Accountability vs Responsibility: The Distinction That Wins Exam Questions
April 22, 2026
Few distinctions earn more exam marks for less effort than the difference between accountability and responsibility. It appears across CRISC, CISM and CISSP, usually disguised as an outsourcing or breach scenario. Master one sentence and you resolve them all: responsibility can be delegated; accountability cannot.
The definitions
- Responsibility is the obligation to perform a task. It can be assigned, shared, and delegated to teams, individuals, or third parties.
- Accountability is the obligation to answer for the outcome. It rests with one role and cannot be transferred. The accountable party owns the result regardless of who did the work.
A manager can delegate to an analyst the responsibility of running access reviews. If those reviews fail, the manager is still accountable for the failure. The delegation moved the work, not the answerability.
The outsourcing trap
The most common exam form: an organisation outsources data processing to a cloud provider, and a breach occurs at the provider. Who is ultimately accountable to regulators? The answer is the organisation that collected the data — the data controller — not the provider, not the insurer, not whichever party the contract assigns liability to. Outsourcing and insurance transfer operational responsibility and financial impact. They never transfer accountability. Under GDPR this is explicit: the data controller determines the purposes and means of processing and bears primary accountability; the processor merely acts on instructions.
RACI and the single 'A'
This is why a well-formed RACI chart has exactly one Accountable role per activity but may have many Responsible ones. If you see two A's on a task, that is a governance defect — when something goes wrong, two people point at each other and no one owns it. Multiple R's are fine and normal; a single, unambiguous A is the requirement.
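The single-A rule is easy to state and easy to break in a large chart, so it is worth checking mechanically. The following is an added example, not code from the article: a small Python validator that parses a RACI matrix from CSV (activities as rows, roles as columns) and flags the governance defects described above: no Accountable role, more than one Accountable role, and no Responsible role. The sample chart is constructed for illustration; note that "Process customer data" delegates the R to a cloud provider while the A stays with the in-house Security Manager, which is exactly the outsourcing pattern the article describes.

```python
import csv
import io
from collections import Counter

# Constructed sample RACI matrix (not from the article). Rows are activities,
# columns are roles; a blank cell means the role has no involvement.
SAMPLE_RACI_CSV = """\
Activity,Security Manager,IAM Analyst,Cloud Provider,DPO,Legal
Run quarterly access reviews,A,R,,I,
Process customer data,A,,R,C,I
Notify regulator of a breach,A,,,A,R
Maintain vendor risk register,,R,,C,
Approve firewall exceptions,A,,,,C
"""

VALID_CODES = {"R", "A", "C", "I", ""}


def parse_raci(text):
    """Parse a CSV RACI matrix into {activity: {role: code}}.

    Rejects any cell that is not R, A, C, I or blank so a typo cannot
    silently drop an assignment.
    """
    reader = csv.DictReader(io.StringIO(text))
    chart = {}
    for row in reader:
        activity = row.pop("Activity")
        cells = {}
        for role, code in row.items():
            code = (code or "").strip().upper()
            if code not in VALID_CODES:
                raise ValueError(f"{activity!r}/{role!r}: unknown code {code!r}")
            if code:
                cells[role] = code
        chart[activity] = cells
    return chart


def validate_raci(chart):
    """Return a list of (activity, defect) tuples.

    Rules enforced:
      - exactly one Accountable (A) role per activity
      - at least one Responsible (R) role per activity
    Many R's are fine; the chart may legitimately delegate the work widely.
    """
    defects = []
    for activity, cells in chart.items():
        counts = Counter(cells.values())
        accountable = sorted(role for role, code in cells.items() if code == "A")
        if not accountable:
            defects.append((activity, "no accountable role"))
        elif len(accountable) > 1:
            # Two A's: when the activity fails, each owner can point at the other.
            defects.append((activity, "multiple accountable roles: " + ", ".join(accountable)))
        if counts["R"] == 0:
            defects.append((activity, "no responsible role"))
    return defects


def accountable_for(chart, activity):
    """Return the single accountable role for an activity, or None if the
    chart is defective for that activity (zero or several A's)."""
    owners = [role for role, code in chart[activity].items() if code == "A"]
    return owners[0] if len(owners) == 1 else None


if __name__ == "__main__":
    chart = parse_raci(SAMPLE_RACI_CSV)
    for activity, defect in validate_raci(chart):
        print(f"DEFECT  {activity}: {defect}")
    print("Accountable for 'Process customer data':",
          accountable_for(chart, "Process customer data"))
```

Running the script lists three defects (two A's on the breach notification, no A on the vendor risk register, no R on firewall exceptions) and reports that the Security Manager, not the Cloud Provider, is accountable for customer data processing. The same check is cheap to run in CI against a RACI kept as a CSV file next to the risk register.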
Why it matters beyond the exam
The distinction is not pedantry. After an incident, the question "who is accountable?" determines who must answer to the board, the regulator and the customer. Organisations that blur it — assuming a vendor's certification means the vendor is accountable for the organisation's own data — discover the hard way that accountability stayed home. Build your contracts, your RACI charts and your risk register on the assumption that accountability is yours to keep.