GV.RM-06.028

Has your organization established formal criteria for prioritizing identified risks across different levels of the enterprise?

Explanation

Risk prioritization criteria help organizations make consistent decisions about which risks require immediate attention versus those that can be addressed later or accepted. These criteria should be tailored to different organizational levels (e.g., strategic, operational, project) and consider factors such as potential financial impact, regulatory compliance implications, and effect on business operations. Evidence could include a documented risk prioritization framework or matrix that defines how risks are scored and ranked, meeting minutes showing risk prioritization discussions, or a risk register that demonstrates consistent application of prioritization criteria across the enterprise.

Implementation Example

Establish criteria for risk prioritization at the appropriate levels within the enterprise

ID: GV.RM-06.028

Context

Function
GV: GOVERN
Category
GV.RM: Risk Management Strategy
Sub-Category
A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub