Develop and implement the organizational business logic for risk management, and ensure risk management is performed according to that business logic.
The organization's risk context, including mission, mission priorities, stakeholders, objectives, and direction, is understood.
Organizational mission, vision, and authorities are understood and considered.
Internal and outside stakeholder groups that affect or are affected by the organization are identified.
The priorities, expectations, and effects of outside stakeholder groups are understood and considered.
The priorities, expectations, and effects of internal stakeholder groups are understood and considered.
Organizational charter, expectations, and objectives are aligned, prioritized, and communicated as risk context.
Mission/business functions and criticality are communicated as risk context.
Positions, duties, and authorities for risk governance and management are established and communicated.
Risk governance roles and responsibilities are established and communicated.
Risk management roles and responsibilities are established and communicated.
The policies to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood.
Risk management stances, activities, appetites, roles, and authorities are established and communicated.
Organizational stances, activities, roles, and authorities that affect risk management are aligned with risk policies and appetite.
Organizational stances, activities, roles, and authorities that are affected by risk management are aligned with risk policies and appetite.
Methods, criteria, and expectations for discovering and distinguishing risk are established, communicated, and followed.
High-level organizational risks are periodically catalogued, categorized, and communicated.
Risk appetite statements are developed and periodically communicated to risk management programs.
Risk tolerance statements are created as more specific translations of risk appetite statements and communicated to risk management programs as a basis for identifying risk.
Risk scenarios that describe assets, threats, vulnerabilities, probabilities, and impacts are crafted and communicated.
Methods, criteria, and schedules for expressing and explaining risk are established, communicated, and followed.
Mandatory and voluntary disclosure decisions are informed through an enterprise risk profile and performed on a scheduled or as-needed (e.g., incident disclosure) basis.
An enterprise risk communication format is established, communicated, and used as the basis for communication with risk management programs.
Criteria for immediate and periodic escalation of program risks are established, communicated, understood, and used as the basis for risk communication.
Criteria for transfer or elevation of risk ownership are established, communicated, understood, and used as the basis for risk communication.
Risk governance is adapted based on changes in organizational objectives, risk exposure, and residual risk.
Risk appetite is adjusted based on changes in organizational objectives, risk exposure, and residual risk.
Strategic opportunities (aka positive risks) are adjusted based on changes in organizational objectives, risk exposure, and residual risk.
Strategic priorities are adjusted based on changes in organizational objectives, risk exposure, and residual risk.
Risk is identified and addressed by risk management programs according to the criteria and expectations of risk governance.
Risk appetite statements and related contextual information are understood and applied by risk management programs.
Assigned roles, responsibilities, and authorities are understood and implemented by risk management programs.
Organizational risk management policy and policies affecting risk management are understood and implemented by risk management programs.
Risk tolerance statements are used by risk management program personnel as a basis for identifying risk.
Risk is identified, adjudicated, and tracked by risk management programs according to published formats.
Risk is communicated and transferred by risk management programs according to published escalation and elevation criteria and process.
Risk management programs provide feedback for adjustment of risk appetite, opportunities, and strategic priorities.
Continuously identify and address risks in accordance with the organization's risk management policies, processes, and priorities.
Risk events for the organization are catalogued and recorded.
The assets (data, personnel, devices, systems, facilities, third-party services, etc.) that enable the organization to achieve its objectives are identified along with the assets' relative importance to those objectives and the organization's strategy.
Threats against the organization's assets are identified and documented.
Vulnerabilities of the organization's assets are identified and documented.
Potential consequences for the organization's assets are identified and documented for each risk.
Risks are categorized in anticipation of future grouping and combination.
Risk events are assessed for likelihood, impact, and exposure.
The likelihood of each risk event is estimated using risk assessment techniques and probability models.
The impact of each risk event is estimated using risk assessment techniques that take into consideration both tangible and less tangible impacts, including secondary/cascading impacts, and the estimated impact is recorded.
Key risks are ranked for response decisions.
The exposure presented by each risk is determined using qualitative and/or quantitative models and recorded.
The risks are prioritized based on exposure and other factors using qualitative and/or quantitative models, and the priorities are recorded.
Risk responses are developed, costed, decided, described, assigned, and executed.
The exposure associated with each risk is checked against risk tolerance statements to determine which risks need to be transferred, mitigated, or avoided to achieve technical and/or data objectives.
For each risk that needs to be transferred, mitigated, or avoided, the appropriate risk response option that will achieve business objectives and comply with risk guidance from leadership is identified, planned, costed, and recorded, along with the estimated cost of applying the risk response.
A risk owner is assigned for each risk response.
Plans for implementing risk responses are documented.
Risk responses that will take an extended period of time or require additional funding to fully enact are recorded and tracked.
Risk analysis is revised after risk responses are determined to reflect the envisioned reduction of likelihood and impact from each risk response.
Controls are implemented or adjusted to perform risk response plans.
Residual risk is forecasted for each risk after risk responses are decided.
Risks are checked and assessed, and risk responses are adapted as needed.
Risk conditions are continually monitored against risk tolerance to ensure conditions remain within acceptable levels.
The effectiveness of risk responses is evaluated against objectives to identify risk that exceeds acceptable levels.
Findings from audits and risk assessments are analyzed to identify changes in risk and the effectiveness of risk responses.
When risk exceeds risk tolerance, changes to risk responses are identified and planned.
Risk tolerance statements and budgets are adjusted as needed to reflect appropriate risk responses.
Risk response plans are updated as needed to include monitoring and measurement milestones that can trigger the release or repurposing of management reserve resources.
Controls are adjusted to implement changes to risk response plans.
Changes to risks are identified and tracked.
Information on risks is recorded and disseminated.
Details regarding the considerations, assumptions, and results of risk management activity are documented.
Risks that match escalation criteria are periodically communicated to higher-level risk managers.
Risks that match elevation criteria are transferred to higher-level risk managers for ownership assignment.
Risks that match urgent escalation or elevation criteria are communicated immediately to higher-level risk managers.
Errors in risk management are reduced through root-cause analysis and the implementation of refinements.
Lessons learned while identifying and addressing risks are communicated to leadership.
Risk management is refined based on analysis of, and feedback on, circumstances involving implicit risk acceptance.