Framework Category
Risk Management Strategy
Risk Management Strategy defines how an organization identifies, evaluates, and responds to cybersecurity risks.
It includes setting clear objectives, articulating risk appetite and tolerance, integrating with broader enterprise risk processes, and establishing consistent communication and prioritization methods—covering both threats and opportunities.
Implementation Questions
GV.RM-01
Risk management objectives are established and agreed to by organizational stakeholders
Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?
Regular updates to cybersecurity risk management objectives ensure alignment with evolving business goals and the changing threat landscape. This process should incorporate both short-term tactical objectives and long-term strategic goals, with updates triggered by annual planning cycles and significant events such as mergers, new regulations, or major security incidents.
Has your organization established measurable objectives for cybersecurity risk management?
Measurable objectives provide concrete targets that enable an organization to track progress in managing cybersecurity risks.
Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?
The focus here is leadership alignment: whether senior leaders have set and agreed on measurable cybersecurity objectives that steer risk decisions and gauge performance. Agreement among senior leaders on cybersecurity objectives ensures consistent prioritization, resource allocation, and accountability throughout the organization. These objectives should be specific enough to measure the progress and effectiveness of the security program.
GV.RM-02
Risk appetite and risk tolerance statements are established, communicated, and maintained
Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
Risk appetite statements define the types and amounts of risk an organization is willing to accept in pursuit of its objectives.
Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?
Risk appetite statements are typically broad declarations about an organization's willingness to accept risk, while risk tolerance metrics provide specific thresholds that define acceptable risk levels in quantifiable terms.
Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?
Risk appetite is rarely static. Reviewers want to know whether your organization formally reviews and updates its risk appetite and objectives in light of current risk exposure and residual risk levels.
GV.RM-03
Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
Does your organization integrate cybersecurity risk management into its enterprise risk management framework?
Integration of cyber risk into enterprise risk management is what's being assessed, specifically whether cybersecurity risks are weighed alongside financial, operational, compliance, and reputational risks rather than in isolation. Integrating cybersecurity into the broader risk management framework ensures consistent risk evaluation, prioritization, and resource allocation across the organization.
Is your cybersecurity risk management function integrated into your organization's enterprise risk management (ERM) processes?
Integration is the focus here: reviewers want to see cybersecurity risk managed within your broader enterprise risk management (ERM) processes rather than in a silo. Effective integration ensures cybersecurity considerations influence strategic business decisions, resource allocation, and risk acceptance thresholds across the enterprise.
Has your organization established formal criteria for escalating cybersecurity risks to senior management within your enterprise risk management framework?
Cybersecurity risk escalation criteria define the thresholds, conditions, and processes for elevating significant security concerns to appropriate leadership levels for awareness and decision-making. Without clear escalation paths, critical security issues may remain unaddressed at operational levels, potentially leading to delayed responses to serious threats or incidents.
GV.RM-04
Strategic direction that describes appropriate risk response options is established and communicated
Has your organization established documented risk acceptance criteria for different data classifications?
Risk acceptance criteria define the thresholds at which your organization is willing to accept, mitigate, transfer, or avoid cybersecurity risks based on data sensitivity levels.
Has your organization evaluated and determined whether to purchase cybersecurity insurance coverage based on your risk profile?
Cybersecurity insurance provides financial protection against losses from cyber incidents such as data breaches, ransomware attacks, business interruption, and third-party liability claims. The evaluation process should consider your organization's specific threat landscape, existing security controls, regulatory requirements, and potential financial impact of security incidents.
Has your organization documented the conditions under which shared responsibility models with third parties are acceptable for cybersecurity functions, financial transactions, and cloud services?
Shared responsibility models define which security controls are managed by your organization versus those managed by vendors or partners. Clear documentation helps prevent security gaps where each party assumes the other is responsible for a particular control. This is especially important for outsourced cybersecurity functions, financial transaction processing, and cloud service usage where responsibilities often overlap.
GV.RM-05
Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
Has your organization established a formal process for reporting cybersecurity posture metrics to senior executives, directors, and management at defined intervals?
Regular reporting of cybersecurity metrics to leadership ensures strategic alignment, informed decision-making, and appropriate resource allocation for security initiatives. This process should include defined reporting intervals (e.g., quarterly), specific metrics that matter to leadership, and a consistent format that highlights both current status and emerging trends.
Has your organization established a formal cross-departmental communication framework for cybersecurity risks?
The concern here is cross-departmental communication: whether management, IT, legal, HR, and operations have defined channels for sharing cybersecurity threats, vulnerabilities, and incidents. Effective cross-departmental communication ensures that security risks are properly escalated and addressed holistically, and that response efforts are coordinated across the organization.
GV.RM-06
A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
Has your organization established formal criteria for when to use quantitative risk analysis methods, including defined probability and exposure formulas?
Quantitative risk analysis assigns numerical values to both the probability of security incidents and their potential impact, enabling more objective decision-making for resource allocation.
Does your organization use standardized templates or tools to document and track cybersecurity risk information?
Using standardized templates like risk registers ensures consistent documentation of risk details including descriptions, potential impact, mitigation strategies, and ownership. This structured approach helps organizations maintain visibility of their risk landscape, track remediation efforts, and support informed decision-making about resource allocation.
Has your organization established formal criteria for prioritizing identified risks across different levels of the enterprise?
Risk prioritization criteria help organizations make consistent decisions about which risks require immediate attention versus those that can be addressed later or accepted. These criteria should be tailored to different organizational levels (e.g., strategic, operational, project) and consider factors such as potential financial impact, regulatory compliance implications, and effect on business operations.
Has your organization established and implemented a standardized taxonomy of risk categories for consistent cybersecurity risk assessment and comparison?
Using standardized risk categories enables organizations to effectively integrate risk data across different business units, compare risks using common terminology, and make informed decisions about risk prioritization. Without consistent categorization, organizations may struggle to aggregate risk information, potentially missing critical patterns or underestimating cumulative impacts of similar risks across different systems or departments.
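As an added illustration of the quantitative method GV.RM-06 asks about, together with the tolerance thresholds of GV.RM-02 and the escalation criteria of GV.RM-03, the following Python is example code, not part of this page or of ResponseHub. It uses the standard annualized loss expectancy formula (ALE = SLE x ARO); the risk taxonomy, thresholds and register entries are constructed sample values.

```python
"""Quantitative risk register: ALE = SLE x ARO, prioritized against tolerance.

Added example, not part of the questionnaire page or ResponseHub's product.
The categories, thresholds and register entries are constructed sample values.
"""
from dataclasses import dataclass

# Constructed risk taxonomy (GV.RM-06) with per-category tolerance and
# escalation thresholds, in currency units of expected loss per year
# (GV.RM-02 risk tolerance, GV.RM-03 escalation criteria).
TOLERANCE = {"data_breach": 50_000, "availability": 100_000, "third_party": 25_000}
ESCALATE = {"data_breach": 250_000, "availability": 500_000, "third_party": 100_000}


@dataclass
class Risk:
    risk_id: str
    category: str   # must be a key of TOLERANCE
    sle: float      # single loss expectancy: cost of one occurrence
    aro: float      # annual rate of occurrence (0.2 = once every 5 years)
    owner: str

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected yearly loss from this risk."""
        return self.sle * self.aro


def classify(risk: Risk) -> str:
    """Map a risk's ALE onto response tiers: accept, treat, or escalate."""
    if risk.category not in TOLERANCE:
        raise ValueError(f"unknown risk category {risk.category!r}")
    if risk.ale >= ESCALATE[risk.category]:
        return "escalate"   # exceeds escalation criteria: goes to senior management
    if risk.ale > TOLERANCE[risk.category]:
        return "treat"      # outside tolerance: needs a mitigation plan and owner
    return "accept"         # within tolerance: document and monitor


def prioritize(register: list[Risk]) -> list[tuple[str, str, float]]:
    """Return (risk_id, tier, ale) rows, largest expected loss first."""
    rows = [(r.risk_id, classify(r), r.ale) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register entries.
SAMPLE_REGISTER = [
    Risk("R-001", "data_breach", sle=1_000_000, aro=0.3, owner="CISO"),
    Risk("R-002", "availability", sle=40_000, aro=2.0, owner="Head of Ops"),
    Risk("R-003", "third_party", sle=60_000, aro=0.5, owner="Procurement"),
]

if __name__ == "__main__":
    for risk_id, tier, ale in prioritize(SAMPLE_REGISTER):
        print(f"{risk_id}: ALE={ale:,.0f} -> {tier}")
```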
GV.RM-07
Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
Has your organization established and documented a formal process for identifying and incorporating opportunities into risk management discussions?
The subject here is opportunity-aware risk management: whether you have a documented process for surfacing opportunities alongside risks, for example through SWOT analysis. A formal process ensures that positive outcomes and strategic advantages are considered alongside threats and vulnerabilities when making risk-based decisions.
Has your organization identified and documented stretch goals for security improvements beyond current compliance requirements?
Stretch goals represent aspirational security objectives that exceed minimum compliance requirements and demonstrate commitment to continuous security improvement. These goals should be documented, measurable, and aligned with the organization's overall security strategy and risk appetite.
Does your organization have a documented process for calculating, documenting, and prioritizing both positive and negative risks?
The concern here is risk that cuts both ways: whether you document and prioritize both threats and opportunities through a defined process for calculating each. Positive risks represent potential benefits or advantages that could arise from certain scenarios, while negative risks represent potential harm or disadvantages.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

