Becoming a Risk Master
Many organizations struggle to balance risk management with compliance management. Risk management considers threats, while compliance focuses on controls without context. Ultimately, you need to look at both ends of the equation to determine your key controls, as they are the investments and associated metrics you want to nurture the most.
But what does this mean for the hundreds of other controls within the scope of your program or initiative? Are there compensating controls? Does the threat warrant more investment? How much investment?