Identification of scope is another critical aspect of risk management. Before the risk identification process begins, the boundaries of the analysis and the topics to be covered within it should be clearly understood and agreed upon: what is included and what is excluded? This matters particularly when calculating the amount of loss or reward, because those figures are directly driven by the number and size of the items in scope.
The scope may include technology, organizational, geographical or functional boundaries.
When analyzing key risk areas, defining the scope may be particularly important in order to work with manageable chunks of information (for example, it may not be possible to gather data on the full impact of a regulatory law in a single risk identification session; the scope may be too large, and a decomposition of the scope into smaller parts may be necessary). The stakeholder representatives involved may vary depending on the scope of a particular assessment.
Examples of scope statements for risk identification:
All IT systems across the enterprise, including systems internal to the company as well as those managed externally by suppliers, but excluding process control computer systems
All computer systems of any type, both IT and process control
All regulated IT computer systems, for example in pharmaceutical and financial companies