Tuesday, October 14, 2008

Who's to Blame? The Better Question is "Who's Accountable?"

This week, Gartner Research is hosting its 2008 Annual Symposium in Orlando, Florida to discuss what is on the horizon for Information Technology professionals in the coming years. Several Gartner analysts unveiled what they see as the nine most contentious issues for IT professionals over the next two years. Risk management made the list as the third most contentious issue - specifically, determining the accountability for security and risk management as it relates to business applications. Here's what they had to say.
Issue 3: Business Accountability for Security and Risk Management. Security and risk management is not just an IT issue. It is essential that the IT risk manager, using effective communications skills, persuade the appropriate IT owners and line-of-business managers to accept explicit, written responsibility for residual risk impacting their systems and processes, on either a direct or a dotted-line basis. Risk managers should develop mechanisms for assignment and acceptance of residual risk and risk decisions, for example, signature forms, processes, and policies that address the requirement and execution of risk acceptance. The risk manager should also develop mechanisms to convey residual risk levels that remove reference to technology but still support good risk-based decisions at a business level that may result in the implementation of technical controls.

Understanding the risks well enough to establish the appropriate accountability structure in advance of a risk event is a key element for strong risk management.  Otherwise, energy that should be focused on proactively managing risks becomes focused on determining who should be blamed for the risk that resulted in a catastrophe. Do you agree? Please share your thoughts below.
