Frequently Asked Questions

What is Digital Risk Management?

Digital Risk Management (DRM) is a prescriptive, applied set of knowledge, business processes, and measurements for optimizing the management of digital business risk. DRM enables organizations to balance the need to protect the organization with the need to run the business. DRM has been defined, and continues to evolve, based on the input and collaboration among innovative business, technology and security leaders who are focused on managing digital risk from the business perspective.

What is the DRM Institute and what are its objectives?

The Digital Risk Management (DRM) Institute is a nonprofit organization led by business executives, risk officers and security executives to analyze industry-specific digital failure scenarios, create standard DRM knowledge, and promote best practices for managing digital business risk. Our mission is to serve our members and our profession by defining a decision-making framework that creates and sustains business value by balancing the need to protect the organization with the need to run the business. The Institute’s objectives are to publish a generally accepted set of DRM knowledge and best practices across various industries and facilitate benchmarking against those practices.

Why was the DRM Institute created?

The Institute was created to provide guidance and business acumen in measuring and managing digital risk. Business executives, risk officers, CIOs, and CISOs have had no definitive source of applied knowledge (i.e. industry failure scenarios, business-aligned operational processes, use cases, etc.) on how to manage digital risk from the business perspective and rally their organizations around it.

Why should I become a member?

The DRM meetings (working groups, panel discussions, conferences) and funded research initiatives (i.e. DRM Framework, DRM Scorecard) will help you rapidly mature your ability to manage digital risk from the business perspective. Digital risk has acquired executive and board-level visibility, given the disruptive impact cyber threats can have on increasingly digitalized businesses in terms of operational continuity, financial and reputation losses. It is now expected that business executives, risk officers, CIOs and CISOs understand the risk profile of their business on an ongoing basis and know what risk mitigation initiatives will have the greatest impact on protecting the business, based on a set of shared knowledge, risk measurement and management best practices.

If you are a business leader or a risk officer, you will be able to better balance the need for protection of the organization with the need to run the business, make more informed decisions on which risk mitigation initiatives to invest in, and improve your reporting to the board and to the auditors.

If you are a technology or security executive, possessing DRM knowledge, demonstrating business acumen, and creating business-aligned risk mitigation plans may be the surest way for you to improve credibility with your business partners.

Additionally, the network of members participating in the Institute is made up of outstanding business and technology leaders and innovators in each of their vertical markets. You will be able to leverage this network and the business relationships that it affords for both you and your organization.

How do I become a member?

The DRM Institute provides a unique opportunity for business-focused executive education and collaboration. To safeguard the value of our executive conferences, preserve the integrity of our research and encourage interactions between our members, membership is limited to executives that meet the following criteria.


General members must be current or recent senior-level executives with organizations that spend at least $25 million per year on IT or business technology. They should work in the line-of-business, office of the CIO, risk management, legal, corporate finance, the CISO office or line-of-business technology departments.

Qualifying titles from these organizations often include COO, Head of Line of Business, Risk Officer, Digital Risk Officer, Enterprise Risk Manager, CIO, CISO, Chief Enterprise Architect, VP of Business Applications/Systems. Executives with a title or department different than those listed above may also be qualified.

Multiple qualifying executives from the same organization are welcome to join. Read the General Member Agreement.


Charter membership is limited to those that meet the general membership requirements. Because the basis of charter membership is direct contribution to and participation in our research and publications, charter members must also be willing to contribute time and effort to one or more programs.

Independent experts such as university professors, industry analysts, researchers and others who demonstrate executive-level expertise in the digital risk management field may also apply to join as a principal member. Their active contribution to our research programs will be expected and welcomed.

If your company qualifies, we invite you and your immediate direct reports to join the Institute.

Become a member now >

What is the cost of participating in the DRM Institute?

There is no cost to become a member; however, there are restrictions and qualifications for membership.

Apply here >

Who sits on the Board of Directors and what is their role?

As with any entity, the Board of Directors leads the organization in its efforts to fulfill its mission. Unlike the typical for-profit corporation, our Board members are highly visible members of the community that strive to increase awareness and understanding of DRM knowledge and principles and to play a pioneering role in shaping those principles and best practices.

See the Board of Directors

What workgroups have formed and how can I participate?

The Board of Directors has created several workgroups to further advance DRM: the DRM Framework, the DRM Scorecard, the DRM Conference, and Industry Workgroups. These workgroups have formed to provide collaboration on resources. If you are interested in becoming a workgroup participant, please submit your contact information through this registration form with the specific workgroup you are interested in participating in.

What is the DRM Conference and why should I attend?

The DRM Conference provides an opportunity to learn how other leaders employ DRM to create digital resiliency and deliver greater business value. Industry thought and practice leaders from some of the most reputable companies and government organizations will share their stories of measuring digital business risk, prioritizing risk mitigation initiatives, and optimizing investments based on business impact.

What is the relationship between the DRM Institute and Waverley Labs?

As the founding entity of the DRM Institute, Waverley Labs is committed to the development and furtherance of Digital Risk Management. Waverley Labs’ commitment is substantiated by the fact that it continues to act as the technical advisor to the DRM Institute, by its sharing of Intellectual Property with the Institute and its active involvement in determining who will lead and participate in the DRM Institute, the projects it pursues, and the IP it develops and distributes. Please see the FAQ below regarding data collected by the DRM Institute, and if you would like additional information regarding Waverley Labs’ involvement, please feel free to contact

What about any data collected by the DRM Institute entity?

It is expected that the Institute will collect what is referred to in the privacy policy as “Profile Information”. That information will not be shared with third parties except to the limited extent provided in the privacy policy, and may only be used as permitted or consented to by you. Other information you provide, such as answers to survey questions that create the DRM Scorecard, input about the industry, or other information that does not identify you personally, may be used by the DRM Institute or Waverley Labs for commercial purposes.