[Figure: the three-tier risk management process]

The cybersecurity risk management process explained in the Electricity Sector Cybersecurity Risk Management Process (RMP) Guideline has two primary components: the risk management model and the risk management cycle. The risk management model represents the organization as a three-tiered structure and provides a comprehensive view of the electricity sector organization and of how risk management activities are undertaken across it. This structure is simple enough that it can be applied to any electricity sector organization regardless of size or operations. The three tiers of the risk management model are:

  • Tier 1: Organization
  • Tier 2: Mission and Business Process
  • Tier 3: Information Technology and Industrial Control Systems

The risk management cycle is a continuous process for making risk decisions within each of the tiers defined in the risk management model. It is constantly re-informed by the changing risk landscape as well as by changing organizational priorities and functions. The risk management cycle provides four elements that structure an organization's approach to risk management: frame, assess, respond, and monitor.

The RMP is based on integrating the risk management cycle at each business tier in the risk management model. The goals of this process are to improve risk assessment, awareness, and security behavior at all levels of an organization. The process is designed to 1) accommodate any size or type of organization; 2) support a mission- and business-focused approach; and 3) support improved communication of risk across the organization.