
Reliance on Data Information Supplied by Others

The organization’s board should define, document and approve its policy for managing risk, including objectives and a statement of commitment to Risk Management. The policy may include:

the objectives and rationale for managing risk;
the links between the policy and the organization’s strategic plans;
the extent and types of risk the organization will take and the ways it will balance threats and opportunities;
the processes to be used to manage risk;
accountabilities for managing particular risks;
details of the support and expertise available to assist those involved in managing risks;
a statement on how Risk Management performance will be measured and reported;
a commitment to the periodic review of the Risk Management system;
a statement of commitment to the policy by directors and the organization’s executive.
Publishing and communicating a policy statement of this type demonstrates to the organization's internal and external stakeholders that the executive board is committed to Risk Management, and it specifies roles and accountability at the level of named individuals.

The directors and senior executives must be ultimately responsible for managing risk in the organization. All personnel are responsible for managing risks in their areas of control. This may be facilitated by:

specifying those accountable for the management of particular risks, for implementing treatment strategies and for the maintenance of controls;
establishing performance measurement and reporting processes;
ensuring appropriate levels of recognition, reward, approval and sanction.
As becomes apparent, the actual implementation of security measures on the underlying IT platform is not part of this activity. Rather, the implementation of action plans is concerned with the actions to be performed to reduce the identified risks. The work required at the level of the technical implementation of security measures is conducted within the ISMS, that is, outside the Risk Management process.

Last but not least, an important responsibility of top management is to identify requirements and allocate the necessary resources for Risk Management. This should include people and skills, processes and procedures, information systems and databases, money and other resources for specific risk treatment activities. The Risk Management plan should also specify how the Risk Management skills of managers and staff will be developed and maintained.

The integration of the Risk Management process with other operational and product proce