How Much Risk is Too Much?
Here’s the hard truth. Not all risk can be eliminated. But compliance frameworks like CMMC require you to determine how much risk is acceptable and then document that decision clearly.
Let’s talk about what Risk Tolerance is, what must be defined for a CMMC compliance assessment, and how to set realistic Risk Tolerances so that you balance security, cost and mission requirements.
Risk Tolerance is the amount of residual risk your organization is willing to accept after you have done everything practical to reduce it. In most cases some risk will remain, and that remainder is the residual risk. How much residual risk your organization is willing to tolerate reflects your business priorities, leadership's judgment and, of course, your contractual obligations.
CMMC assessors will ask:
- “Has your organization documented what level of risk is acceptable?”
- “Are the risk decisions consistent with that tolerance?”
- “Who has the authority to make these decisions?”
To determine risk tolerance, leadership has to consider:
- Operational Impact: How much disruption is acceptable?
- Contractual Impact: Could the risk jeopardize a contract?
- Regulatory Impact: Could the risk lead to non-compliance or penalties?
- Financial Impact: How much of a loss is acceptable if the risk actually materializes?
Most organizations define risk tolerance using a threshold scale: High, Moderate, or Low.
Low risks are usually accepted automatically. We document them and then pretty much ignore them.
Moderate risks are accepted. We document and justify why we are accepting those risks.
And then finally, high risks. High risks are the ones an organization usually decides need to be mitigated. We covered the different ways to handle risk in a previous edition of CMMC Today: mitigate it, accept it, transfer it, and so on.
Your Risk Tolerance philosophy becomes part of your Risk Assessment methodology. It should be stated explicitly in your Risk Assessment procedure and approved by senior leadership. That approval is what makes your risk decisions credible and compliant.
Now that we’ve defined your scope and determined how much risk the organization can accept, the next step is to identify exactly who is responsible for managing that risk. In the next edition of CMMC Today, we’ll define the key roles required for a successful CMMC Risk Management Program.