This Playbook describes the benefits of configuring and running the Application Risk Management Process, what it does and how it works. We explain how you can configure and run the process “out of the box”, and provide a range of ways you can adjust the process to match specific requirements.
All of the assets required to configure and run the process are included in the Application Risk Management Use Case solution. This process also connects to, and makes use of, the Application Ownership Process that is described in Process Playbook: How to automate Application Ownership, and forms part of the Application Lifecycle Management Use Case solution.
If your model does not make use of the 'Application Ownership State' field that forms part of that Application Lifecycle Management solution, you need to adapt or avoid three of the Broadcasts which rely upon that field to determine the ownership state of an Application. Further guidance is provided in Appendix I.
Table of contents
Who should use this Playbook?
This playbook is for Enterprise Architects who want to automate application risk management processes, improve their organization’s approach to application risk management and save considerable time and money for their organization.
Even though this document refers specifically to the application risk management process,, similar techniques can be applied in Ardoq to automate other governance processes.
Why you should configure and run this process
Effective IT Risk Management involves managing and maintaining a register of all risks that impact your application portfolio, and a library of the controls that mitigate exposure of your applications to those risks. This is often a manual process that involves tedious and time-consuming activities, however, by following this process Enterprise Architects can automate processes and clear time for higher value-adding activities.
The benefits include:
Avoiding a reality gap
Without continuous management, a Risk Register can quickly become a dusty relic. This automated process ensures that the Risk Register and Control Library stay alive and connected, both to each other, and to affected applications.
Improved responsiveness
The process ensures that your Risk Register is not a static list, but is proactively managed, with the impact of risks on applications regularly monitored, and controls deployed to reduce the exposure of your application portfolio to the constantly changing risk landscape.
Saving time and money
Managing a Risk Register the old-fashioned way consumes resources, often reducing those responsible to the role of spreadsheet data entry clerks. By enabling Ardoq to engage directly with risk and application owners, there is no longer a need for key resources to single-handedly run a slow and expensive process.
Reducing risk
The purpose of a Risk Register is not simply to document what might happen. This automated process ensures that risks are actively managed and progress is made to reduce the exposure of applications to them.
Increasing engagement
This automated process puts the words “Risk Management is everyone’s responsibility” into action. It automatically engages risk owners, those responsible for controls, and the owners of the applications that are exposed to risks. All have to contribute and collaborate.
What is the Application Risk Management Process?
This automated process, when configured and deployed, begins when a new Risk component is added to the Risk Register, and runs continuously in the background through the lifetime of the Risk.
It ensures that Risks always have Owners.
Where new mitigating Controls are proposed, it asks whoever is responsible for managing the Control Library to describe the Control and quantify its mitigating effects.
It asks Owners of Applications that are impacted by Risks to determine the right treatment and, where appropriate, develop a plan that might involve deployment of existing Controls to the Application to bring down the impact or likelihood of the Risk occurring for that Application.
Where a Risk remains above the Application’s risk tolerance threshold, it will ask the Application Owner to provide monthly updates.
New Owners of Applications (including new Applications) are asked to conduct a risk review to identify any known Risks that impact their Application.
Figure 1 below shows the process that is provided with the Application Risk Management Use Case. Details of how this can be configured and put into operation are provided later in this Playbook.
Figure 1: The Application Risk Management Process
The many perspectives of Risk Management
Responsibility for application risks and risk management varies considerably by organization. In some cases it is centrally controlled by a Risk Register owner who might, or might not, also be the owner of the Control Library. In others, it is devolved to application teams and application owners, and sometimes it is a joint effort among the Risk Register owner, a group of individual risk owners and the application owners.
This Application Risk Management Process caters for all of these perspectives. In particular, it allows links to impacted Applications and mitigating Controls to be identified and created by those who are recording a new Risk when they are creating it. But it also allows Application owners to review the Risk Register from the perspective of their Applications and create impact links from relevant Risks when they are reviewing their Applications. And Control owners can also manage the list of Applications which their Controls mitigate when creating or updating their Controls. Ten Broadcasts provide the choreography that automates the processes from these related perspectives. Not every organization will require the same balance of responsibilities and activities. Many may choose to deploy only some of the ten Broadcasts to focus the automated messaging on the people and cases where it matters most. You are strongly advised to read through this document, including the final chapter “Adapting the process to fit your organization”, before deciding how to set up and run the process to suit your organization.
