Traditionally, cybersecurity risk analysis has focused heavily on financial losses and reputational damage to the company. While these are crucial, a growing need exists to consider the broader impact of security breaches. This is where Duty of Care Risk Analysis (DOCRA) comes in, offering a fresh perspective on managing cybersecurity risks.

DOCRA, as outlined by the DOCRA Council, emphasizes a broader stakeholder approach. It pushes organizations to move beyond solely mitigating financial and reputational risks to considering the potential consequences for:

  • Employees: Data breaches can expose personal information and financial details, leading to identity theft and significant personal repercussions.
  • Customers: Compromised customer data can have severe financial and privacy implications, damaging trust and loyalty.
  • Partners: Security incidents can disrupt operations and damage the reputation of partner organizations.
  • The broader community: Large-scale breaches can impact critical infrastructure and public services, causing widespread disruption.

Here's why DOCRA is a game-changer:

  • Focus on "reasonable safeguards": DOCRA advocates for implementing proportionate security measures based on the potential harm a breach can cause. This ensures a balance between robust protection and the feasibility of controls.
  • Alignment with legal expectations: By demonstrating a comprehensive understanding of potential risks and the measures taken to mitigate them, organizations can better align with legal requirements and the "duty of care" principle.
  • Improved decision-making: A stakeholder-centric approach fosters a more holistic view of cybersecurity risks, enabling organizations to prioritize controls that safeguard financial interests and the well-being of individuals and communities.

Why is adopting DOCRA essential?

  • The evolving threat landscape: Cyberattacks are becoming more sophisticated, targeting financial data, personal information, and critical infrastructure.
  • Heightened regulations: Data privacy regulations are becoming stricter, placing a greater onus on organizations to protect personal information.
  • Building trust and resilience: A proactive approach prioritizes stakeholder well-being, fosters trust, and strengthens an organization's overall resilience.

Taking Action:

  • Conduct a DOCRA-inspired risk assessment: Evaluate potential threats, considering the impact on various stakeholders.
  • Implement proportionate safeguards: Focus on controls that mitigate the identified risks without creating undue burdens.
  • Communicate effectively: Communicate cybersecurity policies and the measures taken to protect stakeholders.
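To make the first two action items concrete, here is an added illustration (not code from the DOCRA Council or from this post) of what a stakeholder-centric risk assessment with a proportionality check can look like in practice. The scenarios, the 1-5 likelihood and impact scales, the acceptable-risk threshold and the "burden must not exceed the risk removed" rule are all constructed assumptions for the example, not values or rules taken from the DOCRA standard.

```python
"""
Illustrative DOCRA-style risk assessment (constructed example, not the DOCRA
Council's methodology): score each threat scenario per stakeholder group, flag
scenarios above an assumed acceptable-risk threshold, and check whether a
candidate safeguard is proportionate to the harm it removes.
"""
from dataclasses import dataclass

# Stakeholder groups named in the post; the company is one of them, not the only one.
STAKEHOLDERS = ("company", "employees", "customers", "partners", "community")

# Assumed threshold: scenarios scoring above this need a safeguard.
ACCEPTABLE_RISK = 6


@dataclass
class Scenario:
    name: str
    likelihood: int        # assumed scale 1 (rare) .. 5 (expected)
    impact: dict           # stakeholder -> assumed scale 1 (negligible) .. 5 (severe)

    def risk(self) -> int:
        # Duty of care: the most-affected stakeholder sets the score, so a severe
        # harm to employees is not averaged away by low impact on the company.
        return self.likelihood * max(self.impact.values())

    def most_affected(self) -> str:
        return max(self.impact, key=self.impact.get)


@dataclass
class Safeguard:
    name: str
    burden: int            # assumed cost/disruption to the organisation, same units as risk
    residual_likelihood: int
    residual_impact: dict  # per-stakeholder impact once the safeguard is in place


def assess(scenarios):
    """Return (name, risk score, most-affected stakeholder, needs safeguard?) per scenario."""
    return [(s.name, s.risk(), s.most_affected(), s.risk() > ACCEPTABLE_RISK) for s in scenarios]


def is_proportionate(scenario: Scenario, safeguard: Safeguard) -> dict:
    """Assumed proportionality rule: a safeguard is reasonable when its burden does not
    exceed the risk it removes and the residual risk is within the acceptable threshold."""
    residual = Scenario(scenario.name, safeguard.residual_likelihood, safeguard.residual_impact)
    reduction = scenario.risk() - residual.risk()
    return {
        "safeguard": safeguard.name,
        "reduction": reduction,
        "residual": residual.risk(),
        "burden": safeguard.burden,
        "reasonable": reduction >= safeguard.burden and residual.risk() <= ACCEPTABLE_RISK,
    }


# Constructed sample scenarios and safeguards (hypothetical, for illustration only).
HR_BREACH = Scenario("HR database breach", 3,
                     {"company": 2, "employees": 5, "customers": 1, "partners": 1, "community": 1})
PORTAL_OUTAGE = Scenario("Partner portal outage", 2,
                         {"company": 3, "employees": 1, "customers": 2, "partners": 4, "community": 1})
FINANCE_PHISH = Scenario("Finance team phishing", 4,
                         {"company": 4, "employees": 2, "customers": 1, "partners": 2, "community": 1})
SCENARIOS = [HR_BREACH, PORTAL_OUTAGE, FINANCE_PHISH]

ENCRYPT_AND_MFA = Safeguard("Encrypt HR records at rest and require MFA on the HR app",
                            burden=4, residual_likelihood=1, residual_impact={"employees": 3, "company": 1})
AIR_GAP_HR = Safeguard("Move HR processing to an isolated, manually operated system",
                       burden=20, residual_likelihood=1, residual_impact={"employees": 1, "company": 1})


if __name__ == "__main__":
    for name, score, who, needs in assess(SCENARIOS):
        print(f"{name:<25} risk={score:<3} most affected: {who:<10} {'ABOVE threshold' if needs else 'acceptable'}")
    for sg in (ENCRYPT_AND_MFA, AIR_GAP_HR):
        print(is_proportionate(HR_BREACH, sg))
```

Running the script shows the point the post makes about proportionality: the HR breach scores 15 because employees are the most-affected group, the modest encryption-plus-MFA safeguard brings it within the threshold at a burden smaller than the risk it removes, while the air-gap option removes slightly more risk but at a burden no one could call reasonable.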

DOCRA is not just a framework; it's a call to action.

By embracing this broader perspective on cybersecurity, organizations can move towards a more responsible and sustainable security posture, safeguarding their bottom line and the well-being of the individuals and communities they interact with. Safe practice is one of the best ways to start making this change. Go through a tabletop exercise or virtual cyber incident and take the opportunity to make choices based on DOCRA. See how it changes your decisions and actions. You might be pleasantly surprised by the results.