Caselet homework - risk taxonomies for ATMO, GUP, GHSP

Solution to the three risk taxonomy caselets (4A, 4B, 4C). Each one follows the same two-step method from the course: identify the organisation’s strategic priorities, then translate those priorities into measurable impact criteria with rating scales.

Method - the two-step approach

Before each solution, a quick reminder of how this works (chapter 5 of the course notes).

Step 1 - What is important to this organisation? The strategic priorities are usually stated in the mission and strategy sections of the caselet. Pull them out verbatim or summarise tightly.

Step 2 - Translate priorities into measurable impact criteria, each with a rating scale 0-5. The criteria become the horizontal dimension of the taxonomy - the things that, if affected by a risk event, would matter to the organisation.

Design rules to apply:

  • Use 6 rating levels (0-5): an even number of levels leaves no middle value, so people are forced to commit rather than parking in the middle
  • Each rating level should be tied to a meaningful, qualitatively different consequence
  • Where possible make ratings measurable (percentages, monetary thresholds, counts) rather than vague qualitative words
  • Cover the strategic priorities completely - if a priority isn’t reflected in any criterion, the taxonomy has a gap
  • Don’t overdo it - the FAIR list has six criteria total, ISACA has more but they’re grouped. Five to six well-chosen criteria is the right ballpark

4A - ATMO Solutions

Step 1 - what matters to ATMO

ATMO is a designer and manufacturer of automotive electronics. Three strategic priorities, in order of importance:

  • Grow through innovation - higher-margin products focused on connected car, safety, location services, and environmental themes
  • Maintain high quality levels - consistent quality to protect customer confidence and reputation
  • Focus on prime car constructors - long-term customer relationships, speed of innovation, margin protection

Reading between the lines: ATMO is a B2B supplier where safety-critical products go into other people’s vehicles. The dependencies that matter are customer relationships (a major OEM walking away is a strategic disaster), product quality (a recall is both expensive and reputationally fatal), innovation capability (without it the business model collapses), and financial performance (margins are mentioned twice in the strategy, signalling that the business case is margin-driven).

Step 2 - impact criteria with rating scales

Five criteria covering the four dimensions identified above. Innovation, quality, customer relationship, and finance get one each; reputation gets its own because in this industry a single high-profile failure can outlast individual customer relationships.

A. Innovation capability

Measures damage to the company’s ability to develop and bring innovative products to market - the core engine of the strategy.

  • 0 - No impact on innovation capability or pipeline
  • 1 - Minor delay (less than 3 months) on one non-strategic innovation project
  • 2 - Moderate delay (3-6 months) on a strategic innovation project, or capability to innovate slightly impacted but recoverable
  • 3 - Significant delay (6-12 months) on a strategic innovation project, competitive position weakened
  • 4 - Major innovation project cancelled or strategic capability seriously impaired; key talent/IP affected
  • 5 - Innovation pipeline collapses; competitive advantage through innovation lost, IP or key personnel permanently lost

B. Product quality

Measures defects reaching customers, with product recall as the central anchor since recalls are the public, measurable failure mode in automotive.

  • 0 - No quality incident; all controls effective
  • 1 - Quality issue caught in factory; less than 1% of production affected; no customer impact
  • 2 - Quality issue caught in factory; more than 1% of production affected; minor rework cost
  • 3 - Product recall post-production; less than 1% of fielded units affected
  • 4 - Product recall post-production; 1-5% of fielded units affected; significant remediation cost
  • 5 - Major product recall; more than 5% of fielded units affected, or recall involving a safety-critical failure that caused injury

C. Customer satisfaction (prime constructors)

Measures the health of the strategic customer relationships ATMO has explicitly prioritised. Anchored on relationship continuity, not on generic NPS scores, because losing a major OEM is the actual risk.

  • 0 - All key customer relationships strong; satisfaction ratings above 8/10
  • 1 - One key customer satisfaction rating drops to 7-8 range; no business impact
  • 2 - One key customer satisfaction rating drops to 6-7 range; verbal concerns raised
  • 3 - One key customer satisfaction rating below 6; written complaints or contract concerns
  • 4 - A key customer reduces orders or threatens contract termination
  • 5 - Loss of a key (prime constructor) customer

D. Financial impact

Measures revenue loss or unbudgeted cost. Strategy emphasises margins twice, so this gets its own criterion.

  • 0 - Less than 0.25% of annual revenue impact
  • 1 - 0.25-0.5% of annual revenue impact
  • 2 - 0.5-1% of annual revenue impact
  • 3 - 1-2% of annual revenue impact
  • 4 - 2-5% of annual revenue impact
  • 5 - More than 5% of annual revenue impact, or threat to going concern

E. Reputation

Reputation gets its own criterion because in safety-critical automotive supply, a public incident has effects beyond any individual customer or quality event. A bad headline can poison future business across the entire OEM market.

  • 0 - No reputation impact
  • 1 - Internal awareness only; no external visibility
  • 2 - Industry trade press mention; limited reach
  • 3 - National general press coverage; recoverable
  • 4 - Sustained negative national coverage; multi-quarter recovery needed
  • 5 - International negative coverage; regulatory investigation triggered, or industry exclusion (blacklisted by an OEM consortium)

4B - Global United Parliament (GUP)

Step 1 - what matters to GUP

GUP is the democratically elected parliament of a union of nations, with a tightly controlled budget and a strong emphasis on integrity and reputation. The stated values are:

  • Integrity and reputation - the most important assets
  • Modesty and responsibility in use of public funds
  • Diligent handling of sensitive information
  • Safety of MPs
  • Operating within strict budgets (sometimes at the cost of innovation)

This is fundamentally different from ATMO. GUP doesn’t have customers, products, or margins. It has citizens, legitimacy, and a fiduciary duty to spend public money well. The risks that matter are about public trust, leaked information, harm to MPs, and budget overruns - not about market share or competitive advantage.

Step 2 - impact criteria with rating scales

Five criteria covering reputation, MP/user satisfaction, information confidentiality, budget control, and physical safety. Note that “innovation” deliberately isn’t a criterion here - the caselet explicitly says GUP sacrifices innovation for budget discipline, so framing innovation gaps as risks would misalign with their actual priorities.

A. Reputation and integrity

The single most strategic asset per the caselet. Public institutions live and die on this.

  • 0 - No reputation impact
  • 1 - Internal awareness only; contained within the organisation
  • 2 - Limited national press coverage; brief news cycle
  • 3 - Sustained national press coverage; questions raised by member states
  • 4 - International press coverage; formal questions from member state governments
  • 5 - International scandal; loss of public trust requiring institutional reform or resignations

B. MP and user satisfaction

GUP’s internal users (MPs and their staff) and the citizens they represent are the equivalent of customers. Dissatisfaction signals operational failure of the supporting functions.

  • 0 - MP/user satisfaction above 8/10; no formal complaints
  • 1 - Satisfaction at 7-8; minor complaints
  • 2 - Satisfaction at 6-7; multiple formal complaints; internal escalation
  • 3 - Satisfaction below 6; coordinated complaints from MP factions; press attention
  • 4 - Formal political censure of internal organisation; MPs publicly criticise IT/support functions
  • 5 - Formal parliamentary action against the internal organisation leadership

C. Confidentiality of sensitive information

Per the caselet, GUP handles “very often very sensitive information” and pays “a lot of attention to protecting information against undue disclosure.” This earns a dedicated criterion.

  • 0 - No information disclosure incident
  • 1 - Minor non-sensitive information exposed internally; no external leak
  • 2 - Sensitive information exposed to a small internal group not authorised to see it
  • 3 - Sensitive information leaked externally but limited reach; no political fallout
  • 4 - Sensitive information leaked externally with material political consequences (negotiations compromised, sources identified)
  • 5 - Highly classified information leak with international diplomatic or security consequences

D. Budget impact

GUP operates on strict public-funded budgets and the caselet stresses modesty in resource use. Budget overruns are a direct hit to the institution’s credibility, not just a financial problem.

  • 0 - Within budget
  • 1 - Less than 5% overrun on a non-strategic line item; absorbable
  • 2 - 5-10% overrun on a non-strategic line item, or less than 5% on a strategic line
  • 3 - 10-20% overrun, or first politically visible overrun
  • 4 - 20-50% overrun, or supplementary budget request required
  • 5 - More than 50% overrun, or budget control crisis triggering audit/oversight investigation

E. MP and staff safety

The caselet explicitly mentions safety of MPs as an attention point. Public officials operate under heightened personal risk, and incidents affecting their safety have both human and political consequences.

  • 0 - No safety incident
  • 1 - Threat or incident reported, no harm
  • 2 - Minor incident affecting one person; no lasting harm
  • 3 - Incident causing temporary harm or requiring medical attention
  • 4 - Serious incident causing significant harm to MP or staff member
  • 5 - Fatal incident, or systemic safety failure affecting multiple persons

4C - General Hospital for Sick People (GHSP)

Step 1 - what matters to GHSP

GHSP is a large public hospital with a research mission, operating under Belgian healthcare law. Core values and strategic priorities:

  • Patient-centric high-quality care - the primary mission
  • Responsible use of resources / sustainable care - cost discipline
  • Supporting research and developing innovative treatments

The dimensions that matter: patient safety (the existential one for hospitals), client and staff satisfaction (both patients and the medical staff retention/morale), financial cost (the resource responsibility commitment), innovation and quality (the research mission), and regulatory compliance (Belgian healthcare and privacy laws apply).

Step 2 - impact criteria with rating scales

Five criteria. This taxonomy is the closest to the example given in the course slides because GHSP is the hospital case used as the worked example throughout the chapter. Where the slide version is a good fit, I’ve kept similar thresholds for consistency.

A. Patient safety

The single most important criterion for any hospital. Anchored on harm to the patient.

  • 0 - Patient safety not impacted
  • 1 - Minor injury or mistreatment of patient
  • 2 - Serious injury or mistreatment of patient without permanent consequences
  • 3 - Serious injury or mistreatment with partial recovery; some residual harm
  • 4 - Serious injury or mistreatment with permanent consequences
  • 5 - Patient life was lost

B. Client and staff satisfaction

This criterion covers both patients and medical staff: hospitals depend on both being willing to keep coming back. Anchored on a satisfaction score covering both groups.

  • 0 - Satisfaction rating of GHSP patients and staff both above 8/10
  • 1 - Satisfaction rating of patients or staff on average between 7.5 and 8
  • 2 - Satisfaction rating of patients or staff on average between 7 and 7.5
  • 3 - Satisfaction rating of patients or staff on average between 6.5 and 7
  • 4 - Satisfaction rating of patients or staff on average between 6 and 6.5
  • 5 - Satisfaction rating of GHSP patients and staff both below 6

C. Financial cost

GHSP commits to responsible resource use, so cost overruns or unbudgeted incident response costs are a direct hit to a stated strategic priority. Monetary thresholds are calibrated to the scale of a large hospital.

  • 0 - Cost less than 10,000 euros
  • 1 - Cost between 10,000 and 50,000 euros
  • 2 - Cost between 50,000 and 250,000 euros
  • 3 - Cost between 250,000 and 1 million euros
  • 4 - Cost between 1 million and 2 million euros
  • 5 - Cost over 2 million euros

D. Innovation and quality

GHSP’s research and innovation commitment is part of the strategy. Damage to research capability or treatment quality matters strategically.

  • 0 - No impact on reputation or future innovative projects
  • 1 - Capability to innovate and maintain competitive advantage slightly impacted
  • 2 - Capability to innovate and maintain competitive advantage moderately impacted
  • 3 - Capability to innovate and maintain competitive advantage seriously impacted
  • 4 - Capability to innovate and maintain competitive advantage very seriously impacted
  • 5 - Reputation seriously damaged; competitive advantage through IP non-existent

E. Regulatory compliance

GHSP operates under Belgian healthcare and privacy laws. Accreditation is the central anchor because losing it would be catastrophic for a public hospital.

  • 0 - None or minor compliance infractions on laws and regulations
  • 1 - Small infractions on laws and regulations; no impact on accreditation
  • 2 - Substantial single or multiple smaller infractions on laws and regulations; no impact on accreditation
  • 3 - Multiple substantial infractions on laws and regulations; potential impact on accreditation
  • 4 - Multiple serious infractions on laws and regulations; likely impact on accreditation status
  • 5 - Multiple serious infractions on laws and regulations; certain impact on accreditation status

Cross-case observations

Looking at the three taxonomies side by side reveals what the exercise is actually testing.

What’s similar

All three taxonomies cover:

  • A financial / budget dimension
  • A reputation or stakeholder satisfaction dimension
  • A “primary mission” dimension - quality in ATMO, integrity in GUP, patient safety in GHSP

This isn’t coincidence. Almost every organisation has these three things to lose. The differences are in the weighting and in what the primary mission actually is.

What’s different

The differences reveal the strategic identity of each organisation:

  • ATMO has innovation and competitive position as criteria because it’s a commercial business in a fast-moving B2B market
  • GUP has confidentiality and physical safety as criteria because it’s a public institution handling sensitive information and protecting elected officials
  • GHSP has patient safety (with death as the worst case) and regulatory compliance (with accreditation loss as the worst case) because those are the existential consequences specific to healthcare

The lesson

The point of this exercise isn’t to memorise a generic taxonomy. It’s to demonstrate that you can read an organisation’s strategy and derive the impact criteria that actually reflect its mission. A risk taxonomy that talks about “competitive advantage” for a hospital is a misalignment with its real priorities. A taxonomy that talks about “patient safety” for an automotive parts supplier is similarly wrong. The criteria must come from the organisation’s stated values and strategic priorities, not from a template.

How this would be applied next

A risk taxonomy is the foundation, not the end. Once defined, you’d use it to:

  1. Build risk scenarios using the COBIT 18 categories or FAIR scoping (chapter 7), specific to each organisation
  2. For each scenario, rate impact against every criterion in the taxonomy and take the max (chapter 8)
  3. Combine with a likelihood rating, plot on the risk map, compare to risk appetite
  4. Select responses (Avoid / Accept / Share / Mitigate) based on the parameters and prioritise via business case (chapter 9)

The taxonomy is the vocabulary that makes all of that possible. Without it, every risk discussion devolves into “I think this is medium” with no shared meaning of what medium actually is.
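As an added worked example (not from the course notes or the caselet solutions), the following Python encodes the method end to end: the taxonomy as code, the coverage design rule from the method section (every strategic priority reflected in at least one criterion), the rating of one scenario on every criterion with the ATMO thresholds from 4A, the max rule from step 2 above, and the comparison of the (likelihood, impact) point against a risk appetite boundary from step 3. The threshold values are ATMO’s; the likelihood scale, the appetite boundary, the band-edge convention and the sample scenario are constructed assumptions for illustration only.

```python
"""Added worked example: impact taxonomy as code, coverage check, scenario
rating with the max rule, and an appetite comparison.

Threshold values are ATMO's from the caselet solution. The 0-5 likelihood
scale, the appetite boundary and the sample scenario are constructed
assumptions, not part of the course material."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union


def rate_by_thresholds(value: float, bounds: List[float]) -> int:
    """Map a measured quantity to a 0-5 rating using five ascending boundaries.
    Assumption: each band is closed at its lower bound and open at its upper
    bound, so a value exactly on a boundary takes the higher rating."""
    if len(bounds) != 5 or bounds != sorted(bounds):
        raise ValueError("six levels need exactly five ascending boundaries")
    return sum(1 for b in bounds if value >= b)


# ATMO financial impact as % of annual revenue: <0.25, 0.25-0.5, 0.5-1, 1-2, 2-5, >5
ATMO_REVENUE_BOUNDS = [0.25, 0.5, 1.0, 2.0, 5.0]


def rate_product_quality(stage: str, pct: float, injury: bool = False) -> int:
    """ATMO product-quality scale. Its levels are qualitatively different
    (caught in factory vs. recall vs. injury), so a plain threshold list is
    not enough. stage is 'none', 'factory' or 'recall'; pct is % of
    production (factory) or % of fielded units (recall)."""
    if stage == "none":
        return 0
    if stage == "factory":
        return 1 if pct < 1.0 else 2
    if stage == "recall":
        if injury or pct > 5.0:
            return 5
        return 3 if pct < 1.0 else 4
    raise ValueError(f"unknown stage {stage!r}")


@dataclass
class Criterion:
    name: str
    covers: List[str]                           # strategic priorities it reflects
    rate: Optional[Callable[..., int]] = None   # None: assessor rates 0-5 directly


ATMO_PRIORITIES = ["innovation", "quality", "prime constructors", "margins"]

ATMO_TAXONOMY = [
    Criterion("innovation", ["innovation"]),
    Criterion("product_quality", ["quality"], rate_product_quality),
    Criterion("customer_satisfaction", ["prime constructors"]),
    Criterion("financial", ["margins"],
              lambda pct_revenue: rate_by_thresholds(pct_revenue, ATMO_REVENUE_BOUNDS)),
    Criterion("reputation", ["quality", "prime constructors"]),
]


def taxonomy_gaps(taxonomy: List[Criterion], priorities: List[str]) -> List[str]:
    """Design rule: a priority not reflected in any criterion is a gap."""
    covered = {p for c in taxonomy for p in c.covers}
    return [p for p in priorities if p not in covered]


Observation = Union[int, float, dict]


def rate_scenario(taxonomy: List[Criterion],
                  observations: Dict[str, Observation]) -> Dict[str, int]:
    """Rate one scenario on every criterion. No observation means the
    criterion is unaffected (0); measured criteria go through their scale;
    direct criteria take the assessor's 0-5 rating as given."""
    ratings: Dict[str, int] = {}
    for c in taxonomy:
        obs = observations.get(c.name)
        if obs is None:
            r = 0
        elif c.rate is None:
            r = int(obs)
        elif isinstance(obs, dict):
            r = c.rate(**obs)
        else:
            r = c.rate(obs)
        if not 0 <= r <= 5:
            raise ValueError(f"{c.name}: rating {r} outside 0-5")
        ratings[c.name] = r
    return ratings


def overall_impact(ratings: Dict[str, int]) -> int:
    """The scenario's impact is the max over all criteria (step 2 above)."""
    return max(ratings.values())


# Assumed appetite boundary (constructed): the highest impact rating still
# inside appetite for each likelihood rating on an assumed 0-5 likelihood scale.
APPETITE_MAX_IMPACT = {0: 5, 1: 4, 2: 3, 3: 2, 4: 1, 5: 0}


def within_appetite(likelihood: int, impact: int) -> bool:
    return impact <= APPETITE_MAX_IMPACT[likelihood]


def assess(taxonomy: List[Criterion], observations: Dict[str, Observation],
           likelihood: int) -> dict:
    ratings = rate_scenario(taxonomy, observations)
    impact = overall_impact(ratings)
    return {"ratings": ratings, "impact": impact, "likelihood": likelihood,
            "within_appetite": within_appetite(likelihood, impact)}


# Constructed sample scenario: a firmware defect in a shipped module forces a
# recall of 0.8% of fielded units and costs about 1.5% of annual revenue.
SAMPLE_SCENARIO: Dict[str, Observation] = {
    "product_quality": {"stage": "recall", "pct": 0.8},
    "financial": 1.5,
    "customer_satisfaction": 3,   # assessor: written complaints from one OEM
    "reputation": 2,              # assessor: trade press mention
}

if __name__ == "__main__":
    print("gaps:", taxonomy_gaps(ATMO_TAXONOMY, ATMO_PRIORITIES))
    print(assess(ATMO_TAXONOMY, SAMPLE_SCENARIO, likelihood=3))
```

Running it gives ratings of 3 (quality), 3 (financial), 3 (customer), 2 (reputation) and 0 (innovation), so the scenario’s impact is 3; with an assumed likelihood of 3 the point falls outside the assumed appetite boundary, which is exactly the signal step 4 acts on. Dropping the financial criterion from the taxonomy makes `taxonomy_gaps` report “margins”, showing the coverage rule as a mechanical check rather than a reviewer’s opinion.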