Who Has Risk-Related Decision-Making Authority in Your Organization?

close-up-of-businessman-drawing-chain-of-interacti-2026-04-13-23-40-30-utc

By Brian Evans Insight Blog May 6, 2026

Best practice dictates that an information risk management strategy should align with the business and IT strategies to deliver the most effective outcomes. This involves translating the organization’s vision and mission into how resources are deployed to generate maximum value. The truth of the matter is that information risk management objectives can end up being in direct competition with other business objectives.

That’s why it becomes essential for any organization to define who is involved in risk-related decision making so that these individuals are empowered to ultimately make business-based risk management decisions. It is also important so that occasional unpopular positions can be made with a clearly documented mandate from the organization’s executive management. This is where the assignment of risk-related decision-making authority and accountability become critical to ensure the organization’s overall objectives are achieved.

Effective risk-related decision making is a key determinant of organizational success in protecting its information. It involves the assignment of decision-making rights and accountabilities.

Take the following points into consideration when selecting and assigning decision makers in your organization:

Assigning Decision-Making Authority

When assigning decision-making authority, start by articulating the decision that needs to be made. Then, determine the steps that should be carried out to reach a decision, who should provide input, and what activities are required to obtain such input. Next, determine who should decide, ensuring that the decision makers are equipped with the information to make a fact-based decision.

Defining Roles and Responsibilities

Clearly defined and documented roles, responsibilities and accountabilities should be part of the decision-making process because information risk management is inherently interdisciplinary and interdepartmental. This complexity requires a great deal of coordination if decision making is going to be effective. Without it, the process can lead to inconsistent or ill-informed decisions made by whoever may feel empowered or has the political clout. It can also lead to confusion and security lapses. Decision-making responsibility can be shared among various stakeholders. However, it is critical to delineate and clearly communicate each group’s role in the decision-making process. In some cases, particular stakeholders may be asked to provide input into a decision. But authority and responsibility for making the decision may reside elsewhere. When roles, responsibilities and accountabilities are clearly defined, efforts can be focused on those things that truly advance the organization’s objectives.

Aligning with Corporate Culture

Every organization has some type of informal rules that determine how things get done and the kinds of behavior that are acceptable. Risk-related decision-making authority should reflect and support the prevailing culture to maximize its effectiveness. If your organization is more hierarchical where the emphasis is on command and control, then the authority should reflect the organizational structure and chain of command through which decisions get made. If your organization gravitates towards consensus building, then steering committees, councils and teams should be established for collaborative decision-making authority. Whatever type of culture you work in, ensure that those with decision-making authority understand the decision-making process. The range of risk-related decisions can be broad, from policy or regulatory compliance to technical architecture to project prioritization. Ensure the decision-making authority aligns with your corporate culture.

Designating risk-related decision-making authority can be a challenging task. But risk is ultimately a business decision. As a result, risk-related decision making should no longer be solely owned and operated from the IT department. Consider these points to improve your overall risk management effectiveness.

Want to learn more? Contact us to discover how to define risk decision-making authority and strengthen your organization’s risk strategy.

Brian Evans

Principal Consultant, Security Governance at Presidio | + posts

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other".
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
Zoominfo	session	Zoominfo uses technologies to collect and store information when you interact with services it offer to their partners, such as advertising services or analytics. All of those processes are meant to improve your user experience and the overall quality of our services.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_111355416_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	This cookie is used to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_hjid	1 year	This is a Hotjar cookie that is set when the customer first lands on a page using the Hotjar script.
_hjIncludedInPageviewSample	2 minutes	This cookie is set to let Hotjar know whether the user is included in the data sampling defined by site's pageview limit.
_hjIncludedInSessionSample	2 minutes	This cookie is set to let Hotjar know whether the user is included in the data sampling defined by site's daily session limit.
_hjTLDTest	session	Hotjar test cookie to check the most generic cookie path it should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable). To determine this, we store the _hjTLDTest cookie for different URL substring alternatives until it fails. After this check, the cookie is removed.
oktgid	1 year	This cookie is used for storing the visitor ID of the user who clicked on an okt.to link.
oktsid	session	This cookie is used for storing the session ID of the user who clicked on an okt.to link.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by YouTube and is used to track the views of embedded videos on YouTube pages.

Cookie	Duration	Description
__gwtCookieCheck	session	This cookie is used to check if the visitors' browser supports cookies.
AnalyticsSyncHistory	1 month	These cookies are used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They remember that you have visited a website and this information is shared with other organizations such as advertisers.
li_gc	2 years	These cookies are used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They remember that you have visited a website and this information is shared with other organizations such as advertisers.
UserMatchHistory	1 month	LinkedIn - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.