Acceptance is often a reasonable strategy for InfoRisk.
Who does the accepting?
If you have one omnipotent Risk Manager who calls the shots, the answer is simple.
But, to create a risk culture, Risk Management will have to take place on multiple levels.
Suppose the Network Dept assess a certain risk, can they accept it on behalf of the organization? If yes, how are they in a position to judge (and accept) the business impact? If no, how can Risk Mgmt be scalable unless responsibility is delegated?
No comments:
Post a Comment