Cyber Security is going ERM.
The US Department of Energy (DOE) released for public comment the Electricity Subsector Cybersecurity Risk Management Process. You can download it at:
http://energy.gov/sites/prod/files/RMP%20Guideline%20Second%20Draft%20for%20Public%20Comment%20-%20March%202012.pdf
It may be a game changer in risk frameworks. Most risk frameworks are linear risk assessment processes.
The DOE standard is ERM-process based (inputs => activities => outputs), hierarchical (tiered), and follows a novel cycle.
Let’s discuss a few of these:
The RM model is tiered: Tier 1: Organization; Tier 2: Mission and Business Processes; and Tier 3: IT and Industrial Control Systems.
The RM model has a cycle of: Frame => Assess => Respond => Monitor.
Each tier follows a process, much like the Project Management Institute's Project Management Body of Knowledge (PMBOK).
Different RM model. ERM based. Interesting. Novel. Check it out.