The “Hot Potato Problem” Of Insider Risk
- Boaz Fischer

- 5 days ago
- 1 min read
Why Fragmented Ownership Leaves Organisations Vulnerable

Ask an executive team who owns insider risk, and you will often see a pause. Not because people don’t care, but because the problem doesn’t sit neatly within one function.
It crosses HR, IT, Security, Legal, and Risk. Each team holds part of the picture.
No one holds all of it.
The result is predictable.
HR sees disengagement but doesn’t know what to escalate. IT removes access at exit but misses the weeks of unusual downloads beforehand. Security sees alerts but lacks the people context to judge whether they matter. Legal becomes involved only once the evidence is clear, which is usually too late.
Each function optimises for its own role. But risk doesn’t stay within those boundaries. It moves, quietly, between them.
This is the “hot potato” problem. Responsibility is passed from one team to the next, with the assumption that someone else will catch it. By the time it lands, it’s already too late.
This doesn’t mean the organisation lacks maturity. It means maturity exists in parts, not as a complete capability.
Boards are told: training is complete, access is controlled, monitoring is in place.
But no one is joining the dots.
And without that, the organisation isn’t in control. It’s just informed in fragments.
The real governance question isn’t: Which team owns insider risk? It’s: Who is responsible for bringing it together?
Because insider risk doesn’t fail within functions. It fails between them.