Citicus ONE reflects 20 years of research into what drives key areas of risk, how to manage risk successfully ... and how not to manage it. Insights from this research - and details of how our software equips you to build on it - can be found under the following headings:

  • Citicus ONE's underlying methodology
  • Organizing your risk programme
  • Conducting your risk programme
  • Presenting risk ratings
  • Customisation opportunities

Citicus ONE's underlying methodology

Citicus ONE equips you to measure and manage the risk posed by the full spectrum of assets, processes, facilities and external parties on which your enterprise depends, using a ground-breaking methodology called FIRM.

This was developed by the founders of Citicus for and in conjunction with over 300 of the world's leading organisations.

FIRM is designed to avoid the pitfalls and build on the secrets of success shown opposite.

These stem from case studies of real-world risk programmes and statistical analysis of massive volumes of data.

No risk programme can hope to succeed unless it takes account of them.

Citicus has an exclusive right to automate this highly successful methodology. Citicus ONE provides functionality that enables you to address all its fundamentals, plus an extensive list of enhancements devised since it was first published.

No other product does this so well.

A topic paper summarizing the research findings shown opposite can be obtained by clicking Key facts about risk (PDF, 137Kb).

Further details of the research that underpins our approach can be found under Our research foundation.

Why risk programmes fail

  • Over-complex approaches to risk assessment
  • Inability to measure risk objectively
  • Turf wars between departments
  • Lack of tools to automate the process in a reproducible way
  • Lack of co-operation on the ground
  • Lack of resources to drive and run the risk management initiative
  • Immature processes and reporting structures.

Secrets of success from case studies

  • Keep risk fact-gathering simple
  • Ensure your risk programme is constructive rather than blame-oriented
  • Produce meaningful results that capture the attention of busy decision-makers
  • Show that incidents are not an inescapable feature of business life
  • Make risk management a personal responsibility
  • Cause pressure to filter down so it motivates others to act
  • Get the organizational arrangements right
  • Highlight where to focus scarce resources
  • Gain top management commitment

Statistical insights

  • It is what happens 'on the ground' that determines risk, and this is mainly driven by the business 'owners' of individual assets, processes, facilities and parties - not central staff.
  • Establishing a 'pretty good, all-round level of protection' is far more effective than a mix of strong, medium and weak controls (which is the norm).
  • Minor incidents are highly predictive of major ones.
  • Risk is heightened by special circumstances like scale, complexity, immaturity.
  • The business impact of incidents is easily assessed - but generally is not. That's why few organizations understand the 'business impact of insecurity'.

Organizing your programme

Citicus ONE is designed for deployment across an enterprise under the control of a programme director or manager, normally based at headquarters.

In a small organization, the programme director or member of his or her staff generally uses Citicus ONE directly to evaluate risk and compliance. In a larger enterprise, he or she generally orchestrates the process instead, using a network of local co-ordinators, as shown opposite.

Local co-ordinators become responsible for facilitating evaluations and progressing remediation activity within particular risk areas and parts of the enterprise.

This approach scales well in even the largest enterprise since the evaluation workload is divided up between members of a ‘virtual team’. Such teams have orchestrated hundreds, sometimes thousands, of evaluations in surprisingly brief periods.

Measuring and managing risk 'on the ground' with Citicus ONE


Members of the virtual team can be easily set up in Citicus ONE and can use the system to:

  • define the business applications, components of IT infrastructure, suppliers, sites or processes that they wish to assess
  • evaluate each one's criticality or risk status, in conjunction with its business owner

Orchestrating risk management activity with Citicus ONE

Using Citicus ONE, risk ratings can be presented to the owner concerned as soon as each evaluation is completed, and are easily updated (eg as weaknesses are remedied). Ratings can also be aggregated periodically to provide decision-makers with a continuing view of their organization’s risk and compliance status.


Citicus ONE enables you to manage risk from where most risk decisions are taken (ie 'on the ground') all the way up to Board-level.

A good 'virtual team' is crucial when evaluating key areas of risk across a large organization.

