Cyber risk categories and cyber risks are assigned to risk owners
Context and Guidance: The risk owner should be the person who has the authority and authorisation within the organisation to make decisions about how to respond to specific risk categories and risks and to assign budget for risk responses. Remember that a legitimate (but potentially harmful) response to a risk is to accept the risk. The risk owner must have the authority to accept a risk. For a risk owner to fully accept a risk, it is important that they understand the risk and the potential impacts that may occur if the risk is realised. To determine if a risk owner has adequate authority for accepting a risk, it may help to consider whether the potential impacts of the risk may extend beyond the scope of her or his authority. It may also help to consider whether the potential risk owner has adequate authority and resources within her or his purview to make appropriate changes if the risk is deemed outside of the organisation's risk tolerance. Assignment of a risk to a risk owner may involve some form of written attestation of their ownership of the risk. Assignment of ownership at the right level of authority helps ensure that risk responses are effectively executed.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RISK-2d, RISK-2e, RISK-2f, RISK-2i, RISK-2j, RISK-2k, RISK-2l, RISK-3f.