Has your organization established formal criteria for prioritizing identified risks across different levels of the enterprise?
Explanation
Risk prioritization criteria give an organization a consistent basis for deciding which risks need immediate treatment, which can be scheduled for later, and which can be accepted. Without agreed criteria, two teams will rank the same risk differently and priority tends to follow the most recent incident or the loudest stakeholder rather than actual exposure. The criteria should be tailored to each organizational level (e.g., strategic, operational, project), be consistent with the organization's stated risk appetite, and weigh factors such as likelihood, potential financial impact, regulatory and contractual compliance implications, and effect on business operations.
Evidence could include a documented risk prioritization framework or matrix that defines how risks are scored and ranked (for example, the likelihood and impact scales used and the score thresholds for each priority level), meeting minutes showing the criteria being applied in risk prioritization discussions, or a risk register that demonstrates consistent application of the same criteria across the enterprise.
Implementation Example
Establish criteria for risk prioritization at the appropriate levels within the enterprise
ID: GV.RM-06.028
Context
- Function: GV: GOVERN
- Category: GV.RM: Risk Management Strategy
- Sub-Category: GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
Related questions
- Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?
- Has your organization established measurable objectives for cybersecurity risk management?
- Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?
- Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
- Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?
- Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?