Why cyber risks should belong to business decision makers and not the IT department

Thursday, 26 January, 2023

Risk Jenga tower

Risk management is an essential part of business. It heavily relies on two things: a way of qualifying/quantifying risks pertaining to a certain area of the business, and a decision being made on the method of treatment for each risk. However, many organisations appoint risk owners that are not in the best position to make those decisions, often leading to overly risk-averse postures, or exposing the business to risks they weren’t aware of. So how should you go about appointing a risk owner?

Appointing a risk owner is important

Part of the risk assessment process involves designating a risk owner. This is important because if no specific person or department owns a risk, it is more likely for that risk to fall through the cracks and not be addressed, leaving the business exposed.

Risk owners should be in a position to treat risk

At Cydea we use and help maintain the Open Information Security Risk Universe (OISRU) to aid our risk assessments. The OISRU has a taxonomy of consequences that may arise from risk events, grouped under three main categories of strategic, financial, and operational. All of these consequences can have either a direct or indirect effect on the business’ financial performance, and therefore any associated risks require a buy-in from those within the company whose job it is to ensure the successful financial performance of the organisation.

For most businesses, risk treatment is a balancing act between the cost of mitigation vs the cost of recovery (vs the cost of doing nothing!). If the cost to the business of mitigating a risk is higher than the estimated cost of recovery in the event that such a risk comes to pass over the same period of time, then it does not make financial sense to implement the mitigation.

This is why appointing an IT manager as owner of all cybersecurity risks is not a fully mature approach to risk ownership, as they don’t have an organisation-level view of risk. A better approach is to appoint owners aligned to the area of the business affected by the risk. The people who will ‘feel the pain’ of a risk event and can judge what the magnitude of consequences will be. They also need to be suitably senior or empowered to make decisions and do something about the risk. They are not a scapegoat.

Risk owners should be advised by others

It’s a theme you’ll find running through our posts at Cydea; the best approach is a team approach. Whether it’s in-house or outsourced, your IT and/or security team will have valuable insights into cyber security risks, and their expert opinion should feed the risk analysis of each risk statement. The risk owner should be a decision maker who shoulders the responsibility of the welfare and success of the business.

It’s a bit like taking your car in for repairs. The mechanic at the garage will give you expert advice on all the issues. They will know which things must be repaired to keep the car legally on the road and moving from A to B; and they’ll advise on which issues could be left for another day, and the risk that doing so carries. As the car owner, however, you make the decisions because you own the risk.

Checklist for your next cyber risk assessment

Next time you are going through your cyber risk assessment process, be it for a regular review or for the first time, consider the following when appointing a risk owner:

  • Do they have the seniority required to make decisions with potential financial consequences?
  • Are they aligned with the business?
  • Do they need a champion to monitor and advise?

If you can tick all of these boxes then your risk owner is well placed to make the decision, and ultimately own the risk, on the behalf of the business.

Photo by Valery Fedotov from Unsplash.