Back to

Process Mapping and Risk Modeling


This component allows an auditor to lead the host organization's staff in a series of activities to identify and prioritize the processes that are critical for the organization to carry out its work. These activities will also reveal the consequences if those critical processes were interrupted or exposed to a malicious actor. This results in the staff creating a risk matrix which is used as the foundation of the auditor's recommendations.


Having the host organization central to the risk assessment process allows the auditor to put their threats and recommendations into the host's own narrative. With greater ownership of the process the staff will be more engaged in addressing the threats identified when the audit is complete. [1] By engaging as many staff as possible the auditor also is providing a framework for staff to examine future concerns when the auditor is gone. The existing in/formal security practices captured during this process will be used to remove organizational and psyco-social barriers to starting new practices.

Guiding Questions

    • What are the critical organizational activities?
    • What threats does the organization, its programs, partners, and beneficiaries face?
    • What would the impact of these threats be if they were to occur?
    • What adversaries (people or groups) may attempt to carry out threats?
    • Are those adversaries capable of carrying out these threats?

Operational Security

  • Ensure that any physical notes/drawings are erased and destroyed once digitally recorded.
  • Ensure that any digital recordings of this process are kept secure and encrypted.
  • Consider who has physical and visual access to the room where this process takes place, and if the room can be secured if this activity may span long/overnight breaks.


    • Risk Modeling and Proccess Mapping exercises can be intense and challenging to facilitate. Risk modeling will require a mixed approach of exercises, and the order which you identify each component will vary depending upon the organization. Prepare and review your exercises, and plan for how they will flow together. Note your specific desired outcomes to easily recover or re-direct the activity based on emergent needs.
    • Review the Frontline Defenders' Risk Assessment Activity


    • Maps of critical processes.
    • A list of organizational assets.

References and resources for Process Mapping and Risk Modeling