Who owns this risk anyway?
Updated: Jul 14, 2019
The shareholders and senior management of an organization know their business best, including the risks it is exposed to. They accept risks that are within their appetite in order to maximize the value the business generates. Where a business does not understand its risks, it can fail through lack of preparedness. Threats (which pose risks) can originate from market conditions, business context, or political or environmental factors, and they can arise inside or outside the organization. A comprehensive view of risk is necessary to ensure the ongoing success of the organization. The business is always clear about the ownership of its risks. However, that is not the case for most middle and lower level staff. This disconnect can result in risks being wrongly categorized and assigned when risk assessment is performed bottom-up.
This is the area of most concern. IT designs and builds the infrastructure that the business needs to achieve its tactical and strategic objectives. In delivering what the business needs, IT chooses technologies, processes and people within the limited budget allocated by the business. The technologies selected, the processes set up and the people involved bring various risks into the business, broadly classified as technology operation risks. As an example, having insufficiently skilled staff to support a particular kind of technology is a major risk to the organization: if that technology were to fail, it might not be restored efficiently or effectively.
Whose risk is it anyway?
While the technologists (IT) are clearly the custodians of this infrastructure, any failure of the infrastructure still results in a business process failure. In this scenario, the business owns the risk, because the liability for the failure rests with the business. The business might ask IT to mitigate this risk with additional component redundancy and disaster recovery solutions, creating a highly available solution. Now there is always a residual risk of a single component of the solution failing, which has no impact on business performance (assuming the primary risk was mitigated effectively). Who owns this risk now? I think it is safe to say that IT, as custodian, owns this risk, since the liability now rests with IT and IT alone.
The policy authority is the party accountable and responsible for making the policies that minimize the risks applicable to a system, and for expressing management's needs and expectations of the workforce. It is natural to assume that the policy authority is also the risk owner. In the scenario discussed above (prior to mitigating the primary risk), management is expected to state the performance and service level requirements, recovery time objectives and recovery point objectives for the business processes (which use the IT systems). In other words, management is the policy authority. Once the risk is mitigated (ignoring residual risks for now), the risk of component failure is owned by IT, and therefore the corresponding performance, service levels, recovery time objectives and recovery point objectives must be stated by IT. In other words, IT is the policy authority in this case.
Does every system need a policy document?
Let me know your thoughts by commenting below.