Tag Archives: framework

3-Step Framework to Manage COVID Risk

For insurance leaders, the full impacts of the COVID-19 pandemic will unfold over the coming months, but the rapid evolution of the crisis is forcing organizations to constantly evaluate how they are responding today.

Realistically, most business continuity procedures will prove inadequate. Very few would have planned and provided for a global crisis that kept virtually all of their workforce sequestered at home for weeks or months. Because there is no proven methodology for what we’re navigating today, organizations are having to collaborate virtually, sometimes on a global scale, to rapidly adapt business operations, frequently and simultaneously across several businesses on very short time cycles. Some solutions will succeed, and some will not. Others might not work until conditions change. Also, business decisions driven by the current situation will create unexpected demands on operation risk management. For example, several insurance carriers announced premium credits to their auto policyholders due to a significant drop in usage. Such decisions will require an ability to process large volume of one-time transactions, in a controlled yet customer-friendly manner.

In these conditions, insurers need a more comprehensive yet customizable approach to assess operational risk quickly and dynamicly and chart responses to COVID-19. 

Organizations should undertake a three-step approach to better understand the impact of the coronavirus on their operations, identify high-impact and high-priority areas, assess new and increased risks and develop actions to address business critical priorities.

Assess

Companies should use an integrated process-health check that brings together business continuity process and crisis management teams to define and implement targeted response decisions. A thorough assessment will identify gaps specific to the current pandemic, as well as heightened or new risks.

Some of the factors that have increased risks under COVID-19 and affect processes include:

  • Dependency on technology that is less effective when working from home 
  • Activities that require physical interaction, such as check printing and mail rooms 
  • Activities that rely on in-person interactions and meetings
  • Numerous process handoffs, particularly across functions 
  • Regulatory constraints such as time-sensitive and mandatory requirements

Insurers must quickly document processes severely affected by the current crisis and identify areas with a high number of manual touch points and mandatory in-person interactions. Companies need a framework agile enough to provide leaders with increased visibility into their processes, including changes to daily tasks, implications for working remotely and identifying tasks that cannot be handled without manual intervention. The right framework should also highlight regulatory risks for non-compliance and potential impact on quality assurance procedures.

Using strategies such as a lightweight, questionnaire-based approach, leaders can gather insights into their processes that account for the impact of COVID-19 in two to three business days and require minimal time from process owners. Responses to a well-designed questionnaire will not only identify process gaps specific to the current crisis but will also find candidates for future improvements and innovations. 

See also: Rethinking Risk Management in a COVID-19 World

Align

A centralized and purpose-based response structure works best to solve company-wide issues for many carriers. Key decisions related to organizational priorities, customers, employees and costs must be made in the face of uncertainty and incomplete information. Central ownership and accountability in the form of a dedicated response team will ensure a consistent, iterative approach and effective risk management.

The right framework captures this information and ranks it from both business criticality and risk perspectives. Once risks have been identified and prioritized, operation leaders should align on potential scenarios and recommended solutions. While recommendations will vary across organizations and functions, they will typically include:

  • Identify processes that have changed during COVID-19 and implement new process steps on an interim basis. Rapidly create or update existing process map documentation and communicate this information to relevant stakeholders
  • Identify new risks, controls and testing procedures. Develop plans to reinforce controls that have been relaxed in any transitions to work-at-home
  • Identify and recommend changes to employee responsibilities including deprioritizing non-business critical activities, and the strategic navigation of key business continuity process resources
  • Supplement processes with additional collaboration tools to enhance remote work output, such as digital check printing solutions, document sharing tools and other interventions.

Business leaders know they need to act now instead of waiting to design the perfect solution. Senior executives should communicate to business units and function leaders a broad outline within which solutions should be developed. Such guardrails are usually based on the organization’s vision, culture, business critical requirements and other non-negotiables. Then, the focus of operations leaders must turn to segmenting the overall organization response strategy into actionable plans for their responsibility areas. Clearly, action plans should be detailed enough to include ownership, timelines and measurable, expected outcomes.

