SEI releases OCTAVE FORTE model for enterprise risk management
The Software Engineering Institute has released the latest model in the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) suite. The OCTAVE FORTE (OCTAVE for the enterprise) model for enterprise risk management (ERM) helps executives and other decision-makers understand and prioritise the complex risks affecting their organisations.
The OCTAVE FORTE process model helps organisations evaluate their security risks and use ERM principles to bridge the gap between executives and practitioners.
“Feedback from users of the previous models—OCTAVE and OCTAVE Allegro—helped us to recognise the need for a stronger connection between the front line and the executive level of an organisation,” said Brett Tucker, cybersecurity risk management technical manager in the SEI CERT Division and creator of the new model.
“We learned there was a disconnect between the bits-and-bytes analysis and the dollars-and-cents business case required to get the proper risk response.”
The new model involves all levels of an organisation. Executives use information about risk to develop a governance structure, prioritise risks, make informed decisions, allocate resources, and communicate risks using a tiered governance structure.
Managers—who support executives in achieving strategic objectives—use elements of FORTE to identify and manage risk in their divisions and departments.
Practitioners learn to apply their subject matter expertise in a way that enhances their analysis and helps them communicate their greatest concerns to management.
The OCTAVE FORTE process model guides organisations that are new to risk management in building an ERM program, and it helps mature organisations fortify their existing ERM programs, making them more reliable, measurable, consistent, and repeatable. The model may be used in conjunction with the previous OCTAVE and OCTAVE Allegro models by organisations already familiar with OCTAVE processes.
“When we talk about risk, we’re really talking about uncertainty,” said Tucker. “We tend to concentrate only on the downside of risk, but risk also opens us up to opportunity.”
Uncertainty affects how organisations operate and meet their strategic objectives. A fast-paced, uncertain environment creates risks and can preclude organisations from making long-term plans because these plans can quickly be rendered obsolete.
To cope with this situation, organisations need to focus on managing their risks and using risk data to make decisions that help them meet their strategic objectives. When an organisation manages risk, it ensures that it takes only the risks—in the form of opportunities—that help it achieve its strategic objectives while controlling the risks that threaten those objectives.
When risks are realised in an organisation, business continuity can be disrupted, potentially affecting the organisation’s critical assets and bringing the organisation’s critical services to a halt.
OCTAVE FORTE is designed to help organisations succeed in managing downside risks—such as loss of critical assets and disruptions in business continuity—and in dealing confidently with opportunity.
“Our goal in OCTAVE FORTE is ultimately to build resilient organisations that are prepared for any eventuality,” said Tucker.
Copyright © intelligentinsurer.com 2024