Risk Management Should Drive Organizational Accountability

Ownership and accountability for risk doesn’t belong to the GRC or ERM team. Drata's CISO shares his view on who owns business risk.
by Elliot Volkman

October 14, 2022

Who owns the decision to accept the risk? In the view of Drata's CISO, Ross Hosman, it's not the governance, risk, and compliance (GRC) or enterprise risk management (ERM) teams.

In his recent on-demand webinar about measuring your risk management program's effectiveness, Ross explains his take on risk ownership and accountability. You can watch the full video here, but if you'd like a snapshot of his take, keep reading.

Determining Risk Ownership

Early in the webinar, Ross introduces the concept of risk owners and risk acceptors. Neither of these roles belongs to the GRC or ERM teams. The responsibility for accepting and owning risk falls on the company’s leadership—the people whose decisions create that risk. They must own the consequences of their decisions and ensure the business only takes appropriate risks.

Without executive accountability, risk ownership falls on the GRC or ERM teams—even though they lack the authority to change the business.

When and How to Accept Risk

GRC and ERM teams can only manage risk. They may even reject decisions that expose the business to unacceptable risks. But they do not own the risk.

Risk managers must assess a risk based on its impact on the business and present their conclusions to the executive team. Accepting a high-impact risk is not possible. Instead, the risk owner must take responsibility for transferring, mitigating, or fixing the risk.

Accepting a low-impact risk depends on the executive team’s risk tolerance. But it’s still an executive decision, and they are accountable if that risk causes an incident.

Measuring the Effectiveness of Risk Management

Understanding the business perspective of managing risk is only one piece of the puzzle when it comes to measuring how effective a risk management program is. To learn more, watch the full on-demand webinar with Drata's CISO. 

If you’re looking to improve and automate your risk management program, schedule some time with our team and see how Drata can help you stay ahead of potential threats.
