Cyber and IT risks are pervasive. The scope can include potential risk events caused by any number of cyber or technology root causes — including threats or technology failures (i.e., cyber and IT risk exposures). These can impact not only the organization and its IT systems but also its customers and suppliers. It is important to understand the scope to:

  • Further tailor the risk management processes to different elements of the scope; for example, approaches to assessing risk for traditional on-premises systems managed in-house will differ from those for a cloud service, where the assessment is more reliant on the cloud service provider
  • Tailor the depth and approach to the breadth of the scope; for example, a broad scope in a complex organization will require a significant amount of resourcing or compromises on the quality of the assessment; conversely, a narrow scope may exclude risks that can significantly impact the organization