NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-29 Risk Management Program Leadership Roles

a. Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and
b. Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities.

Practitioner Notes

This control ensures that senior leaders across your organization — not just the CISO — have defined roles in the risk management program. Risk management is a leadership responsibility, not just an IT function.

Example 1: Define risk management roles for the CEO (risk acceptance authority), CFO (risk financing and insurance), CISO (technical risk management), and business unit leads (operational risk owners). Document these roles in your risk management strategy and communicate them organization-wide.

Example 2: Create a RACI chart (Responsible, Accountable, Consulted, Informed) for your risk management program that maps each major risk activity to the appropriate leader. Post this chart in your governance documentation and reference it during risk review meetings.