The Role of Risk in the Model
Enterprise Risk Management is the arbitration layer of the Security Operating Model. When there are competing priorities — framework maturity improvements vs. compliance deadlines vs. MVS gaps vs. a new product launch — risk provides the decision-making structure.
Every organization has a finite amount of time, budget, and attention to spend on security. The risk program determines where those resources go. It does this by answering a deceptively simple question that most organizations never formally ask: what scenarios must we avoid, what should we try to avoid, and what can we accept?
Without a risk program, security investment is driven by the loudest voice in the room, the most recent headline, or whatever the auditor asked about last. That is not a strategy. It is reaction.
Risk Scenarios, Not Risk Registers
Traditional risk registers — long spreadsheets of individual vulnerabilities rated on likelihood and impact scales — are useful for operational tracking but poor at driving executive decision-making. A board director does not need to know that you have 47 “high” risks on a register. They need to know what could actually happen to the business and what you are doing about it.
Scenario-based risk thinking addresses this. Common risk scenario categories — informed by industry data from sources like the Verizon Data Breach Investigations Report and Ponemon Institute research — include:
Data Breach. Unauthorized access to or exfiltration of sensitive data. The cost profile includes investigation, notification, regulatory fines, litigation, and long-term reputational damage.
Business Interruption. Events that prevent the organization from operating — whether from infrastructure failure, destructive attacks, or supply chain disruption.
Ransomware. A specific and increasingly common variant of both data breach and business interruption. Ransomware warrants separate scenario treatment because the decision tree is unique.
Misappropriation. Fraud, insider threats, and unauthorized use of company resources or systems. Often underweighted because it involves trusted insiders rather than external attackers.
These are illustrative categories. Your organization’s risk scenarios should reflect your specific business, industry, and threat landscape.
Stakeholder Alignment
Risk cannot be a security-only exercise. The scenarios that matter to the business span multiple functions — finance, legal, operations, engineering, product, and executive leadership. The risk program must pull stakeholders from across the organization together and create shared understanding of what the priority risks are and what the organization is willing to invest to address them.
This is where the concept of risk appetite becomes concrete. Risk appetite is not an abstract policy statement. It is a set of decisions: we will invest X to reduce the probability of scenario Y because the potential impact of Z is unacceptable to the business. Those decisions require input from people outside the security organization, and they require executive endorsement.
Risk Governs the Other Pillars
MVS priorities are validated by risk. The MVS controls are opinionated defaults — but the risk program confirms whether those defaults are the right priorities for your specific business.
Framework investment is directed by risk. The evidence-based framework provides dozens of domains to improve. The risk program determines which domains receive investment first.
External governance requirements are weighed by risk. Compliance obligations are mandatory, but when multiple obligations compete for resources, the risk program provides the prioritization.
Quantification
Where possible, risk scenarios should be quantified — expressed in financial terms that the business can act on. This is not about false precision. It is about giving leadership a basis for comparing the cost of investment against the expected cost of exposure.
Even a rough order-of-magnitude estimate — “a ransomware event affecting our primary production environment would cost between $2M and $8M in recovery, lost revenue, and regulatory response” — is more useful to a board than a heat map with red, yellow, and green dots.
Industry data helps calibrate these estimates. Breach cost studies, insurance claims data, and sector-specific loss reports provide benchmarks that prevent internal estimates from drifting into either complacency or catastrophizing.
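The comparison the section describes, as an added illustration that is not part of the original page or the Security Operating Model: each scenario is held as an order-of-magnitude range, an investment is judged by the expected loss it removes versus what it costs, and the "appetite decision" outcome is exactly the case the stakeholder discussion above has to settle. All figures, the hypothetical "MFA + EDR rollout" control and its assumed 50% probability reduction are constructed; only the $2M to $8M ransomware impact range comes from the text.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    name: str
    prob_low: float     # lower bound on annual probability of occurrence
    prob_high: float    # upper bound on annual probability of occurrence
    impact_low: float   # lower bound on loss in USD if the scenario occurs
    impact_high: float  # upper bound on loss in USD if the scenario occurs

    def expected_loss(self):
        """(low, high) bounds on expected annual loss in USD."""
        return (self.prob_low * self.impact_low, self.prob_high * self.impact_high)

@dataclass(frozen=True)
class Investment:
    name: str
    annual_cost: float
    target: str              # name of the scenario the control addresses
    prob_reduction: float    # fraction of the probability it removes (0..1)
    impact_reduction: float  # fraction of the impact it removes (0..1)

def rank_scenarios(scenarios):
    """Scenario names ordered by midpoint expected annual loss, highest first."""
    return [s.name for s in sorted(scenarios, key=lambda s: -sum(s.expected_loss()) / 2)]

def evaluate(scenarios, inv):
    """Compare an investment's annual cost with the expected-loss reduction it buys."""
    s = next(x for x in scenarios if x.name == inv.target)
    before = s.expected_loss()
    after = replace(s, prob_low=s.prob_low * (1 - inv.prob_reduction),
                    prob_high=s.prob_high * (1 - inv.prob_reduction),
                    impact_low=s.impact_low * (1 - inv.impact_reduction),
                    impact_high=s.impact_high * (1 - inv.impact_reduction)).expected_loss()
    benefit = (before[0] - after[0], before[1] - after[1])
    if benefit[0] >= inv.annual_cost:
        verdict = "fund"               # pays for itself even at the low estimate
    elif benefit[1] < inv.annual_cost:
        verdict = "decline"            # cost exceeds even the optimistic reduction
    else:
        verdict = "appetite decision"  # range straddles the cost: executive judgement
    return {"before": before, "after": after, "benefit": benefit, "verdict": verdict}

# Constructed sample scenarios; only the ransomware impact range is taken from the text.
SCENARIOS = [
    Scenario("ransomware", 0.10, 0.25, 2_000_000, 8_000_000),
    Scenario("data breach", 0.05, 0.15, 1_000_000, 5_000_000),
    Scenario("business interruption", 0.10, 0.20, 500_000, 3_000_000),
    Scenario("misappropriation", 0.20, 0.40, 100_000, 1_000_000),
]
# Hypothetical control: assumed to halve ransomware likelihood, no effect on impact.
EDR_MFA = Investment("MFA + EDR rollout", 300_000, "ransomware", 0.5, 0.0)
```

Running `evaluate(SCENARIOS, EDR_MFA)` gives a benefit range of roughly $100K to $1M against a $300K cost, which is the case the risk appetite discussion has to decide rather than a number the security team can settle alone.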
Enterprise Risk Management is the third pillar of the Security Operating Model.