
Blog CESG Digital


Risk management at OFFICIAL: A compelling alternative

Categories: Risk management

A few weeks ago, CESG began using the approach set out in the Service Design Manual to help develop our services. We took a fresh look at how we were developing our strategy to support the security needs of the public sector.

We’ve done this sort of strategy exercise before, but this time we recognised that we were in danger of offering what we perceive our users want rather than really understanding their needs. Those of us in CESG who have worked with GDS and departments on some of the 25 exemplar services have seen the user-centric approach to the design of digital services work very well, and we saw no reason why we couldn't borrow most of the approach to design and deliver the next generation of some of our services.

We've taken some liberties in how we've followed the approach because a lot of our services are 'physical' (e.g. our consultancy services) rather than digital, but it has worked well so far, so we thought we would share our experience.

Image: user stories collected about risk management and OFFICIAL

At the end of our discovery, we had 15 potential new services or transformation projects we could have taken forward into alpha. Deciding which to pilot wasn’t easy, but looking at all the things we could do, their potential impact and the dependencies between them, there was one project that stood out – produce a compelling alternative approach to risk management for OFFICIAL.

Among the user needs we collected in discovery, there was a strong theme around the need for improvements to the way we apply security risk management in government. We want to promote a more pragmatic and effective risk management approach that better supports the technology strategies of departments.

In the spirit of starting small and iterating, our risk management work will focus on the approach taken by three projects to building their OFFICIAL IT systems: the Cabinet Office technology transformation programme, CERT-UK, and the risk management decisions we make around our own IT for the alpha delivery team.


During this alpha phase we'll be 'learning by doing' and exploring how existing good practice and new ideas can be used to help manage risk in a way that meets user needs. If you have experience of using our existing risk management and accreditation guidance, we'd love to hear from you and understand how well it works for your organisation's needs. We’ll be blogging here for the duration of the alpha about our work on redefining an approach to risk management.