Adapt

Response managers must also establish feedback loops to monitor the efficacy of their response strategy and tweak it as required. New challenges will emerge. Unanticipated situations will develop, and a significant percentage of responses will at least partially fail to meet their objective. In these scenarios, an agile, test-and-learn approach allows leaders to adapt to changing requirements as quickly as possible. Following are a few agile principles that would allow leaders to strike a balance between business support and risk management, and move forward with speed:

  • Build and deliver working solutions, with a preference to short time cycles 
  • Learn and change. Be creative and promote non-standard solutions 
  • Set up cross-functional and diverse response teams 
  • Clearly define ownership and outcome expectations 
  • Hyper-track progress, using frequent touch points

Every crisis presents opportunities, and some companies will come out of this crisis stronger. Post-crisis, speed and agility to adapt will differentiate the leaders from laggards in this new normal. According to a McKinsey study, companies that managed the 2008 financial crisis with speed, discipline and resiliency saw 30% increases in revenue and big reductions in operating costs during the recovery. 

See also: 7 Biases Customers Have About Risks  

There is an opportunity to accelerate an agenda advancing the future of work as companies consider an environment that promotes virtual teams, provides online collaboration tools to employees and uses digital operational capabilities to supplement human workers. As operations stabilize and the new normal takes hold, the response team should pivot and identify opportunities to continue to transform. This will allow companies to leverage learnings from the current crisis and build stronger crisis response capabilities.

An adaptive risk assessment framework approach requires a strong alignment among functional and operations leaders. It also requires a status cadence that allows a quick rollout of actionable recommendations, rapid reviews of their impact with process owners and the ability to course correct frequently. 

Innovation: ‘Where Do We Start?’

Before “insurtech” becomes the next over-used buzz-phrase to hate, let’s step back for a moment and consider the truly unprecedented scope of opportunity for growth facing those in the various risk management sectors who embrace the inevitable reinvention of this trillion-dollar industry.

As the whirlwind of start-ups and innovation occurring across insurance business models evolved into viral global gold rush, many existing insurers and VCs still struggle with how to participate. Many who understand the reality of disruption as a means of growth struggle even more with the most basic questions:

  • Where do we start?
  • Do we have the expertise?
  • How can we pick the best among the thousands of startups and “smart-ups?”

Most of the established firms I coach are consistently surprised by two lessons learned that have been captured at some point after working through these key strategic questions.

First, they are surprised at the ease with which they were able to answer the one question that can be truly paralyzing: “Where do we start?” Second, they often voice relief at how easily the rest of the core, up-front answers seem to just fall into place. These experiences can be distilled down to a rather straightforward single question: “How do we get unstuck?”

See also: Insurtech and the Law of Large Numbers  

Two timeless bits of wisdom can provide the first steps toward converting chaos into actionable clarity:

  1. A picture is worth a thousand words. Frameworks and models do help create clarity.
  2. A little education goes a long way. This is code for: check as many assumptions as possible at the door and ask, “What if..?”

Here are some pictures that can be useful:

Source: Startupbootcamp, what is an insurtech? [Infographic], 2015

The “4 Ps” model from Matteo Carbone and the Insurance Observatory

Insurtech Landscape by AGC Partners

All three frameworks for understanding insurtechs are solid models by which an audience, subscriber group or client company can gain greater insights. But insurance companies, venture capitalists and regulators need to understand how to use them.

The insurtechs in these models represent but the center of a much larger landscape of forces requiring consideration if you want to be an insurer that defines the rules that all others will have to follow.

Innovation Framework

The reinvention of insurance is simultaneously happening from the inside-out (insurtechs) as well as from the outside-in (exponential technologies). In other words, insurtechs are revolutionizing HOW insurers will manage risk and consumers. Exponential technologies will fundamentally redefine the WHAT—i.e., the very risks that insurers manage.

Now, this raises an important question: How do we define these larger external forces? One organization influencing many of these breakthrough, or exponential, technologies is Singularity University in Sunnyvale, CA. Singularity U coined the phrase “10(9)” Opportunities.” These are opportunities to leverage a technological capability, or domain, to improve 1 billion lives (9 zeros) within a single decade.

