Mastering Risk and Control Ownership for CRISC
Introduction
In the realm of Certified in Risk and Information Systems Control (CRISC), understanding the distinction between Risk Ownership and Control Ownership is fundamental to effective enterprise risk management. Without clear ownership, risks remain unmanaged, and controls often fail due to a lack of maintenance, leading to the 'tragedy of the commons' where everyone assumes a risk is someone else's problem.
What is Risk and Control Ownership?
Risk Ownership refers to the individual or function with the accountability for a specific risk. This person has the authority to make decisions regarding how to treat the risk (accept, avoid, mitigate, or transfer) and is accountable for the impact of that risk on business objectives.
Control Ownership refers to the individual or team responsible for the design, implementation, and effective operation of a specific internal control. While they ensure the control works, they do not necessarily accept the risk associated with the failure of that control.
Why is it Important?
- Accountability: Ensuring a specific person is answerable prevents ambiguity during a crisis.
- Alignment: It aligns risk management with business objectives, as risk owners are typically senior business leaders.
- Maintenance: Control owners ensure that safeguards (technical or administrative) remain updated and effective over time.
- Gap Analysis: Clear ownership makes it easier to identify gaps where risks exist without designated oversight.
How it Works in Practice
The relationship works through a structured flow, typically documented in the Risk Register:
1. Assignment: During risk identification, a Risk Owner (usually a Business Process Owner) is assigned.
2. Decision: The Risk Owner decides on a response strategy (e.g., Mitigate).
3. Implementation: If mitigation is chosen, a Control Owner is assigned to deploy specific controls (e.g., the IT Manager implements a firewall).
4. Reporting: The Control Owner reports on strict metrics (KPIs/KRIs) to the Risk Owner regarding the control's performance.
5. Review: The Risk Owner reviews these reports to ensure the residual risk remains within the organization's risk appetite.
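The five-step flow above is easy to automate once the Risk Register is held as structured data. The following Python model is an added example, not part of the original article or of any CRISC publication: it represents risks (with an accountable Risk Owner) and controls (with a responsible Control Owner), runs the gap analysis that reports missing ownership, reviews residual risk against the appetite with escalation when it is exceeded, and, on a control failure, produces the notifications to the Control Owner (fix it) and the Risk Owner (the risk profile changed). The scoring scheme (likelihood x impact, each operating control lowering likelihood by one step), the appetite threshold of 12 and all register entries are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed threshold for this example: residual score (likelihood * impact)
# must stay at or below this for the Risk Owner to accept the residual risk.
RISK_APPETITE = 12


@dataclass
class Control:
    control_id: str
    description: str
    control_owner: Optional[str]   # Responsible: designs, implements and operates the control
    operating: bool = True         # set to False once the control is known to have failed


@dataclass
class Risk:
    risk_id: str
    description: str
    risk_owner: Optional[str]      # Accountable: usually the Business Process Owner
    response: str                  # accept | avoid | mitigate | transfer
    likelihood: int                # 1-5 (constructed scale)
    impact: int                    # 1-5 (constructed scale)
    controls: List[Control] = field(default_factory=list)

    def residual_score(self) -> int:
        # Constructed scoring: each operating control lowers likelihood by one
        # step (floor of 1); a failed control contributes nothing.
        operating = sum(1 for c in self.controls if c.operating)
        return max(1, self.likelihood - operating) * self.impact


def ownership_gaps(register: List[Risk]) -> List[str]:
    """Gap analysis: every risk needs an accountable Risk Owner, every control a
    responsible Control Owner, and a 'mitigate' decision with no control is an
    unimplemented treatment."""
    findings = []
    for r in register:
        if not r.risk_owner:
            findings.append(f"{r.risk_id}: no Risk Owner assigned")
        if r.response == "mitigate" and not r.controls:
            findings.append(f"{r.risk_id}: response is 'mitigate' but no control assigned")
        for c in r.controls:
            if not c.control_owner:
                findings.append(f"{r.risk_id}/{c.control_id}: no Control Owner assigned")
    return findings


def review(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Step 5: within appetite the Risk Owner may accept the residual risk;
    above it, sign-off escalates to the Risk Committee / Senior Management."""
    score = risk.residual_score()
    if score <= appetite:
        return f"{risk.risk_id}: residual {score} within appetite; {risk.risk_owner} may accept"
    return (f"{risk.risk_id}: residual {score} exceeds appetite {appetite}; "
            "escalate to Risk Committee / Senior Management")


def record_control_failure(register: List[Risk], control_id: str) -> List[str]:
    """A failed control must be fixed by its Control Owner, and the Risk Owner
    of every risk relying on it is informed because the residual risk changed.
    Returns the notifications to send."""
    notices = []
    for r in register:
        for c in r.controls:
            if c.control_id == control_id:
                before = r.residual_score()
                c.operating = False
                after = r.residual_score()
                notices.append(f"to {c.control_owner}: fix {control_id}")
                notices.append(f"to {r.risk_owner}: {control_id} failed, "
                               f"{r.risk_id} residual {before} -> {after}")
    return notices


def build_sample_register() -> List[Risk]:
    # Constructed sample register for the example.
    firewall = Control("CTL-1", "Perimeter firewall", control_owner="IT Manager")
    return [
        Risk("R-1", "Unauthorised access to order system", "Head of Sales", "mitigate", 4, 4, [firewall]),
        Risk("R-2", "Payroll data leak", None, "mitigate", 3, 5),
        Risk("R-3", "Vendor outage", "Head of Operations", "transfer", 2, 3),
    ]


if __name__ == "__main__":
    reg = build_sample_register()
    for finding in ownership_gaps(reg):
        print("GAP:", finding)
    for r in reg:
        print(review(r))
    for notice in record_control_failure(reg, "CTL-1"):
        print("NOTIFY:", notice)
    print(review(reg[0]))   # R-1 now exceeds appetite and escalates
```

Running the block shows the three situations the article describes: R-2 is reported twice by the gap analysis (no Risk Owner, and a mitigation decision with nothing implementing it), R-1 sits exactly at the appetite while its firewall operates, and once CTL-1 fails the Risk Owner of R-1 is notified and the next review escalates rather than letting the Risk Owner accept.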
Exam Tips: Answering Questions on Risk and Control Ownership
When facing CRISC exam questions on this topic, apply the following logic to identify the correct answer:
1. The Golden Rule of Ownership
The Risk Owner is almost always the Business Process Owner or the Head of the Department.
Exam Trap: Do NOT select the CISO, the Risk Practitioner, or the IT Department as the risk owner unless the risk is exclusively internal to IT operations. The business makes the money; therefore, the business owns the risk to that money.
2. Accountability vs. Responsibility (RACI)
Look for the distinction between Accountable and Responsible.
The Risk Owner is Accountable (the one neck on the line).
The Control Owner is Responsible (the hands doing the work).
3. Sign-off Authority
If a question asks who has the authority to accept a risk, it is the Risk Owner. However, if the residual risk exceeds the defined risk appetite, the authority escalates to the Risk Committee or Senior Management.
4. The Role of the Risk Practitioner
As a CRISC candidate, remember your role is not to own the risk. Your role is to facilitate the process, monitor the environment, and report data so the Risk Owner can make informed decisions.
5. Control Failures
If a control fails, the Control Owner must fix it, but the Risk Owner must be informed immediately because the risk profile has changed (the likelihood or impact has increased).