Tue Mar 10 20:41:42 PDT 2015

Risk Management: How does the enterprise do risk management?


Option 1: We will use the provided risk management model.
Option 2: We will use the REQUIRED risk management model.
Option 3: We will use a risk management model already in use (as described).


The risk management function, in context, is used to turn duties to protect into decisions about what to protect and how well.

[Figure: Risk management in context. Labels recovered from the diagram:]
Turns Business Needs into Duties to Protect.
Risk Management: Turns Duties to Protect into What to Protect and How Well.
  Threats {Capabilities & Intents}; Vulnerabilities {Technical, Human, Organizational, Structural}; Consequences {Brand, Value, Time, Cost}
  Decisions: Accept / Transfer / Avoid / Mitigate
  Scope: Function < People < Applications < Systems < Physical systems < Critical infrastructures
  Matching Surety to Risk
Security Management: Uses Power and Influence to Control the Protection Program.
  Organizational Governance; Business Processes; Human Actuators & Sensors

Risk management in context
Risk management transforms the duty to protect into decisions about what to protect, selects between risk acceptance, transfer, avoidance, and mitigation, and, for mitigation approaches, attempts to match the surety of the mitigation to the desired risk reduction.

Risks are generally formed from the combination of threats, vulnerabilities, and consequences. Threats, including nature and accidents as well as individual actors and groups, possibly acting in concert, exploit sequences of vulnerabilities to induce consequences.

Risk management is the process used by enterprises to turn duty to protect into decisions of what to protect and to what extent they should be protected. It leads to the executive security management function that is tasked with carrying out the duty to protect the things that should be protected to the extent appropriate to the need as identified by risk management.

