top of page

VERSION 1.0 - LAST UPDATE: NOVEMBER 2023

THE CYBER RISK MANAGEMENT PROGRAM (CRMP) FRAMEWORK

In the ever-evolving landscape of digital transformation, cybersecurity is no longer just an IT concern but an intrinsic part of business strategy and decision-making. This appendix introduces the Cyber Risk Management Program (CRMP) Framework, designed to holistically establish a cyber risk management program from Agile Governance and Risk-Informed Systems to Risk-Based Strategy & Execution and Risk Escalation & Disclosure.

Framework Purpose And Context

Recent years have witnessed a surge in cyber threats and incidents. Authorities and regulatory bodies have highlighted the pressing need for organizations to strengthen their cybersecurity posture and ensure effective communication to stakeholders about cyber risks. Boards and executives must be able to provide proper oversight of their cyber risk environment. Many existing standards and references, when viewed in isolation, may fall short in providing a comprehensive program that truly serves the business. This gap underscores the critical need for a unified framework that harmonizes and interprets the authoritative guidance, regulations, and standards, ensuring businesses can properly manage and oversee their cyber risks.

The CRMP Framework synthesizes insights from leading practices and standards, providing a structured and comprehensive approach to a cyber risk management program. The CRMP can be tailored to the unique needs and regulatory landscape of each organization. It serves as a guide to operationalize a cyber risk management program, enabling businesses to make informed risk decisions and evolve their security strategies to thrive in the digital age.

THE CRMP FRAMEWORK VERSION 1.0

The Framework is organized into four core "Components" and 23 "Principles". Click to download a PDF of the comprehensive framework.

DOWNLOAD FRAMEWORK PDF

Embrace an adaptive governance model that not only ensures comprehensive oversight but also promotes active engagement across all organizational levels. This dynamic approach allows for nimble reactions to the ever-changing cyber threat landscape.

Principle 1

Establish Policies and Processes

Enterprise-wide policies and processes must be in place for establishing a cyber risk management program.

Principle 3

Align Governance Practices with Existing Risk Frameworks

Cyber risk governance practices should be aligned with any existing enterprise or organizational risk frameworks.

Principle 5

Board of Directors and Senior Executives Provide Oversight

The board of directors and senior executives should provide proper oversight of the enterprise’s cyber risk practices.

Principle 7

Align Resources to the Defined Roles and Responsibilities

Appropriate resources and skill sets should be aligned to the defined roles and responsibilities with ongoing training in place.

Principle 2

Establish Governance and Roles and Responsibilities Across the “Three Lines Model”

Cyber risk governance must be established with clearly defined roles, responsibilities, and outputs across the “Three Lines Model.”

Principle 4

Board of Directors and Senior Executives Define Scope

The scope of an enterprise’s cyber risk practices should be defined and approved by its senior executives.

Principle 6

Audit Governance Processes

Audit processes should provide appropriate review and assessment of the enterprise’s cyber risk governance practices.

Elevate your leadership's decision-making process by providing a comprehensive portfolio of risk data. This empowers strategic choices that are not just data-driven but are deeply rooted in the realities of the enterprise's cyber risk.

Principle 1

Define a Risk Assessment Framework and Methodology

A risk framework and methodology must be defined and executed on to identify, assess, and measure cyber risk within the organizational context.

Principle 3

Establish Understanding of Risk-Informed Needs

The governance body should be identified and engaged in establishing a comprehensive understanding of its cyber risk informed needs.

Principle 5

Enable Reporting Processes

Reporting processes should equip the governance body with insights on the impact of cyber risks on existing practices and strategic decisions.

Principle 2

Establish a Methodology for Risk Thresholds

An approved and repeatable methodology for establishing acceptable risk thresholds – both appetite and tolerance – must be established.

Principle 4

Agree on a Risk Assessment Interval

The risk assessment process should be performed according to an agreed-on interval with its results regularly evaluated.

Establish clarity in your organization's risk appetite and tolerance. This not only guides strategic budgeting but also charts the course for the prioritization and execution of critical cyber risk management initiatives.

Principle 1

Define Acceptable Risk Thresholds

Acceptable cyber risk thresholds must be clearly understood, established, and approved by the risk owners based on the risk framework and methodology.

Principle 3

Execute to Meet Approved Risk Thresholds

The cyber risk treatment plan should be executed to meet the approved risk thresholds.

Principle 5

Audit Against Risk Thresholds

The audit function should review and assess proper execution of the cyber risk treatment plan based on the acceptable risk thresholds.

Principle 2

Align Strategy and Budget with Approved Risk Thresholds

The cyber risk treatment plan and budget should be aligned with the acceptable risk thresholds.

Principle 4

Monitor on an Ongoing Basis

The execution of the cyber risk treatment plan should be monitored on an ongoing basis with established performance indicators and operational metrics.

Principle 6

Include Third Parties in Risk Treatment Plan

The cyber risk treatment plan should take into account third parties including partners, suppliers, and supply chain participants.

Uphold a culture of transparency and trust by ensuring that risks are timely escalated and disclosed, fostering both internal coordination and external stakeholder confidence.

Principle 1

Establish Escalation Processes

Formal cyber risk escalation processes must be established.

Principle 3

Establish Disclosure Processes—Public Companies

Public companies must disclose their material risks, risk factors, cyber risk management processes, governance, and material incident reporting.

Principle 5

Audit Escalation and Disclosure Processes

Audit should review and assess the enterprise’s cyber risk escalation and disclosure processes to ensure their effectiveness, consistency, and compliance with relevant regulations and policies.

Principle 2

Establish Disclosure Processes—All Enterprises

The enterprise’s cyber disclosure processes should address its specific risk factors, organizational context, and requirements.

Principle 4

Test Escalation and Disclosure Processes

Cyber risk escalation and disclosure processes should be challenged, tested, and updated on an ongoing basis to incorporate lessons learned.

Framework Disclosure: While the CRMP Framework achieves a high degree of alignment with these references, it is important to recognize that no single standard or guidance can comprehensively cover all facets of a mature cyber risk management program as required for today’s environment. Thus, the motivation behind developing this framework and writing this book is to provide a holistic, synthesized view that integrates insights across multiple sources. Depending on the specific circumstances and nuances of your organization, you might find relevance in other standards or additional mappings.

In sum, this Framework seeks to encapsulate the essence of a comprehensive cyber risk management program as guided by authoritative sources. It serves as a guide, aiding organizations in understanding, implementing, and operationalizing a cyber risk management program, ensuring they remain resilient and adaptive in the face of digital challenges while protecting them from evolving liability and regulatory risks. As you navigate the intricacies of the framework, remember that its ultimate goal is to provide clarity, align with industry standards, and empower businesses to make better decisions and thrive securely in the digital age.

Stay updated, deepen your understanding, and strengthen your security with curated resources, articles, and tools that complement the insights shared in the book.

SUBSCRIBE FOR OUR INSIGHT

bottom of page