Has your organization established and documented a formal process for identifying and incorporating opportunities into risk management discussions?
Explanation
This question addresses opportunity-aware risk management: whether you have a documented process for surfacing opportunities alongside risks, for example through SWOT analysis. A formal process ensures that positive outcomes and strategic advantages are weighed alongside threats and vulnerabilities when making risk-based decisions, rather than being raised ad hoc or omitted entirely.
Evidence could include documented risk management procedures that specifically address opportunity identification, meeting minutes from risk committee discussions that show consideration of opportunities, or templates/tools used for risk-opportunity analysis such as SWOT worksheets, opportunity registers, or risk-opportunity matrices.
Implementation Example
Define and communicate guidance and methods for identifying opportunities and including them in risk discussions (e.g., strengths, weaknesses, opportunities, and threats [SWOT] analysis)
ID: GV.RM-07.030
Context
- Function
- GV: GOVERN
- Category
- GV.RM: Risk Management Strategy
- Sub-Category
- Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
Related questions
- Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?
- Has your organization established measurable objectives for cybersecurity risk management?
- Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?
- Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
- Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?
- Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?