Risk Review and Executive Escalation
Oversight
Control Statement
Cyber risks to the organization and its programs or customers are regularly reviewed, prioritized, escalated to and explained for the appropriate executives or senior management, and the resulting priorities drive mitigation.
Description
Ongoing risk review and escalation processes ensure that cyber risks do not remain hidden at operational levels where they cannot receive appropriate attention and resources. This control requires a systematic approach to periodically reviewing the organization's cyber risk register, reassessing risk levels, prioritizing risks based on potential impact to the organization, its programs, and its customers, and ensuring that significant risks are communicated clearly to executives and senior management who have the authority to allocate resources and make risk treatment decisions.
Key Implementation Activities
1. Conduct regular (at minimum quarterly) reviews of the cyber risk register to reassess risk levels, identify new risks, and retire mitigated risks.
2. Apply a consistent risk prioritization methodology that considers likelihood, impact, velocity, and alignment with organizational risk tolerance.
3. Establish defined escalation criteria and pathways ensuring that material cyber risks reach the appropriate level of management and governance.
4. Prepare executive-level risk reports that translate technical risks into business-impact language appropriate for decision-makers.
5. Track risk mitigation decisions and actions to ensure that prioritized risks receive the allocated resources and that mitigation plans progress as planned.
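The control does not prescribe a scoring formula, so the following is an added illustration, not part of this page or any framework's reference implementation. It shows one way the activities above fit together in a single quarterly review cycle: likelihood x impact scaled by velocity, escalation routed by how far a score exceeds a stated risk appetite, stale assessments flagged against the 90-day interval, and mitigated entries retired. The velocity multipliers, the appetite value, the escalation thresholds and the four register entries are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed weights and thresholds (not from the control text); an organization
# would set these in its own risk methodology and review them annually.
VELOCITY_MULTIPLIER = {"slow": 0.8, "moderate": 1.0, "fast": 1.25}
REVIEW_INTERVAL = timedelta(days=90)  # the control requires at least quarterly review


@dataclass
class Risk:
    risk_id: str
    title: str
    owner: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe) to the org, programs or customers
    velocity: str        # slow | moderate | fast: how quickly impact follows onset
    last_assessed: date
    status: str          # open | treating | mitigated


def score(risk: Risk) -> float:
    """Likelihood x impact, scaled by velocity. Range is 0.8 .. 31.25."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.risk_id}: likelihood and impact must be 1..5")
    return risk.likelihood * risk.impact * VELOCITY_MULTIPLIER[risk.velocity]


def escalation_target(s: float, appetite: float) -> str:
    """Route by how far the score exceeds the stated appetite (assumed thresholds)."""
    if s >= 2 * appetite:
        return "board"
    if s >= appetite:
        return "executive"
    return "operational"


def review(register, today: date, appetite: float):
    """One review cycle: retire mitigated risks, flag stale assessments,
    rank what remains by score, and decide where each risk is escalated."""
    actions = []
    active = []
    for r in register:
        if r.status == "mitigated":
            actions.append((r.risk_id, "retire"))
            continue
        if today - r.last_assessed > REVIEW_INTERVAL:
            actions.append((r.risk_id, "stale-reassess"))
        active.append(r)
    ranked = sorted(active, key=score, reverse=True)
    for r in ranked:
        actions.append((r.risk_id, f"escalate:{escalation_target(score(r), appetite)}"))
    return ranked, actions


def sample_register():
    """Constructed register entries for the example; not real findings."""
    return [
        Risk("R-1", "Unpatched internet-facing VPN appliance", "Infra lead",
             5, 5, "fast", date(2024, 5, 1), "open"),
        Risk("R-2", "No SBOM coverage for a critical vendor", "Supply chain lead",
             3, 3, "moderate", date(2024, 1, 10), "open"),
        Risk("R-3", "Legacy MFA bypass on admin portal", "IAM lead",
             2, 4, "slow", date(2024, 4, 15), "mitigated"),
        Risk("R-4", "Phishing-resistant MFA rollout incomplete", "IAM lead",
             4, 3, "moderate", date(2024, 5, 20), "treating"),
    ]


def run_example():
    """Review the sample register as of 2024-06-30 with an assumed appetite of 10."""
    return review(sample_register(), date(2024, 6, 30), appetite=10.0)


if __name__ == "__main__":
    ranked, actions = run_example()
    for r in ranked:
        print(f"{r.risk_id:5} {score(r):6.2f}  {r.owner:18} {r.title}")
    for risk_id, action in actions:
        print(f"{risk_id:5} {action}")
```

The output is the material for the quarterly minutes and the executive report: R-1 is above twice the appetite and goes to the board, R-4 goes to executive management, R-2 stays at the operational level but is flagged because its last assessment is older than the review interval, and R-3 is retired with its treatment record. The velocity factor is the point most often missed: a moderate-impact risk that materializes in days can outrank a higher-impact one that takes a year to play out.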
Evidence Examples
- Cyber risk register showing risk entries with assessment dates, priority rankings, risk owners, and treatment statuses
- Quarterly risk review meeting minutes with attendance records and documented decisions
- Executive risk reports or board risk dashboards showing prioritized cyber risks in business context
- Escalation records demonstrating that material risks were raised to appropriate governance bodies
- Risk treatment plans with milestones, owners, and progress tracking for prioritized risks
Maturity Levels
Risk reviews are informal and inconsistent. Executives receive limited or reactive reporting on cyber risks, typically only following incidents. Risk prioritization is based on individual judgment rather than a defined methodology.
Scheduled risk reviews occur with documented outputs. Executives receive regular risk reports with business-context analysis. Escalation criteria are defined and risks are tracked through treatment to resolution.
Risk reviews are continuous and informed by real-time threat intelligence and automated risk scoring. Executives receive dynamic risk dashboards with predictive trend analysis. Risk treatment effectiveness is measured and feeds back into prioritization.
Evidence Requirements
| Type | Evidence Item | Frequency | Level |
|---|---|---|---|
| Document | Cyber Risk Register with assessment dates, priority rankings, owners, and treatment status | Maintained continuously | Required |
| Document | Risk escalation criteria and pathway documentation | Reviewed annually | Required |
| Record | Quarterly risk review meeting minutes with attendance and documented decisions | Quarterly | Required |
| Record | Executive risk reports or Board dashboards showing prioritized risks in business context | Quarterly | Required |
| Record | Escalation records demonstrating material risks were raised appropriately | Per escalation event | Required |
| Record | Risk treatment plans with milestones, owners, and progress tracking | Per treatment plan | Required |