4000-Word Report
Imagine you are in charge of an organisational risk management strategy across three distinct departments of the organisation. The organisation envisions risk as, ‘potential vulnerabilities present across our security landscape lead to exposure which enables a cyber incident against the infrastructure, capability, services and applications, which leads to an impact upon Confidentiality, Integrity and/or Availability, resulting in reduced resilience, reduced safety, ineffective capabilities, loss of business services, financial impact and reputational damage to UK Government’.
The risk applies to three main business domains:
1. IT & Infrastructure
2. Equipment
3. Logistics & Support services
Each business domain is managed by a separate Director, but collectively all three Directors own the risk. A further, separate Director is accountable for the risk and reports its status to the Executive Board throughout the year.
Given the complexity of the risk and its significant breadth and depth, it is difficult to establish a baseline level of risk exposure – a pre-mitigation level that represents the whole business (all three domains). Defining the Risk Appetite (RA) is also challenging given the differences across the domains, the differing views of each Director, the level of resources available, and similar factors.