5. Risk Aggregation

Organizations may use risk aggregation to combine several discrete or lower-level risks into a more general or higher-level risk. This approach can help manage the scope and scale of risk assessments across multiple information systems and mission/business processes that have defined relationships and dependencies.

Risk aggregation, typically conducted at Tiers 1 and 2 and occasionally at Tier 3, evaluates the overall risk to organizational operations, assets, and individuals, considering the set of discrete risks. For discrete risks, such as those associated with a single information system supporting a specific mission/business process, the worst-case impact provides an upper limit for overall risk to the organization.

However, this upper limit may not always apply, particularly when multiple risks materialize concurrently or the same risk recurs over time. In such cases, the total risk may exceed the organization's risk capacity, resulting in a greater overall impact on mission/business operations than initially assessed.

When aggregating risk, organizations consider the relationships among various risks. For example, if one risk occurs, it may increase or decrease the likelihood of another risk. Such relationships can be described as coupled or correlated, either positively or negatively, which can affect the overall risk level.
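The following is an added worked example (not part of NIST SP 800-30 and not CSFaaS code) showing how the single-risk worst-case bound described above stops holding once discrete risks materialize together, and how positive coupling between risks pushes the aggregate further past it. The three risks, their likelihoods and impacts, the coupling factors, and the risk capacity are all constructed values; the coupling model (an earlier risk's occurrence multiplies a later risk's likelihood, along an acyclic chain) is a modelling assumption of this example, not a method the source prescribes.

```python
"""Aggregate discrete risks, with optional coupling between them.

Constructed example: every risk, likelihood, impact, coupling factor and
capacity below is hypothetical and is not taken from NIST SP 800-30.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class DiscreteRisk:
    name: str
    likelihood: float  # probability the risk materializes in the assessment period
    impact: float      # loss if it does, in the organization's impact units


# Constructed sample risks. List order is the dependency order used for coupling.
RISKS: List[DiscreteRisk] = [
    DiscreteRisk("web_app_compromise", likelihood=0.20, impact=40.0),
    DiscreteRisk("db_server_outage", likelihood=0.10, impact=60.0),
    DiscreteRisk("backup_failure", likelihood=0.05, impact=30.0),
]

# Coupling factors (constructed): if the first risk occurs, the likelihood of the
# second is multiplied by the factor. A factor > 1 is positive correlation, < 1
# negative. Only earlier -> later pairs are honoured (assumption: acyclic chain).
COUPLING: Dict[Tuple[str, str], float] = {
    ("web_app_compromise", "db_server_outage"): 3.0,
    ("db_server_outage", "backup_failure"): 4.0,
}


def single_risk_upper_bound(risks: List[DiscreteRisk]) -> float:
    """Worst-case impact of any one discrete risk: the upper limit the text describes."""
    return max(r.impact for r in risks)


def outcome_distribution(
    risks: List[DiscreteRisk], coupling: Dict[Tuple[str, str], float]
) -> Dict[FrozenSet[str], float]:
    """Probability of every combination of risks materializing, keyed by the set of names."""
    dist: Dict[FrozenSet[str], float] = {}
    for occurred in product([False, True], repeat=len(risks)):
        prob = 1.0
        for i, risk in enumerate(risks):
            # Conditional likelihood: base likelihood scaled by every earlier risk that occurred.
            factor = 1.0
            for j in range(i):
                if occurred[j]:
                    factor *= coupling.get((risks[j].name, risk.name), 1.0)
            p = min(1.0, risk.likelihood * factor)
            prob *= p if occurred[i] else (1.0 - p)
        names = frozenset(r.name for r, hit in zip(risks, occurred) if hit)
        dist[names] = prob
    return dist


def aggregate(
    risks: List[DiscreteRisk], coupling: Dict[Tuple[str, str], float], risk_capacity: float
) -> Dict[str, float]:
    """Aggregate risk figures: expected loss and the chance of exceeding the single-risk bound
    or the organization's risk capacity when risks materialize concurrently."""
    dist = outcome_distribution(risks, coupling)
    impact = {r.name: r.impact for r in risks}
    bound = single_risk_upper_bound(risks)

    def loss(names: FrozenSet[str]) -> float:
        return sum(impact[n] for n in names)

    return {
        "single_risk_upper_bound": bound,
        "max_possible_loss": sum(impact.values()),
        "expected_loss": sum(p * loss(names) for names, p in dist.items()),
        "p_exceeds_single_worst_case": sum(p for names, p in dist.items() if loss(names) > bound),
        "p_exceeds_capacity": sum(p for names, p in dist.items() if loss(names) > risk_capacity),
    }


if __name__ == "__main__":
    capacity = 75.0  # constructed risk capacity
    for label, coupling in (("independent", {}), ("coupled", COUPLING)):
        result = aggregate(RISKS, coupling, capacity)
        print(f"{label}:")
        for key, value in result.items():
            print(f"  {key}: {value:.3f}")
```

Run as a script, the output contrasts the independent and coupled cases: the worst single risk bounds loss at 60, yet concurrent occurrence can reach 130, and positive coupling roughly doubles the probability of exceeding the 75-unit capacity (0.024 versus 0.076 with these constructed numbers). Negative coupling (factors below 1) would move the figures the other way, which is the "positively or negatively correlated" point in the text.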

CSFaaS provides the ability to aggregate risk by conducting risk assessments that consider related risks, enabling a more comprehensive understanding of the organization's risk landscape.


(Source: NIST SP 800-30)