Information Security Handbook

Risk ownership

Understanding risk ownership, and who does not own risk, is critically important in order to make the correct risk decisions that support your organization's business and mission objectives:

  • Risk ownership is held by the C-suite and/or people at the boardroom level.
  • The ability to own risk is tied to authority and the ability to commit funds to reduce risk.
  • Senior leaders have the ability to fund risk reduction efforts as well as the ability to change the direction of organizational efforts and culture.
  • It is critically important that risks to the organization be effectively communicated to senior leadership, together with effective, well-thought-out plans to reduce risk.
  • While risk ownership sits with the executive team of an organization, it is the responsibility of the information security professional to deliver the facts regarding organizational risk coupled with the necessary plans of action to reduce the risk to acceptable levels.
  • This is where an effective understanding of the organization comes into play. Senior leadership will not be receptive to your risk reduction strategies if they do not align with the organizational mission.