Processes vs. Systems

In the Financial Exposure section we discussed the reliance on monetary loss as an objective, commonly accepted measure for assessing risk. A similar issue arises in determining what should be assessed. A risk assessment can look at the risks associated with computer systems, buildings, data or other assets. The Simple Risk Method instead focuses on the primary processes within an organization ("Core Processes"), since the major risk to the business is a failure of its processes, not of its assets. For example, a business may maintain an Internet server that hosts an application customers use to purchase products from the business. What is the risk if the application contains a programming error that sends products to the wrong customers? The risk resides in the customer purchasing process, not in the computer or the application. These assets are merely facilities used by the process. In effect, the assets inherit their risk from the process. Put another way, what is the risk for an application server used in the customer purchasing process versus the same type of application server used to maintain the company's internal phone directory? They are the same assets, but they carry different risks based on the processes they support.

The focus on processes in the risk assessment is supported by the way most businesses are organized. If you look at a business organization chart (a high-level representation of how the business organizes and prioritizes its resources), you will not see assets. You will see high-level or core processes. That is where the risk is found, and for this reason the Simple Risk Method assesses processes, not assets.
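The inheritance rule described above, as an added illustration that is not part of the Simple Risk Method's own materials: the risk register lists core processes with their financial exposure, and assets carry no exposure of their own but inherit it from the processes they support. The process names, dollar figures and the three assets are constructed sample data, and taking the maximum exposure across supported processes (rather than the sum) is an assumption of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CoreProcess:
    """A core process with its financial exposure (monetary loss if it fails)."""
    name: str
    financial_exposure: float  # constructed estimate, in dollars


@dataclass(frozen=True)
class Asset:
    """An asset carries no risk of its own; it only supports processes."""
    name: str
    asset_type: str
    supports: tuple  # names of the core processes this asset is used by


def inherited_exposure(asset: Asset, processes: dict) -> float:
    """Risk an asset inherits: the largest exposure among the processes it supports.

    Max rather than sum is an assumption of this example: a single failure of
    the asset interrupts every process relying on it at once, so the asset is
    at least as critical as the most critical of those processes.
    """
    unknown = [p for p in asset.supports if p not in processes]
    if unknown:
        # An asset mapped to a process missing from the register is a data error,
        # not a zero-risk asset; refuse rather than silently under-rate it.
        raise KeyError(f"{asset.name} supports unregistered process(es): {unknown}")
    return max((processes[p].financial_exposure for p in asset.supports), default=0.0)


def rank_assets(assets: list, processes: dict) -> list:
    """Order assets by inherited exposure, highest first, as (name, exposure) pairs."""
    ranked = [(a.name, inherited_exposure(a, processes)) for a in assets]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed sample register: two core processes and three assets.
PROCESSES = {
    p.name: p
    for p in (
        CoreProcess("customer purchasing", 2_000_000.0),
        CoreProcess("internal phone directory", 5_000.0),
    )
}

ASSETS = [
    # Two identical application servers: same asset type, different processes.
    Asset("app-server-01", "application server", ("customer purchasing",)),
    Asset("app-server-02", "application server", ("internal phone directory",)),
    # A shared asset inherits the exposure of the most critical process it carries.
    Asset("core-switch", "network switch",
          ("customer purchasing", "internal phone directory")),
]


if __name__ == "__main__":
    for name, exposure in rank_assets(ASSETS, PROCESSES):
        print(f"{name:14s} inherits ${exposure:,.0f}")
```

The two application servers are indistinguishable as assets, yet app-server-01 ranks with the customer purchasing process and app-server-02 with the phone directory; the shared switch ranks at the top because the purchasing process depends on it. Changing an asset's ranking therefore means changing the processes it supports, or the exposure of those processes, never a property of the asset itself.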