Board Risk Committee: Mission, Goals, Objectives, and Composition
This sample artifact describes the board risk committee mission, goals, objectives, and composition as identified in Article 2: Defining an Effective Enterprise Security Program, Table 1 and Article 3: Enterprise Security Governance Activities. This artifact is not meant to stand alone — rather it should be interpreted in the context of these articles. We hope business leaders will find it useful as an aid in building a governance-based security program.
Board Risk Committee (BRC) Mission
The mission of the board risk committee (BRC) is to protect
- the investment of the organization’s shareholders
- the organization's assets (both physical and digital), people, operational processes, products, and reputation from internal and external risks
The BRC determines the organization’s tolerance or threshold for risk acceptance, avoidance, and mitigation. They also ensure that all risk plans align with corporate policies and strategic plans.
In carrying out its mission, the BRC shall achieve the following goals:
- Establish a culture of risk management and security that permeates throughout the organization.
- Exercise oversight of enterprise risk management and security activities.
- Manage identified security risks according to asset criticality, likelihood of occurrence, and magnitude of harm and impact.
- Ensure an enterprise security program (ESP) is established and sustained with appropriate and adequate resources.
- Protect personnel, operations, information, and investments by emphasizing organizational resiliency.
The BRC shall accomplish the following objectives in meeting these goals:
- Establish an ESP governance structure for the organization, allocate responsibilities, and ensure segregation of duties according to industry best practices.
- Set the organization’s cultural and managerial tone for risk management and security through top-level policies.
- Ensure that personnel with ESP responsibilities have the requisite experience, qualifications, and education.
- Determine risk acceptance, avoidance, and mitigation thresholds that align with strategic and operational goals.
- With senior management, ensure that security risks, threats, and vulnerabilities are regularly assessed and reviewed by using accepted methodologies and best practices.
- Oversee the development and regular review of a risk management plan (RMP) that addresses security risks.
- Exercise oversight of key ESP activities, including
  - development of the Enterprise Security Strategy (ESS)
  - categorization of digital assets
  - selection of controls
  - identification of key performance indicators
  - development and testing of core ESP plans (incident response, crisis communications, business continuity and disaster recovery (BC/DR), and training and implementation)
- Review and approve the enterprise security plan and security business case and funding requirements.
- Ensure formal reviews of the ESP are conducted on a regular basis and that identified weaknesses are addressed.
- Obtain board approval of the RMP and security budget.
The BRC shall consist of seven members.[2] Four of the members shall be independent, non-executive directors with experience in risk management, enterprise security, establishing cultures and instilling expectations of compliance, and information technology management.
The remaining three members shall be executive directors:
- Chief executive officer (CEO) or chief operating officer (COO)
- Chief financial officer (CFO)
- Chief risk officer (CRO) or chief security officer (CSO)[3]
Artifacts Produced by the BRC
The BRC has responsibility for ensuring that the following artifacts are produced from activities related to its goals and objectives:
- BRC mission, goals, objectives, and composition
- X-team mission, goals, and objectives
- Organizational chart depicting ESP lines of authority
- Roles and responsibilities for the ESP
- Top-level ESP policies
- Board-approved budget for the ESP
[1] The mission and composition pertain to all BRC responsibilities. The goals and objectives of this sample artifact, however, apply only to the security of information, applications, and networks, and their grouping into systems. Supplemental goals and objectives would ordinarily be added for physical and personnel security.
Copyright 2006 Carnegie Mellon University.
Last updated April 30, 2007