Attention: This article is part of the Application Risk beta program, and the associated use case is still under development. If you are interested in participating in the Application Risk beta test and you are an existing customer, please contact your CSM.
In Application Risk: Purpose, Scope, and Rationale we cover that the exposure of an application (or any other component, if we choose to extend the model) to a risk is determined by the following calculation:
Risk Exposure = Risk Impact x Risk Likelihood / 5
where Risk Impact and Risk Likelihood are expressed as integers on a scale of 1.0 to 5.0.
The result is a Risk Exposure score on a scale of 1 to 25. We may choose to normalize this to a scale of 1.0 to 5.0, thus keeping all displayed scores within the same limits, though it is more common to retain the bigger scale for Risk Exposure. This keeps all numbers as integers and makes it easy to apply multiple thresholds. For example:
0.0 - 2.9: Accept the risk
3.0 - 3.9: Manage in local risk register
4.0 - 4.9: Manage in department risk register
Manage in corporate risk register
This works well when considering risk impacts individually, but if multiple risks apply to one application, it would be helpful to be able to show the cumulative effect on each application, and therefore rank or compare applications from a risk perspective.
The same concept can be applied to risks. With risks variously impacting different applications with different levels of exposure, a Risk Manager would wish to understand which risks present the greatest overall exposure for the estate and therefore might be considered the most pressing.
What are the options for aggregating multiple risk exposures, either in Risks or in Applications?
1. Aggregate Risk Exposure
A single field that sums all of the risk exposure scores.
- Easy to compare: the bigger the score, the greater the total exposure.
- Doesn't reflect the quantity of risks. Is one big risk better or worse than several small ones?
- The range will not have much meaning. More risks will produce bigger scores, so we cannot judge whether a given number is good or bad on its own. It has relative meaning, but not absolute.
2. Average Risk Exposure
Take the aggregate and divide it by the total number of risks to which an application might be exposed (this might be the total number of risk components, or the total number of risk components that have at least one reference to an application).
- A reduced range, compared with option 1.
- No longer an integer.
- More risks will produce a narrower range, increasing the significance of more decimal places.
- The introduction of new risks to the estate will cause most scores to go down. Whilst this is correct (exposure as a percentage of all possible risk has gone down), it will create the misleading impression that the risk associated with an individual application has reduced, when it has in fact remained unchanged. Trend charts will move around as the quantity of risks changes, even when the risks that apply to an application don't change. This won't happen with option 1.
3. Maximum Risk Exposure
Just take the maximum exposure score of all risks that an application is exposed to ("you are only as good as your worst risk").
- Remains on the same scale (1-25) as Risk Exposure, and the scale will be consistent across any model, irrespective of the number of risks or applications.
- Cannot distinguish between an application that has a single risk of a certain level and one that has multiple risks at the same level.
- There are only 14 possible scores. Many applications will have the same score, so another variable will have to be used to separate the applications in a ranking.
4. Quantity of Risks
Calculate the total number of risks to which the application is exposed.
- A simple, understandable number: more risks = bigger trouble.
- Crude: is an application exposed to many very low risks really at more risk overall than one that is exposed to a thumping big risk? The application with one big risk will be near the bottom of the ranking.
5. Quantity of Risks above a Threshold
Calculate the total number of risks to which the application is exposed that have an exposure score of 10 or more.
- Blends quantity and exposure in a single score.
- An integer, so easy to understand.
- The threshold is somewhat arbitrary. Something with many risks all just below the threshold will appear the same as something without any risks.
- The highest-risk applications will ultimately be distinguished by the number of risks, not by their exposure (seriousness).
6. Two Measures on Two Dimensions
Use two measures and plot them on two dimensions. Candidates include aggregate x max, aggregate x quantity, quantity x max, or just a matrix of likelihood x impact showing quantities. Effectively, this means calculating multiple variables but not using any one of them to represent a total risk score.
- Flexible. Outliers in either dimension are exposed and can be explored. It avoids the need to impose a weighting on each dimension; their importance may vary by context, and it is down to the user to determine this.
- With more than two calculated variables, it can be used for multiple visualizations to show different perspectives.
- Cannot take automated action; it feeds one or more visualizations.
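As an added example (not part of this article or the product), the following Python sketch computes Risk Exposure on the 1-25 scale and options 1 to 5 over a constructed estate, to show that the same three applications rank differently under each option and that option 2 drops when a risk is added elsewhere in the estate. The application names and risk values are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    impact: int      # integer 1..5
    likelihood: int  # integer 1..5

    def exposure(self) -> int:
        """Risk Exposure = Risk Impact x Risk Likelihood, on the 1-25 scale."""
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("impact and likelihood must be integers from 1 to 5")
        return self.impact * self.likelihood

# Constructed sample estate (not from the article): one application with a single
# severe risk, one with several medium risks, one with a single minor risk.
ESTATE = {
    "Billing":  [Risk("R1", 5, 5)],                          # exposure 25
    "Intranet": [Risk(f"R{i}", 2, 3) for i in range(2, 7)],  # five risks at 6 each
    "Wiki":     [Risk("R7", 1, 1)],                          # exposure 1
}

# Options 1-5 from the article, each as a function of one application's exposures.
MEASURES = {
    "aggregate":         lambda ex, total: sum(ex),
    "average":           lambda ex, total: sum(ex) / total,  # divided by risks in the estate
    "maximum":           lambda ex, total: max(ex, default=0),
    "quantity":          lambda ex, total: len(ex),
    "quantity_above_10": lambda ex, total: sum(1 for e in ex if e >= 10),
}

def score_estate(estate):
    """Return {application: {measure: score}} for every measure in MEASURES."""
    total_risks = sum(len(risks) for risks in estate.values())
    return {
        app: {name: fn([r.exposure() for r in risks], total_risks)
              for name, fn in MEASURES.items()}
        for app, risks in estate.items()
    }

def rankings(estate):
    """Return {measure: [applications from worst to best]}; the orders disagree."""
    scores = score_estate(estate)
    return {m: sorted(scores, key=lambda app: scores[app][m], reverse=True) for m in MEASURES}

if __name__ == "__main__":
    for measure, order in rankings(ESTATE).items():
        print(f"{measure:18} {' > '.join(order)}")
```

Removing "Wiki" from the estate raises Billing's average from 25/7 to 25/6 even though nothing about Billing changed, which is the trend-chart effect described under option 2.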
What do we mean by “worst” anyway?
Is an application that has a single huge risk better or worse than one that has several medium risks? Addressing multiple risks is likely to involve more effort than addressing just one risk. Perhaps the application that is exposed to a lot of risks is more a candidate for replacement rather than trying to address each risk to which it is exposed.
There is, perhaps, real danger in trying to come up with a single number that can “summarize” the level of risk for each application (or for each risk). The mix of quantity and exposure will have an influence on preferred actions. Some controls are able to address a risk for many applications, while others can only be applied to a subset of applications (e.g. those that are utilizing a particular technology).
Our recommendation is to use a combination of fields to truly determine the risk associated with an application and not rely on a single value.