The organization’s process owner should own the risk of exposing the payroll data due to a control weakness at the third party, because the process owner is the person who is responsible for the business process that generates, uses, or transfers the payroll data. The process owner should also ensure that the third party complies with the contractual obligations and service level agreements that define the expected performance and security standards of the payroll data processing. The other options are not the correct answers, because they are not the primary owners of the risk, although they may also be involved in the risk management process. The third party’s IT operations manager, the third party’s chief risk officer (CRO), and the organization’s risk practitioner are examples of secondary owners or stakeholders of the risk, who may provide support, guidance, or oversight to the risk owner, but they are not accountable for the risk or the risk response strategy. References = CRISC: Certified in Risk & Information Systems Control Sample Questions