With reference to the risk assessment methodology (risk assessment for ISO 22301 purposes): who is the owner of the risk if the company to be analyzed uses IT solutions provided by a related company in the capital group?
Company X (it is subject to risk analysis in connection with ISO 22301) uses an accounting program. Company Y (an IT company from a capital group) provides the program. Will the asset owner, for example, be the IT Director of company Y, and the Accounting Director of company X the owner of the risk? Who should assess the risk for company X in this case? I think he's an employee of Company X, but I'd like to make sure.
It is best for the risk owner to be the role most interested in treating the risk and with enough authority to do something about it, in this case, the Accounting Director of company X. As for the person to perform the risk assessment, you should consider the person with the most knowledge about the accounting program and related processes (in general this person is known as the key user).
This article will provide you with a further explanation about risk owners: