Advancing Risk Management Capability Using the OCTAVE FORTE Process
November 2020 • Technical Note
OCTAVE FORTE is a process model that helps organizations evaluate their security risks and use ERM principles to bridge the gap between executives and practitioners.
Software Engineering Institute
OCTAVE FORTE (Operationally Critical Threat, Asset, and Vulnerability Evaluation FOR The Enterprise) is a process model that helps executives and other decision makers understand and prioritize the complex risks affecting their organization. It also helps organizations identify, analyze, prioritize, and mitigate risks that could impact them.
The Software Engineering Institute (SEI) developed the OCTAVE FORTE process model to help organizations evaluate their security risks and use enterprise risk management (ERM) principles to bridge the gap between executives and practitioners as decision makers. Executives use information about risk to develop a governance structure, prioritize risks, make informed decisions, allocate resources, and communicate risks using a tiered governance structure. Managers—who support executives in achieving strategic objectives—use elements of FORTE to identify and manage risk in their divisions and departments. Practitioners learn to apply their subject matter expertise in a way that enhances their analysis and helps them communicate their greatest concerns to management.
The process model guides organizations that are new to risk management in building an ERM program, and it helps mature organizations fortify their existing ERM program, making it more reliable, measurable, consistent, and repeatable.
Besides describing the OCTAVE FORTE process, this report recommends methods and provides a sample risk management policy that organizations can refer to or adapt when writing their own policy. Supplemental materials contain templates that organizations can use when conducting many of the OCTAVE FORTE activities.
Watch Brett Tucker and Matthew Butkovic discuss the OCTAVE FORTE process in an August 2020 webcast. Attendees learned about the fundamental steps of the process and how they might apply them in their own organization.