Categorised plans

Prompted by a thread on the ISO27k Forum, I've been contemplating the categorisation planning process I mentioned in yesterday's blog.


This is just a rough diagram to illustrate the concept.  Very rough.  "Rough as" as we say down here on the Far Side.


I've shown the vendor information risk landscape divided into 4 roughly equal quadrants: you may prefer a different number of categories, perhaps of different sizes.

I've suggested annual periods: these could be longer or shorter. Potentially, very high or existential risks might justify 'continuous RA' (risk assessment), i.e. the risks are constantly monitored, reported and proactively managed in near-real-time, somehow.

As with the Deming cycle (Plan-Do-Check-Act), the approach lends itself to maturity with sequential/repeating activities allowing gradual process improvement. The real trick is to identify and solidify the improvements worth making and keeping, systematically.

The approach is simply an outline, a suggestion, a concept. Being an obsessive highly-caffeinated over-thinker, I foresee various practical concerns and questions when it comes down to putting it into practice, such as:
  • Who assigns things into the segments?  How?  When?  On what basis?  What information is needed for the assessment planning step?  Do we need a pre-planning overview assessment?

  • Are the risk assessments essentially the same in each quadrant, or should the high-risk assessments be more thorough as well as more frequent?  

  • Should we use self-assessments (e.g. supplier security questionnaires) as well as, or instead of, facilitated RA in any/all segments?   

  • What happens to things at or straddling the segment boundaries, or those with some high-risk elements in an otherwise medium or low-risk context? Do we even need boundaries, or would a continuous gradation work, a risk spectrum?

  • What about things that are diffuse or dynamic, or are inherently unknowable (including Don Rumsfeld's unknown unknowns)?

  • What about new things that arise or are only recognised after the rest have been planned?  Should our plans include contingency/flexibility, and if so how much?

  • Re the negligible category: what if we are wrong in our planning assumptions and the risks are greater than we thought?
  • How are novel or 'strange' things to be classified?   Do we need a further 'holding' segment for these, or maybe dot them around outside the circle?

  • What if it turns out that things have been mis-classified e.g. if an assessment reveals unexpectedly good or bad results?

  • Who has the authority to propose, develop, authorise, pursue, review and revise the approach, plans, results etc.?

  • How should we manage, propose and approve changes to the plan?  

  • How do we avoid systematic bias, prejudice and other issues (e.g. political interference) in the assessment and/or planning, as well as the execution?

  • How often should we update, review and re-approve the plan? When reviewing and approving, what are the objectives and criteria we should apply?  Would metrics help? 

  • This is just a planning approach: obviously we'd need suitable, sufficient resources to do the planned work, assessment procedures etc. and proper management of all that!  
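
To make some of those practical questions concrete, here is an added example of my own (not from the original post, the diagram, or the ISO27k Forum thread) of a tiered vendor-assessment scheduler in Python. Everything in it is an assumption for illustration: four tiers on a 0-to-10 score, review periods derived from an annual base, a max-of-components rule so one high-risk element lifts an otherwise low-risk vendor, hysteresis at tier boundaries so vendors straddling a line don't flip every cycle, a post-assessment misclassification check, and a contingency reserve of capacity for things that turn up after the plan is set. The vendor names and scores are constructed.

```python
"""Tiered, periodic vendor risk-assessment planner (illustrative, assumed design)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Tiers ordered low to high: (name, lower score bound, review period in days, assessment depth).
# Thresholds, periods and depths are assumptions, not the post's figures.
TIERS = [
    ("negligible", 0.0, 730, "self-assessment questionnaire"),
    ("low",        3.0, 365, "self-assessment questionnaire"),
    ("medium",     6.0, 180, "facilitated risk assessment"),
    ("high",       8.0,  90, "facilitated assessment plus continuous monitoring"),
]
TIER_INDEX = {name: i for i, (name, *_rest) in enumerate(TIERS)}
HYSTERESIS = 0.5   # a score must fall this far below a boundary before a vendor moves down a tier
PLAN_DATE = date(2025, 3, 1)   # constructed planning date for the sample run


@dataclass
class Vendor:
    name: str
    scores: dict                       # risk component -> score on an assumed 0..10 scale
    tier: Optional[str] = None         # tier from the previous planning round, if any
    last_assessed: Optional[date] = None


def composite_score(scores: dict) -> float:
    # Max-of-components: one high-risk element (say, sensitive data) lifts the whole vendor,
    # so it cannot hide inside an otherwise low-risk context.
    return max(scores.values())


def raw_tier(score: float) -> str:
    name = TIERS[0][0]
    for tier_name, lower, _days, _depth in TIERS:
        if score >= lower:
            name = tier_name
    return name


def assign_tier(vendor: Vendor) -> str:
    score = composite_score(vendor.scores)
    proposed = raw_tier(score)
    if vendor.tier is not None and TIER_INDEX[proposed] < TIER_INDEX[vendor.tier]:
        # Moving down must clear the current tier's lower bound by the hysteresis margin;
        # moving up is immediate. A vendor sitting on a boundary therefore stays put.
        current_lower = TIERS[TIER_INDEX[vendor.tier]][1]
        if score >= current_lower - HYSTERESIS:
            proposed = vendor.tier
    vendor.tier = proposed
    return proposed


def next_due(vendor: Vendor, today: date) -> date:
    days = TIERS[TIER_INDEX[vendor.tier]][2]
    if vendor.last_assessed is None:
        return today                   # never assessed: the pre-planning overview is due now
    return vendor.last_assessed + timedelta(days=days)   # overdue items simply sort first


def check_classification(vendor: Vendor, observed_score: float) -> Optional[str]:
    """After an assessment, compare what was found with the tier the plan assumed.
    Returns a flag when the result sits two or more tiers away from the plan."""
    observed = raw_tier(observed_score)
    if abs(TIER_INDEX[observed] - TIER_INDEX[vendor.tier]) >= 2:
        return f"{vendor.name}: planned {vendor.tier}, observed {observed}; re-tier and revisit assumptions"
    return None


def build_plan(vendors, today: date, capacity_per_year: int, contingency: float = 0.2):
    """Assign tiers, order vendors by due date and compare the yearly workload with capacity
    after holding back a contingency share for new or mis-classified vendors."""
    plan, load = [], 0.0
    for v in vendors:
        assign_tier(v)
        _name, _lower, days, depth = TIERS[TIER_INDEX[v.tier]]
        load += 365 / days             # assessments per year this vendor generates
        plan.append((next_due(v, today), v.name, v.tier, depth))
    plan.sort()
    return plan, load, load <= capacity_per_year * (1 - contingency)


def sample_vendors():
    """Constructed sample data covering the edge cases discussed above."""
    return [
        Vendor("PayrollCo", {"data": 9.0, "access": 4.0, "criticality": 6.0}),          # one high element
        Vendor("CoffeeSupplier", {"data": 1.0, "access": 1.0, "criticality": 2.0},
               tier="negligible", last_assessed=date(2024, 1, 10)),
        Vendor("ShopFitters", {"data": 5.7, "access": 3.0, "criticality": 5.0},
               tier="medium", last_assessed=date(2024, 6, 1)),                          # straddles 6.0
        Vendor("OldHost", {"data": 4.0, "access": 2.0, "criticality": 3.0},
               tier="high", last_assessed=date(2025, 1, 15)),                           # risk has fallen
    ]


if __name__ == "__main__":
    plan, load, fits = build_plan(sample_vendors(), PLAN_DATE, capacity_per_year=10)
    for due, name, tier, depth in plan:
        print(f"{due}  {name:<15} {tier:<10} {depth}")
    print(f"assessments/year: {load:.2f}  fits within capacity less contingency: {fits}")
```

The design choices answer the questions directly: frequency and depth both vary by tier rather than frequency alone; the max-of-components rule and hysteresis deal with the boundary cases; the post-assessment check catches mis-classification; and the contingency share keeps room for the things nobody knew about when the plan was signed off.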

Provided we can make it work in practice, the structured/tiered and periodic approach can be valuable in other contexts, such as:
  • Assessing cyber risks, internal risks, safety risks, financial risks, environmental risks, operational risks, technological risks, compliance risks, project risks, market risks ...  

  • Evaluating and reviewing incident probabilities (or threats and vulnerabilities) and impacts, or incidents of varying severity levels

  • Evaluating business processes and activities, or for assurance planning in general e.g. various audits, reviews, tests, inspections, self-assessments

  • Business planning e.g. the quadrants might involve developing/reviewing strategic, tactical, operational and contingency plans

  • Managing stuff - where instead of different review periods, each quadrant reflects differing intensities or types of management oversight, direction, control, assurance etc.

  • Identifying, evaluating and responding to various types of business opportunity with high/medium/low/no potential

  • ... ?  Has this thread stimulated your creative juices too? Have I nailed it or lost the plot? Comments welcome, as always.