
What is risk management?

Risk management and risk ownership are two very different things. While risk ownership is an executive/board responsibility, risk management is a delegated responsibility that extends throughout the organization:

  • While risk ownership sits with the most senior leaders of an organization, risk management is a team sport.
  • Risk management spans from the most junior front-line employee up to senior management.
  • Risk management duties are delegated down from senior management.
  • Risk acceptance cannot be delegated. Risk acceptance decisions must be made by the risk owners and must be communicated effectively by the risk managers.

A very common trap for IT professionals is to think that they are the risk owner because they are responsible for an information system. An IT professional may then be inclined to make decisions about the risk of an IT system that they are not authorized to make, which can inadvertently expose the organization. Risk should be communicated up the organizational hierarchy to the risk owners via a repeatable risk management process.
