Certified in Risk and Information Systems Control (CRISC) — Question 790

Who should be responsible for evaluating the residual risk after a compensating control has been applied?

Answer options

• A. Risk practitioner
• B. Compliance manager
• C. Risk owner
• D. Control owner

Correct answer: C

Explanation

The correct answer is C, the Risk owner, as they are ultimately responsible for understanding and evaluating the risks associated with their assets, including any residual risks after controls are applied. The other roles, while important, do not hold the same level of accountability for the risk evaluation process.