How does it work?
Just two types of asset combine to produce this quite complex process: Surveys and Broadcasts.
Surveys - forms that gather information from people in different steps of the process. Their answers are used to add information to the model. These may take the form of references (such as creating Mitigates links between a Control and the Risks they have a mitigating effect upon), or fields that add detailed information to a particular asset (such as the exposure score thresholds that determine whether a Risk is considered to be “red”, “amber” or “green” for a given Application).
Broadcasts - highly configurable messages that can watch for specific situations and, when they occur, trigger a message to a person, for example asking them to complete a survey about a particular asset, or warning them about a situation that has arisen. For example, a newly appointed application owner may be asked to conduct a risk review of their application to ensure that the list of Risks and Controls applicable to that Application are correct, and that the new owner is fully aware of the risk context for their Application.
Figure 2 below shows how the Application Risk Management Process of Figure 1 has been implemented with four Surveys and ten Broadcasts. An advantage of Ardoq’s distributed workflow capability is that individual Broadcasts can be enabled or disabled so that as much or little of this process can be put into action, depending on the specific needs of your organization.
Figure 2: The process in terms of Ardoq assets
The Surveys
Four surveys are used to support the Application Risk Management Process:
RM - Risk Details Survey: this survey is used to add a new Risk component to the risk register, or to edit the details of an existing Risk. The Survey also allows a Risk to be deleted. The Survey questions are:
Risk Name
Risk Description
Risk Category - select the parent Risk Category component to which this risk will become a child component (Strategic, Operational, Financial, Compliance & Regulatory, Knowledge or Information Security)
Risk Likelihood (on a scale of 1 - 5)
Risk Impact (on a scale of 1 - 5)
Mitigating Controls - Identify all existing or new Controls that can mitigate this Risk (creating a Mitigates reference to the Risk). If a new Control name is entered, the system will create a new Control component and add the Mitigates reference automatically.
Impacted Applications - identify all existing Applications that are impacted by this Risk and automatically create an Impacts reference link from the Risk to the Applications.
Risk Owner - name the Owner (a Person) of this Risk. The system automatically creates an Owns reference link from the Person to the Risk.
RM - Risk Owner Survey: this simple Survey is used to identify the Owner of an existing Risk. There is just a single question:
Risk Owner - name the Owner (a Person) of this Risk. The system automatically creates an Owns reference link from the Person to the Risk.
RM - Control Details Survey: this Survey is used to add a new Control component to the control library or to edit the details of an existing Control. The Survey also allows a Control to be deleted. The Survey questions are:
Control Name
Control Description
Identify all the Risks this control is capable of mitigating. The answer automatically creates Mitigates reference links from the Control to all identified Risks.
How does this Control reduce the likelihood of the Risks it mitigates? (on a scale of 0 to -4)
How does this Control reduce the impact of the Risks it mitigates? (on a scale of 0 to -4)
To which Applications is this Control being deployed (now or in the future)? This automatically creates Deploys To reference links from the Control to the Applications. And for each such Application:
Give the date when it was, or will be, deployed.
Does this Control realize any Policy, Framework or Standard requirements? Invites the user to select all policy, framework or standard requirements that the Control realizes. The system will automatically create Is Realized By references from the selected Requirements to the Control. Note that, by default, the list of Requirements offered for selection is restricted to only "leaf" node Requirements (i.e. those that do not themselves have child Requirements). This restriction can be removed by clearing the Advanced Search for this question in the Survey Builder.
Control Owner. Identify the Person who owns this Control. The system will automatically create an Owns reference from that Person to the Control.
RM - App Risk Details Survey: this Survey is used to review the Risks that Impact an Application component, and the Controls that are, or will be, Deployed to the Application to mitigate its exposure to the Risk. The Survey questions are:
What exposure score would represent a “Red Risk” for this application? (a scale of 1 to 26). This is a threshold against which an impacting Risk’s Current Exposure score will be measured. If exposure is equal to or greater than the threshold, the Risk will be considered “Red” for this Application. Exposure scores have a scale of 1 to 25.
