Certified in Risk and Information Systems Control (CRISC) — Question 72

After a risk has been identified, who is in the BEST
position to select the appropriate risk treatment option?

Answer options

• A. The risk practitioner
• B. The risk owner
• C. The control owner
• D. The business process owner

Correct answer: B

Explanation

The risk owner is responsible for the risk and understands its implications, making them the most suitable person to decide on the treatment options. While the risk practitioner, control owner, and business process owner may provide valuable input, they do not have the same level of accountability or insight into the specific risk as the risk owner does.