Information risk is the classic slopey shoulder issue – the corporate ‘hot potato’ that is often lobbed at the IT department when the risks go far beyond their remit. This approach can leave an organisation vulnerable, with the result that information risks are not really managed at all.
So, who should be responsible for Information Risk Management? The short answer in our view is ‘everybody’. In a well-implemented Information Risk Management system, everyone has responsibility to ensure this is applied and effective: from IT to HR, from finance to individual business managers and staff on the ground.
But the ultimate responsibility must surely lie with the Board. Even though information risk affects all areas of a business it is often not prioritised at top level. It’s the Board’s duty to weigh up the corporate risks and benefits, aligning the goals of IT and the business for a balanced information risk management stance and approach.
We urge every business to treat information risks as business risks, with a top-down mandate and company-wide control.
Responsibilities of the Board
So, if the Board is going to own information risk, what steps do you need to take?
- Make a firm commitment to managing information risk: develop an information risk management strategy that sets out principles, roles, responsibilities and a sound system of internal controls (your ‘security architecture’).
- Prepare an Information Risk Register: a good mechanism for identifying and treating risks.
- Provide policies (as required by international security standards) to give direction to employees. These policies define your position on all aspects of information security and sit at the heart of your management of risk.