Exam CRISC topic 1 question 808 discussion

A is the correct answer - Page 117 CRISC Manual - Each risk must be linked to an individual who accepts ownership of the risk. The risk owner is tasked with making the decision of what the best response is to the identified risk and must be at a level in the organization where he or she is authorized to make decisions on behalf of the organization and can be held accountable for those decisions.

For effective risk ownership, it is crucial that risk owners have decision-making authority. This means that they are empowered to make decisions related to the identified risks, including implementing controls, making changes to processes, and taking actions to mitigate or respond to risks. Decision-making authority enables risk owners to actively manage and address risks within their areas of responsibility. While senior management oversight (Option B), segregation of duties (Option C), and alignment with IT system ownership (Option D) are important considerations, they are not as fundamental as ensuring that risk owners have the authority to make decisions about the risks they own.

A. Risk owners have decision-making authority. Effective risk ownership requires that risk owners have the authority and responsibility to make decisions regarding the management of the risks they own. This includes the authority to implement risk response plans, allocate resources, and take actions to mitigate or manage the risks within their domain. Without decision-making authority, risk ownership may lack the ability to effectively address and control risks, making it less meaningful in practice.

Agree with A.