What is the three tiered risk management approach?

What is the three tiered risk management approach?

The Importance of Continuous Risk Management

The HIPAA Security Rule, alongside NIST and other standards, mandates that risk analysis and management should be ongoing rather than a one-time task. The Office for Civil Rights’ “Guidance on Risk Analysis Requirements Under the HIPAA Security Rule,” based on NIST SP 800-30 Guide for Conducting Risk Assessments, emphasizes the necessity for continuous, ongoing Cyber Risk Management.

Given the proliferation of healthcare data, systems, and devices across care delivery networks and the increasing sophistication of cyberattacks, healthcare organizations must make continuous assessment and management of cyber risks a priority. Monitoring organizational information systems and their environments will help verify compliance, determine the effectiveness of risk response measures, and identify changes that could impact risk.

A Multi-Tiered Approach to Risk Monitoring

In this discussion, we will explore the concept of a multi-tiered approach to risk monitoring strategy. For a more in-depth examination, consider accessing RiskImmune's on-demand webinar: "Assess, Manage, Monitor: 3 Key Elements to Cyber Risk Management."

NIST Risk Monitoring Key Elements

NIST outlines five essential elements for risk monitoring that organizations must incorporate into an effective strategy:

  1. Verifying Compliance with Policies and Procedures: Controls and monitoring activities must be linked to a solid background of policies and procedures. Technical solutions are valuable only when contextualized within these frameworks.
  2. Determining the Ongoing Effectiveness of Risk Response Measures: It's crucial to assess not only the presence of controls but their effectiveness in reducing risk.
  3. Monitoring for Risk-Impacting Changes: Organizations must be vigilant about changes in their systems and environments, including new information systems, ensuring these are included in ongoing monitoring.
  4. Integration with the System Development Lifecycle: Control implementation must be effective within the processes of the system development lifecycle.
  5. Determining the Efficiency of Risk Response Measures: Continuous evaluation of the efficiency of risk response measures is essential.

    Tiers to Drive an Integrated Risk Management Process

    NIST recommends a three-tiered approach to integrate risk management throughout an organization:

    Tier 1: Organization Level

    At the organization level, governance, risk management goals, and organizational risk tolerance shape the monitoring strategy. Senior executives establish risk tolerance, influencing policies, procedures, and implementation activities across all tiers. Criteria for monitoring are defined by the organization's risk management strategy, encompassing assessment, response, and oversight measures.

    Tier 2: Mission/Business Process Level

    The second tier focuses on continuous monitoring of information security, defined by how core mission/business processes align with organizational goals and objectives. This tier includes security controls that address the management of the organization’s information security program. Controls are deployed organization-wide and support all information systems, tracked at either Tier 2 or Tier 1.

    Tier 3: Information Systems Level

    At the information systems level, monitoring activities ensure all system-level security controls are correctly implemented, functioning as intended, and producing the desired security outcomes. This includes assessing and monitoring hybrid and common controls at the system level, with security status reporting encompassing alerts, incidents, and identified threats.

    Integrated Monitoring and Metrics

    Monitoring activities across all tiers should support risk-based decisions at the organizational and mission/business process levels. Data from system-level controls feed into higher-level monitoring, tailoring information for each tier and supporting informed risk-based decision-making across the organization.


    Implementing continuous monitoring is crucial for any successful risk management strategy. It alerts on individual and broader malicious events, simplifies remediation, and mitigates risk. Continuous monitoring is a major component of the Risk Management Framework outlined in NIST Special Publication 800-37, Revision 1, and it validates the Recommended Security Controls for Federal Information Systems and Organizations in NIST Special Publication 800-53, Revision 3.

    Continuous monitoring combines process and technology to detect and alert on operational and security issues, addressing a wide range of compliance and risk concerns.

    About RiskImmune

    RiskImmune's Third-Party Management solution enhances your organization's ability to work confidently with third parties by reducing blind spots across trust domains, accelerating onboarding, enhancing business resilience through continuous monitoring, and embedding data-driven decision-making throughout the third-party lifecycle.

    Back to blog