Cyber ERM

Cyber Security is going ERM.

The US Department of Energy (DOE) released for public comment the Electricity Subsector Cybersecurity Risk Management Process. You can download it at:

http://energy.gov/sites/prod/files/RMP%20Guideline%20Second%20Draft%20for%20Public%20Comment%20-%20March%202012.pdf

It may be a game changer in risk frameworks. Most existing risk frameworks are linear risk assessment processes.

The DOE standard is ERM process based (inputs => activities => outputs), hierarchical (tiered), and follows a novel cycle.

Let’s discuss a few of these:

The RM model is tiered:

1. Tier 1: Organization
2. Tier 2: Mission and Business Processes
3. Tier 3: IT and Industrial Control Systems

The RM model has a cycle of: Frame => Assess => Respond => Monitor.

Each tier follows a process, much like the Project Management Institute's Project Management Body of Knowledge (PMBOK).

Different RM model. ERM based. Interesting. Novel. Check it out.