Most of it is straightforward (a policy, an ITAM plan, etc.), but it also includes the need to define a risk framework which includes:
- Risk acceptance criteria
- A method that ensures repeated IT asset risk assessments produce consistent, valid and comparable results.
This is a small set of requirements, but many people will not really know what it means, so I thought I’d explain for this month’s blog – but without going into too much detail about the risk management process itself.
If you want to know more about how to define a risk management process itself, you can either 1) purchase our ‘ITAM Risk Management Process’ and/or 2) do a risk management course – in the UK I recommend Management of Risk (MoR) – it’s an excellent course, and changed the way I approach asset management completely. It was a revelation!
So… back to the topic.
What the ISO Standard doesn’t do is tell you that in order to define the risk acceptance criteria AND apply a consistent approach to assessing risk, you need to have a risk framework to help you categorise and prioritise your risks.
Most organisations use a very simple framework that can be summed up in the formula:
Probability x Impact = Risk Score
Most organisations utilise a simple 1 – 5 scoring technique for both probability and impact. Some organisations also include an estimate of proximity – how soon the risk may materialise and become an issue.
The risk acceptance criterion is often a simple threshold against which you compare the result of the risk formula. So for instance, an organisation may say it will accept a risk if the risk score is 4 or under.
The trick is being consistent in your scoring, and this can be hard, especially if there are multiple people involved. Your risk scores may also drift over time, by which I mean that for a particular risk, your current risk score may not be the same as if you’d performed the analysis a year or two years previously.
In order to counteract this problem, some organisations provide detailed scales of probability, impact and proximity to help with the scoring. An example of an assessment scale showing all 3 aspects is below. In this case, you can substitute proximity for likelihood if that is easier to measure for the particular risk.
You can see that having more descriptive scales really helps quantify risks, reduces the chance of your assessments drifting over time, and also helps with the problem of comparing risks that may have very different impacts in the real world.
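As an added illustration (not code from the original post), the scoring approach above in a small Python scorer: fixed 1 – 5 scales, Probability x Impact as the score, the post’s example acceptance threshold of 4, proximity used only to order ties, and a drift check between two assessment rounds. The scale descriptions and the sample ITAM register are constructed for the example.

```python
from dataclasses import dataclass

# Acceptance criterion from the post: accept a risk when Probability x Impact
# is 4 or under. Scale wording and the sample register are constructed here.
ACCEPTANCE_THRESHOLD = 4

@dataclass(frozen=True)
class Assessment:
    risk: str
    probability: int  # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    proximity: int    # 1 (years away) .. 5 (imminent); only used to order ties

    def __post_init__(self):
        # Reject values outside the 1-5 scale so every assessor uses the same range.
        for name in ("probability", "impact", "proximity"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        return self.probability * self.impact

def is_accepted(a: Assessment, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
    """Apply the risk acceptance criterion to one scored risk."""
    return a.score <= threshold

def prioritise(register: list[Assessment]) -> list[Assessment]:
    """Risks that are not accepted, highest score first; nearest proximity breaks ties."""
    open_risks = [a for a in register if not is_accepted(a)]
    return sorted(open_risks, key=lambda a: (a.score, a.proximity), reverse=True)

def drift(previous: list[Assessment], current: list[Assessment]) -> dict[str, tuple[int, int]]:
    """Compare two assessment rounds and report risks whose score changed."""
    old = {a.risk: a.score for a in previous}
    return {a.risk: (old[a.risk], a.score)
            for a in current if a.risk in old and old[a.risk] != a.score}

def sample_register() -> list[Assessment]:
    # Constructed ITAM risks for demonstration only.
    return [
        Assessment("unlicensed software found on servers", 3, 4, 4),  # score 12
        Assessment("asset register out of date", 4, 2, 2),            # score 8
        Assessment("contract renewal date missed", 2, 4, 5),          # score 8
        Assessment("spare laptop stock miscounted", 2, 2, 1),         # score 4, accepted
    ]
```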
So should you build your own risk framework? Do this only if you are confident your organisation doesn’t already have one, or the one that it does have isn’t granular enough for you. Large and highly regulated organisations definitely have one, so if you can’t find it, push! It will be there somewhere!
You may find that very large organisations have such large impact scales that all your ITAM risks fall within the organisational risk acceptance criteria. If this is the case, this is your opportunity to develop your own (smaller) scales and also to define your own risk acceptance criteria to help prioritise your workload when it comes to analysing your risks and working out what to tackle first.
So there you have it: how to define a risk acceptance framework that allows you to comply with the requirement to have ‘risk acceptance criteria’ and ensure you can produce ‘consistent, valid and comparable results’ over time.