Cyber Risk Reporting and Escalation Procedure

Operational Risk Reviews: [CUSTOMIZE: Weekly] reviews conducted by [CUSTOMIZE: Security Operations / IT Operations] to assess new risks, update existing risk ratings, and review treatment progress.

Management Risk Reviews: [CUSTOMIZE: Monthly] reviews conducted by [CUSTOMIZE: CISO / Cyber Risk Team] to consolidate operational inputs, assess risk trends, and prepare management reporting.

Executive Risk Reviews: [CUSTOMIZE: Quarterly] reviews conducted with [CUSTOMIZE: Executive Risk Committee] to review the enterprise cyber risk posture, approve treatment decisions, and allocate resources.

Board Risk Reviews: [CUSTOMIZE: Quarterly] briefings to the [CUSTOMIZE: Board Risk Committee] on cyber risk posture, significant developments, and strategic risk considerations.

Ad Hoc Reviews: Triggered by significant incidents, threat intelligence indicating imminent risk, or material changes to the risk environment.

Risks shall be prioritized using the following criteria evaluated in combination:

Residual Risk Level: Based on the risk assessment methodology (likelihood x impact after controls), risks rated Critical or High receive priority attention.

Velocity: Risks with rapid onset potential (could materialize within [CUSTOMIZE: 30 days]) are escalated regardless of overall risk level.

Business Impact: Risks affecting [CUSTOMIZE: customer-facing services, regulatory compliance, financial operations] receive elevated priority.

Trend Direction: Risks with deteriorating trends (increasing likelihood or impact) over [CUSTOMIZE: two or more] reporting periods are flagged for enhanced attention.

Aggregation: Related risks that individually appear moderate but collectively represent material exposure are identified and reported as aggregated risk.

The following escalation criteria apply:

Executive risk reports shall include the following standard sections:

1. Risk Posture Summary: Overall risk status (GREEN/AMBER/RED), change from prior period, and key drivers of change.

2. Top Risks: The [CUSTOMIZE: top 10] cyber risks ranked by priority with current ratings, trend indicators, and treatment status.

3. KRI/KPI Dashboard: Current values against thresholds with trend indicators.

4. Incident Summary: Count and classification of incidents in the reporting period with notable incidents detailed.

5. Compliance Status: Summary of regulatory compliance posture with open findings and remediation progress.

6. Treatment Progress: Status of approved risk treatment initiatives against planned milestones.

7. Emerging Risks: New or evolving risks identified during the period that may require strategic attention.

8. Resource and Budget Status: Cyber risk program resource utilization and budget status.

9. Decisions Required: Specific risk treatment decisions or resource allocation requests for executive action.

All risk treatment decisions made by governance bodies shall be documented in the [CUSTOMIZE: GRC tool/risk register] within [CUSTOMIZE: 5 business days] of the decision.

Each decision record shall include: risk ID, decision date, decision maker, treatment option selected, assigned owner, target completion date, and any conditions or compensating controls.

Treatment progress shall be reported at each subsequent governance meeting until the treatment is complete and validated.

Treatments that fall behind schedule by more than [CUSTOMIZE: 30 days] shall be automatically escalated to the next governance level.