
1.9 Ownership & Accountability


  • For successful risk management, each risk should have assigned ownership and accountability.

  • Risk should be owned by a senior official who has the necessary authority and experience to select the appropriate risk response, based on the analyses and guidance provided by the risk practitioner.

  • Risk owners should also own the associated controls and ensure the effectiveness and adequacy of those controls.

  • Risk should be assigned to an individual employee rather than to a group or a department. Allocating accountability to a department as a whole circumvents ownership, because no single person is answerable for the risk.

  • Accountability for risk management lies with senior management and the board.

  • Risk ownership is best established by mapping each risk to a specific business process owner.

  • Details of the risk owner should be documented in the risk register.

  • Results of risk monitoring should be discussed and communicated with the risk owner, as the owner owns the risk and is accountable for keeping it within acceptable levels.

Key aspects from CRISC exam perspective

CRISC Question: Best way to assign risk ownership
Possible Answer: Mapping risk to a specific business process owner

CRISC Question: Risk ownership is documented in
Possible Answer: Risk register

CRISC Question: Accountability for risk ultimately belongs to
Possible Answer:
  • Board of Directors
  • Senior Management

CRISC Question: What is the purpose of the audit trail?
Possible Answer: To establish accountability

CRISC Question: Result of risk monitoring should be mandatorily communicated to
Possible Answer: Risk owner