Some may question whether this vernacular is more aspirational than attainable. But among the best-kept secrets in the insurance industry is the reality that exponential markets waiting to be discovered outnumber those currently being addressed by existing insurance product lines. So, here is a possible goal: “By year-end 2027, we will have grown by improving the lives of 1 billion or more people by creating products that leverage the technological application of___________________.”

Incumbent insurers must understand how these converging forces relate to discover clarity and scalable growth. A short list of essential questions leading to viral growth strategies needs to include: Which insurtechs will feed my strategy to grow _________ opportunities?

These types of questions can map the insurtechs within the industry and near term to the longer-term, much broader landscape of opportunities. Clarity of these exponential forces—then mapped back to the products, services, and new business models among insurtechs—will open the door to achieving four significant deliverables:

  1. Improve the solicitation, selection and vetting of new ideas generated internally and collaboratively;
  2. Improve the returns on early-stage investments;
  3. Improve the vision, focus and identification of M&A opportunities;
  4. Improve the expectations and returns on new products and services developed and launch by internal innovation teams.

Strategic Framework for Member Services

The world outside of insurance looks into this industry with skepticism with respect to innovation. What is so often misunderstood is that three of the most significant societal shifts of the past 200-plus years were essentially enabled by insurance innovation: homeownership in the late 18th century, the viral adoption of the car and advances in medical treatments as an outgrowth of adoption of health insurance. The DNA for exponential innovation resides within this industry.

Seeing insurtechs as a means to fulfill a longer-term innovation strategy is where the opportunities are being discovered by those who will lead this industry for decades to comes.

See also: Insurtech Is an Epic Climb: Can You Do It?  

To provide feedback, ask for additional information or learn how to apply these concepts, contact Guy Fraker, guy@insurancethoughtleadership.com.

Do you want to follow Guy Fraker’s commentary and insights, and be notified as new posts are added?

Subscribe to Guy Fraker's blog

10 Building Blocks for Risk Leaders (Part 5)

Important things in life are not easily reduced to 10 steps. Nevertheless, this series provides a list of 10 building blocks to achieving long-term success in risk management from someone who has spent more than 25 years striving to carve out the most satisfying career possible, while never losing sight of the attributes attached to the bigger picture. Part 1 is here, Part 2 here, Part 3 here and Part 4 here. This is the fifth and final part.

9. Advance the Profession by Finding or Creating Personal Vision

The concept of innovation is directly and explicitly tied to risk and risk management. Put simply, there is no innovation without risk. Part of this paradigm is taking personal risk to move the discipline forward to places others may not have imagined. In the realm of risk management, settling for the status quo is to be avoided at all costs . Nothing stays the same for long, and a core competency of a true risk leader is having the gumption to push back on owners, which sometimes means questioning authority.

Just as the overall business environment is ever-evolving, the myriad internal and external drivers that can affect the risk profile of organizations must be carefully monitored. It is in this monitoring where the willingness to challenge conventional thinking and the status quo can lead to change, and risk-taking behaviors can be shifted to be more in line with risk appetite and tolerances. A vision for more innovative processes, tools and techniques can be developed, as well as an enhanced view into the murk of risk itself. Importantly, this demonstration of risk leadership will lead to the evolution of risk leaders’ personal vision for more effective risk management for their organizations.

If we haven’t learned anything else since that fateful day on Sept. 11, 2001, we’ve learned that new risks emerge with increasing regularity and seem to have increasing relevance to enterprise success. Furthermore, these new and emerging risks often fall into the strategic category, so they are often not easily measured or mitigated. All this speaks to the need for continuous improvement and innovation in how risk management is practiced and how it affects the design and execution of the organization’s risk framework and model. While personal vision for risk management is necessary — for personal satisfaction and the long-term success of the firm — no two frameworks or models are exactly alike, just as no two firm risk profiles are identical.

By crafting risk strategy, framework and model around the continuously evolving needs of the firm, risk leaders’ vision for risk management will take shape. As it is successfully implemented, this vision will also drive the risk profession forward, through benchmarking, networking and professional external collaborations, allowing all risk practitioners to improve, as well. This is the perfect segue to the last element of a personal risk leader success profile.

