The VASP and VCDM Risk Management system is as simple as it is effective: it is built directly into the same backlog system we use to process other tickets from the SSA, and indeed any development backlog issue. The risk management system, however, uses its own dedicated security scheme to ensure the confidentiality of risk tickets, and it has its own risk-specific workflow.
The methodology is the now very common risk = impact × likelihood methodology, with risk, impact and likelihood levels appropriate to Visma and our customers. In addition, the definition of a risk includes information about the asset and/or data being protected, its value, its vulnerabilities and the threats against it.
Once a risk is registered, it escalates up the management chain depending on its criticality and risk acceptance power schedules.
Visma firmly believes that risk management is a management responsibility.
If action is required by the product team in order to address the risk, the issue is assigned back to the team with instructions and a priority, and it flows back into the backlog.
The result is an appropriate level of security, based on both a general and a specific risk assessment.