LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What's the difference between Accountability and Responsibility in risk management — and why does the distinction trip people up?

Responsibility can be delegated, outsourced, or transferred. Accountability cannot.

Responsibility Accountability
Definition Who does the work Who answers for the outcome
Can be delegated? Yes — to teams, contractors, vendors No — sticks to one named owner
Example The MSSP runs the SOC The CISO is accountable that monitoring is effective
When risk is transferred The insurer takes financial responsibility The org is still accountable to customers, regulators, courts

The classic mistake:

  • "We outsourced security to AWS / our MSP / our cloud provider, so we're covered."
  • Wrong. Customers, regulators, and the press will hold your organisation accountable for any breach — regardless of which vendor made the technical mistake.
  • The outsourcing contract may give you a contractual claim against the vendor, but it doesn't move accountability for the data, the trust, or the brand.

Operational rule: every risk in the portfolio must have a single named Risk-Owner who is accountable — even if a dozen people are responsible for executing controls.

Tip: RACI charts encode this: Responsible (does the work), Accountable (one person, owns the outcome), Consulted, Informed. In risk portfolios, the "A" column is the one that must never be empty.

From Quiz: ISF / Risk Management | Updated: Jul 14, 2026