The correct answer is B because business process owners are accountable for the management of IT risk within the organization. In CRISC, risk accountability rests with those who own the business activities and processes affected by the risk. They are responsible for ensuring that risk is identified, assessed, treated, and monitored in a way that supports business objectives.
The other options are not the best answer:
A. Senior management approves risk appetite, provides oversight, and signs off on plans, but accountability for specific business risk resides with the owners of the business processes and services.
C. Second line provides oversight, guidance, framework support, and monitoring, but does not own the risk.
D. Internal audit is independent and provides assurance; it does not manage or own IT risk.
Exact Extracts supporting the answer:
“Accountability for business risk related to IT primarily lies with users of IT services.”
“For an IT system supporting a critical business process senior managers should be accountable for the risk.”
“For an organizational business unit the most accurate description of risk-related roles and responsibilities is that the management team owns the risk and is responsible for identifying assessing and mitigating risk and reporting to the appropriate support functions and the board of directors.”
“Risk owner is a risk management role that is part of the first line of defense.”
“Operational management is the function that manages risk according to the three lines of defense model.”
Taken together, these extracts show that accountability for IT risk is assigned to the first line, meaning business and operational owners, not assurance or oversight functions. Therefore, business process owners are accountable for management of IT risk within the organization.