With reference to the risk assessment methodology (risk assessment for ISO 22301 purposes): who is the owner of the risk if the company to be analyzed uses IT solutions provided by a related company in the capital group?
Company X (it is subject to risk analysis in connection with ISO 22301) uses an accounting program. Company Y (an IT company from a capital group) provides the program. Will the asset owner, for example, be the IT Director of Company Y, and the Accounting Director of Company X the owner of the risk? Who should assess the risk for Company X in this case? I think he's an employee of Company X, but I'd like to make sure.