A large organization is replacing its enterprise resource planning (ERP) system and has decided not to deploy the payroll module of the new system. Instead, the current payroll system will continue to be used. Of the following, who should own the risk if the ERP and payroll system fail to operate as expected?
Correct Answer: A
The business owner should own the risk if the ERP and payroll system fail to operate as expected, because the business owner is ultimately responsible for the business processes and objectives that depend on the systems. The other options are not the risk owners, because:

* Option B: The ERP administrator is responsible for the technical aspects of the ERP system, but not the payroll system or the business outcomes.
* Option C: The project steering committee is responsible for overseeing the project of replacing the ERP system, but not the ongoing operation and maintenance of the systems or the business risks.
* Option D: The IT project manager is responsible for managing the project of replacing the ERP system, but not the payroll system or the business risks.

References: Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 90.
Question 67
It is MOST important to the effectiveness of an IT risk management function that the associated processes are:
Correct Answer: D
Question 68
Which of the following is the MOST important consideration when sharing risk management updates with executive management?
Correct Answer: C
Section: Volume D
Question 69
Which of the following presents the GREATEST privacy risk related to personal data processing for a global organization?
Correct Answer: A
Question 70
An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?
Correct Answer: A
The first course of action for the risk practitioner when identifying ineffective controls is to determine whether the impact of the control failure is outside the risk appetite of the organization. The risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. If the impact is within the risk appetite, the risk practitioner may decide to accept the risk or monitor the situation. If the impact is outside the risk appetite, the risk practitioner may need to escalate the issue, report the ineffective control, request a formal acceptance of risk, or deploy a compensating control.

References: The answer is based on the following sources:

* CRISC Review Manual, 7th Edition, Chapter 3: Risk Response and Reporting, pages 149-150
* CRISC Review Questions, Answers & Explanations Database, 12 Month Subscription, Question ID: QID- 10042
* Effective Risk Management Strategies | CRISC Exam Preparation