Does your organization have a documented process for calculating, documenting, and prioritizing both positive and negative risks?
Explanation
This question concerns risk that cuts both ways: whether your organization documents and prioritizes both threats and opportunities through a defined process for calculating each. Positive risks represent potential benefits or advantages that could arise from certain scenarios, while negative risks represent potential harm or disadvantages.
Evidence could include a risk register or risk assessment documentation that clearly shows both positive and negative risks with their calculations, documentation methods, and prioritization criteria. The register should demonstrate how the organization weighs opportunities against threats when making security and business decisions.
Implementation Example
Calculate, document, and prioritize positive risks alongside negative risks
ID: GV.RM-07.032
Context
- Function
- GV: GOVERN
- Category
- GV.RM: Risk Management Strategy
- Sub-Category
- Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
Related questions
- Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?
- Has your organization established measurable objectives for cybersecurity risk management?
- Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?
- Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
- Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?
- Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?