What exposure score would represent a “Green Risk” for this application? (a scale of 0 to 25). If the Risk’s Current Exposure score for this Application is less than or equal to the threshold, the Risk will be considered “Green”.
Impacted Risks and their treatment and plan details. Identify all Risks that impact this Application. The response automatically creates an Impacts reference link from each selected Risk to the Application. For each such risk, provide:
The agreed treatment to deal with this risk for this application (Reduction, Removal, Transfer, Retention, Share);
Optionally, a URL link to the Risk Plan.
Which Controls have been, or are planned to be, deployed for this Application? The response automatically creates a Deploys To reference link from each selected Control to the Application. For each such Control:
When will the Control be operational for this Application (the Deployment Date)?
The Broadcasts
Ten Broadcasts are used to send the surveys for completion:
RM - Risk Register Review: this Broadcast asks a central authority (the owner of the Risk Register) to conduct a periodic review of all the risks in the Application Risk Register. They are sent a list of the RM - Risk Details Survey for every risk in the register, inviting them to update any that have changed. They can delete any risks that are no longer applicable, and also use the survey to create any new risks that are identified. Such a review is often conducted as a Risk Workshop with a group of IT, Security and Risk leaders. By default, the Broadcast will run once every six months.
RM - App Owners Risk Review: this Broadcast asks all application owners to conduct a periodic review of all risks that impact, or might impact, the application they are responsible for. They are asked to use the RM - App Risk Details Survey for each of their applications, where they can review any risks currently recorded as impacting their applications, and add links from any new risks that may now be applicable. They can also review the list of Controls that have been, or are planned to be, deployed to reduce the exposure of their applications to risks. By default, the Broadcast will run once every six months, two months after the RM - Risk Register Review broadcast (allowing time for revisions to the Risk Register and Control Library to be published).
RM - Control Library Review: this Broadcast asks a central authority (the owner of the Control Library) to conduct a periodic review of all the controls in the Control Library. It invites them to edit the RM - Control Details Survey for every control in the library, confirming that its details remain correct. They can delete any controls that are no longer available, and also use the survey to create any new controls that have been, or are being, introduced. By default, the Broadcast will run once every six months, one month after the six-monthly review of the Risk Register.
RM - Unowned Risks: this Broadcast looks for Risks that don’t have an owner, and asks a central authority to assign an owner. The filter rules use the calculated checkbox field Owned, which determines whether the Risk has an Owns reference coming from a Person. It selects only those that don’t, and sends the RM - Risk Owners Survey to the nominated authority. By default, the Broadcast will run daily.
RM - Incomplete Controls: by default, the RM - Risk Details Survey allows the user to create new Controls in addition to referencing existing ones when asked to indicate which controls can mitigate the risk. If this happens, a new Control component will be created that does not contain a description, nor values for its Impact Effect and Likelihood Effect. This Broadcast detects this situation, and to ensure that all Controls are complete, the broadcast sends the RM - Control Details Survey to a central authority for completion (it is assumed that there is an authority who is responsible for management of the control library). The Broadcast’s filter selects any Control component that lacks a Description, or values for either Likelihood Effect or Impact Effect. By default, the Broadcast will run daily.
RM - New App Owner Risk Review: owners of newly acquired or developed Applications should evaluate their application against the current risk register when their application is ready to go live. With this Broadcast, we’ve gone a step further, and proposed that any change of application ownership is an ideal opportunity for fresh eyes to examine the Risk Register from the perspective of their application. This situation will, of course, occur when a new application is created with its owner, but it will also occur if ownership of an existing application is transferred from one Person to another. The filter conditions are quite complex, to ensure that we only catch the relevant applications:
The RM - App Risk Details Survey has not been updated in the past month
The Application Ownership State is either Owned or Managed (this field is automatically set by the Application Ownership Process in the Application Lifecycle Management Use Case)
Incoming Owns references have been updated within the past 2 months (note that the Rule can identify an Owns reference but cannot tell that it comes from a Person. The Rule will therefore trigger whenever an Owns reference coming from any component type has been recently updated.) If you permit Owns references from component types in addition to Person (e.g. Organizational Unit) you might wish to change this Broadcast to avoid "false positives". One option would be to replace it with a Broadcast the looks for recently created Application components that have an owner.
