The correct answer is C because the primary consideration when assigning ownership of IT-related risk is accountability for losses due to impact. Risk ownership should be assigned to the person or function with the authority and accountability for the business consequences if the risk materializes. Ownership should align with business accountability, not merely with the operation of technical controls.
The other options are less appropriate:
A. Accountability for control operation may belong to a control owner, but the control owner is not always the same as the risk owner.
B. Ability to design controls to mitigate the risk is relevant to implementation, not to primary ownership.
D. Span of control within the organization may influence practicality, but it is not the key principle for assigning risk ownership.
Exact Extracts supporting the answer:
“Accountability for business risk related to IT primarily lies with users of IT services.”
“For an IT system supporting a critical business process senior managers should be accountable for the risk.”
“For an organizational business unit the most accurate description of risk-related roles and responsibilities is that the management team owns the risk and is responsible for identifying assessing and mitigating risk and reporting to the appropriate support functions and the board of directors.”
“The best basis for establishing risk ownership is mapping identified risk to a specific business process.”
“During the risk assessment process it is most important to establish a clear line of accountability to ensure that risk ownership is assigned to the appropriate level.”
These extracts show that risk ownership must align with the party accountable for the business impact of the risk. Therefore, the primary consideration is accountability for losses due to impact.