Securing Information
Strengthening Business

Who is Responsible for Information Risk Management?

Good question.

Information risk is the classic sloping-shoulders issue: the corporate ‘hot potato’ that is often lobbed at the IT department even though the risks go far beyond its remit. IT can secure systems, but it cannot decide which business processes matter most, how much risk the organisation will accept, or how staff in other departments handle information. Leaving the whole problem with IT can therefore leave an organisation exposed, with the result that information risks are not really managed at all.

So, who should be responsible for Information Risk Management? The short answer in our view is ‘everybody’. In a well-implemented Information Risk Management system, everyone is responsible for applying it and keeping it effective: from IT to HR, from finance to individual business managers and staff on the ground.

But the ultimate responsibility must surely lie with the Board. Even though information risk affects every area of a business, it is often not prioritised at top level. It is the Board’s duty to weigh up the corporate risks and benefits and to align the goals of IT and the business, so that the organisation adopts a balanced and consistent approach to managing information risk.

We urge every business to treat information risks as business risks, with a top-down mandate and company-wide controls.

Responsibilities of the Board

So if the Board is going to own information risk, what steps does it need to take?

  • Make a firm commitment to managing information risk: develop an information risk management strategy that sets out principles, roles, responsibilities and a sound system of internal controls (your ‘security architecture’).
  • Prepare an Information Risk Register: a good mechanism for identifying and treating risks. Each risk should have a named owner, an agreed treatment (reduce, accept, transfer or avoid) and a review date, so that the register stays a live management tool rather than a one-off exercise.
  • Provide policies (as required by international security standards) to give direction to employees. These policies define your position on all aspects of information security and sit at the heart of your management of risk.

If your organisation is serious about protecting its valuable information, have a look at the Ascentor Information Risk Action Plan.

Article by Dave James, MD of Ascentor

For Further Information

If you have any questions about the topics we have covered, or would like to discuss any aspect of your own cyber security strategy, please get in touch with the team at Ascentor.
