Identifying the Management Structure

The management structure refers to how responsibilities are assigned. When the scope of the risk assessment is defined, keeping the scope within the ownership of a single entity is helpful. Working with one entity allows for easier implementation of recommendations.

A small organization may have a single information technology (IT) division that is responsible for all IT systems and processes. Because its staff members control all IT systems, they can implement recommendations for any of the systems.

However, a larger organization may have several IT divisions. In this case, various managers or management teams oversee different IT systems, and each manager has different responsibilities. For example, an organization may have the following divisions for IT management:

  • Network infrastructure—This division is responsible for all the routers and switches in the network and may include all the firewalls.
  • User and computer management—This division performs the day-to-day management of the network and accounts and may also include basic security measures. For example, the Group Policy tool can manage accounts in a Microsoft domain, and administrators who manage the Microsoft domain would manage Group Policy.
  • Email servers—Some larger organizations have 10 or more email servers and trained personnel dedicated primarily to managing them. These personnel ensure email delivery and manage spam filtering and malicious attachments.
  • Web servers—An organization can have dozens of web servers configured in one or more web farms. A web farm can generate a significant amount of revenue and have dedicated personnel to manage it.
  • Database servers—Many organizations have a large amount of data stored in databases. Large databases are stored on dedicated servers. The knowledge needed to manage these servers is specialized, so some organizations have dedicated database administrators to manage them.
  • Configuration and change management—This division oversees configuration settings and changes to either all servers or all systems. The team members may be responsible for building new servers, and they coordinate and document all change requests.

NOTE

Group Policy is an automated management tool. A policy can be set once and apply to all users and computers in the domain. For example, a password policy can be set that applies to all users, which can ensure that users use strong passwords and regularly change them.
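As an added example (not part of the original text), the following PowerShell script shows how an assessor reviewing the division that owns Group Policy might check the domain-wide password policy described above against a baseline. It assumes the ActiveDirectory module (RSAT) on a domain-joined, authenticated machine; the baseline values are illustrative assumptions, not figures from the text.

```powershell
# Added example: audit the default domain password policy that Group Policy
# applies to every user, and list findings for the policy's owners.
# Assumes the ActiveDirectory module is available and the session can query the domain.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# Assumed baseline for illustration; replace with the organization's own standard.
$baseline = @{
    MinPasswordLength    = 14
    MaxPasswordAgeDays   = 90    # upper bound that still forces regular changes
    PasswordHistoryCount = 24
    LockoutThreshold     = 10    # 0 means accounts never lock out
}

$findings = @()

if ($policy.MinPasswordLength -lt $baseline.MinPasswordLength) {
    $findings += "MinPasswordLength is $($policy.MinPasswordLength); baseline is $($baseline.MinPasswordLength)"
}
if (-not $policy.ComplexityEnabled) {
    $findings += "Password complexity requirements are disabled"
}
# A zero or negative age means passwords never expire, so users are never forced to change them.
$maxAgeDays = $policy.MaxPasswordAge.TotalDays
if ($maxAgeDays -le 0 -or $maxAgeDays -gt $baseline.MaxPasswordAgeDays) {
    $findings += "MaxPasswordAge is $maxAgeDays days; baseline is at most $($baseline.MaxPasswordAgeDays) and never 'unlimited'"
}
if ($policy.PasswordHistoryCount -lt $baseline.PasswordHistoryCount) {
    $findings += "PasswordHistoryCount is $($policy.PasswordHistoryCount); baseline is $($baseline.PasswordHistoryCount)"
}
if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $baseline.LockoutThreshold) {
    $findings += "LockoutThreshold is $($policy.LockoutThreshold); baseline is 1 to $($baseline.LockoutThreshold)"
}
if ($policy.ReversibleEncryptionEnabled) {
    $findings += "Reversible password encryption is enabled; passwords are recoverable in cleartext"
}

# Report in a form that can go straight into the assessment's recommendations.
if ($findings.Count -eq 0) {
    Write-Output "Default domain password policy meets the assumed baseline."
} else {
    Write-Output "Findings for the Group Policy owners (user and computer management division):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Fine-grained password policies (password settings objects) can override the default policy for specific groups, so a complete review also lists those with Get-ADFineGrainedPasswordPolicy -Filter *.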

A small organization may perform a risk assessment for many systems at the same time. However, a larger organization will likely separate the risk assessments. For example, a large organization hosts e-commerce websites. Elements of the websites include web servers, database servers, and firewalls. However, various divisions within the organization manage these different elements. One division manages the web servers; another division manages the database servers; and a third division manages network security, including the firewalls. Performing a single risk assessment on all three elements can be challenging, and this is especially true when implementing recommendations. Managers in the different divisions might have competing goals, schedules, and priorities.

However, if the organization assesses a single division at a time, the results are easier to implement. For example, three separate risk assessments could be performed, one each for the web servers, database servers, and firewalls. Each assessment would have specific recommendations targeted for the owners of the system.
