Who is Responsible for Information Risk Management?

Good question.

Information risk is the classic slopey shoulder issue – the corporate ‘hot potato’ that is often lobbed at the IT department when the risks go far beyond their remit. This approach can leave an organisation vulnerable, with the result that information risks are not really managed at all.

So, who should be responsible for Information Risk Management? The short answer in our view is ‘everybody’. In a well-implemented Information Risk Management system, everyone has a responsibility to ensure it is applied and effective: from IT to HR, from finance to individual business managers and staff on the ground.

But the ultimate responsibility must surely lie with the Board. Even though information risk affects all areas of a business, it is often not prioritised at top level. It’s the Board’s duty to weigh up the corporate risks and benefits, aligning the goals of IT and the business for a balanced information risk management stance and approach.

We urge every business to see information risks as business risks, with a top-down mandate and company-wide control.

Responsibilities of the Board

So, if the Board is going to own information risk, what steps do you need to take?

  • Make a firm commitment to managing information risk: develop an information risk management strategy that sets out principles, roles, responsibilities and a sound system of internal controls (your ‘security architecture’).
  • Prepare an Information Risk Register: a good mechanism for identifying and treating risks.
  • Provide policies (as required by international security standards) to give direction to employees. These policies define your position on all aspects of information security and are at the heart of your management of risk.

If your organisation is serious about protecting its valuable information, have a look at the Ascentor Information Risk Action Plan.

Article by Dave James, MD of Ascentor
