Who should be involved in making IT-risk decisions?
Best practice dictates that an information risk management strategy should align with the business and IT strategies to deliver the most effective outcomes. This involves translating the organization's vision and mission into how resources are deployed to generate maximum value.
The truth of the matter is that information risk management objectives can end up being in direct competition with other business objectives.
That’s why it becomes essential for any organization to define who is involved in risk-related decision making so that these individuals are empowered to ultimately make business-based risk management decisions. It is also important so that occasional unpopular positions can be made with a clearly documented mandate from the organization’s executive management.
This is where the assignment of risk-related decision making authority and accountability become critical to ensure the organization’s overall objectives are achieved.
Effective risk-related decision making is a key determinant of organizational success in protecting its information. It involves the assignment of decision-making rights and accountabilities.
Take the following points into consideration when selecting and assigning decision makers in your organization:
- Assigning decision-making authority. When assigning decision-making authority, start by articulating the decision that needs to be made. Then, determine the steps that should be carried out to reach a decision, who should provide input, and what activities are required to obtain such input. Next, determine who should decide, ensuring that the decision makers are equipped with the information to make a fact-based decision.
- Defining roles and responsibilities. Clearly defined and documented roles, responsibilities and accountabilities should be part of the decision making process because information risk management is inherently interdisciplinary and interdepartmental. This complexity requires a great deal of coordination if decision making is going to be effective. Without it, the process can lead to inconsistent or ill-informed decisions made by whoever may feel empowered or has the political clout. It can also lead to confusion and security lapses. Decision-making responsibility can be shared among various stakeholders. However, it is critical to delineate and clearly communicate each group's role in the decision-making process. In some cases, particular stakeholders may be asked to provide input into a decision. But authority and responsibility for making the decision may reside elsewhere. When roles, responsibilities and accountabilities are clearly defined, efforts can be focused on those things that truly advance the organization's objectives.
- Aligning with corporate culture. Every organization has some type of informal rules that determine how things get done and the kinds of behavior that are acceptable. Risk-related decision making authority should reflect and support the prevailing culture to maximize its effectiveness. If your organization is more hierarchical where the emphasis is on command and control, then the authority should reflect the organizational structure and chain of command through which decisions get made. If your organization gravitates towards consensus building, then steering committees, councils and teams should be established for collaborative decision making authority. Whatever type of culture you work in, ensure that those with decision-making authority understand the decision-making process. The range of risk-related decisions can be broad, from policy or regulatory compliance to technical architecture to project prioritization. Ensure the decision-making authority aligns with your corporate culture.
Designating risk-related decision making authority can be a challenging task. But risk is ultimately a business decision. As a result, risk-related decision making should no longer by solely owned and operated from the IT department. Consider these points to improve your overall risk management effectiveness.