This approach defines a relatively small set of standard approaches, each defined for specific risk levels and situations, and then uses them wherever feasible to meet the needs of systems and situations. In exceptional cases, these profiles are modified to meet the need, and these exceptions are tracked as part of the overall management system and removed when feasible, to keep the protection effort systematic and to gain from the economy of scale associated with standard approaches.
Create a new standard for every encountered instance that is unique and reuse where feasible.
For enterprises that are not yet at a maturity level where they can define, or have defined, standard approaches, new standards can be created as each situation arises and reused where feasible, until the maturity level reaches a point where a limited number of standards can be uniformly applied on a wider scale.
Handle each system and situation as an independent risk management effort.
For enterprises with very high risks, or where every system is truly unique from a protection standpoint, independent risk management can be carried out for each system; however, the costs are likely to be high and the risk management function far larger than it is for other enterprises of comparable size.
Don't match surety with risk; create a set of rules and follow them.
Many enterprises take a minimalistic stance on security and only follow mandatory protection requirements. These enterprises can often create sets of rules to follow that meet the minimal requirements, without performing any significant matching of surety to risk.