The RM - App Risk Details Survey is sent to the owners of the selected Applications. The Broadcast runs monthly.
RM - App Risk Details: this Broadcasts looks for Applications that are impacted by Risks but don’t yet have a recorded Risk Treatment. The Risk Treatment is specific to each Risk/Application combination, and is a list field on the Impacts reference between the two. The filter selects only those Applications that have an incoming reference with an empty Risk Treatment field and a Current Impact field value greater than zero. The RM - App Risk Details Survey is sent to the selected application owners. The Broadcast is run daily.
RM - App Risk Review: the RM - App Risk Details Survey invites responders to identify the Controls that will be deployed to bring down the exposure of their Application to a Risk. They are required to provide a Deployment Date, and once Controls have been deployed, any mitigating effects they have on the Risk will be applied, and the Risk’s Current Exposure for that Application will reduce. If it remains equal to, or above, the Application’s Risk Red Threshold, this Broadcast will send a monthly request to the owner to review the Risk and confirm that they are doing everything they can to reduce their Application’s exposure to the Risk. The Broadcasts filter will select all Applications with a Risk Current Red Count above zero, and send the RM - App Risk Details Survey to the Applications’ owners. It runs monthly.
RM - Unowned Apps without Risk thresholds: if an Application is impacted by Risks yet has no owner, it is likely that nothing is being done to address the Risk from the perspective of that Application. This message broadcast sends a warning to Risk owners in this situation, so that they can take steps either to get an Owner assigned to the Application, or to take action themselves to review the exposure of that Application to their Risk and agree a treatment plan and identify any relevant Controls that might be deployed to reduce the effect of the Risk. The Broadcast filter rules look for Applications whose Application Ownership State is Unowned, are impacted by Risks but have incomplete Red or Green thresholds. It sends the warning message to the relevant Risk owners. It runs weekly.
Note: This Broadcast relies upon the Application Ownership State field in Application components whose value is set in the Application Ownership Process (see Process Playbook: How to Automate Application Ownership for details).
RM - Unowned Apps with Red Risks: If an Application has “Red” Risks yet has no owner, there is an especially serious concern that nothing is being done to address the Risk from the perspective of that Application. This message broadcast sends a warning to Risk owners in this situation, so that they can take steps either to get an Owner assigned to the Application, or to take action themselves to review the exposure of that Application to their Risk and agree a treatment plan and identify any relevant Controls that might be deployed to reduce the effect of the Risk. The Broadcast filter rules look for Applications whose Application Ownership State is Unowned, and that have a Risk Current Red Count greater than zero. It sends the warning message to the relevant Risk owners. It runs weekly.
Note: This Broadcast relies upon the Application Ownership State field in Application components whose value is set in the Application Ownership Process (see Process Playbook: How to Automate Application Ownership for details).
How to configure and run it
This section describes the few steps needed to configure the Surveys and Broadcasts and make the whole process live.
Edit each of the four Surveys and add a suitable contact email address in the General information Section. Save each Survey, ensuring they are made Live.
Edit each of the ten Broadcasts and in the Compose message section, add a suitable Sender’s email address and review the message content to ensure that it suits the culture and style of your organization.
In addition, when editing the RM - Unowned Risks and RM - Risk Register Review Broadcasts, in Select audience choose the central authority that has responsibility for allocating owners to risks as the recipient of the survey links (the owner of the Application Risk Register).
Ensure that you are happy with the intervals between the Broadcasts RM - Risk Register Review, RM - Control Library Review and RM - App Owners Risk Review. A gap of one month between each broadcast allows time for updated information to be available for the respondents of the next survey (revised Risk Register for the owner of Controls, and revised Risk Register and Control Library for Application Owners).
When editing the RM - Control Library Review and RM - Incomplete Controls Broadcasts, in Select audience choose the owner of the Control Library.
Select Launch Broadcast to make each Broadcast live.
That’s it! Your Application Risk Management Process process is now running.
Adapting the process to fit your organization
The authority to create or delete Risks
Responsibility for identifying and recording new risks varies from organization to organization. Sometimes the application risk register has an owner who will organize a regular review of the content, adding some new risks, adjusting existing ones and removing any that are no longer applicable. They might lead a collaborative workshop to do this. In other organizations the responsibility for identifying risks that impact applications is devolved to the application owners. Access to the RM - Risk Details Survey, which bestows the power to create, update or delete Risks, needs to be controlled in line with the organization’s policy. Can anyone in the organization add a new risk to the risk register or update or delete an existing one? Or is this the sole duty of whoever owns the risk register?
