What matters: asset identification
Duration: 30 to 45 minutes
Materials: index cards or sticky notes, markers, wall or large table
The exercise
Identify what your organisation depends on to deliver its services. Not everything, just what actually matters. The constraint is important: risk management that attempts to cover everything covers nothing well.
Step 1: Brainstorm assets (10 minutes)
Working individually or in small groups, write assets on cards, one per card. Think broadly across five categories: information (customer data, financial records, intellectual property, operational data), systems (applications, databases, websites, infrastructure, control systems), services (critical business processes, third-party services, supply chains), people (key personnel, specialised knowledge, relationships), and physical assets (facilities, equipment, hardware).
Do not self-censor at this stage. The narrowing happens in the next step.
Step 2: Cluster and categorise (10 minutes)
Group similar assets together into categories that reflect how the organisation actually thinks about its operations: customer-facing systems, internal operations, data repositories, infrastructure and platforms, third-party dependencies. Use the categories that are meaningful to the people in the room, not generic taxonomy.
Step 3: Identify critical assets (15 minutes)
For each asset or cluster, ask: if this were unavailable for a day, what breaks? If this were compromised, what would the impact be? Is this a single point of failure? Can the organisation operate without it?
Mark the ten to twenty assets that are genuinely critical. These are the focus of the rest of the exercises.
The “everything is critical” response that groups sometimes produce is a placating move: it avoids the discomfort of prioritisation by not prioritising. The facilitator can push back gently but firmly. Not everything is equally critical. If a group cannot identify which assets would cause immediate operational failure if lost, they do not yet have the shared understanding of the system that risk management requires.
Step 4: Document dependencies (10 minutes)
For each critical asset, note what it depends on: which systems it relies on, what data it needs, who manages it, which suppliers support it. Dependencies are where single points of failure hide.
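As an added illustration, not part of the exercise materials: a small dependency map modelled in Python over constructed sample assets. It walks each critical asset's transitive dependencies and surfaces the upstream assets that were not marked critical in step 3 but would take more than one critical asset down with them. All asset names are constructed, and the model assumes every listed dependency is required (no redundancy).

```python
# Blast-radius check over a constructed asset dependency map (step 4).
# Assumes each listed dependency is required (no redundancy): an upstream
# asset that fails takes everything that depends on it down too.
from collections import defaultdict

# Constructed sample: asset -> assets it directly depends on. Assets with
# no entry (e.g. "cdn", "dba team") have no further dependencies.
DEPENDENCIES = {
    "customer portal": {"orders db", "identity provider", "cdn"},
    "payments service": {"orders db", "identity provider", "payment gateway (3rd party)"},
    "warehouse scheduling": {"orders db", "on-call ops engineer"},
    "orders db": {"dc-1 storage array", "dba team"},
    "identity provider": {"dc-1 storage array"},
    "dc-1 storage array": {"dc-1 power/cooling"},
}
# The assets the group marked as critical in step 3.
CRITICAL = {"customer portal", "payments service", "warehouse scheduling"}


def transitive_dependencies(asset, deps):
    """All assets `asset` relies on, directly or through other assets."""
    seen, stack = set(), list(deps.get(asset, ()))
    while stack:
        d = stack.pop()
        if d not in seen:
            seen.add(d)
            stack.extend(deps.get(d, ()))
    return seen


def blast_radius(deps, critical):
    """Map each upstream asset to the critical assets that stop if it fails."""
    radius = defaultdict(set)
    for c in critical:
        for d in transitive_dependencies(c, deps):
            radius[d].add(c)
    return dict(radius)


def hidden_single_points_of_failure(deps, critical):
    """Upstream assets not marked critical that would take down more than
    one critical asset: the gaps step 4 is meant to expose."""
    return sorted((d, sorted(hit)) for d, hit in blast_radius(deps, critical).items()
                  if d not in critical and len(hit) > 1)


if __name__ == "__main__":
    for dep, hit in hidden_single_points_of_failure(DEPENDENCIES, CRITICAL):
        print(f"{dep!r} underpins {len(hit)} critical assets: {', '.join(hit)}")
```

In the sample, the storage array, its power and cooling, the DBA team and the identity provider all underpin several critical assets despite not being on the critical list, which is exactly the kind of hidden single point of failure the dependency step is meant to bring into the room.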
Output
A list of critical assets of ten to twenty items, with categories, dependencies noted, and a shared understanding of why each matters. The shared understanding is as important as the list: a risk register built on a list that only one person actually understands is a risk register that only one person can maintain.
What this exercise is testing
Beyond the outputs, this exercise reveals whether the group has a shared and accurate model of what the organisation depends on. Disagreements during the exercise are findings: they indicate that different parts of the organisation are operating on different understandings of what matters. Those gaps are worth naming and resolving before the risk assessment proceeds.
Missing business context in an otherwise technical list is also a finding: it indicates that the risk management process is being conducted without adequate input from the people who operate the business, which will predictably produce a risk register that the business does not recognise as its own.