Running a business always involves business risk. The question is how much risk the owner is comfortable accepting.

Take shoplifting, which costs a supermarket revenue. The protection decision is to focus on high-value goods, e.g. by attaching RFID anti-theft tags. Even with CCTV and guards deployed, there is still a chance that goods not protected by an anti-theft tag will occasionally slip through. That residual chance is the risk being accepted.

The business owner is fully accountable for managing these risks. That said, parties with different domain knowledge should help the business owner understand the inherent risks; the final risk acceptance decision still rests with the business owner.

Risks involving regulatory compliance must be addressed; otherwise the organization exposes itself to civil or criminal liability and to temporary or even permanent suspension of its business license. An example is the taxi business, which needs a vehicle license for carrying passengers, compulsory vehicle inspection, public liability insurance, exhaust emission control, and so on.

Similarly, in the cyber domain, the IT and cybersecurity teams are there to help the business owner understand the risks to the business model. Examples are data privacy, company reputation, unlicensed software and technology obsolescence.

Protection investment will no doubt increase the cost of operation. The business owner has to incorporate this into budget and revenue planning in order to sustain cybersecurity while still achieving the intended business outcomes.