The Risk Owner
Which brings us to the “risk owner.” Depending upon the organization’s structure and mission, there may be people who are held accountable for decisions that accept or mitigate organizational risk. In my years of very unscientific surveys of enterprise information security professionals, my sense is that many enterprise-sized organizations let business leaders (usually, a vice president or above) decide about what risk to take, how much residual risk to accept rather than treat, and which attack vectors can remain unmitigated. But certainly, even in my casual (though lengthy) observation, organizations big, medium, and small differ, sometimes dramatically, with respect to exactly who can make these decisions.
Since one of the purposes of ARA is to uncover risks from digital systems, naturally the process is going to search for and find risk. Not all of that risk can be mitigated. And in some organizations, none of it will be mitigated until a decision maker chooses to apply a treatment.
In some organizations, the risk assessor may be empowered to make decisions, anywhere from making all the computer risk decisions to only those that fall within organization guidance, standards, or policies. A decision split that I have seen numerous times is constrained to where a risk can be entirely treated by following an organization standard or industry standard, or similar. The assessor is empowered to decide upon a design to fulfill the requirement. However, if the risk cannot be treated to at least an industry standard approach, then it must be “raised.”
Raising risk means bringing the untreated or residual risk to a decision maker for a risk decision. These decisions typically take one of three mutually exclusive forms: 
- 2. Craft an exception to treating the risk immediately, that is, “fix the risk later, on an agreed-upon schedule.”
- 3. Treat the risk immediately.
In order to raise a risk for a decision, one must know to whom to raise the risk. The person who can make this decision for an organization is the “risk owner.” This is the person or persons who have sufficient responsibility to the organization that matches the scope of the risk.
[R]isk owner: person or entity with the accountability and authority to manage a risk15
In large organizations, there may be an escalation path based upon the impact of the risk, from team, to group, to division, to enterprise. Depending upon how much of the entire organization may be impacted, the risk owner might escalate from the project team (project delayed or over budget), to the director for a group (operations of the group are impacted), to a vice president of a division, or even to the top tier of management for risks involving the reputation of the entire enterprise. In short, it is the impact of the risk that dictates at what level a decision can be made. But of course, there is subjectivity when scoping impact. Although this subjectivity needs to be acknowledged, it is still usually possible to ascertain the scope of impact in terms of organizational levels and boundaries. If in doubt, go up a level. It never hurts to have clear decision-making power. On the other hand, if a decision is made by those without the authority to make it, they put the organization at risk. Risk decisions made at a level insufficient to the scope of the impact will then likely be hidden from those that do have the authority. Impact surprises from risks that had previously been discovered but have not been made known to decision makers are rarely “fun.”
Before any assessments are performed, the assessor should have a firm grasp on just which roles have decision-making power over particular impact scopes. At each level (whether a single level or many), the role with the decision-making authority will be the risk owner. Having a clear understanding of just who is capable of making which decisions is critical so that any residual risk that is uncovered will be dealt with appropriately. Whether decisions are made collectively by all participants, or the organization has a strict hierarchy (with all decisions made at the top level), whatever the form, the assessor must understand the form and the roles. Given the difficult and changeable nature of cyber risk, there is sure to be residual risk for which hard decisions will need to be made, and risk assumed or treated.
Along with risk ownership is the escalation path of decision making. This is also an important prerequisite to assessment. Of course, fully collective organizations, where decisions are made by all the participants, have no formal, hierarchical escalation path. But that doesn’t mean that there’s no formal escalation path at all. The escalation might be from a working group to the governing body. In organizations that make decisions in a fully participatory manner, the escalation will be to a time and place where everyone can participate, where all can be a part of the decision.
In enterprises that make some decisions through some form of informal consensus, there is usually a deciding “vote” in case of a deadlock at each peer level. Typically, that structure will be the escalation path. And in the typical, hierarchical corporate or government organization, the decision making structure is usually laid out clearly. In these more hierarchical organizations, the security architect must understand just how much or how little each level may decide, to what amount of harm, and for what organizational scope of impact. This might be given in dollar amounts: Managers may decide for $15,000 of harm, which is confined to their team. Directors may have $50,000 discretion, with impact bounded strictly to the director’s group. And vice presidents might have $250,000 discretion, which is confined to their division. These numbers are merely examples, not a recipe. Each organization decides these things locally. The key is to find out some measure of risk discretion confined to impact to an organization boundary before having to escalate a risk. In other words, know who the risk owners are within the organization and for how much and how wide the risk owners may decide.
-  Assumption of the risk: “proceed without treatment,” that is, the organizationagrees to bear the burden of the consequences, should an impact occur.