NuHarbor Security
  • Solutions
    Solutions
    Custom cybersecurity solutions that meet you where you are.
    • Overview
    • Our Approach
    • Data Icon Resources
    • Consultation Icon Consult with an expert
    • By Business Need
      • Identify Gaps in My Cybersecurity Plan
      • Detect and Respond to Threats in My Environment
      • Fulfill Compliance Assessments and Requirements
      • Verify Security With Expert-Led Testing
      • Manage Complex Cybersecurity Technologies
      • Realize the Full Value of Microsoft Security
      • Security Monitoring With Splunk
    • By Industry
      • State & Local Government
      • Higher Education
      • Federal
      • Finance
      • Healthcare
      • Insurance
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Services
    Services
    Outcomes you want from a team of experts you can trust.
    • Overview
    • Data Icon Resources
    • Consultation Icon Consult with an expert
    • Security Testing
      • Penetration Testing
      • Application Penetration Testing
      • Vulnerability Scanning
      • Wireless Penetration Testing
      • Internal Penetration Testing
      • External Penetration Testing
    • Assessment & Compliance
      • CMMC Compliance
      • NIST 800-53
      • HIPAA Security Standards
      • ISO 27001
      • MARS-E Security Standards
      • New York Cybersecurity (23 NYCRR 500)
      • Payment Card Industry (PCI)
    • Advisory & Planning
      • Security Strategy
      • Incident Response Planning
      • Security Program Reviews
      • Security Risk Assessments
      • Virtual CISO
      • Policy Review
    • Managed Services
      • SOC as a Service
      • Microsoft Security Managed Services
      • Splunk Managed Services
      • Tenable Managed Services
      • CrowdStrike Managed Detection and Response (MDR)
      • Zscaler Support Services
      • Vendor Security Assessments
      • Curated Threat Intelligence
      • Vulnerability Management
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Partners
  • Resources
    Resources
    Explore reports, webinars, case studies, and more.
    • Browse Resources
    • Consultation Icon Consult with an expert
    • Blog icon Blog
    • Podcast icon Podcast
    • Annual SLED CPR icon Annual SLED CPR
    • Downloadable Assets icon Downloadable Assets
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Company
    Company
    We do cybersecurity differently – the right way.
    • Overview
    • Data Icon Resources
    • Consultation Icon Consult with an expert
    • Leadership
    • News
    • Careers
    • Contact
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Consult with an expert
  • Client support
  • Careers
  • Contact
1.800.917.5719
NuHarbor Security Blog
    • Compliance
    • Cybersecurity Technology
    • Security Operations
    • Industry Insights
    • Security Testing
    • Advisory and Planning
    • Application Security
    • Managed Detection and Response
    • Threat Intelligence
    • NuHarbor
    • Managed Services
    • Cyber Talent
August 20, 2014

Integrated Risk Management Part 1: Establishing Guidelines

Justin Fimlaid Justin Fimlaid

One of the preliminary things you want to do when establishing an Integrated Risk Management approach is establish your guidelines for how you identify, evaluate, and communicate risk. This establishes your common definition of risk measurement across your enterprise allowing for stakeholders make relevant comparisons across various business units across the enterprise. This will allow your various risk minded to teams to discuss risk and risk mitigation in a meaningful way, so your risk ranking terminology has the same definition if you are in IT, Finance, HR, Legal, etc.

First things first, you need to define the risk philosophy of the enterprise. This includes defining what risk the organization will accept and tolerate in pursuit of organizational objectives, one example might be that you organization is willing to trust proprietary data to a business partner outsourcer in order to cut operating expenses.

Once you have a handle on your risk philosophy, you need to start thinking about risk appetite which is the translation of risk philosophy to guiding principles for your organization. This part can be tricky as people (risk managers) operating at the front lines of risk mitigation can interpret these principles differently, but the goal here is establish concrete examples that can be easily quantified or qualitatively measured and used as a benchmark which to measure other risks against. Using our same example above for business processing outsourcing with the goal of cost reduction your appetite might look something like - willing to invest $150 million into business process outsourcing to achieve long term cost savings, must have full return on investment in 5 years, and any workforce reduction media/news must not damage brand reputation.

Once your risk appetite has been defined the enterprise should figure out risk tolerances. Your risk tolerance is your risk limit--the maximum amount of risk you are willing to take on. This is the threshold which decision makers use to determine if they will or will not accept the risk. An example here might look your company not taking a risk on compliance -- for a hospital onboarding a new system that might jeopardize HIPAA compliance is not tolerable.

Next part is defining your risk assessment criteria, and this will go a long away toward establishing the terminology you use on a day to day basis. Using your risk appetites and risk tolerances, you need a terminology of how these translate to impact and vulnerabilities. Here establishing and defining what "low", "medium", "high" mean for your business will help risk managers across the enterprise help to assess risk in their respective areas. This is easier said than done especially if you have a large group of people trying to define the risk classification scheme. Which ever risk classification model you decide on it should fit for your business.

Check back next week, we'll be talking about strategy and risk identification.

Included Topics

  • Compliance
Justin Fimlaid
Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.

Related Posts

Industry Insights 4 min read
CISO Security Metrics: Proving Business Value Read More
Compliance 1 min read
MARS-E 2.0: Key Dates for Compliance Read More
Compliance 3 min read
Do I Need a SOC2 Report? Read More

Subscribe via Email

Subscribe to our blog to get insights sent directly to your inbox.

Subscribe Here!

Latest Pwned episodes

Episode 200 - Reflections of Pwned...Until Next Time
April 03, 2024
Episode 200 - Reflections of Pwned...Until Next Time
Listen Now
Episode 199 - When a BlackCat Crosses Your Path...
March 21, 2024
Episode 199 - When a BlackCat Crosses Your Path...
Listen Now
Episode 198 - Heard it Through the Grapevine - Beyond the Beltway, 2024
March 08, 2024
Episode 198 - Heard it Through the Grapevine - Beyond the Beltway, 2024
Listen Now
NuHarbor Security logo
NuHarbor Security

553 Roosevelt Highway
Colchester, VT 05446

1.800.917.5719

  • Solutions
  • Services
  • Partners
  • Resources
  • Company
  • Contact
  • Privacy Policy
Connect
  • Twitter
  • Linkedin
  • YouTube
©2025 NuHarbor Security. All rights reserved.