So we talked a little bit earlier about the importance of roles and responsibilities, making sure that we have clear separation of duties, making sure that we don't have gaps in our protections. So this next section, we're gonna point out a couple of key roles. Well,
the first thing we talk about is risk prioritization,
and when we look at risk prioritization, ultimately this is the responsibility of senior management. But it's their job to create a response plan. A strategy to make sure that we understand how to put our resource is at those areas with lowest risk tolerance.
So we want to be able to focus our efforts because we don't have unlimited money. We don't have unlimited time. We can't
respond to everything equally so. Ultimately,
risk prioritization is the responsibility of senior management, and it's quite important.
All right, other roles or other ideas within the organization. The C I O business managers, chief risk officers, and then on the next slide, we've got risk practitioners. Okay, See, I Oh, there are that individual is the senior most official
that works with i t.
And they are ultimately responsible for ensuring that I t strategies air in alignment with business and ultimately that the I T department delivers value.
Right doesn't just run around fixing machines and correcting problems, but the work that we do an I t. Brings value to the organization when you invest in i t. Here's what your return will be. So ultimately there are champion. Ah, But in order to effectively champion
for the I T department,
they have to have that approach in mind. So they have to have anticipated value means to track value. They want to build a portfolio so that we can look at the various ways that I t contributes to the organization. So when you get up to the chief information officer,
they are there to champion for I t. And to make sure that we're delivering value
now as we come down to business managers, Okay, these air, the folks that are accountable.
making those risk based decisions.
So what that means in. And I already talked about it. There's ever a conflict between what I thi wants to do and what the business owner won't wants to do. That business owner wins every single time, but they are accountable for the decisions that are made
so ultimately, when it comes down to
protecting the assets in a means that is appropriate,
the accountability goes on the business manager shoulder.
All right, So,
uh, also, I will just mention that frequently business managers are influenced or have communications with the risk practitioner. So it's not like they're just going out there and saying, Ah, 72 character passwords. Probably good,
right? They take that information that the risk practitioner
collects and analyzes and provides. And then they make decisions based on what they're being advised, whether or not to follow through or or no. All right, Chief Risk officer once again, high level chief officers, these air senior management.
And they're the ones that are ultimately
maintaining risks, analysing risks, making sure that our risk profile and you'll notice the word responsible. So the this guy, this chief risk officer is actually doing this. They are analyzing the risk there, making sure that we operate with in the
correct risk profile.
They're making decisions. Okay, so the chief risk officer is the one that is, is actively working with risks. Okay, They're gonna provide governance and guidance, but again, when we talk about
what decisions are to be made. The chief risk officer supports the business, but the business always makes the decisions. Therefore, the business is the element that is accountable.
All right, So the priority of the C r. O. Is organizational compliance when applicability all making sure that we operate within a risk appetite, making sure that we have the elements that are necessary. The three lines of defense.
Right? So ultimately, the big responsibility the worker bee
is gonna be the chief risk officer. Accountability still goes to manage.
All right. Another set of responsibilities that the chief risk officer has to accomplish. They manage the risk assessment process, ensuring that were properly assessing risks. What are what's our methodology? Um, are we getting good results?
Implementation of corrective actions. Okay, so we're finding after vulnerability assessment that we have, um, too many default accounts. Well, what are we going to do about it? So it's up to the chief risk officer toe oversee
a plan and a set of actions in order to mitigate the problems that were found
communicate risk management issues. So kind of that liaison between the day to day staff, the business owners the chief information officer, but ultimately to provide that communication across the various stakeholders and then supporting the risk management functions.
So supporting the risk manager arms or the risk
practitioner, which is gonna be us. Those of us that air see risks. Ah, were generally kind of somewhere in the middle here. Our job titles may vary, but ultimately we are risk practitioners. So it's our job to determine a process for dealing with risks.
We're gonna be the force that has the main impact on what our risk management strategy is.
We're gonna be responsible for defining key risk indicators, working with the business to come up with key performance indicator and indicators. We're gonna conduct assessments and determine if our controls are working properly.
And then ultimately we're gonna provide reports, Chief Risk officer, business leaders, chief information officer, just like we said. So we're all working together in with the purpose of furthering the risk management process