Note that, by default, the RM - Risk Details Survey allows a respondent to create a new Risk, and update or delete an existing one. A more controlled approach could limit the survey to editing existing ones, leaving control of creation and deletion to the risk register owner. Two versions of the survey might be used: one for widespread use that limits users to editing existing Risks, with the other allowing a few users the wider power to create, update or delete Risks. Alternatively, the current survey could be kept, but restricted to just the owner of the risk register.
The power to create and delete components, in addition to editing existing ones, is set in the Define the data section of the Survey Builder:
You can change the default permissions to access the survey by selecting permissions for that survey from the survey overviews page in Ardoq:
The authority to create or delete Controls
A similar question arises concerning the management of the Control Library (the collection of Controls that has been defined in Ardoq). Again, by default, the RM - Control Details Survey gives the respondent the power to create, update or delete Controls. You should consider carefully how access to this Survey should be managed.
By default, the RM - Risk Details Survey allows respondents to create new Controls during the process of adding a new Risk, or editing an existing one, when answering the question “What controls do we have, or can we implement, that can mitigate this risk?”. Some organizations may prefer to limit this power to the owner of the Control Library, and restrict the Survey question to selecting from among existing controls only.
This can be done easily by unchecking the Create components checkbox in the Survey builder for RM - Risk Details Survey under question 6 Mitigating controls.
Reviews: what to review and how often
We suggest that the three core elements of the Use Case: Risks, Controls and Applications should each be regularly reviewed. These are in addition to actions that are triggered by specific circumstances (e.g. asking an Application Owner to respond to the impact of a newly identified Risk). We propose that the three reviews can be synchronized, so that each is able to take into account recent influencing revisions. The logical sequence of this synchronization is:
Risk Register -> Control Library -> Applications
We propose a six-monthly set of reviews, with a gap of one month between each element (Risk Register, Control Library, Applications). This should give sufficient time for content to be updated before the successor review. This is how the three review Broadcasts have been set up by default: each to run at 6-monthly intervals, with a month’s gap between each.
Some organizations may prefer a faster or slower pace, or may wish to change the overall frequency of review, perhaps to quarterly, or to annual. If there are very many applications, the frequency of application owner reviews could be varied by business criticality, to allocate the overall effort involved in risk management appropriately.
To change the frequency of a Broadcast, edit it and navigate to Section 5 Select schedule and reminder. Here you can select a start date, interval, and decide whether a reminder should automatically be sent to recipients who have not updated their surveys within a given number of days. The Start date fields of each of the three connected broadcasts can be set to your desired sequence and gap between them.
Of course, you do not need to make all three of these reviews live. You could choose, for example, to disable the RM - App Owners Risk Review. The rest of the Application Risk Management Process will continue to run provided the remaining Broadcasts are live. New Applications will be picked up and Owners will be asked to review the relevant Risks and Controls for them with the RM - New App Owner Risk Review Broadcast, and any affected Application Owners will have to respond to new Risks thanks to the RM - App Risk Details Broadcast.
And in some organizations, the six-monthly review of the Risk Register might also incorporate a review of the Control Library. New Controls can be created automatically when adding or updating Risks, and so these combined activities may render a separate review of the Control Library unnecessary. In such a case, the RM - Control Libary Review Broadcast may be disabled. Much depends on how ownership of the Risk Register and Control Library is allocated in an organization.
Risk and Control ownership
As with Applications, this Use Case provides for the allocation of owners (of type Person) for RIsks and Controls. We have made it mandatory for Risks, so that there is an escalation path in the situation where Risks are impacting unowned Applications. Without it, the Risk Register is reduced to the role of being a record of impending disaster, rather than a proactive tool for managing risk. So the RM - Unowned Risks Broadcasts will find unowned Risks and request the Risk Register owner to allocate an owner to them. It will do so daily, so unless the Risk Register owner responds within 24 hours, they will get another reminder the next day. The frequency of this Broadcast can be changed, as with all Broadcasts, in Section 5 or the Broadcast Builder, Select schedule & reminder, under Interval.
