To ensure that business processes are fulfilled by information processing facilities in a secure manner, it is
necessary to conduct a comprehensive risk assessment of the detailed end-to-end solution. However, by the time
sufficient architectural, implementation, and operational details exist, it is possible that the project sponsor may
not be in a position to implement the findings of the risk assessment. (This may be due to constraints on finance,
time, technical solution, personnel, etc.) In some cases, this may not be a significant issue as the risk profile, i.e.
the shape and scale of the risk, is sufficiently self contained to allow the project sponsor to decide whether the
risk can be managed and take the project into production. However, where the risk profile potentially affects
those beyond the project scope, e.g. where other departments or Ministries also use the same information assets,
the project sponsor may be forced to halt their project (and write off significant funds). Performing a high level
impact based risk assessment at the time of project inception significantly mitigate against this exposure, and
provides a timely indication of the fundamental security requirements, i.e. before significant funds have been
consumed by the project.