Information handling can be outsourced. Accountability can not. When things go wrong, the image loss remains with the owner.
Risk is managed at multiple levels.
Organization: clarify boundaries of responsibility, align policies and practices, establish process
System: assign risk ownership - what if our assets are transmitted through your infrastructure?
Individual: which person carries which role?
When systems transcend boundaries of organizations, how do we make sure the ball is not dropped?