The Use Case, as implemented, does not make the requirement to have an owner of each Control mandatory. The question is asked in the RM - Control Details Survey, but there it is optional and a failure to name an owner for a Control does not have any consequences as far as the Use Case is concerned. If you wish to require new Controls to always be given an owner, you can change the minimum Number of references that can be created to “1” under the question Who is the owner of this Control? In the Questions section of the Survey builder for the Survey RM - Control Details Survey.
You could also choose to implement a check, similar to that implemented for Risks, to ensure that all Controls have an owner. To do this, you would need to:
Add the calculated checkbox field Owned to the Control component type;
Create a survey, which you might call RM - Control Owner Survey, using RM - RIsk Owner Survey as your blueprint but with the Control Library Workspace instead of the Risk Register, and the Control component type instead of Risk.
Create a broadcast, which you might call RM - Unowned Controls, using RM - Unowned Risks as your blueprint, but looking for Controls with Unowned unchecked, and with the Control Library owner as the audience.
In this way, any Controls that become unowned, perhaps because their owner has left the organization, will be picked up automatically, just as happens with Risks ( and Applications in the Application Ownership Process).
Review responsibilities
You might wonder why the 6-monthly review of the Risk Register, and that of the Control Library, are sent to their respective owners rather than the owners of the individual Risks and Controls (given that each of them has a personal owner). After all, the 6-monthly review of risks by application owners is sent to each application owner, not a central authority responsible for all applications. The reason is that the reviews of Risks and Controls should not only review all the existing Risks in the Risk Register, and Controls in the Control Library, but look at the whole set in the light of the current environment, and consider whether some new Risks or Controls should be added to Ardoq. If each owner just receives a request to review their set of Risks (or Controls), there is a danger that they will not look beyond a review of what is in front of them. This explains the design choice we have made.
But it would be a simple change to send the review Broadcasts to the individual owners of each Risk and Control. To do so, in the relevant Broadcast builder, under Section 2, Select audience, choose Add audience, and select By predefined people query.
In the resulting popup window, select the Owns checkbox at the top. A preview appears, and if you are happy that it is correct, hit the Add to audience list button:
Appendix I - Dependency upon Application Ownership State field
The following Broadcasts in this Use Case solution depend upon the Application Ownership State field in the Application component type to be populated appropriately. This field, in turn, depends on the Ownership Accepted field being populated appropriately. If you have deployed, and are running, the Application Ownership Process in the Application Lifecycle Management Use Case solution, these fields will be present and populated automatically, through the operation of the process. Details of how to implement and run the process can be found in Process Playbook: How to Automate Application Ownership. If you have chosen not to deploy and run the Application Ownership Process, but wish still to deploy and run this Application Risk Management Process, you will need to amend the following Broadcasts before making them live:
RM - New App Owner Risk Review. The filter for this Broadcast includes Component field rules that ensure that only Applications with an Application Ownership State equal to “Managed” or “Owned” are included. This ensures that Applications in a state of “Nominated” are not included (since the nominated owner has not yet accepted ownership responsibility, and so should not be sent the survey yet). If you are not using the Application Ownership Process, you can remove the Component field rules but retain the Component reference rules, which select all Applications with an incoming Owns reference that has been updated in the past 2 months.
RM - Unowned Apps without Risk thresholds. The filter Component field rules include a rule to select Applications with Application Ownership State equal to “Unowned” (in addition to looking for missing threshold values and a Risk Total Count of at least 1). You can either choose not to make this Broadcast live, or you will have to use a field similar to Application Ownership State to detect the absence of an owner. One option for this would be to add the Owned field used in the Risk component type to the Application component type. You can then test this field’s unchecked state in the rule instead of the existing test of Application Ownership State.
RM - Unowned Apps with Red Risks. The filter Component field rules include a rule to select Applications with Application Ownership State equal to “Unowned” (in addition to looking for Applications with a Risk Current Red Count of at least 1). You can either choose not to make this Broadcast live, or you will have to use a field similar to Application Ownership State to detect the absence of an owner. One option for this would be to add the Owned field used in the Risk component type to the Application component type. You can then test this field’s unchecked state in the rule instead of the existing test of Application Ownership State.