Certified in Risk and Information Systems Control (CRISC) — Question 725

An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:

Answer options

• A. business process owner.
• B. chief information officer.
• C. project manager.
• D. chief risk officer.

Correct answer: A

Explanation

The business process owner is best suited to manage the risk since they have direct oversight of the HR system and its processes. The chief information officer, project manager, and chief risk officer may be involved, but they do not have the same level of accountability for the specific processes and risks associated with the HR system.