Methodology

Our Methodology

Enterprise Risk Management is an enterprise-wide approach to addressing the culture, processes and structures that are directed towards effective management of potential opportunities and adverse effects as they relate to risk. Taking control of risks in an informed way allows them to be identified, analyzed, evaluated, treated, and monitored.

Tevora’s proprietary HydraRisk Model is founded on extensive experience in enterprise risk management. At Tevora, we believe that an ERM Program shouldn’t just define common terminology, but should instead be a holistic approach that encompasses the ERM Lifecycle. This ERM Program Lifecycle consists of all components needed to implement a successful and sustainable ERM Program.

Our approach to ERM includes:

  • Comparing and analyzing risk across all business units allowing for risks to be linked across functional areas and addressed using a common approach.
  • Identifying opportunity risk to expose and capitalize on opportunities that may exceed the Company’s strategic objectives.
  • Enterprise prioritization of risk based on risk rating.

Governance and Strategy Development

Governance Programs help evaluate the ecosystem within an organization and ensure that principles, policies and frameworks are in place, that they are aligned with one another, and that they are measured so as to support the strategy of the organization.

Tevora’s Governance methodology is founded on extensive experience in ERM and GRC and built on the firm belief that a Governance Program shouldn’t just define common terminology, but instead be a holistic approach that aligns processes with the business.

  • IT Governance
  • Information Security Governance
  • Risk Management Governance
  • Compliance Governance
  • Vendor Management Governance
  • Cloud Governance
  • Risk Scenario Analysis

ERM Program Development

  1. Risk Governance: ERM Governance starts with the Board. Governance sets the direction, ownership and tone for the entire ERM Lifecycle.
  2. ERM Program: The objective of the ERM Program is to embed the principles of risk management in all aspects of the organizational strategy and operations to provide a holistic approach to addressing risk.
  3. Risk Assessment: Defining the right risk assessment methodology begins with understanding executive management’s expectations. Tevora leverages COSO, ISO 31000, CAS, NIST and CobiT.
  4. Risk Rating: Risks should not be evaluated by just likelihood and impact factors. This does not equip enterprises with the information needed to make intelligent risk decisions. Tevora’s HydraRisk Decisioning Model uses five factors to assess key criteria to properly prioritize and respond to risks.
  5. Risk & Performance Linkage: As enterprises mature their ERM Programs they move from Foundational to Proficient to Innovative to Value Creation stages. The linkage between risk and performance indicators is key in this maturity.

Enterprise risk can’t be removed entirely, but it can be managed in a way that protects your organization from undue exposure. Tevora relies on years of experience to deliver a proven approach to enterprise risk management. Through our proprietary HydraRisk Model, we transition Risk Management into Risk Intelligence.

Tevora’s HydraRisk Model incorporates the industry standard ERM frameworks and pushes them further to create a risk intelligence ERM Program. The HydraRisk Model uses five factors to develop a comprehensive ERM Program Lifecycle.

Cyber Risk Advisory

M&A Cyber Risk Advisory Services

Considering cyber risk during mergers and acquisitions, as well as having strategies and actionable efforts to act on, is critical to several aspects of the process. Cyber risk can affect due diligence as well as the security of the actual assets being acquired. It’s critical that risk be assessed, and remedied if necessary, during this vulnerable time.

Tevora, through years of work with some of the nation’s premier organizations, offers vetted cyber risk advisory services for organizations in the midst of M&A activities.

Vendor Risk Management

A centralized set of processes, policies, and controls makes a collaborative effort between multiple organizations successful. With an increase in outsourced systems, services, and development, Tevora can create a customized program that establishes expectations and protocols to effectively manage all vendors with access to your assets.

Vendor Management Program

Tevora assists in creating a governance program that covers the risks associated with outsourcing arrangements for products and services (including technology services), how to measure those risks, how to categorize vendors and assets, and the overall due diligence process.

Vendor Security Requirements

We work with you to understand what controls are critical for service providers to have in place before they are permitted to conduct business with you. Partnering with you, we create survey questionnaires, weighting for each response, risk thresholds and escalation criteria.

Vendor Risk Assessment

Leveraging the program and survey questionnaire developed with your organizational needs, Tevora can do the heavy lifting and work with the service providers to complete the survey questionnaires. We act as an extension of your organization and ensure responses make sense and meet the needs established within the vendor security requirements.

Risk Assessments

An effective risk assessment should provide an organization with a clear view of the variables in play, allowing it to identify which risks represent opportunities and which represent potential pitfalls. Tevora’s risk assessments do this by utilizing the HydraRisk Method. This method has evolved risk frameworks to rely on quantitative and repeatable processes that enable organizations to prioritize their risks based on greater insight and transparency. The identification and decisioning process of HydraRisk leverages five factors that allow an expanded view into the organization.

