Certified in Risk and Information Systems Control (CRISC) — Question 717

A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?

Answer options

• A. Business continuity director
• B. Business application owner
• C. Disaster recovery manager
• D. Data center manager

Correct answer: B

Explanation

The Business application owner is the individual who has the ultimate responsibility for the application and its performance, making them the appropriate person to accept the risk associated with its redundancy. The other roles, while important, do not hold the same level of authority over the application itself and may not fully understand the implications of the risk.