1.9 Ownership & Accountability
For risk management to succeed, each identified risk should have an assigned owner who is accountable for it.
A risk should be owned by a senior official who has the authority and experience to select the appropriate risk response, based on the analysis and guidance provided by the risk practitioner.
Risk owners should also own the associated controls and ensure that those controls are adequate and effective.
Ownership should be assigned to a named individual rather than to a group or department. Allocating accountability to a department as a whole dilutes ownership, since no one person can be held to account.
Overall accountability for risk management lies with senior management and the board.
Risk ownership is best established by mapping each risk to the owner of the business process it affects.
The risk owner's details should be documented in the risk register.
Results of risk monitoring should be communicated to and discussed with the risk owner, who owns the risk and is accountable for keeping it within acceptable levels.