Roles

The Canvas Board

The Canvas Board decides on the prioritization of risks and measures, risk treatment, priorities, measures, actions and action owners, measurement methods, and targets (intended effectiveness), as proposed by the Teams.

The composition of the Canvas Board depends on the structure and role distribution within the organization, but typically includes:

  • the business owners – they are ultimately the risk owners and must decide whether and when a residual risk may be accepted and whether measures are workable;

  • the CEO or General Director, who makes the decision when the business owners cannot reach an agreement;

  • the CISO, who is responsible (by delegation) for information security and the operation of the ISMS;

  • the Compliance Officer and/or Data Protection Officer and/or Quality Manager, who is responsible (by delegation) for compliance with relevant laws, regulations, and internal standards;

  • the CIO, who is responsible (by delegation) for the implementation of (technical) security measures, possibly in collaboration with the IT provider.

Team Captain

Responsible for the preparation, execution, and reporting of their team's workshops. Represents the interests of their team in the Alignment Meeting. Reports on the progress and effectiveness of the Canvas Method in the Management Review.

Risk Owner

The business owner owns the risks that affect their business process and information assets. They decide whether a (residual) risk may be accepted.

Typically, this is the manager of the organizational unit where a risk exists. They may decide (in the Alignment Meeting) whether a risk is acceptable (unless there are reasons outside their department to deviate from this).

Workshop Facilitator

Guides the Workshops themselves. Is not a member of the Team and has no vested interest in the decisions being made. The Workshop Facilitator is a process guide; the Team makes the decisions.

Must have knowledge of the domain in which the method is applied (i.e., information security), as well as of the processes and context of the Team and the organization.

Canvas Team

A Canvas Team is a group of employees who participate in a cycle of workshops. The team represents a particular department or functional group within the organization. The team must feel free to discuss risks and measures without being held accountable for them. It is therefore often not advisable to include a hierarchical superior in the team, as this may lead other participants to exhibit socially desirable behavior and either not mention certain risks or describe them differently.

Participant

TBD.
