Framework Category

Risk Management Strategy

Risk Management Strategy defines how an organization identifies, evaluates, and responds to cybersecurity risks.

It includes setting clear objectives, articulating risk appetite and tolerance, integrating with broader enterprise risk processes, and establishing consistent communication and prioritization methods—covering both threats and opportunities.

Implementation Questions

GV.RM-01

Risk management objectives are established and agreed to by organizational stakeholders

Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?

Regular updates to cybersecurity risk management objectives ensure alignment with evolving business goals and the changing threat landscape. This process should incorporate both short-term tactical objectives and long-term strategic goals, with updates triggered by annual planning cycles and significant events such as mergers, new regulations, or major security incidents.

Has your organization established measurable objectives for cybersecurity risk management?

Measurable objectives provide concrete targets that enable an organization to track progress in managing cybersecurity risks. Examples include metrics for user training completion rates (e.g., 95% of employees complete security awareness training), incident response time targets (e.g., critical vulnerabilities remediated within 48 hours), or specific risk reduction goals for critical systems (e.g., reduce high-risk findings in industrial control systems by 50% year-over-year).

Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?

This question assesses whether the organization's leadership has a unified approach to cybersecurity with clear, measurable objectives that drive risk management decisions and performance evaluation. When senior leaders agree on cybersecurity objectives, it ensures consistent prioritization, resource allocation, and accountability throughout the organization. These objectives should be specific enough to measure progress and effectiveness of the security program.

GV.RM-02

Risk appetite and risk tolerance statements are established, communicated, and maintained

Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?

Risk appetite statements define the types and amounts of risk an organization is willing to accept in pursuit of its objectives. These statements should be tailored to different business functions and should guide decision-making processes when evaluating security controls, investments, and operational procedures. Without clear risk appetite statements, organizations may implement inconsistent security measures or make decisions that expose them to unacceptable levels of risk.

Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?

Risk appetite statements are typically broad declarations about an organization's willingness to accept risk, while risk tolerance metrics provide specific thresholds that define acceptable risk levels in quantifiable terms. For example, a risk appetite statement of 'low tolerance for customer data breaches' might be translated into measurable metrics such as 'zero critical vulnerabilities in customer-facing applications' or 'maximum 4-hour response time for security incidents involving customer data.' This translation enables consistent decision-making and clear accountability across the organization.

Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?

This question assesses whether your organization regularly evaluates and adjusts its risk tolerance thresholds and strategic objectives in response to changing threat landscapes and actual risk exposure. As business conditions, technologies, and threats evolve, organizations need to recalibrate their risk appetite to ensure security controls remain aligned with business priorities and acceptable risk levels. Without this periodic refinement, security controls may become misaligned with actual business needs or fail to address emerging risks adequately.

GV.RM-03

Cybersecurity risk management activities and outcomes are included in enterprise risk management processes

GV.RM-04

Strategic direction that describes appropriate risk response options is established and communicated

Has your organization established documented risk acceptance criteria for different data classifications?

Risk acceptance criteria define the thresholds at which your organization is willing to accept, mitigate, transfer, or avoid cybersecurity risks based on data sensitivity levels. These criteria should align with your data classification scheme (e.g., public, internal, confidential, restricted) and specify different handling requirements for each level. For example, risks to public data might have higher acceptance thresholds than those affecting restricted data containing regulated information.

Has your organization evaluated and determined whether to purchase cybersecurity insurance coverage based on your risk profile?

Cybersecurity insurance provides financial protection against losses from cyber incidents such as data breaches, ransomware attacks, business interruption, and third-party liability claims. The evaluation process should consider your organization's specific threat landscape, existing security controls, regulatory requirements, and potential financial impact of security incidents.

Has your organization documented the conditions under which shared responsibility models with third parties are acceptable for cybersecurity functions, financial transactions, and cloud services?

Shared responsibility models define which security controls are managed by your organization versus those managed by vendors or partners. Clear documentation helps prevent security gaps where each party assumes the other is responsible for a particular control. This is especially important for outsourced cybersecurity functions, financial transaction processing, and cloud service usage where responsibilities often overlap.

GV.RM-06

A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated

Has your organization established formal criteria for when to use quantitative risk analysis methods, including defined probability and exposure formulas?

Quantitative risk analysis assigns numerical values to both the probability of security incidents and their potential impact, enabling more objective decision-making for resource allocation. Organizations should have clear guidelines specifying when quantitative methods are appropriate (versus qualitative approaches) and document the specific mathematical formulas used to calculate risk scores, probability distributions, and financial exposure values.

Does your organization use standardized templates or tools to document and track cybersecurity risk information?

Using standardized templates like risk registers ensures consistent documentation of risk details including descriptions, potential impact, mitigation strategies, and ownership. This structured approach helps organizations maintain visibility of their risk landscape, track remediation efforts, and support informed decision-making about resource allocation.

Has your organization established formal criteria for prioritizing identified risks across different levels of the enterprise?

Risk prioritization criteria help organizations make consistent decisions about which risks require immediate attention versus those that can be addressed later or accepted. These criteria should be tailored to different organizational levels (e.g., strategic, operational, project) and consider factors such as potential financial impact, regulatory compliance implications, and effect on business operations.

Has your organization established and implemented a standardized taxonomy of risk categories for consistent cybersecurity risk assessment and comparison?

Using standardized risk categories enables organizations to effectively integrate risk data across different business units, compare risks using common terminology, and make informed decisions about risk prioritization. Without consistent categorization, organizations may struggle to aggregate risk information, potentially missing critical patterns or underestimating cumulative impacts of similar risks across different systems or departments.
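As an added illustration of GV.RM-06 (not code from the original page or from ResponseHub), here is a small Python risk register that applies one standardized taxonomy, one exposure formula and one set of tolerance bands to every entry, so that risks from different units can be compared and prioritized consistently. The category names, the expected-annual-loss formula and the thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Assumed taxonomy: every register entry must use one of these categories,
# otherwise risks from different units cannot be aggregated or compared.
CATEGORIES = {"data_breach", "availability", "third_party", "compliance"}

# Assumed risk tolerance bands, expressed as expected annual loss in currency
# units; exposure above the "review" band must be treated immediately.
TOLERANCE = {"accept": 10_000, "review": 100_000}


@dataclass
class Risk:
    rid: str
    category: str
    probability: float  # annual likelihood of the scenario, 0..1
    impact: float       # single-event loss in currency units
    owner: str          # accountable role recorded in the register

    def __post_init__(self):
        # Reject entries that would break the standardized method.
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.rid}: unknown category {self.category!r}")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.rid}: probability must lie in [0, 1]")


def exposure(r: Risk) -> float:
    """Assumed documented formula: expected annual loss = probability x impact."""
    return r.probability * r.impact


def response(r: Risk) -> str:
    """Map an entry's exposure onto the documented tolerance bands."""
    e = exposure(r)
    if e <= TOLERANCE["accept"]:
        return "accept"
    if e <= TOLERANCE["review"]:
        return "mitigate"
    return "treat_now"


def prioritize(register):
    """Order the register by exposure, highest first; ties broken by id."""
    return sorted(register, key=lambda r: (-exposure(r), r.rid))


# Constructed sample register (values are illustrative, not real findings).
REGISTER = [
    Risk("R-1", "data_breach", 0.20, 1_500_000, "ciso"),
    Risk("R-2", "availability", 0.50, 40_000, "ops"),
    Risk("R-3", "compliance", 0.05, 100_000, "legal"),
]
```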

GV.RM-07

Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions

Has your organization established and documented a formal process for identifying and incorporating opportunities into risk management discussions?

This question assesses whether your organization has a structured approach to identify potential opportunities alongside risks, such as through SWOT analysis or similar frameworks. Having a formal process ensures that positive outcomes and strategic advantages are considered alongside threats and vulnerabilities when making risk-based decisions.

Has your organization identified and documented stretch goals for security improvements beyond current compliance requirements?

Stretch goals represent aspirational security objectives that exceed minimum compliance requirements and demonstrate commitment to continuous security improvement. These goals should be documented, measurable, and aligned with the organization's overall security strategy and risk appetite. Examples include achieving a higher maturity level in a security framework, implementing advanced security technologies, or reducing incident response times beyond industry standards.

Does your organization have a documented process for calculating, documenting, and prioritizing both positive and negative risks?

This question assesses whether your organization considers both threats (negative risks) and opportunities (positive risks) in your risk management framework. Positive risks represent potential benefits or advantages that could arise from certain scenarios, while negative risks represent potential harm or disadvantages.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub