A risk practitioner is reviewing accountability assignments for data risk in the risk register. Which of the following would pose the GREATEST concern?
A. The risk owner is a staff member rather than a department manager.
B. The risk owner is in a business unit and does not report through the IT department.
C. The risk owner is not the control owner for associated data controls.
D. The risk owner is listed as the department responsible for decision making.
Straight from the CRISC book "a control should be owned by the owner of the risk that it mitigates. However, the control may be owned by someone else in the case of controls that affect more than one risk."
Something is missing in this question. Risk owner is a person, not a department/business unit. Also, the risk owner should be a senior person, not a staff member, so all of the options other than C are a concern.
A. The risk owner is a staff member rather than a department manager.
The greatest concern would be when the risk owner is a staff member rather than a department manager. Risk owners should typically be individuals with the appropriate level of authority and decision-making power to manage and address the risks effectively. Department managers or higher-level management personnel are better positioned to allocate resources, drive risk mitigation efforts, and ensure cross-functional collaboration when needed.
Would say D first, then A. Having a non-decision maker as the accountable person is not good, but second to not having a specific person assigned as the risk owner.
Correction, reason:
When the risk owner is not the control owner for associated data controls, it can lead to a lack of coordination and accountability in managing the risk. This is because the risk owner is responsible for identifying and managing risks, while the control owner is responsible for implementing and maintaining controls to mitigate those risks. If the risk owner and control owner are not the same person, it can be difficult to ensure that the controls are appropriate and effective in mitigating the identified risks, and that there is accountability for their implementation and effectiveness.
In summary, while the risk owner does not necessarily have to be the owner of the control, it is important to ensure that there is coordination and accountability between the two roles to effectively manage and mitigate risks.
To ensure accountability, the risk owner must be an individual, not a department or organization. On the other hand, the owner of the risk need not necessarily be the owner of the control, and the fact that it is not is not a concern.