Reasonable Risk automates the Proven Governance System, a method for
managing and reducing cyber security risk using Duty of Care Risk Analysis,
also known as DoCRA. This presentation will explain how DoCRA is helping
organizations manage cyber security risk as capably as they manage any
other part of their business.
1. What is Duty of Care Risk Analysis?
Put most simply, DoCRA is a way to analyze risks, and is most often used
to analyze cyber security risk.
2. What is Duty of Care Risk Analysis?
DoCRA considers risks both to the company that is evaluating their risk,
and external parties, such as customers, the public, students, or patients.
After all, when you suffer a breach, you don't sue yourself. People
outside your company do. So companies should show how they consciously
address those public risks.
3. What is Duty of Care Risk Analysis?
DoCRA also sets a plan for safeguards that would bring risks down so
low that no repair would be necessary, either for the company or others
who may be harmed by an incident.
4. What is Duty of Care Risk Analysis?
Finally, DoCRA takes advantage of a concept in law called reasonableness
that does not allow an organization to invest more in a safeguard than
the risk they are reducing. In other words, the cure can not be worse
than the disease.
5.
DoCRA is used for many purposes. It is an open risk analysis standard
that is maintained by the nonprofit DoCRA Council. It is the basis for
the Center for Internet Security's Risk Assessment Method, also known
as CIS RAM. And it is the backbone of the Reasonable Risk SaaS application.
6.
Organizations implement DoCRA through experts, processes, and technologies,
all of which we'll reference in this presentation.
7. What Problems Does It Solve?
DoCRA inspires people and organizations to be good neighbors, and to
integrate their duty of care for others into their business model.
Tens of thousands of organizations have adopted DoCRA and can demonstrate
that every risk, and every investment, treats the public with as much
care as they treat their own organization. DoCRA and Reasonable Risk
simply give those organizations instructions for exercising their good
conscience, and providing evidence that they did when things go wrong.
8. What Problems Does It Solve?
Because DoCRA expresses risk in plain language, non-technical executives
can begin engaging cyber security needs and opportunities the way they
manage other parts of their business.
9. What Problems Does It Solve?
And when companies demonstrate that their executives and technicians
made cyber security investments that reasonably addressed their business
requirements and their duty to protect others, plaintiffs and regulators
find it hard to demonstrate negligence. This makes liabilities go away.
10. What Problem Does It Solve?
According to the 2024 NetDiligence Cyber Claims Study, legal fees, fines,
and settlements account for 92% of claims costs for large organizations
in 2023. Only 8% went to incident response and recovery. Consider what
this means. In cyber security, most companies focus on tools and technologies
that prevent attacks: the 8%. But one control - effective risk management
and governance - is what takes care of 92% of the actual risk for these
companies. By focusing on that one control they can reduce 92% of their risk.
11. Who Uses DoCRA?
DoCRA is used by technicians to understand their risks, and then to communicate
those risks to executives using terms that help those executives make
informed decisions about budgets, resources, and priorities.
12. Who Uses DoCRA?
Executives use DoCRA to understand the risks that technicians become
aware of, and to determine whether the safeguards they are requesting
are reasonable given the risk.
13. Who Uses DoCRA?
Regulators have been using DoCRA to determine whether breached organizations
used reasonable cybersecurity controls, and to describe reasonableness
in their settlements.
14. Who Uses DoCRA?
Insurance companies can quickly determine whether a policy holder is
a low risk or a high risk to their portfolio. Companies that can demonstrate
reasonableness can also eliminate that huge liability risk.
15. Who Uses DoCRA?
Defense attorneys use DoCRA to demonstrate the reasonableness of their
clients' controls, even after a breach.
16. Who Uses DoCRA?
And plaintiff's attorneys use DoCRA in their complaints to substantiate
their charges that breached organizations did not use reasonable controls.
17. How Companies Use DoCRA
DoCRA professionals first help organizations define their risk assessment
criteria, including what would constitute acceptable or unacceptable
risk to the company and the public.
18. How Companies Use DoCRA
Next they perform a risk assessment, evaluating the likelihood and impact
of foreseeable threats.
19. How Companies Use DoCRA
They accept risks that would not create a harm requiring repair, and
prioritize the improvement of controls based on the highest risks.
20. How Companies Use DoCRA
The DoCRA professional then helps the organization implement policies,
safeguards, and reporting capabilities to reduce risks over time.
21. How Companies Use DoCRA
And finally, they help organizations measure the performance of the risk
management program using Key Risk Indicators (KRIs) and make informed
decisions based on those measures.
22. What is Risk Management and Governance?
Using this KRI, executives and technicians can communicate about the
status of the cyber risk management program to see if it is effective,
and if not, what executives can do to help improve it.
23. What is Risk Management and Governance?
In January, the company knows its risk is too high. But they have a plan
for reducing risk to an acceptable level. That plan is traced by the
orange line. Every new safeguard they implement reduces risks, so as
long as those planned safeguards meet their deadline, the company will
meet its acceptable risk goals.
24. What is Risk Management and Governance?
But by May, executives can tell that they are off plan. They are not
reducing risks because security projects are not completing. Executives
ask their technical managers what is causing projects to stall. This
gives technical managers the opportunity to describe the impact of shifting
corporate priorities, a lack of resources and budget, a need for more
personnel, or business departments not collaborating with the security
team to improve controls. These are the kinds of problems that executives
can solve.
25. What is Risk Management and Governance?
When executives decide to provide more resources, to commit to priorities,
or to enforce collaboration among peers, they can subsequently see the
company's risks go down. They can see the effect of their decisions
on risk reduction. This is effective cyber governance. And it is managing
cyber security like any other part of the business.
26. What Makes DoCRA Different?
DoCRA is primarily a way to make cyber risk management and governance
finally make sense. By combining the risk analysis principles of
insurance, law, technical standards, and business management, it makes
every risk decision immediately understandable to the interested parties,
which in turn reduces the liabilities associated with incidents.
27.
DoCRA risk analysis resembles a standard risk assessment in that it
combines likelihood and impact. But it evaluates the impact to the
organization's mission, its objectives, and its obligations, so that all
parties are considered in the risk assessment.
28.
One of the most attractive features of DoCRA is that it then examines
a proposed mitigating safeguard to be sure that the safeguard does not
hurt the company more than it helps the public. This concept has been
part of US law for decades and makes it difficult for litigators or regulators
to demonstrate negligence when companies suffer from an incident.
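To make the two ideas on slides 27 and 28 concrete, here is an added example in Python. It is not code from the page, from DoCRA, or from Reasonable Risk; the 1-5 likelihood and impact scales, the separate impact score for each party (mission, objectives, obligations to others), the rule "risk = likelihood x worst impact", the acceptable-risk threshold of 9, and the reasonableness test (residual risk must be acceptable, and the safeguard's own burden must not exceed the risk it removes) are all assumptions chosen to illustrate slides 4, 19, 27 and 28, not DoCRA's published scoring.

```python
"""Constructed illustration of a DoCRA-style risk analysis (added example).

Assumed, not taken from the page: 1-5 likelihood and impact scales, one
impact score per party (the organization's mission, its objectives, and
its obligations to others), risk = likelihood x worst impact, an
acceptable-risk threshold of 9, and a reasonableness test requiring that
a safeguard's residual risk is acceptable and that the safeguard's own
burden does not exceed the risk it removes ("the cure can not be worse
than the disease").
"""
from dataclasses import dataclass

ACCEPTABLE_RISK = 9  # assumed threshold on the 1-25 risk scale
CERTAIN = 5          # a safeguard's burden is certain once it is in place


@dataclass(frozen=True)
class Impact:
    mission: int      # harm to the organization's mission
    objectives: int   # harm to its business objectives
    obligations: int  # harm to customers, patients, the public, etc.

    def worst(self) -> int:
        # Every party counts: the highest impact to anyone drives the score.
        return max(self.mission, self.objectives, self.obligations)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: Impact

    def score(self) -> int:
        return self.likelihood * self.impact.worst()

    def acceptable(self) -> bool:
        return self.score() <= ACCEPTABLE_RISK


@dataclass(frozen=True)
class Safeguard:
    name: str
    residual_likelihood: int  # likelihood once the safeguard is in place
    residual_impact: Impact   # impact once the safeguard is in place
    burden: Impact            # cost/harm the safeguard itself causes, same scale

    def burden_score(self) -> int:
        return CERTAIN * self.burden.worst()


def evaluate(risk: Risk, sg: Safeguard) -> dict:
    """Apply the 'cure must not be worse than the disease' test."""
    residual = Risk(risk.name, sg.residual_likelihood, sg.residual_impact)
    reduction = risk.score() - residual.score()
    burden = sg.burden_score()
    return {
        "inherent": risk.score(),
        "residual": residual.score(),
        "reduction": reduction,
        "burden": burden,
        "residual_acceptable": residual.acceptable(),
        "reasonable": residual.acceptable() and burden <= reduction,
    }


def prioritize(risks: list) -> list:
    """Highest risks first: the order in which controls should be improved."""
    return [r.name for r in sorted(risks, key=lambda r: r.score(), reverse=True)]


# Constructed sample data for a hypothetical clinic (not real findings).
RANSOMWARE = Risk("ransomware on patient records", 4, Impact(3, 3, 5))
PHISHING = Risk("phishing of finance staff", 3, Impact(2, 3, 1))
BACKUPS = Safeguard("offline backups plus MFA", 2, Impact(2, 2, 4), Impact(1, 1, 1))
SHUTDOWN = Safeguard("take the patient portal offline", 1, Impact(1, 1, 1), Impact(5, 5, 3))

if __name__ == "__main__":
    print("priority order:", prioritize([PHISHING, RANSOMWARE]))
    for sg in (BACKUPS, SHUTDOWN):
        print(sg.name, evaluate(RANSOMWARE, sg))
```

With these numbers the ransomware risk scores 20 because the obligation to patients (impact 5) dominates even though the harm to the clinic itself is only 3. Offline backups with MFA bring the residual risk to 8 at a burden of 5, so they are reasonable; taking the portal offline drives the risk to 1 but carries a burden of 25, more than the 19 points of risk it removes, so it fails the reasonableness test.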
29. How the Proven Governance System Works
Reasonable Risk automates the Proven Governance System by helping develop
the risk assessment criteria and the scope of the program, by conducting
the risk analysis, by developing the risk remediation plan and budget,
by developing key risk indicators for the program, and by operating continuous
improvement activities, like reporting and measurably improving the program.
30.
Trained DoCRA professionals can carry out the processes we described here
with Reasonable Risk, a SaaS application that automates cybersecurity risk
management and governance.
31. How the Proven Governance System Works
DoCRA professionals help organizations implement the Proven Governance
System by establishing the governance program, typically through documented
policies and kickoff meetings, and by defining their risk assessment criteria.
32. How the Proven Governance System Works
Those professionals then conduct the risk assessment for systems and
business processes in the program scope. The assessment results in a
prioritized list of controls, and recommended safeguards that would be
reasonable.
33. How the Proven Governance System Works
The risk treatment roadmap includes a plan for which safeguards will be
implemented, when, and at roughly what cost. This helps the organization
plan its risk reduction efforts, and it also creates a model plan for
how risk will reduce over time.
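The roadmap described here is the "orange line" from slides 23 to 25: a model of how risk should fall as each safeguard lands on time, against which actual completions are compared. The following is an added example in Python, not code from the page or from Reasonable Risk. It assumes a single aggregate risk score for the program, that each safeguard removes a fixed amount of that score once implemented, a month index (1 = January), an acceptable-risk target, and constructed sample figures; it builds the planned curve, reports the plan-versus-actual KRI for a given month, lists stalled safeguards, and shows the risk coming back on plan once those safeguards complete.

```python
"""Constructed risk-treatment roadmap and plan-versus-actual KRI (added example).

Assumed, not taken from the page: one aggregate risk score for the program,
a fixed risk reduction per safeguard, months indexed from 1 (January), an
acceptable-risk target, and hypothetical safeguards, dates and costs.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class RoadmapItem:
    name: str
    reduction: int                    # risk score removed once implemented
    due_month: int                    # planned completion month (1 = January)
    cost_usd: int                     # rough budget figure for the plan
    done_month: Optional[int] = None  # actual completion month, None if open


def planned_risk(start_risk: int, roadmap: List[RoadmapItem], month: int) -> int:
    """The model plan: risk if every safeguard lands by its due month."""
    return start_risk - sum(i.reduction for i in roadmap if i.due_month <= month)


def actual_risk(start_risk: int, roadmap: List[RoadmapItem], month: int) -> int:
    """Risk given only the safeguards that have actually been completed."""
    return start_risk - sum(
        i.reduction for i in roadmap
        if i.done_month is not None and i.done_month <= month
    )


def stalled(roadmap: List[RoadmapItem], month: int) -> List[str]:
    """Safeguards past their due month that are still open at `month`."""
    return [
        i.name for i in roadmap
        if i.due_month <= month and (i.done_month is None or i.done_month > month)
    ]


def kri_report(start_risk: int, target: int, roadmap: List[RoadmapItem], month: int) -> dict:
    """The plan-versus-actual KRI executives review each month."""
    planned = planned_risk(start_risk, roadmap, month)
    actual = actual_risk(start_risk, roadmap, month)
    return {
        "month": month,
        "planned": planned,
        "actual": actual,
        "off_plan": actual > planned,       # slide 24: projects not completing
        "meets_target": actual <= target,
        "stalled": stalled(roadmap, month), # what executives should ask about
        "budget_committed": sum(i.cost_usd for i in roadmap),
    }


def plan_reaches_target(start_risk: int, target: int, roadmap: List[RoadmapItem]) -> bool:
    """Does the roadmap, executed on time, end at or below acceptable risk?"""
    last = max(i.due_month for i in roadmap)
    return planned_risk(start_risk, roadmap, last) <= target


def complete(roadmap: List[RoadmapItem], name: str, month: int) -> List[RoadmapItem]:
    """Return a new roadmap recording that `name` was finished in `month`."""
    return [replace(i, done_month=month) if i.name == name else i for i in roadmap]


# Constructed sample roadmap for a hypothetical organization.
START_RISK = 45
TARGET = 12
ROADMAP = [
    RoadmapItem("MFA for remote access", 12, 2, 20_000, done_month=2),
    RoadmapItem("Offline backups", 10, 4, 35_000),
    RoadmapItem("Endpoint detection", 8, 5, 50_000),
    RoadmapItem("Vendor access review", 6, 8, 5_000),
]

if __name__ == "__main__":
    print("plan reaches target:", plan_reaches_target(START_RISK, TARGET, ROADMAP))
    print("May report:", kri_report(START_RISK, TARGET, ROADMAP, 5))
    # Executives fund the stalled work; it completes in June and July.
    recovered = complete(complete(ROADMAP, "Offline backups", 6), "Endpoint detection", 7)
    print("July report:", kri_report(START_RISK, TARGET, recovered, 7))
```

In the sample data the plan reaches the target of 12 by August. The May report shows planned risk 15 against actual risk 33, flags the program as off plan, and names offline backups and endpoint detection as the stalled safeguards; once those two complete in June and July the actual risk returns to the planned 15, which is the effect of executive decisions that slide 25 describes.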
34. How the Proven Governance System Works
All of those activities lay the groundwork for risk management and governance.
But cyber governance is a learned behavior that takes time. Using
Reasonable Risk software, DoCRA professionals then help organizations
manage the implementation of policies and standards, implement controls,
measure the results of new and improved controls, and hold executive
level meetings to involve executives in decision-making.
Using the Proven Governance System, DoCRA professionals can help organizations
improve their cyber risk management and governance programs as well as
they manage any other part of their business. Contact Reasonable
Risk to discover how you can bring measurable risk management to your
organization or clients.