
Establish a Security Risk Governance Structure

Managing risk can only go so far without the right support.


Your Challenge

  • Many organizations recognize the need to discuss and assess risk but struggle to do so in a systematic, repeatable way.
  • Many risks are identified only at the IT level and are never escalated to the stakeholders who need to act on them.

Our Advice

Critical Insight

  • When building a risk management program, many organizations focus on how they perform assessments and which analytical technique they use, while neglecting the governance structures that turn assessment results into decisions.
  • Build on existing processes: establish a clear risk escalation path and report on risk regularly.
  • Keep stakeholders well informed about security risks so they can make knowledgeable decisions.

Impact and Result

  • Build a risk governance structure that makes clear how security risks are escalated within the organization and who has final decision-making authority over particular risks.
  • Don't concern yourself solely with the measurement approach to risk management: a clearly established governance structure benefits any organization, regardless of the depth of analysis that takes place.
  • Use Info-Tech's templates to define clear responsibilities and accountabilities and to ensure that risks are presented effectively to the organization.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should establish a security risk governance program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Define security risk responsibilities

Define the responsibilities of each stakeholder within your security risk management program.

2. Build security risk management presentations and reports

Build reports on your security risk management program so that the board of directors and management are aware of the current state of risk within the organization.

Guided Implementations

This guided implementation is a five-call advisory process.

Guided Implementation #1 - Define security risk responsibilities

Call #1 - Determine function of risk executive
Call #2 - Determine function of the board and IT security group
Call #3 - Build security risk responsibilities document

Guided Implementation #2 - Build security risk management presentation and reports

Call #1 - Review an operational and management view into security risk
Call #2 - Build presentations and reports on security risk