Proactively identify, assess, prioritize and treat risks to align Technology Assets, Applications, Services and Data (TAASD)-related decisions with the organization's defined risk appetite and risk tolerance.
Organizations ensure business units and process owners understand their roles and responsibilities applicable to effective management of security, compliance, privacy and resilience risks, while cybersecurity and data privacy teams advise on risk matters and business stakeholders retain risk ownership.
Risk management in the SCF is a business function, not a security function that happens to produce reports for business stakeholders. The RSK domain governs how organizations identify, assess, prioritize and treat risks to TAASD in alignment with defined risk appetite and risk tolerance. The domain assigns risk ownership to business stakeholders and advisory responsibility to cybersecurity and data privacy teams.
The SCF's intent for RSK is that risk management is deliberate and must be owned by process owners. When security teams own risk, business units can treat risk decisions as someone else's problem. When business units own risk, they are accountable for the consequences of accepting, transferring, mitigating, or avoiding risks related to their operations. The cybersecurity team's role is to ensure business stakeholders understand the risks they're accepting, not to make risk decisions on their behalf.
RSK requires defined risk appetite and risk tolerance thresholds. Without those definitions, every risk decision is made on judgment rather than policy, producing inconsistent outcomes and making it impossible to demonstrate that risk decisions are intentional. RSK is the domain that gives the rest of the framework its prioritization logic: controls are implemented and maintained based on risk, not on a checklist.