Domain 3: Risk Response and Reporting Module 23 of 61

Module 23: Risk and Control Ownership

CRISC Domain 3 — Risk Response and Reporting, Section A
Accountability does not transfer. Ever.

This module is foundational.

CRISC expects you to understand clearly:

  • Who owns risk
  • Who owns controls
  • Who monitors
  • Who assures
  • Who escalates

If you confuse these roles, you will miss governance questions.


What the exam is really testing

When ownership appears, CRISC is asking:

  • Is accountability assigned to the correct party?
  • Is separation of duties preserved?
  • Is oversight independent from execution?
  • Is risk acceptance authorized appropriately?

CRISC heavily favors structural clarity.


Who owns risk?

Risk is owned by:

The business process owner.

Not IT, not security, not internal audit. The person responsible for the activity that creates the risk owns it.

Why?

Because they:

  • Benefit from the activity
  • Make strategic decisions
  • Accept or reject exposure
  • Are accountable for business impact

Security advises. Business decides.


Who owns controls?

Control ownership typically belongs to:

The party responsible for operating the control.

Example:

  • IT operations may own technical controls.
  • HR may own background checks.
  • Finance may own reconciliation controls.

Control ownership is operational.

Risk ownership is accountable.

They are not always the same.


Three Lines perspective

This module connects directly to Three Lines of Defense.

First Line — Management

  • Owns risk
  • Owns controls
  • Executes mitigation

Second Line — Risk Management / Security

  • Advises
  • Monitors
  • Challenges
  • Facilitates

Third Line — Internal Audit

  • Provides independent assurance

CRISC frequently tests violations of this structure.


The most common exam mistake

The trap here is assuming that security owns risk, or that risk managers can accept risk on behalf of the business. You will also see wrong answers where audit implements controls or IT owns all technology risk. CRISC strongly rejects all of these — business owns risk.


Example scenario (walk through it)

Scenario:
The IT security team identifies a high residual risk in a business application. The business unit decides to formally accept the risk.

Who must approve the risk acceptance?

A. Business process owner
B. Internal audit
C. IT security manager
D. External regulator

Correct answer:

A. Business process owner

Risk acceptance authority rests with the business owner.


Now consider this

A risk management team directly implements mitigation controls because business leadership is unresponsive.

What governance issue exists?

A. Weak inherent risk
B. Excessive appetite
C. Blurred separation of duties
D. Poor BIA

Correct answer:

C. Blurred separation of duties

Second line should advise and monitor — not execute controls.


Control ownership vs risk ownership

Important distinction:

A database administrator may own the access control mechanism.

But the business owner owns the risk of data exposure.

Control operator ≠ risk owner.

CRISC tests this nuance frequently.


Risk acceptance authority

Risk acceptance must be:

  • Documented
  • Approved by authorized management
  • Aligned with appetite
  • Escalated if exceeding tolerance

Risk managers do not “accept” risk.

They facilitate and document.


Vendor risk ownership trap

If risk is transferred to a vendor via contract:

Who owns the risk?

Still the business.

Accountability does not transfer.

Financial exposure may shift — governance does not.


Escalation discipline

If residual risk exceeds tolerance:

  • Business must escalate
  • Governance oversight required
  • Formal review required

If security unilaterally blocks the business without governance review, that may also be inappropriate.

CRISC prefers structured escalation — not unilateral enforcement.


Here’s where it gets tricky

Internal audit identifies a control failure and directs the IT team to redesign the control process.

What governance principle may be compromised?

A. Inherent risk assessment
B. Residual risk tracking
C. Risk appetite definition
D. Audit independence

Correct answer:

D. Audit independence

Audit provides assurance, not operational direction.


Quick knowledge check

1) Who owns risk associated with a business process?

A. IT department
B. Business process owner
C. Security team
D. Internal audit

Answer & reasoning

Correct: B

Risk ownership belongs to the business.


2) Who typically owns the operation of a technical control?

A. Internal audit
B. IT operations
C. Risk management
D. Board of directors

Answer & reasoning

Correct: B

Control ownership is operational.


3) Which line of defense provides independent assurance?

A. First line
B. Second line
C. Executive leadership
D. Third line

Answer & reasoning

Correct: D

Internal audit (third line) provides independent assurance.


Final takeaway

Risk ownership = business accountability.
Control ownership = operational responsibility.
Risk management = advisory and monitoring.
Audit = independent assurance.

If you blur those roles, governance fails.

If you blur those roles on the exam, expect to lose points. The exam is looking for clear lines between who owns, who advises, who assures, and who approves.
