A Case-Based Guide to Creating a Risk Framework

Risk is a demanding challenge for America’s national security watchkeepers. While staying ahead of possible risks is crucial for national security organizations—it is not always an easy task. 

The U.S. Government has finite resources to allocate toward protecting the nation, its people, and investments, so national security organizations are tasked to methodically, accurately, and cost-effectively define and mitigate risks.

In order to effectively communicate risks, security organizations need to build systems that produce a justifiable risk score that supports the user’s analysis while delivering a simple and reliable end-user experience.

To help the nation combat risk, U.Group provides transformative solutions to the United States’ defense, intelligence, and national security communities. We work with clients within the national security landscape to define mission-specific risks and create risk frameworks that can integrate into software applications, for automated quantitative scoring and decision support.

Our process to deliver risk solutions for national security organizations starts with U.Group’s Discovery Services. By drawing on U.Group’s recent work with a client, I will explain our Discovery Services to give an idea of how you can start to institutionalize a risk framework for complex national security issues.


Discovery Services

U.Group’s Discovery began with interviewing stakeholders across the organization to learn and document their current and future priorities. This uncovered several areas of agreement and many points in need of gathering a consensus. By including multiple voices into the initial discovery work, we were able to have confidence in our baseline understanding of how the client currently uses business risk assessment and lay the groundwork for our next steps.


We found that stakeholders’ views on business risk management were greatly informed by common factors and were interpreted in different ways, so we facilitated cross-functional workshops to increase communication across different suborganizations. Here, U.Group was able to build consensus around shared definitions of risk and risk factors.

Instead of delivering a standard report, we adopted an agile approach in our Discovery Services that enabled us to customize our deliverables to best suit the customer’s evolving needs. For example, we dedicated more time to discussing asset vulnerability risk factors as a business intelligence service, as the customer directly interfaces with industry and oversees their compliance in protecting classified information.

For this client:

Risk = ƒ (Threat, Asset Vulnerability, Impact)

  • Risk: The potential (or likelihood) for loss or damage in the event that a threat exploits an asset vulnerability.
  • Threat: A function of the intent, capability, and opportunity for a person or organization to take action to impair the national security.
  • Asset Vulnerability: Assets are tangible and intangible attributes or resources owned by an entity. Vulnerability is any susceptibility to adversarial attack.
  • Impact: An estimate of the potential effects on national security that could reasonably result from the exploitation of vulnerabilities by a threat actor.


Document and Iterate

U.Group uses an agile methodology and believes in constant improvement and iteration, so it was important to document findings and solicit feedback from the client.

Upon distributing our initial business risk assessment of existing risk methodologies, recommendations for improvement, and formalized risk framework, we proposed taking an iterative approach to finalizing this output to the customer. After each iteration, we sent out surveys, which allowed us to receive quantitative feedback on user satisfaction, and qualitative feedback on changes to the recommendations. As needed, we conducted follow-up interviews to get more in-depth feedback.

By refining the framework with the client, results showed that 92% of survey respondents believe the recommendations outlined by U.Group were achievable.

As a digital transformation company, we brought together team members and subject matter experts from data science, human-centered design, and engineering to advise our customer with actionable steps to achieve their strategic goals. By employing our Discovery Services, we didn’t lose sight of the client’s mission; only focus on existing technical challenges and were able to provide business risk management services by developing a deeper understanding of their organization’s unique environment and needs.

Ready to define and mitigate risk early? Let’s talk! And check out our current Discovery Services risk management tools

Get alerted to new job postings, events, and insights by registering for our monthly newsletter.