ISACA Quantum Readiness

ISACA’s Quantum Readiness guidance supports organizations in integrating quantum risk considerations into their GRC framework. It focuses on governance alignment, identifying cryptographic vulnerabilities, and preparing mitigation strategies to ensure long-term resilience against quantum threats.

Controls:

Risk Governance (RG): ensuring that IT risk management, including quantum risk, is integrated with enterprise risk management and that risk decisions are aligned with business objectives.

  • Establish and Maintain Quantum Risk Culture, Vision and Mandate - RG.1

    Define the organization's quantum risk culture, vision, and mandate for IT risk management, ensuring alignment with overall enterprise strategy and PQC transition goals.

  • Integrate Quantum Risk Management with ERM - RG.2

    Ensure that quantum-specific IT risk management processes are fully integrated with the organization's broader Enterprise Risk Management (ERM) framework.

  • Define Quantum Risk Appetites and Tolerances - RG.3

    Establish and communicate clear risk appetite and tolerance levels for quantum-related IT risks, approved by relevant stakeholders and aligned with 'Q-Day' timelines.

  • Establish Quantum Risk Management Roles and Responsibilities - RG.4

    Clearly define and assign roles, responsibilities, and authorities for quantum IT risk management activities, including a quantum readiness task force and a quantum risk lead.

  • Communicate and Report on Quantum Risk - RG.5

    Implement effective communication and reporting mechanisms to ensure relevant quantum risk information is shared with stakeholders, including executive briefings and staff training.

Risk Evaluation (RE): the systematic process of identifying, analyzing, and prioritizing quantum-related IT risks, including assessing the likelihood and impact of quantum attacks on the cryptography currently in use.

  • Collect Quantum Risk Data - RE.1

    Gather relevant and sufficient data to support comprehensive quantum IT risk identification and assessment activities.

  • Create a Cryptographic Inventory - RE.1.1

    Catalog all systems and applications using cryptography (e.g., RSA, ECC), classify the data they protect by sensitivity, and assign retention periods.

  • Gather Quantum Threat Intelligence - RE.1.2

    Collect and analyze current and emerging threat intelligence related to quantum computing capabilities and cryptographic breakthroughs.

  • Identify Cryptographic Vulnerabilities - RE.1.3

    Identify internal and external vulnerabilities in existing cryptographic implementations that are susceptible to quantum attacks.

  • Review Past Cryptographic Incidents/Failures - RE.1.4

    Analyze past cryptographic incidents, weaknesses, and near-misses to identify patterns and lessons learned relevant to quantum resilience.

  • Analyze Quantum Risk - RE.2

    Conduct thorough analysis of identified quantum risks to determine their potential likelihood and impact on business objectives and data confidentiality.

  • Determine Qualitative Likelihood of Quantum Threat - RE.2.1

    Assess the qualitative likelihood of quantum risk events occurring, based on quantum computing advancement forecasts and expert judgment.

  • Estimate Qualitative Impact of Quantum Attack - RE.2.2

    Estimate the qualitative impact of potential quantum attacks (e.g., 'harvest now, decrypt later') on confidentiality, integrity, availability, and business operations.

  • Quantify Financial Impact of Quantum Breach - RE.2.3

    Where feasible, quantify the potential financial impact (e.g., revenue loss, regulatory fines, reputational damage, recovery costs) of high-priority quantum risk scenarios.

  • Determine Probability Distributions for Q-Day - RE.2.4

    For quantitative assessments, determine or model probability distributions for 'Q-Day' (the point at which quantum computers can break current public-key encryption) and related attack scenarios.

  • Perform Monte Carlo Simulations for Quantum Exposure - RE.2.5

    Use Monte Carlo simulations or other quantitative techniques to model aggregated quantum risk exposure and potential losses over time.

  • Assess Quantum Interdependencies - RE.2.6

    Analyze interdependencies between different IT systems and their cryptographic components, and their cascading effects in a post-quantum world.

  • Calculate Data Sensitivity & Migration Action Thresholds - RE.2.7

    For each asset, determine the data sensitivity period x (how long the protected data must remain confidential), the migration time y (how long moving the asset to PQC will take), and the collapse time z (the Q-Day forecast). Prioritize assets where x + y > z (Mosca's inequality): their data will still be sensitive when the cryptography protecting it can be broken, so they are exposed to 'harvest now, decrypt later' attacks even if migration starts today.

  • Maintain Quantum Risk Profile - RE.3

    Develop and maintain a current IT risk profile that consolidates all identified and assessed quantum-related risks.

  • Prioritize Quantum Risks - RE.3.1

    Prioritize quantum risks based on their assessed likelihood, impact, and alignment with the quantum risk appetite.

  • Develop Quantum Risk Register - RE.3.2

    Maintain a comprehensive and up-to-date quantum risk register that documents all relevant risk information, including asset, scenario, x, y, z, SLE (single loss expectancy), ARO (annualized rate of occurrence), and ALE (annualized loss expectancy).

  • Update Quantum Risk Profile Regularly - RE.3.3

    Regularly review and update the quantum IT risk profile to reflect changes in quantum computing advancements, threats, vulnerabilities, and NIST PQC standards.
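
The RE.1.1, RE.2.4, RE.2.5, RE.2.7 and RE.3.2 controls above fit together as one small pipeline: an inventory row per asset, a Q-Day forecast sampled many times, the x + y > z test applied to each sample, and a register row with SLE, ARO and ALE. The script below is an added worked example, not ISACA's tooling or guidance. The inventory rows, the triangular 5/12/25-year Q-Day forecast, the loss figures, and the convention of annualizing ARO as P(exposed) divided by the planning horizon are all assumptions made for the illustration.

```python
"""Quantum risk register worked example (added illustration, not ISACA's own tooling).

All inventory rows, forecast parameters and loss figures below are constructed
sample data, not real estimates.
"""
import random
from dataclasses import dataclass

# Public-key schemes broken outright by Shor's algorithm on a cryptographically
# relevant quantum computer; key size does not help.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "EdDSA"}
# Symmetric ciphers and hashes only lose margin to Grover's algorithm (roughly
# halving effective key length); below this key size we flag them as weakened.
GROVER_MIN_KEY_BITS = 256


@dataclass
class Asset:
    name: str
    algorithm: str             # as recorded in the cryptographic inventory (RE.1.1)
    key_bits: int
    sensitivity_years: float   # x: how long the protected data must stay confidential
    migration_years: float     # y: time needed to migrate this asset to PQC
    sle: float                 # single loss expectancy if the data is exposed


def classify(asset: Asset) -> str:
    """Quantum-vulnerability class of one inventory entry (RE.1.3)."""
    if asset.algorithm in SHOR_BROKEN:
        return "broken"
    if asset.key_bits < GROVER_MIN_KEY_BITS:
        return "weakened"
    return "quantum-safe-enough"


def mosca_at_risk(asset: Asset, q_day_years: float) -> bool:
    """Mosca inequality from RE.2.7: the asset is exposed if x + y > z."""
    return asset.sensitivity_years + asset.migration_years > q_day_years


def sample_q_day(rng: random.Random) -> float:
    """One draw of z (years until Q-Day) from an expert-elicited triangular
    forecast (RE.2.4). The 5 / 12 / 25-year parameters are assumed, not a forecast."""
    return rng.triangular(5.0, 25.0, 12.0)


def exposure_probability(asset: Asset, rng: random.Random, trials: int = 20000) -> float:
    """Monte Carlo estimate (RE.2.5) of P(x + y > z) under the Q-Day distribution."""
    hits = sum(mosca_at_risk(asset, sample_q_day(rng)) for _ in range(trials))
    return hits / trials


def build_register(assets, horizon_years: float = 10.0, seed: int = 1):
    """Risk-register rows (RE.3.2): asset, class, x, y, P(exposed), SLE, ARO, ALE,
    sorted so the most urgent migrations come first (RE.3.1).

    ARO is annualized as P(exposed) / planning horizon, a simplifying convention
    assumed for this example. Grover-weakened assets are run through the same
    Q-Day distribution as Shor-broken ones, another simplification.
    """
    rng = random.Random(seed)
    rows = []
    for a in assets:
        vuln_class = classify(a)
        p = exposure_probability(a, rng) if vuln_class != "quantum-safe-enough" else 0.0
        aro = p / horizon_years
        rows.append({
            "asset": a.name, "class": vuln_class,
            "x": a.sensitivity_years, "y": a.migration_years,
            "p_exposed": round(p, 3), "sle": a.sle,
            "aro": round(aro, 4), "ale": round(a.sle * aro, 2),
        })
    rows.sort(key=lambda r: (-r["p_exposed"], -r["ale"]))
    return rows


# Constructed sample inventory (RE.1.1); these are not real systems.
SAMPLE_INVENTORY = [
    Asset("tls-edge-gateway", "ECDH", 256, 1.0, 2.0, 200_000.0),
    Asset("archived-medical-records", "RSA", 2048, 25.0, 5.0, 5_000_000.0),
    Asset("backup-vault", "AES", 128, 10.0, 1.0, 1_000_000.0),
    Asset("data-lake-at-rest", "AES", 256, 10.0, 1.0, 1_000_000.0),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_INVENTORY):
        print(row)
```

The archived records come out first: x + y = 30 years exceeds even the most pessimistic z in the forecast, so P(exposed) is 1 regardless of how Q-Day is modelled, and migration should start now. The TLS gateway uses the same broken key-agreement family but protects data with a one-year shelf-life, so it sits at the bottom with the AES-256 data lake. Swapping in the organization's own x, y and z estimates is the whole exercise; the arithmetic does not change.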

Risk Response (RR): implementing appropriate actions to address quantum IT risks, including post-quantum cryptography (PQC) migration, acceptance, transfer, or avoidance.

  • Articulate Quantum Risk - RR.1

    Clearly and concisely communicate identified quantum IT risks and their potential implications to relevant stakeholders, emphasizing urgency and strategic importance.

  • Manage Quantum Risk - RR.2

    Develop and implement appropriate quantum risk response plans to mitigate, accept, transfer, or avoid quantum-related IT risks.

  • Select Quantum Risk Response Options - RR.2.1

    Evaluate and select the most appropriate quantum risk response options (e.g., PQC migration, hybrid classical/PQC schemes, quantum-safe solutions) based on risk assessment results and cost-benefit analysis.

  • Implement Quantum Risk Treatment Plans - RR.2.2

    Develop and implement detailed plans for treating identified quantum risks, including PQC algorithm integration, cryptographic agility, and secure key management.

  • Monitor Effectiveness of Quantum Controls - RR.2.3

    Continuously monitor the effectiveness of implemented quantum-safe controls and PQC migration plans, including cryptographic agility assessments.

  • React to Quantum-Related Events - RR.3

    Establish processes for timely reaction to quantum IT risk events and incidents, including response to cryptographic breaches and post-incident review for quantum preparedness.