10. Give Back

Giving back to the next generation and to communities and nonprofit organizations (some of which can’t afford the cost of risk expertise, e.g., churches and civic organizations) is essential to developing a well-rounded leader and person. But giving back goes well beyond even service to the community and to nonprofits. In the larger context, giving back includes various strategies to help others. Examples include employing interns on a regular basis and taking the time to coach and mentor them well. Too often, intern programs are mismanaged or even abused as sources of raw labor out of which no real development or education occurs. This destroys the attraction to enter the risk profession. Because these programs—done well—can be the source of exceptional talent, it behooves all risk leaders to take advantage of intern sourcing when feasible and include it as a key component of long-term resource planning.

Giving back is also accomplished by bringing the risk leaders’ considerable knowledge to various forums, such as at conferences and industry meetings, through presentations and participation in efforts to discover new solutions to problems. While the primary goal should be to help others, it almost always includes mutual benefit. Many of my colleagues say they actually get more out of this effort than they put in. That has certainly been true for me.

Another example of giving back is the Spencer Educational Foundation’s Risk Manager in Residence Program. This program provides funding for risk experts to bring that expertise into higher educational institutions through a series of lectures and teaching done with the collaboration of selected professors whose goal is to bring diverse experiential learning to students pursuing risk and insurance degrees. This program has been instrumental in highlighting for students the opportunities available in the risk discipline.

There are many opportunities to serve other organizations through volunteer board and advisory positions, where risk experience and expertise is made available to help these organizations, particularly with risk governance. A residual benefit of this activity is broadening the network of contacts and relationships outside the industry, where a clear demand for risk expertise is almost always needed, but infrequently recognized or acted upon.

Last, but certainly not least, is the ever-present opportunity to mentor and coach others to help them achieve their career goals. This is a fundamental responsibility of every manager of people. But it really gains traction with others when those outside the immediate work circle ask for mentoring or coaching, as they recognize and value the deep and broad expertise they can learn via a mentoring program. Usually accompanying that is a keen understanding of the political, social and cultural aspects of work life that those with less experience often find challenging to navigate. One benefit of this activity is a deep and lasting gratitude that is too infrequent in day-to-day business interactions. The related personal satisfaction is often immeasurable and certainly lasting. Personal brands are enhanced, and those being mentored can close the loop on what a true risk leader profile looks like.

Conclusion

There you have it—my list of 10 building blocks for long-term success in risk management. All functions need great leaders to achieve high performance, and risk leaders have more than their share of hurdles to overcome in the process. And yet, those who stick their necks out and take the personal risk associated with doing extraordinary things often succeed in doing so. I urge you to think big about the possibilities of a career in risk and consider these 10 important things that can help define the correct path to take.

After all, no risk, no reward.

Cyber Challenges Under NIST's Framework

On Feb. 12, the National Institute of Standards and Technology (NIST) released its long-anticipated Framework for Improving Critical Infrastructure Cybersecurity together with a companion Roadmap for Improving Critical Infrastructure Cybersecurity.The framework is issued in accordance with President Obama’s Executive Order 13636, Improving Critical Infrastructure Cybersecurity Version 1.0., which gave NIST the task of developing a cost-effective framework “to reduce cyber risks to critical infrastructure.” The companion roadmap discusses NIST’s next steps with the framework and identifies key areas of development, alignment of cybersecurity standards and practices within the U.S. and globally and collaboration with private and public sector organizations and standards-developing organizations.

The framework applies to organizations in critical infrastructure. But, given the pervasiveness of cybersecurity incidents, and the ever-present, increasing and evolving cyber risk threat, all organizations should consider whether their current cybersecurity risk management practices would pass muster under the framework. In addition, although the framework is “voluntary”—at least so far—organizations are advised to keep in mind that creative class action plaintiffs (and even some regulators) may nevertheless assert that the framework provides a de facto standard for cybersecurity and risk management even for noncritical infrastructure organizations. One thing that companies should consider as they review the framework is what “tier” of cybersecurity risk management they wish to achieve. The tiers—which range from “informal, reactive” responses to “agile and risk-informed” are addressed below, together with an overview of the framework and additional detail regarding certain of its key aspects.

