risk management engagement timeline

Average duration: 9-24 weeks
Scope impact: IT complexity, number of business units

1-6 weeks

collaborative workshops

We start with collaborative workshops and process walk-throughs with your subject matter experts and business stakeholders. We use these sessions to learn about your organization, culture, and business drivers, as well as to discover and validate your existing risk processes, tools, and communications.

2-4 weeks


We gather observations and document your current-state environment. We typically document governance practices, operational practices, tools used to support the risk management program, and the technology landscape. We compare your environment to common criteria and recognized good practice derived from relevant standards and frameworks (e.g., NIST, COBIT, FAIR, ISO).

2-4 weeks

gap analysis

We articulate hypotheses for risk posture and risk appetite. We postulate a peer group as a basis for comparison, drawn from hundreds of previous engagements. We then identify gaps and risk indicators relative to industry good practice using our assessment method and tools. We document strengths and opportunities for improvement.

2-4 weeks


We develop risk-informed recommendations to address every identified gap. Recommendations are influenced by your business drivers, culture, talent, risk posture, risk appetite, risk exposure, current technology investments, current projects, and planned budget.

2-6 weeks

risk instrumentation

We tailor our collection of risk tools to your unique risk posture and appetite. Typical deliverables include:
• risk taxonomy & risk register
• risk assessment method and tools
• risk adjudication processes
• communication templates

Risk Practices

Governance, Oversight, & Communication
Policies, Guidelines, Standards, & Procedures
Risk Adjudication Process
Risk Assessment Methods
• Triage
• Lightweight
• Focused
Risk Disciplines
• Cybersecurity Risk
• Enterprise Risk
• Information Risk
• Technology Risk
• Third-Party Risk
Risk Statements

Risk Technologies

Communication Templates
Control Library
Metrics & Reporting
• Key Risk Indicators
• Key Performance Indicators
Operational Risk Repositories
Risk Assessment Tool
• Risk Profiling
• Risk Identification
• Threat Assessment
• Risk Assessment
• Control Assessment
• Business Impact Assessment
Strategic Risk Register
Threat Library