Risk and Control Ownership
Key Takeaways
- The risk owner is the person with authority and accountability to manage a risk; it is typically a senior business leader, not the security team.
- The information security manager facilitates, advises, and reports on risk but does not own business risk or accept it on the business's behalf.
- The Three Lines Model separates ownership (1st line: business/operations), oversight (2nd line: risk and compliance), and assurance (3rd line: internal audit).
- A RACI chart clarifies who is Responsible, Accountable, Consulted, and Informed; only one party can be Accountable for a given risk or control.
Who Owns Risk Versus Who Owns Controls
CISM draws a sharp line between two roles that candidates routinely conflate:
- The risk owner is the individual with the authority and accountability to manage a specific risk and to decide its treatment — usually a senior business or process leader who owns the affected objective.
- The control owner is the person accountable for the design and operation of a specific control that addresses the risk.
The information security manager is neither, by default. The manager facilitates the risk process, advises on options, and reports status — but business risk is owned by the business. A recurring exam answer: when a high residual risk needs acceptance, the security manager escalates to the accountable business owner for a documented decision rather than accepting it personally. Security accepting business risk on the business's behalf is a classic wrong answer.
| Role | Owns | Typical holder |
|---|---|---|
| Risk owner | The risk and its treatment decision | Senior business/process leader |
| Control owner | A specific control's design and operation | Functional manager (IT, HR, facilities) |
| Security manager | The risk management process and reporting | CISO / information security manager |
Governance Structures: Three Lines and RACI
The Three Lines Model
The Institute of Internal Auditors' Three Lines Model (updated 2020 from the older "Three Lines of Defense") clarifies how accountability is layered:
- First line — operational management that owns and manages risk directly (business units, IT operations).
- Second line — risk, security, and compliance functions that set policy and provide oversight and expertise.
- Third line — internal audit, providing independent assurance to the governing body.
A key independence rule: the third line (audit) must not own or operate controls, or its assurance is no longer independent. The security manager generally sits in the second line — advising and overseeing, not owning operational risk.
RACI for Risk and Control Accountability
A RACI chart assigns, for each risk or control, who is Responsible (does the work), Accountable (answerable for the outcome), Consulted (provides input), and Informed (kept aware). The non-negotiable rule CISM tests: exactly one party is Accountable per item — accountability cannot be shared or it becomes nobody's.
Worked Scenario
A business unit launches a new application; security identifies residual risk above appetite. The unit's VP wants to proceed. The manager's correct action is to document the residual risk and require the accountable business owner (the VP) to formally accept or fund treatment, then record that decision. The manager does not unilaterally block the launch (no business authority) and does not silently accept the risk (not the risk owner). Common trap: picking "the security team accepts the residual risk" — security advises and reports, but the accountable business leader must own the acceptance.
Why Ownership Must Sit With the Business
A durable principle in CISM is that risk and control ownership follows authority and resources. The party who can change the activity, fund the control, or accept the consequences must own the risk. Security teams rarely control business budgets or processes, so assigning them ownership of business risk creates accountability without authority — a setup that fails in practice and is a wrong answer on the exam.
This also explains the manager's reporting line. The information security manager should report independently enough to give honest risk assessments without a conflict of interest, which is why placing security under the function it must assess (for example, reporting to the head of IT operations, whose systems security evaluates and whose residual risks it reports) is discouraged in favor of a more independent line to a risk committee or the board.
Asset, Risk, and Control Owners Are Distinct
| Owner | Accountable for | Example holder |
|---|---|---|
| Asset owner | Classifying and protecting an information asset | Business data owner |
| Risk owner | Treatment decision for a specific risk | Senior business/process leader |
| Control owner | Operating a specific control effectively | Functional manager |
These can be different people for the same risk. The data owner classifies the customer database, the business VP owns the risk of its breach, and the IT manager owns the encryption control — and the security manager coordinates and reports across all three.
Worked Scenario
An audit finds a control with no documented owner. The manager's best action is to assign a single accountable owner with the authority and resources to operate it, then record this in the register — not to assume the security team owns it by default, and not to leave it pending the next audit. Common trap: answering that "the CISO owns all controls." Ownership maps to the function with operational authority; the CISO coordinates the program but cannot operate every control across the enterprise.
Clear ownership is also what makes accountability survive turnover and reorganizations. Roles, not named individuals, should anchor the register so that when a VP leaves, the successor inherits the documented risk. The manager periodically confirms that every open risk and key control still has a valid, willing, and resourced owner — an "orphaned" risk whose owner has left is a common audit finding and a frequent exam scenario whose answer is to reassign ownership promptly, not to let the security team absorb it by default.
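The two register rules above, exactly one Accountable party per item and no open risk or key control left with a vacant owner, are the kind of thing a GRC team checks mechanically rather than by reading the register. The following is an added example written for this page, not an exam artefact or any vendor's tooling; the register layout, the role names, the role directory and the "second-line roles should not own business risk" rule are all assumptions, and the sample records are constructed.

```python
"""Integrity checks over a risk/control register carrying RACI assignments.

Added example: the register layout, role names and the rules are assumptions,
not CISM artefacts; the sample records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

VALID_LETTERS = {"R", "A", "C", "I"}


@dataclass
class RegisterItem:
    item_id: str
    kind: str                 # "risk" or "control"
    raci: dict[str, str]      # role -> one of R, A, C, I
    owner_role: str | None    # documented owner, recorded as a role, not a person


def raci_violations(item: RegisterItem) -> list[str]:
    """Rule checks for one item: valid letters, exactly one A, owner == the A."""
    problems = []
    for role, letter in item.raci.items():
        if letter not in VALID_LETTERS:
            problems.append(f"{item.item_id}: invalid RACI letter {letter!r} for {role}")
    accountable = [r for r, l in item.raci.items() if l == "A"]
    if not accountable:
        problems.append(f"{item.item_id}: no Accountable party")
    elif len(accountable) > 1:
        problems.append(f"{item.item_id}: shared accountability ({', '.join(accountable)})")
    if item.owner_role is None:
        problems.append(f"{item.item_id}: no documented owner")
    elif len(accountable) == 1 and item.owner_role != accountable[0]:
        problems.append(
            f"{item.item_id}: owner {item.owner_role!r} differs from Accountable {accountable[0]!r}"
        )
    return problems


def orphaned_items(register: list[RegisterItem], roles: dict[str, str | None]) -> list[str]:
    """Items whose owner role is unknown to the role directory or currently vacant."""
    orphans = []
    for item in register:
        if item.owner_role is None:
            continue  # already reported by raci_violations
        if item.owner_role not in roles:
            orphans.append(f"{item.item_id}: owner role {item.owner_role!r} not in directory")
        elif roles[item.owner_role] is None:
            orphans.append(f"{item.item_id}: owner role {item.owner_role!r} is vacant")
    return orphans


def misplaced_risk_ownership(register: list[RegisterItem], second_line: set[str]) -> list[str]:
    """Business risks owned by a second-line function (which advises, not owns)."""
    return [
        f"{item.item_id}: risk owned by second-line role {item.owner_role!r}"
        for item in register
        if item.kind == "risk" and item.owner_role in second_line
    ]


def audit_register(register, roles, second_line) -> dict[str, list[str]]:
    """Run every check and group findings by check name."""
    return {
        "raci": [p for item in register for p in raci_violations(item)],
        "orphaned": orphaned_items(register, roles),
        "misplaced": misplaced_risk_ownership(register, second_line),
    }


# Constructed sample data (not from any real register).
SAMPLE_REGISTER = [
    RegisterItem("R-001", "risk", {"VP Sales": "A", "IT Ops Manager": "R", "CISO": "C", "Internal Audit": "I"}, "VP Sales"),
    RegisterItem("R-002", "risk", {"VP Finance": "A", "CISO": "A", "IT Ops Manager": "R"}, "VP Finance"),
    RegisterItem("R-003", "risk", {"CISO": "A", "VP Marketing": "C"}, "CISO"),
    RegisterItem("C-010", "control", {"IT Ops Manager": "R", "CISO": "C"}, None),
    RegisterItem("C-011", "control", {"HR Director": "A", "HR Analyst": "R"}, "HR Director"),
]
# Role directory: role -> current holder, None when the seat is vacant (assumed layout).
SAMPLE_ROLES = {
    "VP Sales": "A. Example", "VP Finance": "B. Example", "VP Marketing": "C. Example",
    "IT Ops Manager": "D. Example", "CISO": "E. Example", "HR Director": None,
    "HR Analyst": "F. Example", "Internal Audit": "G. Example",
}
SECOND_LINE_ROLES = {"CISO", "Compliance Manager", "Risk Manager"}

if __name__ == "__main__":
    for check, findings in audit_register(SAMPLE_REGISTER, SAMPLE_ROLES, SECOND_LINE_ROLES).items():
        print(f"[{check}]")
        for line in findings or ["no findings"]:
            print("  ", line)
```

Run against the sample register, the checks surface each trap discussed on this page: R-002 has two Accountable parties, C-010 has neither an Accountable party nor an owner, C-011 is owned by a role whose seat is vacant (the orphaned-risk scenario), and R-003 is a business risk sitting with the CISO, a second-line role. R-001 passes every check because the risk has one Accountable party, that party is the documented owner, and the owner is recorded as a role that is currently filled.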
Review Questions
A residual risk exceeds the enterprise's risk appetite, and the business wants to proceed anyway. What is the information security manager's MOST appropriate action?
In a RACI chart for a particular control, how many parties should be designated 'Accountable'?