Include criteria for risk tolerance in the decision-making criteria.


CONTROL ID
12950
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a decision management strategy., CC ID: 06913

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment ins… (4.5 32, Final Report on EBA Guidelines on outsourcing arrangements)
  • the ability to oversee the service provider and to manage the risks; (4.7 44(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • Develop and maintain a risk response process designed to ensure that cost-effective controls mitigate exposure to risks on a continuing basis. The risk response process should identify risk strategies such as avoidance, reduction, sharing or acceptance; determine associated responsibilities; and con… (PO9.5 Risk Response, CobiT, Version 4.1)
  • Define criteria for selecting objectives and strategies, guidance on priorities, risk/reward trade-off (e.g., risk appetite, tolerance, thresholds, and capacity) and compliance. (A1.5 Define Decision-Making Criteria, OCEG GRC Capability Model, v 3.0)
  • The organization should specify the amount and type of risk that it may or may not take, relative to objectives. It should also define criteria to evaluate the significance of risk and to support decision-making processes. Risk criteria should be aligned with the risk management framework and custo… (§ 6.3.4 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • Justification for risk treatment is broader than solely economic considerations and should take into account all of the organization's obligations, voluntary commitments and stakeholder views. The selection of risk treatment options should be made in accordance with the organization's objectives, ri… (§ 6.5.2 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • Risk management is integral to all organizational activities. Although AI systems can deliver benefit to the organization, the organization's objectives related to good governance of decision-making, to use of data, and to the organization's desired culture and values should be revised to take accou… (§ 6.7.2 ¶ 1, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Considers new and emerging risks as part of decision-making (e.g., a new business partner is not taken on without exercising due diligence). (Authority and Responsibilities ¶ 5 Bullet 3, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Embedding risk in decision-making: Management addresses risk consistently when making key business decisions, which includes discussing and reviewing risk scenarios that can help everyone understand the interrelationship and impacts of risks before finalizing decisions. (Embracing a Risk-Aware Culture ¶ 1 Bullet 5, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • A validation through audits, self-assessments, penetration tests, and vulnerability assessments that risk decisions are informed by appropriate identification and analysis of threats and other potential causes of loss. (App A Objective 4.2.e, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management uses reporting of the results of self-assessments, penetration tests, vulnerability assessments, and audits to support management decision making. (App A Objective 10.5, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether the institution's risk management program facilitates effective risk identification and measurement and provides support for risk decisions within ITRM. (App A Objective 7, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Management has committed to support the board's risk decisions. (App A Objective 7:3 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Ensure that the board and management understand the risk categories. (App A Objective 7:4 f., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • System requirements (e.g., "the system shall respect the privacy of its users") are elicited from and understood by relevant AI actors. Design decisions take socio-technical implications into account to address AI risks. (MAP 1.6, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Decision-makers are informed by an organization's risk profile, risk appetite, and risk tolerance levels. Processes should address when and how the escalation of risk decisions needs to occur. (2.3.2. ¶ 3 Bullet 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Many threats to and through the supply chain are addressed at Level 2 in the management of third-party relationships with suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers. Because C-SCRM can both directly and indirectly impact m… (2.3.3. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Analyze design constraints, analyze trade-offs and detailed system and security design, and consider life cycle support. (T0012, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)