Software Engineering Institute

Pittsburgh, Pa., November 17, 2020—The Software Engineering Institute today released the latest model in the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) suite. The OCTAVE FORTE (OCTAVE For the Enterprise) model for enterprise risk management helps executives and other decision makers understand and prioritize the complex risks affecting their organizations. 

The OCTAVE FORTE process model helps organizations evaluate their security risks and use enterprise risk management principles to bridge the gap between executives and practitioners.

“Feedback from users of the previous models—OCTAVE and OCTAVE Allegro—helped us to recognize the need for a stronger connection between the front line and the executive level of an organization,” said Brett Tucker, cybersecurity risk management technical manager in the SEI CERT Division and creator of the new model. “We learned there was a disconnect between the bits-and-bytes analysis and the dollars-and-cents business case required to get the proper risk response.”

The new model involves all levels of an organization. Executives use information about risk to develop a governance structure, prioritize risks, make informed decisions, allocate resources, and communicate risks using a tiered governance structure. Managers—who support executives in achieving strategic objectives—use elements of FORTE to identify and manage risk in their divisions and departments. Practitioners learn to apply their subject matter expertise in a way that enhances their analysis and helps them communicate their greatest concerns to management.

The OCTAVE FORTE process model guides organizations that are new to risk management in building an enterprise risk management program, and it helps mature organizations fortify their existing ERM programs, making them more reliable, measurable, consistent, and repeatable. The model also may be used in conjunction with the previous OCTAVE and OCTAVE Allegro models by organizations already familiar with OCTAVE processes.

“When we talk about risk, we’re really talking about uncertainty,” said Tucker. “We tend to concentrate only on the downside of risk, but risk also opens us up to opportunity.” 

Uncertainty affects how organizations operate and meet their strategic objectives. A fast-paced, uncertain environment creates risks and can preclude organizations from making long-term plans because these plans can quickly be rendered obsolete.

To cope with this situation, organizations should focus on managing their risks and using risk data to make decisions that help them meet their strategic objectives. When an organization manages risk, it ensures that it takes only the risks—in the form of opportunities—that help it achieve its strategic objectives while controlling the risks that threaten those objectives.

When risks are realized in an organization, business continuity can be disrupted, potentially affecting the organization’s critical assets and bringing the organization’s critical services to a halt.

OCTAVE FORTE helps organizations succeed in managing downside risks—such as loss of critical assets and disruptions in business continuity—and in dealing confidently with opportunity.

“Our goal in OCTAVE FORTE,” said Tucker, “is ultimately to build resilient organizations that are prepared for any eventuality.”

Download the SEI technical note Advancing Risk Management Capability Using the OCTAVE FORTE Process from the SEI website. For more information about OCTAVE FORTE or how to start using it in your organization, contact info@sei.cmu.edu.