
Risk Management Should Drive Organizational Accountability

What's Inside

Ownership and accountability for risk doesn’t belong to the GRC or ERM team. CISO, Ross Hosman, shares his view on who owns business risk.

Contents

- Determining Risk Ownership
- When and How to Accept Risk

Who owns the decision to accept a risk? According to Chief Information Security Officer Ross Hosman, it's not the governance, risk, and compliance (GRC) or enterprise risk management (ERM) teams.

In his recent on-demand webinar about measuring your risk management program's effectiveness, Ross explains his take on risk ownership—and accountability. Check out the webinar now or get a quick snapshot of his take below.

Determining Risk Ownership

Early in the webinar, Ross introduces the concept of risk owners and risk acceptors. Neither of these roles belongs to the GRC or ERM teams. The responsibility for accepting and owning risk falls on the company’s leadership—the people whose decisions create that risk. They must own the consequences of their decisions and ensure the business only takes appropriate risks.

Without executive accountability, risk ownership falls on the GRC or ERM teams—even though they lack the authority to change the business.

When and How to Accept Risk

GRC and ERM teams can only manage risk. They may even reject decisions that expose the business to unacceptable risks. But they do not own the risk.

Risk managers must assess a risk based on its impact on the business and present their conclusions to the executive team. Accepting a high-impact risk is not an option. Instead, the risk owner must take responsibility for transferring, mitigating, or fixing the risk.

Accepting a low-impact risk depends on the executive team’s risk tolerance. But it’s still an executive decision, and they are accountable if that risk causes an incident.

Measuring the Effectiveness of Risk Management

Understanding the business perspective of managing risk is only one piece of the puzzle when it comes to measuring how effective a risk management program is.

If you’re looking to improve and automate your risk management program, schedule some time with our team and see how Drata can help you stay ahead of potential threats.
