Align organizational objectives with the acceptable residual risk in the decision-making criteria.

Process or Activity


This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a decision management strategy. (CC ID: 06913)

There are no implementation support Controls.


  • The risk classification and risk treatment steps are performed until the risk acceptance criteria of the organisation have been reached and the remaining risk ("residual risk") is thus in accordance with the organisation's objectives and specifications. (§ 6.1 ¶ 13, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • The Board of Directors (the "Board") and Senior Management are responsible for setting and overseeing the firm's business strategy and risk appetite and should ensure that IT risk is considered in this context. In addition, Senior Management is responsible for the effective implementation of the fir… (1.1 ¶ 1, CBI Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks, September 2016)
  • Objectives should be consistent with the decision making criteria set for acceptable levels of residual risk, performance, and compliance in light of the stated mission, vision, and values and the frame of reference. (OCEG GRC Capability Model, v. 3.0, A2.1 Apply Decision-Making Criteria, OCEG GRC Capability Model, v 3.0)
  • Top management is accountable for managing risk while oversight bodies are accountable for overseeing risk management. Oversight bodies are often expected or required to: - ensure that risks are adequately considered when setting the organization's objectives; - understand the risks facing the organ… (§ 5.2 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • the results of the assessment of risks and opportunities (see and; (§ 6.2.1 ¶ 2 c) 2), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: (§ ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • take into account applicable information security requirements, and results from risk assessment and risk treatment; (§ 6.2 ¶ 2 c), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Strategy must support mission and vision and align with the entity's core values and risk appetite. If it does not, the entire entity may not achieve its mission and vision. (The Importance of Aligning Strategy ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Business objectives should also align with the entity's risk appetite. If they do not, the organization may be accepting either too much or too little risk. Therefore, when an organization evaluates a proposed business objective, it must consider the potential risks that may occur and determine the … (Aligning Business Objectives ¶ 3, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The development of risk appetite should align with the development of strategy and business plans, otherwise it may appear that goals and priorities are conflicting, or even creating tensions on the types and amounts of risk reflected in decision-making. (Aligning Strategy with Risk Appetite ¶ 3, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Evaluate threat decision-making processes. (T0685, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Evaluate threat decision-making processes. (T0685, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Risk must be analyzed in relation to achievement of the strategic objectives established in the Agency strategic plan (See OMB Circular No. A-11, Section 230), as well as risk in relation to appropriate operational objectives. Specific objectives must be identified and documented to facilitate ident… (Section II (B1) ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)