Subscribe to the Non-Human & AI Identity Journal

Who is accountable when OT risk is communicated poorly to leadership?

Accountability sits with the security and operational leaders who own risk translation, because funding and response depend on how the threat is described. If executives only hear technical noise, they cannot prioritise correctly. OT governance needs a shared language for severity, reach, and duration that leadership can act on.

Why This Matters for Security Teams

When OT risk is not translated into business language, leadership often sees only abstract technical alarms instead of operational impact. That creates a governance gap: plant safety, production continuity, regulatory exposure, and recovery time are all real risks, but they are not equally visible unless someone is accountable for framing them clearly. The right question is not just whether a vulnerability exists, but what it means for uptime, safety boundaries, and recovery sequencing. The NIST Cybersecurity Framework 2.0 is useful here because it emphasises governance and communication, not just technical safeguards.

In practice, accountability usually sits with the security leader, OT owner, and operational risk owner together, because each holds part of the context needed to make the risk legible. Security teams may understand exploitability, while plant leadership understands process dependency and safety tolerance. If those perspectives are not merged, decision-makers can underfund the wrong control, delay mitigation, or accept risk without real awareness of the consequences. In practice, many security teams encounter accountability failures only after an outage, audit finding, or safety event has already exposed the missing translation layer.

How It Works in Practice

Effective OT risk communication starts with assigning ownership for the message, not just the asset. Security teams should provide the technical evidence, but operational leaders must help translate that evidence into production and safety terms. That means describing likelihood, blast radius, duration of disruption, compensating controls, and the time needed to recover if a controller, historian, or engineering workstation is affected.

A practical approach is to build a shared risk narrative that leadership can act on. Instead of presenting a list of vulnerabilities, frame the issue around business outcomes such as shutdown risk, manual workaround limits, supplier impact, or safety instrumented system dependency. Where possible, map the issue to governance and control expectations in NIST SP 800-53 Rev 5 Security and Privacy Controls, especially controls for risk assessment, incident response, contingency planning, and system monitoring.

  • Define who owns the technical analysis, who validates operational impact, and who approves escalation.
  • Use severity bands that reflect production loss, safety exposure, and restoration time, not only CVSS-style scoring.
  • Present one-page summaries for executives, with clear decisions required, options, and tradeoffs.
  • Document assumptions, because OT environments often contain legacy systems, vendor dependencies, and maintenance windows that change the real risk picture.
  • Test the communication path during tabletop exercises so leadership hears risk before a live incident forces action.

This model works best when OT, security, engineering, and business leadership share a common risk taxonomy and regularly review it. These controls tend to break down when outsourced operations, fragmented asset ownership, or undocumented plant dependencies prevent a single leader from confirming the true business impact.

Common Variations and Edge Cases

Tighter risk reporting often increases coordination overhead, requiring organisations to balance speed of escalation against the effort needed to verify operational consequences. That tradeoff becomes especially visible in distributed industrial environments, where site-specific processes, vendor-managed systems, or 24/7 production constraints make a single standard message too coarse for decision-making.

There is no universal standard for OT risk language yet, so current guidance suggests adapting the message to the audience without changing the underlying facts. For a plant manager, the critical issue may be downtime hours and restart complexity. For a board member, the concern may be safety, compliance, and resilience of revenue streams. For a regulator or insurer, the focus may be evidence of due diligence and recovery discipline. The accountability challenge is that each audience needs a different framing, but the message must remain consistent.

Edge cases also appear when a cyber issue crosses into physical process risk or when leadership assumes that IT-style response metrics are sufficient. In those situations, accountability should be explicit: the risk owner is responsible for communicating impact, the operational owner is responsible for validating feasibility, and executive leadership is responsible for deciding on acceptance, mitigation, or shutdown. The strongest programmes treat this as a governance function, not a one-off reporting task.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 provides the primary governance reference for this topic.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.RM-01 Risk communication depends on governance roles and shared risk decision-making.

Assign clear risk owners and define how OT risk is escalated into business decisions.