In a decentralized governance structure, authority, responsibility, and decision-making power are vested in and delegated to individual subordinate organizations within the parent organization (e.g., business units). Each subordinate organization establishes its own policies, standards, guidelines, procedures, and processes for developing and implementing risk management and cybersecurity strategies, decisions, and mechanisms for communicating across the organization. A decentralized approach to cybersecurity governance accommodates subordinate organizations with divergent mission and business needs and operating environments.
The effectiveness of this approach is greatly increased by the sharing of risk-related information among subordinate organizations, so that no subordinate organization can transfer risk to another without the latter's informed consent. It is also important to share risk-related information with the parent organization, since risk decisions made by subordinate organizations may affect the organization as a whole.
- Electricity Subsector Cybersecurity Risk Management Process, App. D, at 68.