| “
|
is a functional role (individual or group) established within organizations to provide a more comprehensive, organization-wide approach to risk management. The risk executive serves as the common risk management resource and coordinates with senior leaders and executives to:
- Establish risk management roles and responsibilities;
- Develop and implement an organization-wide Risk Management Strategy that guides and informs organizational risk decisions (including how risk is framed, assessed, responded to, and monitored over time);
- Manage threat and vulnerability information with regard to organizational information systems and the environments in which the systems operate;
- Establish organization-wide forums to consider all types and sources of risk (including aggregated risk);
- Determine organizational risk based on the aggregated risk from the operation and use of information systems and the respective environments of operation;
- Provide oversight for the risk management activities carried out by organizations to ensure consistent and effective risk-based decisions;
- Develop a greater understanding of risk with regard to the strategic view of organizations and their integrated operations;
- Establish effective vehicles and serve as a focal point for communicating and sharing risk-related information among key stakeholders internally and externally to organizations;
- Specify the degree of autonomy for subordinate organizations permitted by parent organizations with regard to framing, assessing, responding to, and monitoring risk;
- Ensure that acceptance of the cybersecurity plan considers all factors necessary for mission and business success; and
- Ensure shared responsibility for supporting organizational missions and business functions through the use of external providers, receives an appropriate level of visibility and deliberation.[2]
|
”
|