Like the business model canvas, the Risk Model Canvas has nine building blocks. It describes the company context in the same terms as the business model canvas. The third step is to challenge the items in each block in order to identify potential risks. Before starting the structured analysis, however, it is worth gathering management's initial thoughts. Present the canvas and ask:
After that, proceed to discuss the availability, integrity, and confidentiality issues related to the items in each block of the canvas. Here are some guidelines. Don’t forget the meaning of ‘high risk’ defined in step 2!
- Customer Segments: Identify the target customers for the business. Ask questions like: Are there any blocking requirements from customers, such as compliance requirements?
- Value Proposition: Determine the unique benefits the business offers to its customers. Consider potential threats to the business proposition. From an information security standpoint, focus on working with large amounts of personal or confidential data, especially customer data.
- Channels: Explore the ways the business reaches and interacts with its customers. Assess if there are any threats to the ideal customer reach. Consider whether legal requirements, such as EU direct marketing, SPAM, cookie, and privacy laws, are interfering with the channels.
- Customer Relationships: Identify the types of relationships the business has with its customers. Recognize that doing business with end-consumers may involve privacy and marketing law risks, while business-to-business relationships may present lower risks in this area.
- Key Resources: Determine the critical resources necessary for the business to operate. Ask questions like: What if a resource becomes unavailable? What if a resource is corrupted? What if the confidentiality of a resource is compromised?
- Key Partners: Recognize the key partners and suppliers that the business relies on. Consider potential risks associated with partners, such as their ability to deliver or maintain a high-quality service. Assess if partners have access to confidential data and the implications if they were to breach confidentiality.
- Key Activities: Identify the most important activities the business must perform to succeed. Assess the potential consequences if an activity is disrupted for a short or extended period. Consider the impact of a decline in activity quality. Determine if certain activities require confidentiality and the risks associated with confidentiality breaches.
- Revenue Streams: Identify the sources of income for the business. Financial risks will be evaluated differently. However, understanding the major revenue streams can help focus risk discussions. Recurring revenues may indicate the need to thoroughly assess availability and quality risks associated with the value proposition and key activities linked to those revenues. Project revenues combined with recurring revenues may highlight the need for customization in a standard product or service. This presents the risk of maintaining customization while further developing the standard offering.
- Cost Structure: Consider the costs associated with operating the business. Financial risks will be evaluated differently. However, knowing the major cost items can help guide risk discussions. For example, a company whose costs are 80% employee costs may need to examine risks related to human error.
Experience shows that this method typically yields 10 to 20 defined risks. This is completely fine. Don't forget that it is a high-level risk analysis conducted with management. Keep them involved; don't get too detailed.
Note that the method is suited to any type of risk. If it is used, for example, for the ISO 27001 standard on information security, label the risks to which that standard applies.
You can find a template risk matrix at the provided link.