I’d like to propose the idea of adding a new Asset Type called “Business Process.”
In practice, business processes are the primary assets within an organization; they represent the core activities that deliver value. All other asset types (such as software, hardware, people, and data, …) are essentially supporting assets that enable these processes to function effectively.
If we had a dedicated “Business Process” asset type, we could then:
Use the “Related Assets” field to map all the supporting assets that a given process depends on.
Add a “Related Third Parties” field in the Asset register to link any vendors or service providers involved in the process.
This approach would simplify the relationship model in Eramba, as processes would act as the top-level entities. As a result, the Asset Risk Register and Business Risk Register could be merged into a single unified register. Essentially, this one risk register would be sufficient, similar to what exists in the asset risk register but with an extra treatment of type BCP, similar to what currently exists in the Business Risks, and the input of course will be “Asset(s)”.
I’m just putting this forward as a suggestion, but I believe it could make risk and asset management more accurate, structured, and easier to maintain.
You may want to look into the Data Privacy module of Eramba (which apparently isn’t as popular as the other modules). It is documented in a way that tailors it to use for GDPR compliance, but actually it supports a lot of what you suggested above. You can use it even if you don’t care about privacy at all.
It does support “Data Flows” (which are similar to what you call a “process”), which can then relate to an asset, and even different policies at different stages of a process.
There isn’t anything stopping you adding this in the settings? (Assets\settings\asset types) You wouldn’t get the direct third party association - but that could easily be done via the TP risk module? (‘Assets Shared with this Third Party’).
If I manually create or add a new asset type called “Process”, that alone wouldn’t achieve what I’m proposing; system-level changes would still be required.
The third-party association you mentioned, which links risks to assets and third parties, is not relevant here. In a third-party risk register, you don’t document how a process operates; you only document the associated risks.
Out of curiosity, what would be the difference between creating the asset type and just labeling your “procedures” as “policies”? We effectively use “policies” as a bucket category for anything in that text-based regard, including procedures and standards.
Why would a Business process be an asset? It’s more of an IP...
It’s a documented (or should be) way of how you do things. And the reason that you have documented this is because you want to do things in a certain way, in order to avoid issues, either with Quality, Financial, Legal etc. All these are risks that you have identified.
So you create the risks, and you treat them with your business processes (which you have added in the policy module as procedures). You also (should) have controls, to check that your BPs are working as expected.
Another thing about the separation of the Asset risks and business risks (which I found strange in the beginning) is that it helps more in the handling of tangible and non-tangible risks.