# Applications Inventory and Attributes

## Risk attributes for the Applications Inventory
Risk attributes capture the aggregate and dimensional risk profile of each application, enabling portfolio-level risk governance and investment prioritization grounded in evidence rather than opinion.
| Attribute Name | Maturity | Description and Notes |
|---|---|---|
| Overall Risk Rating | Crawl | Description — A summary assessment of the combined risk exposure this application presents to the organization — expressed as Low, Medium, High, or Critical — reflecting the aggregate of security, vendor, operational, compliance, and data risk dimensions. Benefit(s) — The most important portfolio-level risk signal for triage and executive reporting. Without an Overall Risk Rating for every application, the portfolio cannot be sorted by risk, risk concentration cannot be reported to leadership, and the most dangerous applications cannot be systematically identified and prioritized for remediation. Source — Manually Entered — assessed by the IT Application Owner in consultation with the Security Owner. Examples — Critical (legacy ERP running on unsupported OS with known CVEs), High (CRM with recent security audit failures), Medium (HR portal with limited PII exposure), Low (internal wiki with no sensitive data). Notes — Valid values: Low, Medium, High, Critical. |
| Composite Risk Score | Run | Description — A single numeric score from 1 (lowest risk) to 5 (highest risk) that aggregates the qualitative risk ratings across all risk dimensions into a single comparable value. Benefit(s) — Enables quantitative portfolio risk analysis, risk-versus-business-value scatter analysis for rationalization prioritization, and threshold-based alerting when applications cross defined risk score boundaries. Source — Calculated from: Security Risk Rating, Vendor Risk Rating, Operational Risk Rating, Key Person Dependency Risk, End-of-Life Risk, Data Sensitivity Risk, and Regulatory Non-Compliance Risk within this record. Calculation methodology: weighted average of dimensional ratings converted to a 1–5 numeric scale per the APM Governance Policy. |
| Security Risk Rating | Walk | Description — An assessment of the security-specific risk this application presents — reflecting vulnerability exposure, access control maturity, patch currency, and security audit findings. Benefit(s) — Enables security risk to be governed separately from operational and vendor risk, which require different mitigation approaches and different accountability. High Security Risk Ratings identify applications requiring prioritized security remediation investment. Source — Manually Entered — assessed by the Security Owner. Notes — Valid values: Low, Medium, High, Critical. |
| Vendor Risk Rating | Walk | Description — An assessment of the risk arising from the organization's dependence on the application's primary vendor — reflecting vendor financial health, concentration risk, support status trajectory, and contractual exit rights. Benefit(s) — Identifies applications where the organization's operational continuity is exposed to vendor-side risk factors it cannot directly control. Applications with High or Critical Vendor Risk Ratings warrant specific vendor risk mitigation strategies including exit planning and contract restructuring. Source — Manually Entered. Notes — Valid values: Low, Medium, High, Critical. |
| Operational Risk Rating | Walk | Description — An assessment of the risk the application presents through its operational behavior — including reliability history, support model adequacy, disaster recovery posture, and dependencies on key operational personnel. Benefit(s) — Enables operational risk to be tracked and managed separately from security and vendor risk. High Operational Risk Ratings identify applications where investment in reliability, support model, or disaster recovery would produce the greatest reduction in operational exposure. Source — Manually Entered. Notes — Valid values: Low, Medium, High, Critical. |
| Key Person Dependency Risk | Walk | Description — An assessment of the risk arising from the organization's dependence on specific individuals whose departure would significantly impair the organization's ability to govern, operate, or maintain the application. Benefit(s) — Quantifies and makes visible the organizational vulnerability created when critical application knowledge is concentrated in one or two individuals. Key Person Dependency Risk becomes acutely visible only when the key person leaves — making proactive identification essential. Source — Manually Entered. Notes — Valid values: Low, Medium, High, Critical. |
| End-of-Life / End-of-Support Risk | Walk | Description — An assessment of the risk arising from the application or its technology stack approaching or having reached vendor End-of-Life or End-of-Support. Benefit(s) — Enables proactive EOL risk management with enough lead time to fund and execute remediation. Applications in Critical EOL status carry unresolvable security vulnerabilities and should be treated as immediate rationalization priorities. Source — Derived from: End-of-Life / End-of-Support Status within this record. Mapping: No Risk → Low, Approaching → Medium, Imminent → High, Expired → Critical. |
| Data Sensitivity Risk | Walk | Description — An assessment of the risk arising from the type and sensitivity of data the application processes, stores, or transmits. Benefit(s) — Applications that process highly sensitive, regulated, or personally identifiable data carry elevated breach impact and regulatory non-compliance risk that warrants proportionally greater security investment, access control rigor, and audit readiness. Source — Manually Entered — assessed in conjunction with the Data Owner and Security Owner. Notes — Valid values: Low, Medium, High, Critical. |
| Regulatory Non-Compliance Risk | Walk | Description — An assessment of the risk that the application is out of compliance with the regulatory frameworks applicable to its data, operations, or hosting environment. Benefit(s) — Identifies applications where regulatory compliance gaps are creating immediate or near-term legal, financial, and reputational exposure. Enables compliance remediation investment to be prioritized by actual risk exposure rather than by audit schedule. Source — Manually Entered — assessed by the Security Owner and Compliance function. Notes — Valid values: Low, Medium, High, Critical. |
| Business Continuity Risk | Walk | Description — An assessment of the risk to the organization's operational continuity if this application becomes unavailable for a period exceeding its defined Recovery Time Objective. Benefit(s) — Quantifies the operational exposure created by inadequate disaster recovery posture, availability SLA gaps, or insufficient backup infrastructure. Applications with High or Critical Business Continuity Risk that lack appropriate recovery capabilities represent a known organizational vulnerability. Source — Manually Entered. Notes — Valid values: Low, Medium, High, Critical. |
| Third-Party / Supply Chain Risk | Run | Description — An assessment of the risk arising from the application's dependence on third-party components, open source libraries, external APIs, or other supply chain elements outside the organization's direct control. Benefit(s) — Software supply chain risk has become one of the most significant and fastest-growing sources of enterprise security exposure. Applications with deep third-party dependency profiles carry risks that are invisible without systematic supply chain risk assessment at the application level. Source — Manually Entered — assessed by the Security Owner using Software Bill of Materials (SBOM) data where available. Notes — Valid values: Low, Medium, High, Critical. |
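A worked version of the Composite Risk Score calculation and the derived End-of-Life risk mapping from the table above, added here as an example rather than IF4IT's own code. It assumes equal weights across the seven dimensions and a linear spread of the four ratings over the 1–5 scale, since the page defers the actual weights to the APM Governance Policy; the `LEGACY_ERP` record is constructed sample data.

```python
from typing import Mapping

VALID_RATINGS = ("Low", "Medium", "High", "Critical")
# Assumption: the four ordinal ratings are spread linearly over the page's 1-5
# scale (Low=1.0, Medium=2.33, High=3.67, Critical=5.0); the page does not fix this.
RATING_TO_SCORE = {r: 1.0 + 4.0 * i / 3 for i, r in enumerate(VALID_RATINGS)}

# Mapping stated on the page: End-of-Life / End-of-Support Status -> risk rating.
EOL_STATUS_TO_RISK = {"No Risk": "Low", "Approaching": "Medium",
                      "Imminent": "High", "Expired": "Critical"}

# The seven dimensions the page names as inputs to the Composite Risk Score.
DIMENSIONS = ("Security Risk Rating", "Vendor Risk Rating", "Operational Risk Rating",
              "Key Person Dependency Risk", "End-of-Life Risk",
              "Data Sensitivity Risk", "Regulatory Non-Compliance Risk")
# Assumption: equal weights; the real weights live in the APM Governance Policy.
EQUAL_WEIGHTS = {d: 1.0 for d in DIMENSIONS}

def derive_eol_risk(status: str) -> str:
    """Derived attribute: EOL status -> EOL risk rating; an unknown status is an error."""
    if status not in EOL_STATUS_TO_RISK:
        raise ValueError(f"unknown End-of-Life status: {status!r}")
    return EOL_STATUS_TO_RISK[status]

def composite_risk_score(record: Mapping[str, str],
                         weights: Mapping[str, float] = EQUAL_WEIGHTS) -> float:
    """Weighted average of the dimensional ratings on the 1-5 scale, to 2 decimals.
    A missing or misspelled rating raises instead of being skipped: silently
    dropping a dimension would understate the application's risk."""
    total = weight_sum = 0.0
    for dim in DIMENSIONS:
        rating = record.get(dim)
        if rating not in VALID_RATINGS:
            raise ValueError(f"{dim}: invalid or missing rating {rating!r}")
        total += weights[dim] * RATING_TO_SCORE[rating]
        weight_sum += weights[dim]
    return round(total / weight_sum, 2)

def crosses_threshold(previous: float, current: float, threshold: float) -> bool:
    """Threshold-based alerting: True when a score rises across the boundary."""
    return previous < threshold <= current

# Constructed sample record: a legacy ERP whose vendor support has expired.
LEGACY_ERP = {"Security Risk Rating": "Critical", "Vendor Risk Rating": "High",
              "Operational Risk Rating": "High", "Key Person Dependency Risk": "Medium",
              "End-of-Life Risk": derive_eol_risk("Expired"),
              "Data Sensitivity Risk": "High", "Regulatory Non-Compliance Risk": "Medium"}
```

Running `composite_risk_score(LEGACY_ERP)` yields 3.67 under these assumptions; swapping in the policy's real weights only changes `EQUAL_WEIGHTS`, not the validation or alerting logic.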
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present