497

A risk practitioner is reviewing accountability assignments for data risk in the risk register. Which of the following would pose the GREATEST concern?

Answer options

• A. The risk owner is a staff member rather than a department manager.
• B. The risk owner is in a business unit and does not report through the IT department.
• C. The risk owner is not the control owner for associated data controls.
• D. The risk owner is listed as the department responsible for decision making.

Correct answer: D

Explanation

Option D is the greatest concern because the risk owner should ideally be in a position to make informed decisions regarding risk management. If the risk owner is merely listed as the decision-making department without the authority or expertise, it could lead to ineffective risk management. The other options, while concerning, do not directly impact the decision-making authority as significantly as option D does.