ISO Risk Assessment

Tevora has trained ISO 27001 Lead Auditors that also understand and perform risk assessments. This knowledge combination ensures that the risk assessments include the level of rigor the ISO Registrars require. We can perform risk assessments according to:

  • HydraRisk
  • ISO 31000
  • NIST 800-30
  • COSO
  • CobiT
  • CAS

HITRUST

HIPAA Risk Assessment

Tevora has HITRUST Certified Security Assessors that also understand and perform risk assessments. This knowledge combination ensures that the risk assessments include the unique requirements set by HITRUST, including evaluating the maturity of the controls to understand residual versus inherent risk. We can perform risk assessments according to:

  • HydraRisk
  • ISO 31000
  • NIST 800-30
  • COSO
  • CobiT
  • CAS

PCI Risk

PCI Risk Assessment

Tevora has certified PCI QSAs and PA-DSS QSAs that also understand and perform risk assessments. This knowledge combination ensures that the risk assessments evaluate the asset categorization and cardholder data impact to the organization. We can perform risk assessments according to:

  • HydraRisk
  • ISO 31000
  • NIST 800-30
  • COSO
  • CobiT
  • CAS

Security Risk

Security Risk Assessment

As thought leaders in the ERM & GRC management space, Tevora consultants are a team of specialized and experienced individuals that come from various industry sectors and hold numerous certifications.

This knowledge combination ensures that the risk assessments are thorough and include out-of-the-box thinking that provides added value to your organization. We can perform risk assessments according to:

  • HydraRisk
  • ISO 31000
  • NIST 800-30
  • COSO
  • CobiT
  • CAS

Our Security Risk Assessments also evaluate the current maturity of your organization’s key internal security processes, in order to provide thought leadership that helps mature your internal risk assessment activities.

Enterprise Risk

Enterprise Risk Assessment

As thought leaders in the ERM & GRC management space, Tevora consultants are a team of specialized and experienced individuals that come from various industry sectors and hold numerous certifications.

This knowledge combination ensures that our risk assessments are thorough and include out-of-the-box thinking that provides a true value to your organization. We can perform risk assessments according to:

  • HydraRisk
  • ISO 31000
  • NIST 800-30
  • COSO
  • CobiT
  • CAS

Policy Framework

Policy Framework Development

Policies are key to the success and sustainability of any Information Security Program or Risk Management Program. They lay the foundation for the expectations placed on users, vendors and third parties. Without this foundation, organizations are not able to provide a consistent set of criteria to measure and report on the health of security to management.

Expertise

Tevora has the knowledge and experience to provide organizations guidance on applicable requirements that Policy Frameworks and Policies need to cover, including:

SOX, ISO, SSAE 16, SOC 2, PCI DSS, PA-DSS, FFIEC, HIPAA, FISMA.

Policy Frameworks

Tevora can assist your organization in selecting, developing and implementing a Policy Framework, leveraging one of the industry standards:

  • ISO
  • NIST
  • CobiT

Control Framework

Control Framework Development

Controls are one of the pillars that support the Information Security Program, ensuring the organization maintains confidentiality, integrity, availability and privacy. Without the proper controls in place, there is nothing to measure, monitor and report.

Tevora provides expertise in identifying, designing and implementing a Control Framework that meets the needs of the organization and ensures it maintains compliance with the ever-growing list of controls being added to regulations, laws, and standards.

Benefits

The end result is a framework and control library that can be used to identify key controls required throughout the organization and categorize them by preventative, detective and corrective controls.

This is the foundation for applying the Tevora Unified Audit Platform for testing once and ensuring it covers all applicable control areas.

Control Frameworks:

Tevora can create a customized Control Framework or leverage an industry standard framework:

  • ISO 27001/2
  • CobiT
  • HITRUST
  • NIST

Procedure Development

Procedure Development

Standards and Procedures provide guidance and prescriptive instructions for practicing the Policies and Controls put in place. They allow users to understand their requirements and boundaries, while providing guidance for system configuration, usage and implementation.

Tevora can create, consolidate and align your standards and procedures in a centralized set of documents to meet all of your security requirements, yet tailor them to reflect your current operations and practices.

Tevora has the expertise to develop your customized Standards and Procedures including:

  • Disaster Recovery Plans
  • Baseline Configuration Standards
  • Key Management
  • Vulnerability Management
  • Patch Management
  • Risk Management & Assessment

Attack Simulation

Attack Simulation

Attack Simulation is where Risk and Threat Management come together to create a real-life attack scenario for your organization. After understanding the biggest risks to your organization, we design a realistic scenario, based on your systems, applications and infrastructure, to conduct a tabletop exercise.

Along with your team, our Red Team runs through the attack scenario and covers the seven phases of incident response:

  1. Initial Incident Detection
  2. Incident Analysis
  3. Incident Notification
  4. Incident Containment
  5. Data Leakage Analysis
  6. System Data Recovery
  7. Post Incident/Root Cause Analysis

Maturity Modeling

Maturity Strategy

Curious how your organization measures against similar organizations, or how your current maturity compares to the level you would like to achieve? Tevora can measure your security, risk, governance or vendor maturity by leveraging the industry standard capability maturity model index (CMMI).

Tevora will:

  • Evaluate your organization based on key criteria
  • Measure your current maturity level
  • Compare your organization to similar organizations
  • Define your desired maturity level
  • Roadmap how to progress from the current maturity state to the desired maturity state

eGRC Solution Design & Implementation

eGRC Solution Design

Tevora partners with leading eGRC solution providers to ensure that we can bring you an independent recommendation that truly meets your eGRC needs. Regardless of the solution selected, Tevora leverages a four-phase approach that identifies the ideal-state workflow, enabling the eGRC lifecycle all the way down to the users while providing intelligence and insight to management.

Whether you are looking to mature your existing eGRC solution or to select and implement one, Tevora can provide the knowledge and thought leadership to ensure you maximize the capabilities and efficiencies eGRC solutions provide.