Risk Owner

Caution: This page has been moved to the eSSIF-Lab Framework on GitHub.

Short Description

The owner of a risk that is associated with an objective must be the party that owns that objective, and vice versa, because ownership implies the authority to realize the objective, which in turn implies the authority to manage the associated risks. Of course, as owners are parties, a risk owner may mandate actors to execute the actions that are necessary to manage a risk, but that does not relieve the party of its ownership (or of possibly facing the associated consequences). In fact, the objective of mandating risk management activities may itself come with risks, which are often overlooked.

Purpose

Knowing who owns a risk is knowing who is accountable when something goes wrong.