Forum Replies Created
Andrew Brown (Participant)
I’ve obtained permission from the original author (Lucas Everly, Commonwealth of PA) to modify this document. The original intent was to clarify/visualize the difference between appetite/tolerance and risk thresholds.

Andrew Brown (Participant)
I found the author and had a good conversation with him about the “Risk Landscape chart.pdf”. He (Lucas Everly) created it because execs in his organization were conflating risk appetite with risk threshold. He created the diagram to be an accurate visualization of appetite, tolerance, and threshold.
We can reference this work and should cite him. He also gave his blessing for modifying it for our needs, which I’ve begun based on the conversations yesterday and via email afterwards.

Andrew Brown (Participant)
I’m listening to the CSF 2.0 briefing from NIST on the Cyber-ERM COI meeting today. Perhaps a “quick-start” guide for developing a Risk Appetite statement, a Risk Tolerance statement and ultimately a Risk Profile. We may be able to plagiarize… reuse the NIST quick start guide(s). Duplication of terminology and process only reinforces the documents.

Andrew Brown (Participant)
Update/Clarification
I would add that Third-party risks and/or Supply-Chain risks would be grouped under either “Service”, as orgs hire 3rd parties to perform a service, or under “Staff”, as orgs hire 3rd-party staffing resources.

Andrew Brown (Participant)
This is somewhat duplicative of NISTIR 8286. There are a few points of clarity that the NISTIR doesn’t address. It is very much in a draft state.

Andrew Brown (Participant)
Attached is an excerpt from a risk management document I was working on in a previous organization, specifically the risk impact category taxonomy and an explanation of its use.