Check who can approve the risk level

See your organisation’s policies to know who is authorised to accept risk at each level for an information system.

When to approve risks

Once you’ve done your risk assessment, you need someone to accept the risk in relation to a public cloud service.

How to approve risks at the right level of reporting

It’s not practical for chief executives to approve all risk assessments.

Following your organisation’s risk framework, make sure you sign off risk assessments at the right level for reporting risks. The GCDO has an example of these levels of reporting.

Evaluate the risks: Who can accept risks in each zone

Previous contact with the approver

You might also have consulted the approver earlier in the risk assessment process.

Regardless, you still need to have their final sign-off on the completed risk assessment.

The approver signs off or declines to accept the risk

Sign-offs, also called ‘endorsements’, can be done using either:

Why sign-offs are important

These sign-offs show the:

  • risk assessment is complete — that is, all necessary steps have been finished
  • person at the right level of reporting has accepted the risk.

Risk assessment sign-offs are not complete certification and accreditation processes

See the New Zealand Information Security Manual (NZISM) for the complete certification and accreditation process.

System certification and accreditation — NZISM

More information about risk

For analysing risks during assessments, the Government Chief Digital Officer (GCDO) has guidance about finding the:

What happens next

Send your risk documents to the GCDO
