In your opinion, who SHOULD own the risk in your organization?

IT Director/Other Senior IT Manager: 17%

CISO/Other Senior Security Manager: 51%

Senior Manager in another part of the organization: 11%

CEO/other board member: 16%

Operational risk: 2%

Other (comment below): 1%


3.2k views, 1 Upvote, 7 Comments

Assistant Director IT Auditor in Education, 10,001+ employees
Risks are owned by the department head (senior level) where the risk exists; they are the folks who can best manage the risks.
CIO Strategic Advisor in Services (non-Government), 2 - 10 employees
No one person should 'own' risk for an organization. Risk should be transparent and shared among the appropriate stakeholders.
Assistant Director IT Auditor in Education, 10,001+ employees

What I have seen in risk management is that the risk owner varies depending on the organization. A risk can be assigned to a person or persons responsible for the day-to-day management of that risk. By assigning an owner, the designated risk owner ensures someone in the organization is accountable for the said risk. If there is no one person or group charged with managing a risk, then by default the entire organization owns the risk, and therefore it is highly likely the risk will fall through the cracks and nothing will be done to address it (well-run organizations assign ownership). Having a risk owner is an important step toward ensuring that a plan to mitigate (or accept) the risk is developed and acted upon in a timely manner to protect the organization from that risk exposure. In my career, I have seen SVPs shown the door because they never took action to address risks identified in audits and the risk became realized.

VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
The question is loaded, as there are multiple definitions of risk. A well-structured risk governing body consists of multiple lenses.
Director in Manufacturing, 1,001 - 5,000 employees
Owned by the application (budget) owner. In my experience the risk can come from older or unmaintained systems, so if the owner won't fund upgrades, enhancements, or closing security gaps, it's on the owner and the budget to decide whether to keep the systems and the risk, shut them down, or fund remediation.
Director, IT Architecture in Software, 5,001 - 10,000 employees
Every stakeholder should own risk.
Assistant Director IT Auditor in Education, 10,001+ employees

Providing the person owning the risk is held accountable to address, mitigate, or accept the risk.
