For risk management purposes, the value of a physical asset should be based on

Last time we talked about the benefits of an ISMS. The cornerstones of an ISMS are knowing what your assets are and then conducting Risk Management processes based on the value of those assets versus the value of the control against a likelihood and consequence matrix.

Firstly, what do we mean by some of these things? “Information Asset” is bandied around pretty loosely and could mean a lot of different things because it is a subjective term. For the purposes of this article, and for most of the work we do, here is how we move the terms from subjective to objective:

An asset is anything that has value, including:

  • Systems or groups of systems (did I hear classes? More on that later)
  • Physical Things
  • People including their experience and qualifications
  • Reputation
  • Software

Information is meaningful data, the structure of which is unimportant.

The Elephant Problem

  • Assets should be defined at a level of detail that allows them to be managed
  • Too much granularity creates elephants to eat, large unwieldy tasks that are hard to consider
  • Too little detail reduces effectiveness

So… how do you eat an elephant? One bite at a time?**

Divide and Conquer

One of the hardest things to get started on is managing risk where assets are poorly defined. Quite often people start with an individual device-based database and work from the ground up. Applying a risk assessment to every single network device, server, endpoint, door, etc. gets kind of silly and almost always fails.

If you had a handful of things to assess initially, wouldn’t that be easier?

The Asset Class

The idea of an asset class is to roll up groups of platforms, systems and infrastructure into more manageable constructs. Fewer than 10 for a first pass is ideal. The classes will depend on your organisation, your structure and your appetite for Risk Management. Initial candidates for Asset Classes are:

  • Core financial systems and associated infrastructure
  • HR systems and associated infrastructure
  • IT and associated infrastructure
  • Source code systems
  • Corporate systems
  • Physical assets which underpin any classes including buildings and data centres
  • Key people

While we still use spreadsheets or proprietary GRC tools to carry out our risk component, managing complexity allows us to:

  • Get started quicker
  • See results in a timely fashion
  • Not get “lost in the weeds” of detail
  • Make changes to the approach early without having to change large datasets of information

**Footnote, no elephants were harmed in the production of this article, it’s a metaphor, we like elephants, please don’t flame us on it.

What are the physical asset risks?

[10] have classified the asset management risks in six categories including physical failure, operational failure, risks associated with natural environmental events, risks associated with factors outside of the organization's control, stakeholder related risks and asset life-cycle phases.

What is asset in risk management?

Asset Risk — the measure of an asset's default potential or market value fluctuation. For example, assume a firm's investment portfolio includes grain futures purchased on the Chicago Board of Trade (CBOT).