- A dedicated committee or council exists to consider IT risk.
- The council meets at regular intervals.
- Risk events are owned and monitored by Business stakeholders.
- Business stakeholders participate in council meetings and are always consulted on changes to risk posture.
- Management & the Board sign off on all action plans for non-negligible IT risk.
- The CRO holds accountability for executing the risk management program.
- Accountability for IT risk decisions is held by the CEO.