Defined Roles Demonstrate Maturity and Repeatability
Have you ever heard the saying that if Everybody thinks Somebody is going to do something, then Nobody actually does it?
That’s especially true with Risk Management.
One of the most common reasons that Risk Management programs fail is simple: no one knows who owns what. Everybody assumes Somebody else is doing Risk Management — and in the end, Nobody does it.
CMMC requires clear accountability – not assumptions.
Let’s talk about the key roles required in a CMMC-aligned Risk Management program, who fulfills them, and how to formally assign responsibility so your program will hold up during an assessment.
In CMMC, processes must be institutionalized. That means Risk Management cannot live in one person's head or depend on one person's initiative. Instead, it must be assigned as an organizational responsibility with documented roles, so the process keeps running the same way regardless of who holds the job.
What if you’re a small business, and there is only one individual? The truth is, one person can fulfill multiple roles — and that’s okay depending on your organizational structure. What matters is not how many people you have, but that the roles are clearly defined and formally assigned.
There are four primary roles in a compliant risk management structure.
First is the Risk Executive Function.
This is the person or organization that provides overall governance and makes final risk decisions. This is where the buck stops.
Next is the System Owner.
The System Owner is responsible for the system where the risk exists, for example, a system that processes CUI in a CMMC environment. This person answers for ensuring that risks associated with that system are addressed appropriately.
Third is the Information Security Officer or IT Manager.
This role identifies technical risks and recommends mitigations. It is the role that is consulted when risks are identified and evaluated.
Finally, there are Process Owners and Functional Stakeholders.
These are the people on the ground, the ones who actually do the work. They identify operational impacts and remediation priorities, and they are kept informed of risks and of Risk Management decisions.
We often describe these roles using what’s called a RACI chart.
RACI stands for Responsible, Accountable, Consulted, and Informed.
In RACI, Accountable is the single role that answers for the outcome and signs off on it; Responsible is whoever does the work. For example, the Risk Executive Function (maybe the CEO) is Accountable for final risk decisions, because that is where the buck stops. In an electronics shop, the floor supervisor might be the System Owner and therefore Responsible for seeing that risks to that system are addressed. The IT manager and team leads are Consulted because they identify technical risks and recommend mitigations. And the functional stakeholders are Informed so they understand the risks and the decisions that have been made. A quick sanity check on any RACI chart: every activity has exactly one A, and no role is left blank for the activities it actually performs.
For Risk Management to be credible, decisions must be made by the proper authority. Only designated leadership — such as the CEO, CIO, or senior management — can formally accept risk.
These roles and authorities must be formally documented in your Risk Management Policy. That documentation becomes objective evidence during your CMMC assessment.
Once again, in small businesses, one person may fulfill multiple roles — and that’s fine. What matters is that the roles are defined and assigned, not how many people they’re assigned to.
Now that your organization has clearly defined roles and authority, the next step is to decide how you will assess and score risk.
In the next edition of CMMC Today, we’ll explore the three main Risk Assessment methodologies — quantitative, qualitative, and hybrid — and help you choose which one is right for your CMMC program.