- Many organizations are aware of the need to discuss and assess risk but struggle to do so in a systematic and repeatable way.
- Many risks are identified solely at an IT level and are not properly escalated to inform the necessary stakeholders.
- When building out a risk management program, many organizations focus on how they perform their assessments and which analytical technique they use, while paying too little attention to the supporting systems the program needs.
- Build upon existing processes by establishing a clear risk escalation path while regularly reporting on risk.
- Allow stakeholders to be well informed on security risks, giving them the opportunity to make knowledgeable decisions.
Impact and Result
- Build a risk governance structure that makes it clear how security risks can be escalated within the organization and who has final decision-making authority over certain risks.
- Don’t concern yourself solely with the measurement approaches to risk management – a clearly established governance structure can benefit any organization, regardless of the level of analysis that takes place.
- Use Info-Tech’s templates to define clear responsibilities and accountabilities and to ensure that risks are presented effectively to the organization.
This guided implementation is a five-call advisory process.
Guided Implementation #1 - Define security risk responsibilities
Call #1 - Determine function of risk executive
Call #2 - Determine function of the board and IT security group
Call #3 - Build security risk responsibilities document
Guided Implementation #2 - Build security risk management presentation and reports