The risk owner (A) is best positioned to approve specific risk treatment options because they are accountable for the business process or asset affected by the risk and ultimately bear the consequences of that decision. CISM clearly distinguishes between roles that advise on risk (e.g., information security manager, risk management function) and those that own and accept risk. Senior management (D) defines risk appetite and tolerance, but day-to-day treatment decisions are delegated to risk owners within those boundaries. Approving treatment options requires an understanding of operational impact, cost, and business value—making the risk owner the appropriate authority.
[References: ISACA CISM Review Manual (Risk management—risk ownership, accountability, and risk response); CISM Exam Content Outline (Domain 1)., , , ]
Submit