Advancing Risk Management Capability Using the Octave Forte Process Draft v5.0

Abstract

OCTAVE FORTE (Operationally Critical Threat, Asset, and Vulnerability Evaluation FOR The Enterprise) is a process model that helps executives and other decision makers understand and prioritize the complex risks affecting their organization. It also helps organizations identify, analyze, prioritize, and mitigate risks that could impact them. The Software Engineering Institute (SEI) developed the OCTAVE FORTE process model to help organizations evaluate their security risks and use enterprise risk management (ERM) principles to bridge the gap between executives and practitioners as decision makers. Executives use information about risk to develop a governance structure, prioritize risks, make informed decisions, allocate resources, and communicate risks using a tiered governance structure. Managers, who support executives in achieving strategic objectives, use elements of FORTE to identify and manage risk in their divisions and departments. Practitioners learn to apply their subject matter expertise in a way that enhances their analysis and helps them communicate their greatest concerns to management. The process model guides organizations that are new to risk management in building an ERM program, and it helps mature organizations fortify their existing ERM program, making it more reliable, measurable, consistent, and repeatable. Besides describing the OCTAVE FORTE process, this report recommends methods and provides a sample risk management policy that organizations can refer to or adapt when writing their own policy. Supplemental materials contain templates that organizations can use when conducting many of the OCTAVE FORTE activities.

Document Details

Document Type: Technical Report
Publication Date: Aug 01, 2020
Accession Number: AD1110440

Entities

People

  • B. A. Tucker

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Biomedical
  • Cyber
  • Engineered Resilient Systems

DTIC Thesaurus Topics

  • Attrition
  • Best Practices
  • Business Administration
  • Cybersecurity
  • Engineering
  • Failure Mode And Effect Analysis
  • Information Systems
  • Management Personnel
  • Materials
  • Organizational Structure
  • Risk
  • Risk Analysis
  • Risk Management
  • Security
  • Software Development
  • Standards
  • Vulnerability

Fields of Study

  • Business
  • Computer science
  • Engineering

Readers

  • Organizational Process Management (OPM)
  • Systems Analysis and Design