Three-Factor Risk Assessment: An Example of SCS 9001 Measurable and Verifiable Criteria

Person using laptop with glowing security lock icon

By Bob Bretall, Lead Consultant, Information Security/Business Continuity, the DESARA Group, Inc.


The Telecommunications Industry Association (TIA) is leading the way on ICT supply chain security with the release of the global SCS 9001 standard that specifies verifiable and measurable criteria and uses a process-based quality management system (QMS) to bolster quality and transparency throughout the ICT supply chain. The architectural structure of SCS 9001™  builds on a certified QMS and includes Principles of Trust, Zero Network Architecture, and Asset Inventory Management. It then adds seven additional Supply Chain Processes, including Provenance, Secure Development, Software Usage, Counterfeit Parts, Risk Assessment and Mitigation, Technical Vulnerability Management, and Incident Management.

The Risk Assessment and Mitigation process is vital for organizations within the ICT supply chain to discover vulnerabilities and implement strategies to reduce the possibility of compromising the devices, equipment, and systems relied on by businesses and consumers around the world. The first step in a Risk Assessment and Mitigation process is for organizations to identify all the ICT assets they use or supply that have the potential to disrupt global ICT infrastructure in a way that threatens to endanger national security and public safety, disrupt business continuity, and degrade consumer confidence—all of which has vast economic and social consequences.

Identified assets are then analyzed and evaluated to understand potential vulnerabilities and risk. A common practice for analyzing a specific risk is to look at two primary factors—the likelihood of the risk happening, and the business impact should the risk happen. Many exiting security standards such as ISO 27001, Control Objectives for Information and Related Technology (COBIT), NIST SP 800, and others recommend this two-factor risk assessment method. However, to provide a more complete picture of risk that gives organizations within the ICT supply chain the ability to reduce vulnerabilities, the SCS 9001 requires a three-factor risk assessment that also takes countermeasures into consideration. Let’s take a look at how a three-factor risk assessment can make all the difference.

Effectively Calculating Risk

Since protecting every asset from every conceivable risk is virtually impossible, organizations need an effective means for prioritizing risks, so they know where to concentrate their efforts. If the likelihood of a risk happening is high and the impact is also high, it would seem that the risk should be a high priority of focus. However, without changing an organization’s business model and their assets, these two factors are not variable and generally cannot be modified. Only by adding in the third factor of countermeasures that are in place to guard against threats can a company truly prioritize and focus their efforts to improve supply chain security. For example, considering that the ultimate goal is to reduce the level of risk, it may not make sense to prioritize a risk if established and effective countermeasures are already in place to provide the required protection. In contrast, if countermeasures are nonexistent or weak, the priority level increases.

One way to effectively prioritize risks is to calculate an Risk Priority Number (RPN) for each risk based on all three factors:

RPN = Likelihood (L), Impact (I),  Countermeasures (C)

To calculate RPN, each risk is rated individually for likelihood, impact, and countermeasures. If the likelihood of a risk happening is rare, the L value will be low. If it’s certain that the event will occur, the L value is high. If the impact of the risk happening is insignificant and would have a negligible effect on the global ICT infrastructure and supply chain, the I value is low. If the risk would cause severe or catastrophic impact, the I value is high. Countermeasures on the other hand are rated on an inverse scale—the better the countermeasure in place, the lower the C value. For example, best-in-class countermeasures that provide the best known protection may have a C value of 1, while having no or very few countermeasures in place to prevent the threat will have a higher C value of 10.

Consistency is Key

Once the RPN value is calculated for each risk based on all three factors—likelihood, impact, and countermeasures—organizations can focus their efforts on those risk that have a high RPN value and mandate immediate and thorough response. In essence, the three-factor method turns risk assessment into true risk management. The RPN value also provides a benchmark for improvement—organizations can improve the countermeasures they have in place to reduce the C value and ultimately lower RPN for overall reduced risk. For similar types of ICT assets, RPN values can also be used for establishing industry benchmarking that allows organizations to understand how they perform in comparison to the industry and what improvements to initiate.

It’s important to note that the three-factor risk assessment method should be used consistently across an organization and its business units. For example, distinct departments within an organization may identify different assets and risks or they may calculate the likelihood, impact, and countermeasures differently for a given risk. That’s why it’s important for organizations to have someone that oversees the process and looks at all the assets and risks across an entire organization.

Calculating RPN values based on a three-factor risk assessment is just one example of how the new SCS 9001 standard specifies detailed, measurable, and verifiable criteria to identify trusted suppliers that will go a long way in reinforcing the integrity of the ICT supply chain.