RISK EXECUTIVE (FUNCTION)
One of the most confusing positions introduced with the RMF is that of the risk executive
(function). This is due to the uniqueness of the requirements of this function and
the inability to map this function to a position that existed in the C&A process. While
the risk executive (function) is normally located at tier 1, it provides risk management
guidance to individuals at all tiers, including, but not limited to, senior leaders,
executives, chief information security officers, authorizing officials, business
process and information owners, enterprise architects, system security professionals,
and system administrators. In this way, the risk executive (function) serves as the
central point for information about the organization’s risk management process
and its current risk profile.
The risk executive (function) must look at risk from the organizational perspective
across a number of unique domains, including information security, personnel
security, physical security, and budget. Because the knowledge required is complex
and varied, the function can be filled by a group (normally a board), by a person,
or by an office supported by an expert staff or group within the organization that has
expert knowledge of the required domains. According to NIST SP 800-39, the risk
executive (function) coordinates with senior leaders and executives to: