Programmatic Risk Assessment
"Organization adequately assesses programmatic insider risk."
This capability evaluates whether the organization has the ownership, process, evidence, methodology, and oversight needed to manage this area of insider-risk assessment.
What This Capability Means
Programmatic Risk Assessment assesses whether the organization has a defined, repeatable, and evidence-supported approach to this risk-assessment capability. This includes the methodology, roles, workflows, data sources, risk artifacts, documentation practices, stakeholder inputs, and oversight needed to make the capability operational.
Why This Capability Matters
This capability matters because insider-risk programs need more than activity; they need a defensible way to identify exposure, compare priorities, and decide what to fix next. Weaknesses can create blind spots in Governance & Oversight, Process & Procedural Gaps, Risk Prioritization & Scoring, inconsistent residual-risk decisions, delayed investment, and weak executive evidence. A mature capability helps the organization move from informal concern to repeatable, risk-informed assessment and action.
AI & Automation Context
AI can help identify patterns and normalize evidence, but assessment scoring should remain governed, calibrated, reviewable, and explainable. The public framework should not expose RiskTKO® scoring formulas, weighting logic, or model relationships.
Weakness vs. Maturity Indicators
- Technology or scoring is used without clear governance, evidence quality review, calibration, or explainable decision support.
- Risk assessment is informal, undocumented, or dependent on individual judgment.
- Scope, ownership, cadence, criteria, and evidence expectations are unclear.
- Assets, users, threats, vulnerabilities, impacts, and controls are assessed in isolation.
- Residual risk decisions are not clearly documented, accepted, assigned, or reviewed.
- Assessment outputs do not consistently drive risk register updates, roadmap actions, or resource decisions.
- AI-enabled workflows, AI-use expectations, or AI-assisted threat patterns are not reflected in assessment practices.
- Components, capabilities, and key factors defined; each capability scored 0-5.
- Weightings documented; output generates overall maturity tier (Initial → Optimised).
- Results drive roadmap milestones and resource allocation.
- The capability has a named owner, documented methodology, defined evidence expectations, and clear governance support.
- Assessments connect assets, users, threats, vulnerabilities, impacts, controls, residual risk, and business-owner decisions.
- Assessment results are reviewed by appropriate stakeholders across Security, HR, Legal, Privacy, IT, business units, and executive risk governance.
- Outputs are connected to risk register items, prioritized recommendations, roadmap actions, and control improvements.
Questions Leaders Should Ask
Question 1
Who owns RA.8, and do they have authority to define scope, evidence, cadence, and escalation?
Question 2
Which assets, users, insider pathways, business processes, and third parties are in scope?
Question 3
How are threat, vulnerability, impact, control effectiveness, and residual risk connected?
Question 4
What evidence shows this assessment practice is operating, reviewed, and kept current?
Question 5
How are AI-enabled workflows, AI-use expectations, and AI-assisted threat patterns reflected in the assessment?
Question 6
How do results drive risk register updates, roadmap actions, funding decisions, and executive reporting?
Evidence Examples
Evidence Type
Risk assessment methodology and scope statement
Evidence Type
Insider-risk strategy or program procedures
Evidence Type
Asset inventory and critical asset classification records
Evidence Type
Risk register entries and exposure narratives
Evidence Type
Threat, vulnerability, impact, and control-effectiveness inputs
Evidence Type
Business-owner reviews, risk decisions, and residual-risk acceptance records
Evidence Type
Assessment reports, heat maps, dashboards, or executive summaries
Evidence Type
Roadmap actions, milestones, and control-enhancement records
Evidence Type
Version history, review logs, and triggering-event update records
Evidence Type
Tool configuration summaries, scoring calibration notes, data-quality reviews, and human review records
Mapped Standards and Framework References
| Standard / Framework Reference | How It Relates to This Capability |
|---|---|
| ISO 27002, 6.1.5(b) | Reference mapping for RA.8; validate applicability based on assets, workforce, legal, privacy, data, AI-use, and operational context. |
| CERT CSG, 2.1; 6.1 | Reference mapping for RA.8; validate applicability based on assets, workforce, legal, privacy, data, AI-use, and operational context. |
How RiskTKO® Operationalizes This Capability
Assessment evidence
Methodology, scope, asset records, risk inputs, control reviews, scoring records, stakeholder decisions, workflows, or documents used to evaluate current capability.
Risk evidence
Risk register items or exposure narratives connected to asset priority, threat conditions, vulnerability gaps, residual risk, AI-enabled workflows, or control effectiveness.
Roadmap evidence
Recommended actions, owners, milestones, dependencies, control improvements, reassessment cycles, and completion status.
Executive evidence
Summaries showing current state, priority exposure, progress, remaining gaps, risk decisions, and risk reduction over time.
Assess, Prioritize, and Report with RiskTKO®
Protecting proprietary logic (scoring, weightings, and roadmap generation formulas) remains inside the software layer. RiskTKO® provides your team with the complete operational dashboard to evaluate this capability, document evidence, track actions, and deliver clean, executive-ready maturity metrics.