Overview[]
The Duty of Care Risk Analysis Standard (“DoCRA” or "the Standard") presents principles and practices for analyzing risks that addresses the interests of all parties potentially affected by those risks. As organizations engage in public life they offer benefits and potential harm to themselves and others. As legal authorities and the public hold those organizations accountable for harm, the basis for determining whether the organizations bear responsibility and liability often centers on the concepts of a "duty of care" and "due care." Duty of care risk analysis helps organizations determine whether they apply safeguards that appropriately protect others from harm while presenting a reasonable burden to themselves.
DoCRA describes processes for evaluating risks and their safeguards so that the resulting analysis is easily communicated to and accepted by authorities — such as regulators and judges — and to other parties who may be harmed by those risks. Regulators expect that the burden of safeguards should be balanced against an organization's mission. Attorneys and judges similarly use balancing tests to determine whether foreseeable harm could have been prevented by safeguards that would pose a reasonable burden. Conventional risk analysis has neglected to include these significant perspectives. DoCRA describes how these perspectives may be included in conventional risk analysis methods.
In summary, DoCRA presents principles and practices for analyzing risks to establish reasonable security controls based on an organization's mission, objectives, and obligations.
CIS RAM leverages the DoCRA methodology which allows enterprises to weigh the risks of not implementing the controls and its potential burden on the enterprise.