

Known Risk Exceptions and the Capability Maturity Model

In order to truly manage your risk, you need two things: 1) to identify and quantify your risk, and 2) to understand that you cannot mitigate all risk, and therefore, you will have to accept some known risk. Often known as “Risk Acceptance,” documenting and tracking the risks your organization knows about and has chosen to accept is truly the difference between proactive security and reactive security.

Reactive Security vs. Proactive Security

[Figure: Capability Maturity Model]

The Capability Maturity Model (pictured on the right) gives us some great insight into how organizations can improve their processes over time.

Most organizations start ANY new process – we’ll use Information Security as our example here – by being completely reactive to the environment. Reactive security is unpredictable, inconsistent, often involves manual processes, and creates a lot of risk. The risks stem from having to be told by examiners, auditors, or an incident that there are significant deficiencies or holes in your Information Security Program that could lead to bad things happening to your organization.

Reactive security means that when new threats occur, new regulation is released, or new technology is implemented at your organization, the IT/IS department is often the last to know or must scramble to deal with the new issue without planning for said issue in advance.

Proactive security involves maturing your organization up the Capability Maturity Model so that formal processes are documented, expectations are defined and set, and standards implemented. Once processes are formalized, the organization can begin to develop metrics around those processes, leading to the ability to measure and manage risk.

Proactive security is formalized, repeatable, well-documented, measurable, and predictable. Proactive security allows your organization to get out in FRONT of problems and anticipate new issues, or at the very least, be able to deal with the unknown without having to scramble or start from scratch.

One of the major components of proactive security is to know and understand your risk, then document the risks you know about but either cannot or choose not to mitigate for the time being. Since you cannot mitigate ALL of your risk, there will always be some risk that must be accepted. Documenting your acceptance of these known risks and sharing these accepted risks with the IT Committee and the Board of Directors (who should then sign off on these accepted risks) is the sign of a mature organization.

Initially, organizations tend to be afraid of documenting the risks they know about but are not addressing, as the common response is something like “you want us to share our dirty laundry with our examiners and auditors?” Well… yes! But it’s not sharing your “dirty laundry.” Documenting your Known Risk Exceptions is your organization’s way of demonstrating – to examiners, auditors, and senior management – that you understand you can’t mitigate all risks, but you’re either going to accept these risks for the time being or deal with the risk in a different manner.

Types of Risk Mitigation

There are four (4) ways to manage risk in general:

  1. Avoid the Risk – stop doing the thing or remove the thing from the network
  2. Accept the Risk – you can’t fix it now, so the risk is accepted and monitored going forward
  3. Reduce (Mitigate) the Risk – fix the issues or implement compensating controls
  4. Transfer the Risk – risk transference typically means insurance

Document Your Known Risk Exceptions

Formally documenting your Known Risk Exceptions and not only sharing these risk exceptions upstream in your organization, but ALSO with auditors and examiners, is the best way to demonstrate that 1) you truly understand and measure your risk, and 2) your whole organization is aware of these known risks and how you plan to address them in the future.

The worst-case scenario regarding your Known Risk Exceptions is that an examiner or auditor writes you up in their report for things you, your IT Committee, Senior Management, and the Board already know are issues. There will be no surprises. Additionally, you should already have a plan in place to address these risks regardless, so the exam finding shouldn’t matter much anyhow.

More likely, though, is that your auditors and examiners will be significantly more impressed that you’re proactively managing security at your organization, and while they agree there are some issues with Known Risk Exceptions, you already have a plan in place to handle those issues in the future, so proceed accordingly.

Proactive security and Known Risk Exceptions allow you to get out in front of risk, as well as auditors and examiners, and be much more transparent about actual issues that could affect your organization, rather than hiding things or keeping secrets and hoping no one digs deep enough to find the real risks at your organization.

Here’s an example of an easy way to document Known Risk Exceptions at your organization:

[Figure: Information Security Risk Exceptions]

Written by: Jon Waldman
Partner, EVP of Information Security Consulting
SBS CyberSecurity, LLC



Posted: Wednesday, August 29, 2018
Categories: Blog