Certified in Risk and Information Systems Control (CRISC) — Question 576
An organization has outsourced an application to a Software as a Service (SaaS) provider. The risk associated with the use of this service should be owned by the:
Answer options
- A. service provider's IT manager
- B. service provider's risk manager
- C. organization's business process manager
- D. organization's vendor manager
Correct answer: C
Explanation
The correct answer is C, as the organization's business process manager is responsible for overseeing the integration and operational risks of the outsourced application. The service provider's IT manager and risk manager are focused on their own company's operations, while the vendor manager primarily handles supplier relationships, not specific application risks.