Who is responsible for Information Risk Management?

Good question.

Information risk is the classic “sloping shoulders” issue – the corporate hot potato that is often lobbed at the IT department, even though the risks go far beyond their remit. This approach can leave an organisation vulnerable, with the result that information risks are not really managed at all.

So, who should be responsible for Information Risk Management? The short answer, in our view, is – everybody. In a well-implemented Information Risk Management system, everyone has a responsibility to ensure this is applied and effective: from IT to HR, from finance to individual business managers and staff on the ground.

But the ultimate responsibility must surely lie with the Board. Even though information risk affects all areas of a business, it is often not prioritised at top level. It’s the Board’s duty to weigh up the corporate risks and benefits, aligning the goals of IT and the business for a balanced information risk management stance and approach.

We urge every business to see information risks as business risks, with a top-down mandate and company-wide control.

Responsibilities of the Board

So if the Board is going to own information risk, what steps do you need to take?

  • Make a firm commitment to managing information risk: develop an information risk management strategy that sets out principles, roles, responsibilities and a sound system of internal controls (your “security architecture”).
  • Prepare an Information Risk Register: a good mechanism for identifying and treating risks.
  • Provide policies (as required by international security standards) to give direction to employees. These policies define your position on all aspects of information security and are at the heart of your management of risk.

If your organisation is serious about protecting its valuable information, have a look at the Ascentor Information Risk Action Plan.

Article by Dave James, MD of Ascentor
