The IT Law Wiki

Definition

A risk executive

"[h]elps to ensure that risk-related considerations for individual information systems, to include authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its core missions and business functions and that information system-related security risks are consistent across the organization."[1]

A risk executive is also defined as a functional role (individual or group) established within organizations to provide a more comprehensive, organization-wide approach to risk management. The risk executive serves as the common risk management resource and coordinates with senior leaders and executives to:
  • Establish risk management roles and responsibilities;
  • Develop and implement an organization-wide Risk Management Strategy that guides and informs organizational risk decisions (including how risk is framed, assessed, responded to, and monitored over time);
  • Manage threat and vulnerability information with regard to organizational information systems and the environments in which the systems operate;
  • Establish organization-wide forums to consider all types and sources of risk (including aggregated risk);
  • Determine organizational risk based on the aggregated risk from the operation and use of information systems and the respective environments of operation;
  • Provide oversight for the risk management activities carried out by organizations to ensure consistent and effective risk-based decisions;
  • Develop a greater understanding of risk with regard to the strategic view of organizations and their integrated operations;
  • Establish effective vehicles and serve as a focal point for communicating and sharing risk-related information among key stakeholders internally and externally to organizations;
  • Specify the degree of autonomy for subordinate organizations permitted by parent organizations with regard to framing, assessing, responding to, and monitoring risk;
  • Ensure that acceptance of the cybersecurity plan considers all factors necessary for mission and business success; and
  • Ensure that shared responsibility for supporting organizational missions and business functions through the use of external providers receives an appropriate level of visibility and deliberation.[2]

References