Overview

At a high level, as its name indicates, the framework provides a structure for critical infrastructure organizations to achieve a grasp on their current cybersecurity risk profile and risk management practices, to identify gaps that should be addressed to progress toward a desired target state of cybersecurity risk management and to internally and externally communicate efficiently about cybersecurity and risk management.

Building from global standards, guidelines and practices, the framework provides a common taxonomy and mechanism for organizations to:

  1. Describe their current cybersecurity posture;
  2. Describe their target state for cybersecurity;
  3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  4. Assess progress toward the target state;
  5. Communicate among internal and external stakeholders about cybersecurity risk.
NIST has emphasized that the framework “complements, and does not replace, an organization’s risk management process and cybersecurity program.” In addition, NIST properly notes that the framework “is not a one-size-fits-all approach” to managing cybersecurity risk, given that organizations” have unique risks—different threats, different vulnerabilities, different risk tolerances.

In releasing the framework, NIST explained that it provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs and “a common language to address and manage cyber risk in a cost-effective way” based on business needs, without placing additional regulatory requirements on businesses.” NIST also notes that organizations can use the framework “to determine their current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment and establish a plan for improving or maintaining their cybersecurity.” Moreover, because it refers to globally recognized standards for cybersecurity, the framework can also be used by organizations located outside the U.S. and can serve as a model for international cooperation on strengthening critical infrastructure cybersecurity.

Although applying to organizations in critical infrastructure, the framework may be used by any organization as part of its effort to assess cybersecurity practices and manage cybersecurity risk.

Three-Part Approach

The framework adopts a risk-based approach composed of three parts: the core, the profile and implementation tiers.
Framework Core

The framework relies on existing global cybersecurity standards, guidelines and practices as a basis to build or enhance an organization’s cybersecurity risk management practices.

The framework core presents five high-level “functions,” which, as stated by NIST, “organize basic cybersecurity activities at their highest level.” The five functions are: (1) identify, (2) protect, (3) detect, (4) respond and (5) recover. NIST explains that these five high-level functions “provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk” and will provide “a concise way for senior executives and others to distill the fundamental concepts of cybersecurity risk so that they can assess how identified risks are managed, and how their organization stacks up at a high level against existing cybersecurity standards, guidelines and practices.”

For each of the five functions, the framework core identifies underlying key categories and subcategories of cybersecurity outcomes, then matches those outcomes with “informative references” that will assist organizations in achieving the outcomes, such as existing cybersecurity standards, guidelines, and practices. By way of example, categories within the “protect” function include access control, awareness and training, data security, information protection processes and procedures and protective technology. Subcategories under the “access control” category within the protect function include “identities and credentials are managed for authorized devices and users” and “[n]etwork integrity is protected, incorporating network segregation where appropriate.” “Informative references” for “identities and credentials are managed for authorized devices and users” include:

  • CCS CSC 16
  • COBIT 5 DSS05.04, DSS06.03
  • ISA 62443-2-1:2009 4.3.3.5.1
  • ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
  • ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
  • NIST SP 800-53 Rev. 4 AC-2, IA Family20

Figure 1 from the framework depicts the core:

NIST explains that the core “presents industry standards, guidelines and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.”

Implementation Tiers

The implementation tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework. The tiers range from partial (tier 1) to adaptive (tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and “the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.” By way of example, considering the risk management aspect, at tier 1, “[o]rganizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner.” At tier 2, “[r]isk management practices are approved by management but may not be established as organizational-wide policy.” At tier 3, “[t]he organization’s risk management practices are formally approved and expressed as policy” and “[o]rganizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.” At tier 4, “[t]he organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities” and “[t]hrough a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.”

