Many risk models focus on security and view risk management from the perspective of maintaining hardware and data security and integrity. One example is the Office of Government Commerce (OGC) Risk Analysis and Management Methodology (known as CRAMM). Another example would be the use of business impact analysis methods and techniques to assess the impact on the business due to the loss or degradation of service.


Sanctioned by the Information Technology Infrastructure Library (ITIL), CRAMM was developed by Insight Consulting. CRAMM is a structured, three-step process embodied in a software package for assessing risks to information systems and identifying appropriate countermeasures. CRAMM asserts that risk is dependent on asset values, threats, and vulnerabilities. The importance of these parameters is assessed by the CRAMM team in a series of interviews with the business owners of the assets, the users of the systems and services, the organization's security department, suppliers and partners, and the in-house support teams. The outcome of this CRAMM review is an analysis of current risks and a set of recommended countermeasures that are deemed appropriate to the classification of risk and to the IT infrastructure.

Business Impact Analysis

Business impact analysis (BIA) is a controlled method of analyzing and determining the immediate and ongoing impact of the loss of a service (or part of a service) to business resources and business processes. Once these are understood, then the financial impact can be determined. BIA is a key discipline within the MOF IT Service Continuity Management SMF, and together with the service catalog (from the Service Level Management SMF) and the risk assessment (from the Availability Management SMF), provides an essential view of how IT supports and enables the business. Additionally, when added to the costing and charging models (from the Financial Management SMF), this method can provide financial information about the cost of downtime and loss of service. By working with the business, the IT service provider can, through the use of BIA, identify which services must be recovered, in what order, over what timescale, and to what level.

Beyond Security

CRAMM and BIA are valuable approaches, but the MOF Risk Management Discipline broadens the scope of potential risks beyond security or business impact to include risks related to people, process, and technology. The MOF Risk Management Discipline provides guidance and stresses continual review of security risks in six steps: identifying, analyzing, planning, tracking, controlling, and learning. Moreover, MOF recognizes that security management is just one component of managing risks in the operations environment. The MOF Risk Management Discipline takes a comprehensive view of risk management that includes risks associated with agility, performance, and cost-in addition to security. From the business perspective, an IT operation can have an effective security structure but still could fail if it does not address the risks inherent in agility, performance, and cost.