Application Portfolio Management (APM) Best Practices
Assess application risk - security, compliance, vendor, and operational risk
Overview
Application risk is multidimensional, and a risk assessment that considers only one dimension produces an incomplete and potentially misleading picture of portfolio risk. An application that appears secure may be supported by a financially unstable vendor whose failure would create immediate continuity risk, and would also end the flow of security patches. An application that is contractually compliant may run on end-of-life infrastructure that creates security and operational risk its compliance posture does not reveal. A comprehensive application risk assessment must consider all relevant risk dimensions at the same time and aggregate them into a portfolio-level risk view that leadership can act on, without letting a low score on one dimension dilute a high score on another.
Best Practice
Assess each application against four primary risk dimensions as part of every rationalization review, recording the evidence behind each rating so that the result can be challenged and re-checked later.

Security risk addresses the application's security posture: is it running on supported technology with current patches applied; does it have known, unresolved vulnerabilities, and how long have they been open; does it handle sensitive data with controls appropriate to that data?

Compliance risk addresses the application's regulatory and policy obligations: which compliance frameworks and internal policies apply to it, and is it demonstrably meeting them?

Vendor risk addresses the risk embedded in the vendor relationship: is the vendor financially stable; is the vendor's roadmap aligned with the organization's direction; is there harmful concentration in the vendor relationship, such as a sole supplier with no exit or escrow arrangement?

Operational risk addresses the application's reliability and continuity: what is its incident history; what are its key-person dependencies; what technical debt creates operational fragility?

The dimensions interact. An unsupported product is a vendor finding and, because it will no longer receive security fixes, a security finding as well; record it under both rather than choosing one.
Benefit(s)
Multi-dimensional risk assessment produces a portfolio risk view that is comprehensive enough to inform meaningful governance decisions. Applications that appear low-risk on one dimension but high-risk on another are identified rather than misclassified as low-risk based on partial assessment. This only holds if the aggregation rule is chosen carefully: an application should be rated by its worst dimension, not by an average across dimensions, because an average lets three low ratings hide one critical one. Risk-informed portfolio decisions protect the organization from the consequences of risks that single-dimension assessments would miss. Leadership gains a credible, evidence-based portfolio risk picture that enables prioritized, proportionate risk mitigation investment.
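The following script illustrates the four-dimension assessment and the aggregation point made above. It is an added example written for this page, not IF4IT tooling or a prescribed method; the 1-to-4 rating scale, the "weakest dimension" roll-up, the application names, their scores and the evidence strings are all constructed assumptions. It shows the misclassification the text warns about by computing, for each application, both a weakest-dimension rating and the rating an average would have produced.

```python
"""Four-dimension application risk roll-up.

Added example for this page, not IF4IT code. The rating scale, the
applications, their scores and the evidence strings are constructed
for illustration only.
"""
from collections import Counter
from dataclasses import dataclass

DIMENSIONS = ("security", "compliance", "vendor", "operational")
RATINGS = {1: "low", 2: "medium", 3: "high", 4: "critical"}
HIGH = 3  # ratings at or above this must reach the portfolio view unmasked


@dataclass
class Application:
    name: str
    scores: dict    # dimension -> 1..4, one entry per DIMENSIONS
    evidence: dict  # dimension -> one-line justification for the score

    def __post_init__(self):
        # An unscored dimension is a gap in the assessment, not a "low".
        missing = set(DIMENSIONS) - set(self.scores)
        if missing:
            raise ValueError(f"{self.name}: unscored dimensions {sorted(missing)}")
        bad = [d for d in DIMENSIONS if self.scores[d] not in RATINGS]
        if bad:
            raise ValueError(f"{self.name}: scores out of range for {bad}")


def weakest_dimension(app):
    """Weakest-link aggregation: the application is as risky as its worst
    dimension. Returns (score, dimension)."""
    dim = max(DIMENSIONS, key=lambda d: app.scores[d])
    return app.scores[dim], dim


def mean_score(app):
    """Naive aggregation that averages the four dimensions."""
    return sum(app.scores[d] for d in DIMENSIONS) / len(DIMENSIONS)


def masked_by_average(app):
    """True when averaging would report the application below HIGH even
    though one dimension is at or above HIGH."""
    worst, _ = weakest_dimension(app)
    return worst >= HIGH and mean_score(app) < HIGH


def portfolio_view(apps):
    """One row per application, worst first, naming the driving dimension
    and its evidence so the reader sees why, not just a number."""
    rows = []
    for app in sorted(apps, key=lambda a: weakest_dimension(a)[0], reverse=True):
        worst, dim = weakest_dimension(app)
        rows.append({
            "application": app.name,
            "rating": RATINGS[worst],
            "driver": dim,
            "evidence": app.evidence.get(dim, ""),
            "average_would_say": RATINGS[round(mean_score(app))],
            "masked_by_average": masked_by_average(app),
        })
    return rows


def rating_counts(apps):
    """Headline numbers for leadership: how many apps sit at each rating."""
    return Counter(RATINGS[weakest_dimension(a)[0]] for a in apps)


# Constructed sample portfolio (hypothetical applications and findings).
SAMPLE = [
    Application("payroll-legacy",
                {"security": 4, "compliance": 1, "vendor": 1, "operational": 2},
                {"security": "runtime past end of support; known vulnerabilities unpatched"}),
    Application("supplier-portal",
                {"security": 1, "compliance": 2, "vendor": 4, "operational": 1},
                {"vendor": "sole supplier in administration; no escrow agreement"}),
    Application("claims-core",
                {"security": 3, "compliance": 3, "vendor": 3, "operational": 3},
                {"security": "open findings from last assessment"}),
    Application("team-wiki",
                {"security": 1, "compliance": 1, "vendor": 1, "operational": 2},
                {"operational": "single administrator, no documented handover"}),
]

if __name__ == "__main__":
    for row in portfolio_view(SAMPLE):
        print(row)
    print(dict(rating_counts(SAMPLE)))
```

Running the script shows payroll-legacy and supplier-portal as critical with `masked_by_average` set: each averages to "medium" because three dimensions are quiet, which is exactly the partial-assessment error the text describes. claims-core is high on every dimension and is reported the same way by both rules; the difference between the rules only appears where risk is concentrated in one dimension.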
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present