A topic paper summarizing this method of organizing your programme - and the steps involved in introducing Citicus ONE into your enterprise - can be obtained by clicking Implementing Citicus ONE in your organization (PDF, 423 KB).

Conducting your risk programme

Citicus ONE equips you to measure and manage risk in a way that:

  • scales well
  • treads lightly on your organization
  • delivers value at each phase of the programme
  • provides results ordinary people can understand and relate to
  • can be embedded into your organization so it becomes 'part of the way we do things round here'.

Although every programme is unique, successful ones usually progress through the four phases illustrated and outlined below.

Phased approach for conducting a Citicus ONE risk programme

Phase I: Discovery

As illustrated opposite, the process starts with its 'discovery phase'. This is where the assets, processes, facilities and / or external parties that fall within the scope of a risk programme are identified and set up in Citicus ONE, along with details of their business 'owners'.

This can be done in a variety of ways (eg by consulting documentary sources, uploading data from external data sources).

Perhaps the best is for a local co-ordinator to sit down with the general manager of his or her part of the enterprise and its local subject expert (eg head of IT, purchasing manager) and ask "What are the assets, processes, facilities and / or external parties that are most important to our part of the enterprise?"

This gives your local co-ordinator an opportunity to introduce the programme to the business and local subject expert, gets them thinking together and ensures that the programme starts from a business perspective.

Phase I of your Citicus ONE risk programme

Phase II: Assessing criticality

Once the assets, processes, facilities and / or external parties that fall within the scope of your risk programme are identified and set up in Citicus ONE your programme can move to the 'criticality assessment' phase.

This involves the business 'owner' of each 'target of evaluation' completing a simple, 1-page form that records the 'owner's' judgement about the worst that could happen to your enterprise if his or her target of evaluation was compromised in some way.

Note: Citicus ONE does not take probability into account when assessing criticality. That comes later. Instead, the emphasis is understanding what's at stake for the enterprise if the worst happens. It is the failure to prepare adequately for the 'worst case' that precipitated the 2008 collapse of the financial services sector.

Criticality assessment forms can be completed in minutes (15 minutes is more than adequate in most cases).

To avoid subjectivity, a harm reference table is presented to help 'owners' employ a common scale for considering harm, and to consider all possible types of harm that the enterprise could suffer. This can be easily configured to suit the concerns of your organization.

The criticality assessment form can be completed on paper, by typing directly into the system (which can be used for this without training) or - best of all - by a facilitator sitting alongside the business 'owner'. This takes more effort (2 x 15 minutes or so) but offers an opportunity to explain the programme and help the 'owner' think through his or her worst-case scenario.

Once the assessment is submitted, Citicus ONE will present the 'owner' with a Criticality status report and the 'owner's' criticality ratings can be ranked with others that have been completed. See Results produced for a closer look at Citicus ONE's outstanding reporting capabilities.

Phase II of your Citicus ONE risk programme

Phase III: Assessing risk and compliance

The Criticality league tables produced by Phase II provide an excellent, factual basis for determining which assets, processes, facilities and / or external parties warrant full evaluation. We recommend that you focus your resources on the assets, processes, facilities and / or external parties that are ranked at the top end of your corporate Criticality league table(s).

For each of these, we recommend that risk is evaluated by bringing key people together at a 3-hour risk workshop to complete a risk scorecard under the guidance of a trained facilitator. Normally, this will be the local co-ordinator of the part of the enterprise or risk area supported by the asset, process, facility or external party.

It's crucial he or she involves the right people: starting with the business 'owner' concerned. He or she will generally be able to advise who else should be present. Ideally, this should be people with first-hand experience of running or working with the target of evaluation.

Completing the scorecard entails jointly reviewing the criticality ratings that have previously been entered and then assessing the status of four other factors that determine or indicate risk, namely:

  • status of controls (ie the arrangements made to protect the enterprise from incidents that could disrupt the asset, process, facility or services provided by an external party)
  • special circumstances that apply (eg complexity, scale, immaturity)
  • level of threat as indicated by experience of incidents
  • the business impact of such incidents

These factors have been found to be fundamental to any assessment of risk.

