3.13 Control Ownership

  • The risk register should include the owner of each risk, who is accountable for managing that risk. The risk owner should be a senior official who can make decisions about managing the risk.

  • Mapping each risk to the relevant business processes is the best basis for establishing risk ownership. Risk ownership should be documented in the risk register. A risk register contains the details of each risk, such as its likelihood, potential impact, priority, mitigation status and risk owner.

  • There should be frequent communication between risk practitioners and risk owners about risk responses and control effectiveness.

  • Risk owners should ensure that residual risk stays within the organization's acceptable limit.

  • The results of continuous monitoring should be communicated to the risk owner, as they own the risk and are responsible for the appropriate risk response.


Key aspects from CRISC exam perspective


CRISC questions and possible answers:

  • What is the best basis for establishing risk ownership?
    Possible answer: To map risk to relevant business process

  • Risk ownership should be documented in
    Possible answer: Risk Register

  • To whom should the results of continuous monitoring best be communicated?
    Possible answer: Risk Owner


