Enterprise-Wide Risk Management Program Overhaul

Bringing Structure to Cyber Risk in a Growing Organization

Overview

As part of a security maturity initiative, I designed a scalable enterprise risk management (ERM) model tailored to a mid-sized organization preparing for rapid growth. The goal was to align technical risk activities with business strategy, using a structured and repeatable framework.

My Role

I developed a foundational risk management model based on industry best practices, contributing to policy alignment, internal control mapping, and executive reporting.

Key Contributions

  • Developed a Tiered Risk Register: Built a working risk register with categories for IT, compliance, and operational risks, prioritizing based on impact and likelihood.

  • Introduced Risk Scoring Logic: Implemented a simple yet scalable scoring matrix to help teams assess and communicate risk consistently.

  • Connected Cyber to Business Risk: Helped map technical vulnerabilities to business impact, fostering better decision-making at the leadership level.

  • Framework-Aligned: Used ISO 27005 and NIST RMF principles to guide structure and documentation.
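A minimal version of the tiered register and scoring matrix described above, as an added Python example rather than the author's actual Google Sheets prototype; the scale labels, tier cut-offs, category names and sample entries are all constructed assumptions:

```python
from dataclasses import dataclass

# Constructed 5x5 scale; the real register's labels and thresholds will differ.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
CATEGORIES = ("IT", "compliance", "operational")

@dataclass(frozen=True)
class Risk:
    risk_id: str
    category: str
    description: str
    likelihood: str
    impact: str

    def __post_init__(self):
        # Reject labels outside the shared scale so every team scores on one matrix.
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.risk_id}: unknown category {self.category!r}")
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.risk_id}: likelihood/impact not on the scale")

def score(risk: Risk) -> int:
    """Likelihood x impact, giving a 1..25 score."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]

def tier(s: int) -> str:
    """Band a score for the heatmap; cut-offs are assumed, tune to risk appetite."""
    return "critical" if s >= 15 else "high" if s >= 8 else "medium" if s >= 4 else "low"

def prioritized(register: list) -> list:
    """Highest score first; ties broken by id so the ordering is repeatable."""
    return sorted(register, key=lambda r: (-score(r), r.risk_id))

def heatmap(register: list) -> list:
    """5x5 grid of risk ids indexed [likelihood-1][impact-1], ready to colour by tier."""
    grid = [[[] for _ in IMPACT] for _ in LIKELIHOOD]
    for r in register:
        grid[LIKELIHOOD[r.likelihood] - 1][IMPACT[r.impact] - 1].append(r.risk_id)
    return grid

# Constructed sample register (not real findings from any organisation).
REGISTER = [
    Risk("R-001", "IT", "Unpatched internet-facing VPN appliance", "likely", "major"),
    Risk("R-002", "compliance", "Vendor contracts lack data-processing terms", "possible", "moderate"),
    Risk("R-003", "operational", "Only one person able to restore backups", "unlikely", "severe"),
    Risk("R-004", "IT", "Accounts not removed at offboarding", "likely", "minor"),
    Risk("R-005", "compliance", "Policy review cycle overdue", "rare", "minor"),
]
```

Calling `prioritized(REGISTER)` yields the register in reporting order, and `heatmap(REGISTER)` gives the grid behind a likelihood-by-impact heatmap.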

What It Demonstrates

  • Strategic mindset around risk and governance

  • Understanding of enterprise frameworks and structure

  • Ability to translate technical issues into business language

  • Familiarity with building scalable, policy-driven approaches

Tools & Concepts Used

  • ISO 27005 Risk Framework

  • NIST RMF (Risk Management Framework)

  • Google Sheets (Risk Register prototype)

  • Internal policy documents

  • Heatmaps for visual scoring