The risk owner is the person designated by ISO 27001 Clause 6.1.2 as accountable for a specific risk. Responsibilities include monitoring the risk, approving the risk-treatment plan, and formally accepting the residual risk. Risk owners must have sufficient authority to commission mitigation measures. You should appoint risk owners from management, because operational staff typically lack the required decision-making power. In the risk register, the risk owner is recorded by name against each risk scenario.