Module 23: Risk and Control Ownership

CRISC Domain 3 — Risk Response and Reporting, Section A
10–12 min read
You can assign responsibility.
You cannot outsource accountability.

This module is foundational.

CRISC expects you to understand clearly:

  • Who owns risk
  • Who owns controls
  • Who monitors
  • Who assures
  • Who escalates

If you confuse these roles, you will miss governance questions.


What the exam is really testing

When ownership appears, CRISC is asking:

  • Is accountability assigned to the correct party?
  • Is separation of duties preserved?
  • Is oversight independent from execution?
  • Is risk acceptance authorized appropriately?

CRISC heavily favors structural clarity.


Who owns risk?

Risk is owned by:

The business process owner.

Not IT.
Not security.
Not internal audit.

The person responsible for the activity that creates the risk owns it.

Why?

Because they:

  • Benefit from the activity
  • Make strategic decisions
  • Accept or reject exposure
  • Are accountable for business impact

Security advises.
Business decides.


Who owns controls?

Control ownership typically belongs to:

The party responsible for operating the control.

Example:

  • IT operations may own technical controls.
  • HR may own background checks.
  • Finance may own reconciliation controls.

Control ownership is operational.

Risk ownership is accountable.

They are not always the same.


Three Lines perspective

This module connects directly to Three Lines of Defense.

First Line — Management

  • Owns risk
  • Owns controls
  • Executes mitigation

Second Line — Risk Management / Security

  • Advises
  • Monitors
  • Challenges
  • Facilitates

Third Line — Internal Audit

  • Provides independent assurance

CRISC frequently tests violations of this structure.


The most common exam mistake

Candidates often assume:

  • Security owns risk.
  • Risk managers accept risk.
  • Audit implements controls.
  • IT owns all technology risk.

CRISC strongly rejects these assumptions.

Business owns risk.


Example scenario (walk through it)

Scenario:
The IT security team identifies a high residual risk in a business application. The business unit decides to formally accept the risk.

Who must approve the risk acceptance?

A. IT security manager
B. Internal audit
C. Business process owner
D. External regulator

Correct answer:

C. Business process owner

Risk acceptance authority rests with the business owner.


Slightly harder scenario

A risk management team directly implements mitigation controls because business leadership is unresponsive.

What governance issue exists?

A. Weak inherent risk
B. Blurred separation of duties
C. Excessive appetite
D. Poor BIA

Correct answer:

B. Blurred separation of duties

Second line should advise and monitor — not execute controls.


Control ownership vs risk ownership

Important distinction:

A database administrator may own the access control mechanism.

But the business owner owns the risk of data exposure.

Control operator ≠ risk owner.

CRISC tests this nuance frequently.


Risk acceptance authority

Risk acceptance must be:

  • Documented
  • Approved by authorized management
  • Aligned with appetite
  • Escalated if exceeding tolerance

Risk managers do not “accept” risk.

They facilitate and document.


Vendor risk ownership trap

If risk is transferred to a vendor via contract:

Who owns the risk?

Still the business.

Accountability does not transfer.

Financial exposure may shift — governance does not.


Escalation discipline

If residual risk exceeds tolerance:

  • Business must escalate
  • Governance oversight required
  • Formal review required

If security unilaterally blocks the business without governance review, that may also be inappropriate.

CRISC prefers structured escalation — not unilateral enforcement.


Slightly uncomfortable scenario

Internal audit identifies a control failure and directs the IT team to redesign the control process.

What governance principle may be compromised?

A. Inherent risk assessment
B. Audit independence
C. Risk appetite definition
D. Residual risk tracking

Correct answer:

B. Audit independence

Audit provides assurance, not operational direction.


Quick knowledge check

1) Who owns risk associated with a business process?

A. IT department
B. Security team
C. Business process owner
D. Internal audit

Answer & reasoning

Correct: C

Risk ownership belongs to the business.


2) Who typically owns the operation of a technical control?

A. Internal audit
B. Risk management
C. IT operations
D. Board of directors

Answer & reasoning

Correct: C

Control ownership is operational.


3) Which line of defense provides independent assurance?

A. First line
B. Second line
C. Third line
D. Executive leadership

Answer & reasoning

Correct: C

Internal audit (third line) provides independent assurance.


Final takeaway

Risk ownership = business accountability.
Control ownership = operational responsibility.
Risk management = advisory and monitoring.
Audit = independent assurance.

If you blur those roles, governance fails.

CRISC rewards candidates who preserve separation, accountability, and structured authority.
