Categorised plans

Prompted by a thread on the ISO27k Forum, I've been contemplating the categorisation planning process I mentioned in yesterday's blog.

This is just a rough diagram to illustrate the concept.  Very rough.  "Rough as" as we say down here on the Far Side.

I've shown the vendor information risk landscape divided into 4 equal quadrants: you may prefer a different number of categories, perhaps of different sizes.  

I've suggested annual periods: these could be longer or shorter. Potentially, very high/existential risks might justify 'continuous RA' i.e. the risks are constantly monitored, reported and proactively managed in near-real-time, somehow.   

As with the Deming cycle (Plan-Do-Check-Act), the approach lends itself to maturity with sequential/repeating activities allowing gradual process improvement. The real trick is to identify and solidify the improvements worth making and keeping, systematically.

The approach is simply an outline, a suggestion, a concept. Being an obsessive highly-caffeinated over-thinker, I foresee various practical concerns and questions when it comes down to putting it into practice, such as:

• Who assigns things into the segments?  How?  When?  On what basis?  What information is needed for the assessment planning step?  Do we need a pre-planning overview assessment?
  
  
• Are the risk assessments essentially the same in each quadrant, or should the high-risk assessments be more thorough as well as more frequent?  
  
  
• Should we use self-assessments (e.g. supplier security questionnaires) as well as, or instead of, facilitated RA in any/all segments?   
  
  
• What happens to things at or straddling the segment boundaries, or those with some high-risk elements in an otherwise medium or low-risk context? Do we even need boundaries, or would a continuous gradation work, a risk spectrum?
  
  
• What about things that are diffuse or dynamic, or are inherently unknowable (including Don Rumsfeld's unknown unknowns)?
  
  
• What about new things that arise or are only recognised after the rest have been planned?  Should our plans include contingency/flexibility, and if so how much?
  
  
• Re the negligible category: what if we are wrong in our planning assumptions and the risks are greater than we thought?
       
• How are novel or 'strange' things to be classified?   Do we need a further 'holding' segment for these, or maybe dot them around outside the circle?
  
  
• What if it turns out that things have been mis-classified e.g. if an assessment reveals unexpectedly good or bad results?
  
  
• Who has the authority to propose, develop, authorise, pursue, review and revise the approach, plans, results etc.?
  
  
• How should we manage, propose and approve changes to the plan?  
  
  
• How do we avoid systematic bias, prejudice and other issues (e.g. political interference) in the assessment and/or planning, as well as the execution?
  
  
• How often should we update, review and re-approve the plan? When reviewing and approving, what are the objectives and criteria we should apply?  Would metrics help? 
  
  
• This is just a planning approach: obviously we'd need suitable, sufficient resources to do the planned work, assessment procedures etc. and proper management of all that!  

Provided we can make it work in practice the structured/tiered and periodic approach can be valuable in other contexts, such as:

• Assessing cyber risks, internal risks, safety risks, financial risks, environmental risks, operational risks, technological risks, compliance risks, project risks, market risks ...  
  
  
• Evaluating and reviewing incident probabilities (or threats and vulnerabilities) and impacts, or incidents of varying severity levels
  
  
• Evaluating business processes and activities, or for assurance planning in general e.g. various audits, reviews, tests, inspections, self-assessments
  
  
• Business planning e.g. the quadrants might involve developing/reviewing strategic, tactical, operational and contingency plans
  
  
• Managing stuff - where instead of different review periods, each quadrant reflects differing intensities or types of management oversight, direction, control, assurance etc.
  
  
• Identifying, evaluating and responding to various types of business opportunity with high/medium/low/no potential
  
  
• ... ?  Has this thread stimulated your creative juices too? Have I nailed it or lost the plot? Comments welcome, as always.