Once completed, the system will generate a risk status report along with other results that record the discussion. See Results produced for more details.

Once criticality assessments have been completed, you can move on to the 'risk and compliance evaluation' phase.

Phase III of your Citicus ONE risk programme

Please note: while it's common to hear of 'questionnaire fatigue' in global businesses, this complaint is not often heard at risk workshops supported by Citicus ONE, as indicated by the following representative comments:

"The process has been excellent in gaining a common understanding of the risk we face"

"I'm very pleased with the education and communication that came out of this"

"I can’t remember the last time we sat down together like this (it’s all been in silos)"

Comments recorded at end of real evaluations

Phase IV: Business as usual

Citicus ONE supports a continuing risk and compliance management process. Thus, once the initial risk evaluations have been completed, the focus shifts towards 'business as usual'. This principally involves:

  • updating scorecards and criticality assessments as things change (eg new 'owners', experience of incidents, completion of remediation activity)
  • monitoring progress in completing remediation activity at individual asset, activity, process or supplier level
  • identifying remediation activity that is best carried out at part of enterprise or enterprise level (eg awareness programmes, stronger policies, better continuity planning)
  • reporting on progress at local and enterprise level
  • arranging criticality assessments and risk evaluations for new assets, facilities, processes or external parties.

Citicus ONE provides excellent facilities to help you with the 'business as usual' phase. For example, risk evaluations can be updated in minutes by issuing a fresh scorecard, automatically populating it with the results of the previous evaluation. All the completer has to do then is to vary the rating that's changed. Results will then be recalculated and presented in a way that shows the improvement over time.

Similarly, its oversight facilities enable you to review remediation activity as a whole or within parts of the enterprise under your control; and it offers first-rate facilities for consolidating, reporting and exporting ratings. See Results produced for more details.

How risk ratings are presented

To manage risk wisely, 'owners' need to know how critical their asset, process, facility or supplier is to the enterprise and whether the status of its controls provides a 'pretty good all-round level of protection' (statistical evidence for this is provided under Our research foundation).

In addition, 'owners' need to understand:

  • if any special circumstances (eg scale, complexity) apply which intensify risk
  • the number of incidents suffered to date (this is highly predictive of the chance of suffering a major incident in future)
  • the business impact of incidents to date (which is often highly revealing).

Measuring these five factors is therefore essential when evaluating key areas of operational risk. Citicus ONE equips you to evaluate them by presenting criticality assessments, risk scorecards and incident assessments for completion by users of the system. Responses are used to calculate a rating for each factor.

Ratings can be presented graphically in the form of easy-to-understand risk charts designed to encourage 'owners' to drive risk down to an acceptable level. They can also be condensed into an overall risk rating presented in risk dials.

Customization opportunities

Citicus ONE can be used ‘out of the box’ to evaluate information risk, supplier risk, site risk and data privacy.

You can vary the precise issues probed when evaluating particular areas of risk by:

  • selecting a particular compliance framework from among those built into the system (see opposite)
  • varying any of the ones provided to suit your particular needs
  • importing a basis or bases of evaluation of your own into the system. These can influence virtually every feature of the criticality assessments / scorecards presented by the system.

You can also set up 'target types' of your own (for example, business unit, business process). Once set up, you can define how you wish these to be evaluated using the options listed above. In addition, you can:

  • set up attributes that record issues of particular concern to your organisation
  • set up data exchanges with external systems
  • vary settings that control the behaviour of the system and its presentation (colour scheme, branding and so on).

Further details can be found under Software capabilities.

Compliance frameworks built into Citicus ONE

  • ISO 27001:2005 and 2013 checklists *
  • PCI DSS checklists plus recommended tests *
  • ISF Standard of Good Practice (SoGP) *
  • COBIT 5 control objectives *
  • Citicus information risk checklist
  • Citicus industrial control system checklist
  • Citicus supplier relationship checklist
  • Citicus supplied products / services checklist
  • Citicus site security, health and safety checklist
  • Citicus privacy checklist

* Provided under licence from copyright owner.