Risk Management Program

Reach and Maintain Acceptable Risk

Risk is always a part of your cyber strategy. It evolves based on your environment. It could be calm one moment, then a disastrous storm the next. The key to managing risk is to continually take care of your critical business areas and all interested parties. 

REGULATORY UPDATE: The SEC’s new rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure require public companies to describe their cybersecurity programs in their periodic reporting and how they manage RISK.

But how do you manage the needs of many with different priorities?

By establishing reasonable security through the Duty of Care Risk Analysis (DoCRA). Duty of care requires that organizations demonstrate they used controls to ensure that risk was reasonable to the organization and appropriate to other interested parties at the time of the breach. This approach enables users to:

  • Prioritize security investments
  • Consider the needs of all interested parties
  • Demonstrate that the risk is ‘Acceptable’ or ‘Reasonable’
  • Protect the organization without overly burdening it
  • Continuously manage to ‘enough’ security
  • Manage your cyber insurance coverage appropriately

We also incorporate the Sedona Conference’s “Test for Reasonable Security Controls,” which establishes that safeguards must not pose a higher risk to the organization than the lack of safeguards poses to others. By balancing an organization’s mission, objectives, and obligations, your risk strategy will have the appropriate balance of compliance, security, and corporate responsibility. You will be practicing ‘reasonable security’.
Reasonable Risk


Learn more about how DoCRA applies to your compliance requirements, such as HIPAA, PCI DSS, and privacy regulations, and how it helps you reach and maintain acceptable risk and reasonable security.


Managing Risk

Estimate risk based on real threat data. Read Appendix D in the 2024 Verizon Data Breach Investigations Report (DBIR) to augment your risk analysis.