The correct answer is C because the process owner is the appropriate risk owner for a key business process, and therefore the most important action is to validate the decision with the process owner. An IT manager may provide operational input, but acceptance of business risk must be confirmed by the accountable business owner.
The other options are less important as the primary action:
A. Seek additional resources for risk mitigation may be worthwhile, but first the acceptance decision must be validated by the actual risk owner.
B. Document the business rationale for risk acceptance is necessary, but only after the correct owner has validated the decision.
D. Conduct a follow-up business process analysis may support the discussion, but the main issue is proper authority for accepting the risk.
Exact Extracts supporting the answer:
“For an IT system supporting a critical business process senior managers should be accountable for the risk.”
“For an organizational business unit the most accurate description of risk-related roles and responsibilities is that the management team owns the risk and is responsible for identifying assessing and mitigating risk and reporting to the appropriate support functions and the board of directors.”
“Accountability for a risk treatment plan lies with the risk owner.”
“The PRIMARY objective of risk reporting is to provide the risk owner with information to initiate risk response.”
“The risk practitioner’s primary role is to consult and recommend risk responses.”
These extracts show that the business or process owner is the accountable party for accepting risk associated with a key business process. Therefore, the risk practitioner should first validate the decision with the process owner.