PM-9

Risk Management Strategy

Program Management (PM)
Baselines
Low: Not included
Moderate: Not included
High: Not included
Description

a. Develops a comprehensive strategy to manage:
   1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and
   2. Privacy risk to individuals resulting from the authorized processing of personally identifiable information;
b. Implement the risk management strategy consistently across the organization; and
c. Review and update the risk management strategy [assignment] or as required, to address organizational changes.

Discussion

An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization, security and privacy risk mitigation strategies, acceptable risk assessment methodologies, a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure that the strategy is broad-based and comprehensive. The supply chain risk management strategy described in [PM-30](#pm-30) can also provide useful inputs to the organization-wide risk management strategy.

Implementation guidance

No content available.

CSF 2.0 crosswalk
DE.AE-04 (Detect): The estimated impact and scope of adverse events are understood
GV.OC-02 (Govern): Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
GV.OV-01 (Govern): Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
GV.OV-02 (Govern): The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
GV.RM-01 (Govern): Risk management objectives are established and agreed to by organizational stakeholders
GV.RM-02 (Govern): Risk appetite and risk tolerance statements are established, communicated, and maintained
GV.RM-03 (Govern): Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
GV.RM-04 (Govern): Strategic direction that describes appropriate risk response options is established and communicated
GV.RM-05 (Govern): Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
GV.RM-06 (Govern): A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
GV.RM-07 (Govern): Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
GV.SC-03 (Govern): Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
GV.SC-09 (Govern): Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
ID.RA-04 (Identify): Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
ID.RA-06 (Identify): Risk responses are chosen, prioritized, planned, tracked, and communicated
PR.IR-04 (Protect)
RC.RP-04 (Recover): Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms