Brainstorming on  

Participants:

Definition:

Risk management is the process of identifying, assessing and controlling financial, legal, strategic and security risks to an organization’s capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters. [1]


Here is a summary of the risks already gathered by other Work Items:

  1. Ecosystem use cases
    • compatibility issues (technical, policy)
    • cannot solve compatibility and end up with silos
    • we cannot cope with the "stability" of paper (issuance, but also verification)
    • we cannot provide good enough usability → silos for fixing this
  2. Credential flow
    • other standards and architectures are imposed on us, requiring us to change a lot
    • not good enough user-friendliness makes the wallet ecosystem fail as a whole
    • GAFAMs impose their way (including browsers as "their" tool, interference with their business interests)
  3. Credential governance
    • how about other governance models being forced upon us?
    • intermediaries trying to keep their influence
    • overcoming national borders might impose barriers
    • failing to communicate the new "VC world" to end users and those engaged in the process
    • if usability is missing, the trust governance cannot be communicated appropriately
  4. Wallet and protocol governance
    • Most EU standardisation is behind closed doors and politicised
    • Unclear how EUDI will be governed in the future
    • Unclear how much impact EUDI will have. If it does not go beyond government-based data, our sector will maybe create a parallel ecosystem

Based on the above definition and the risks listed in the table, the following classification is proposed. It covers other aspects of risk as well.

Suggested Risk Categories:

  • Financial
    • Companies with centralized identity in the way of decentralization (GAFAM)
    • Competing technology
    • Marketing
    • Environmental cost
    • Funding
  • Legal
    • Government rules
    • International compatibility (e.g. GDPR)
    • Misuse of DIDs
    • User responsibility
  • Strategic
    • Dependency
    • Intermediaries
    • Exposure to Governance Rules and standards
    • Usability
    • Acceptance
    • Interoperability (Standards and Protocols)
    • Integration
    • Ontopiness
  • Security
    • Protecting data
    • Losing data
    • Dark Net
    • Trust Infrastructure

[1] What is Risk Management? | IBM


2 Comments

  1. For our risk management exercise in Karlsruhe, I propose this methodology (similar to one used at Switch many times). Given the size of the group, I think we can do that together:

    1. Scoping:
      • Setting the scene on the asset under examination and the flight-level
        • Proposed asset: we are focussing on our capability as a community to support relevant use cases involving the transfer of identity related information
        • Proposed flight-level: we are looking for risks on a rather high flight-level and don't intend to go beyond 20 identified risks
    2. Identification:
      • Starting with the risks identified in the individual tasks (as collected above) we will conduct a short brainstorming for additional risks
      • The rapporteurs explain the risks they contributed - potentially clustering at the same time
    3. Risk evaluation:
      • qualitative, relative assessment in the dimensions "probability of occurrence" and "potential damage" in 4 (+/- 1) categories each (e.g. low, medium, high, very high):
        • rough consensus: we place the risk in a 2-D risk map
        • no consensus: separate pile
      • negotiation phase with the no-consensus-pile
      • if the risks are tightly clustered on the map: re-negotiate relative placements to make better use of the real estate
    4. Identify the top-right risks
    5. propose measures to manage the top-right risks:
      • The proposed measures fit most likely one of the following categories:
        • Accept: acknowledge the risk, but do not take any action before it hits
        • Mitigate: take measures to reduce the probability of occurrence or the potential damage
        • Avoid: do something else without this risk, e.g. nothing
        • Transfer: let someone else take care of it, e.g. insurance
        • (Deny the risk: not allowed to choose, but many managers do this nevertheless...)
    6. We're done!

    Any thoughts?

  2. Thank you for this roadmap, Christoph Graf. I created a Risk Assessment page and tables based on your suggestions. They might be useful for brainstorming. I added some other new information about financial and strategic risks as well. You will also find some general suggestions for controlling risks here.