Profile

In essence, the framework profile assists organizations to progress from a current level of cybersecurity sophistication to a target improved state that meets the organization’s business needs. As stated by NIST, a profile is used to “identify opportunities for improving cybersecurity posture by comparing a current profile (the “as is” state) with a target profile (the “to be” state).” Comparison of profiles may reveal gaps to be addressed to meet cybersecurity risk management objectives. NIST states that the framework profile “can be characterized as the alignment of standards, guidelines and practices to the framework core in a particular implementation scenario.”
Framework Implementation

The framework is voluntary—at least for now. NIST also has explained that the framework “complements, and does not replace, an organization’s risk management process and cybersecurity program.” Organizations can use the framework as a reference to establish a cybersecurity program, or leverage the framework to “identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices.” The framework recognizes that “[o]rganizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services.”

Importantly, the framework can be used as a means to communicate an organization’s required cybersecurity standards to business partners. As stated by NIST, “[t]he framework provides a common language to communicate requirements among interdependent stakeholders responsible for the delivery of essential critical infrastructure services,” such as the use of a target profile to “express cybersecurity risk management requirements to an external service provider (e.g., a cloud provider to which it is exporting data).” This is significant, because the cybersecurity shortcomings of “cloud” and other providers can have a profound impact on supply chains. As noted by NIST in the roadmap:

All organizations are part of, and dependent upon, product and service supply chains. Supply chain risk is an essential part of the risk landscape that should be included in organizational risk management programs. Although many organizations have robust internal risk management processes, supply chain criticality and dependency analysis, collaboration, information sharing and trust mechanisms remain a challenge. Organizations can struggle to identify their risks and prioritize their actions—leaving the weakest links susceptible to penetration and disruption. Supply chain risk management, especially product and service integrity, is an emerging discipline characterized by diverse perspectives, disparate bodies of knowledge and fragmented standards and best practices.

Incentives—and Cybersecurity Insurance

As-of-yet-unspecified governmental incentives will be offered to organizations that adopt the framework. The executive order directs the secretary of Homeland Security, in coordination with sector-specific agencies, to “establish a voluntary program to support the adoption of the framework by owners and operators of critical infrastructure and any other interested entities,” and to “coordinate establishment of a set of incentives designed to promote participation in the program.”

On Aug. 6, 2013, the White House previewed a list of possible incentives, including cybersecurity insurance at the top of the list. If cybersecurity insurance is adopted as an incentive, organizations that participate in the program may, for example, enjoy more streamlined underwriting and reduced cyber insurance premiums. As stated by Michael Daniel, special assistant to the president and cybersecurity coordinator, agencies have “suggested that the insurance industry be engaged when developing the standards, procedures and other measures that [make up] the framework and the program” and that “[t]he goal of this collaboration would be to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.” Mr. Daniel states that NIST “is taking steps to engage the insurance industry in further discussion on the framework.”

The placement of cybersecurity insurance at the top of a list of possible incentives underscores the important role that insurance can play in an organization’s overall strategy to manage and mitigate cybersecurity risk, including supply chain disruption. Adam Sedgewick, senior information technology policy advisor at NIST, stated that NIST views “the insurance industry as a major stakeholder [in] helping organizations manage their cyber risk.” All of this is consistent with the SEC’s guidance on cybersecurity disclosures under the federal securities laws, which advises that “appropriate disclosures may include” a “[d]escription of relevant insurance coverage” for cybersecurity risks.

Going Forward

The framework is a “living document,” which states that it “will continue to be updated and improved as industry provides feedback on implementation.” As the framework is put into practice, lessons learned will be integrated into future versions to ensure it is “meeting the needs of critical infrastructure owners and operators in a dynamic and challenging environment of new threats, risks and solutions.” NIST will receive and consider comments about the framework informally until it issues a formal notice of revision to version 1.0, at which point it will specify a focus for comments and specific deadlines that will allow it to develop and publish proposed revisions. In addition, NIST intends to hold at least one workshop to provide a forum for stakeholders to share experiences in using the framework, and will hold one or more workshops and focused meetings on specific areas for development, alignment and collaboration. Therefore, organizations will continue to have the opportunity to potentially shape the final framework.