Quiz Entry - updated: 2026.07.14
What's the difference between Accountability and Responsibility in risk management — and why does the distinction trip people up?
Responsibility can be delegated, outsourced, or transferred. Accountability cannot.
| Responsibility | Accountability | |
|---|---|---|
| Definition | Who does the work | Who answers for the outcome |
| Can be delegated? | Yes — to teams, contractors, vendors | No — sticks to one named owner |
| Example | The MSSP runs the SOC | The CISO is accountable that monitoring is effective |
| When risk is transferred | The insurer takes financial responsibility | The org is still accountable to customers, regulators, courts |
The classic mistake:
- "We outsourced security to AWS / our MSP / our cloud provider, so we're covered."
- Wrong. Customers, regulators, and the press will hold your organisation accountable for any breach — regardless of which vendor made the technical mistake.
- The outsourcing contract may give you a contractual claim against the vendor, but it doesn't move accountability for the data, the trust, or the brand.
Operational rule: every risk in the portfolio must have a single named Risk-Owner who is accountable — even if a dozen people are responsible for executing controls.
Tip: RACI charts encode this: Responsible (does the work), Accountable (one person, owns the outcome), Consulted, Informed. In risk portfolios, the "A" column is the one that must never be empty.