APPENDIX 2: ESTABLISHING AN INFORMATION RISK TSAR – Managing Information Risk: A Director's Guide


The establishment of the role of Senior Information Risk Officer (SIRO) is one of several measures to strengthen controls outlined in a recent Cabinet Office report, Guidance on the Department Information Risk Handling. The SIRO should be an executive or senior manager on the board who is familiar with information risks and with the organisation's response to those risks.

Sometimes also referred to as the 'risk executive function', the SIRO provides senior leadership input and oversight for all information risk management. More than that, the SIRO is the voice for IT security issues in the boardroom and the board's advocate for information risk management.

The SIRO will normally take ownership of the entire risk assessment process and provide a focal point to which lower-level managers can escalate risk concerns. Sitting at the top of this reporting pyramid, the SIRO provides the organisation-wide view in which all sources of risk are considered together, including the aggregated risk that arises when individually acceptable risks from separate information systems are combined.