After reading the title to this post, you’re likely thinking, “That’s a loaded question.” But as an IT auditor, we’re sure you have strong opinions on the topic. Given that departments within large (and at times small) businesses tend to work in silos, they may each have their own beliefs when it comes to the question of owning risk.

When it comes to whose day job risk is, that could vary depending on the organization, from the finance department to the IT department. The real owners of risk within the business are management, according to Keith Goldschmidt, Director of Risk & Compliance Solutions at Fastpath.

“Management needs to figure out how to properly communicate it throughout the organization to create a real risk culture within their company,” Goldschmidt told Internal Audit Insights during a recent interview.

Rather than being a function like information security or internal audit, Goldschmidt says that the actual owners of risk are whoever is going to own the business process, which makes it difficult to communicate and manage without getting to those business owners.

In the full video interview below, Goldschmidt discusses who the real owners of risk are within the enterprise, but also offers up insight on what IT audit can do to help streamline communication and do their part in creating a “risk culture” within the business.

MISTI's upcoming IT Audit & Controls Conference is just around the corner. Here's everything you need to know about this unique gathering for IT audit professionals.