In your opinion, who SHOULD own the risk in your organization?

IT Director/Other Senior IT Manager: 16%

CISO/Other Senior Security Manager: 47%

Senior Manager in another part of the organization: 14%

CEO/other board member: 15%

Operational risk: 5%

Other (comment below): 2%

754 participants. 4.7k views, 1 upvote, 8 comments.

Director, Experience Design in Education, 5 months ago

Who owns the risk entirely depends on the nature of the risk. It doesn't make much sense for sales to own infosec risk, or for IT to own revenue risk.

Lead Consultant, Customer Success in Software, 4 years ago

Every stakeholder should own risk.

Reply (no title), 4 years ago

Providing the person owning the risk is held accountable to address, mitigate, or accept the risk.

Director in Manufacturing, 5 years ago

Owned by the Application (Budget) owner. In my experience the risk can come from older or unmaintained systems, so if the owner won't fund upgrades, enhancements, or closing security gaps, it's on the owner and the budget to decide whether to keep the systems and the risk, shut them down, or fund remediation.

VP, Chief Security & Compliance Officer in Software, 5 years ago

The question is loaded, as there are multiple definitions of risk. A well-structured risk governing body consists of multiple lenses.

CIO Strategic Advisor in Services (non-Government), 5 years ago

No one person should 'own' risk for an organization. Risk should be transparent and shared among the appropriate stakeholders.

Reply (no title), 5 years ago

What I have seen in risk management is that the risk owner varies depending on the organization. A risk can be assigned to a person or persons responsible for the day-to-day management of that risk. By assigning an owner, the organization ensures that someone is accountable for the said risk. If no one person or group is charged with managing a risk, then by default the entire organization owns the risk, and therefore it is highly likely the risk will fall through the cracks and nothing will be done to address it (well-run organizations assign ownership). Having a risk owner is an important step toward ensuring that a plan to mitigate (or accept) the risk is developed and acted upon in a timely manner to protect the organization from that risk exposure. In my career, I have seen an SVP shown the door because they never took action to address risks identified in audits and the risk became realized.
