Governance weighting profile
The governance weighting profile is the policy that turns intake signals into a risk tier. It is what makes risk tiering deterministic and explainable: the same inputs always produce the same tier, and the reasoning can be traced to a profile you control rather than a black box.
The six dimensions
A profile scores a system across six weighted governance dimensions. The defaults are:
| Dimension | Default weight |
|---|---|
| Business criticality | 0.22 |
| Autonomy level | 0.14 |
| Human impact | weighted |
| Regulatory sensitivity | weighted |
| Data sensitivity | weighted |
| External exposure | weighted |
Each dimension carries a weight, and the weighted combination produces a governance score for the system. Weights are configurable, so an organisation can express its own risk appetite, for example weighting regulatory sensitivity more heavily in a regulated sector.
Thresholds and tiers
The score is mapped to a tier through configurable thresholds. The defaults are:
- Moderate at 45
- High at 65
- Critical at 80
Below the moderate threshold a system is treated as lower risk. Raising or lowering a threshold changes how readily systems fall into each tier; this is, again, a deliberate policy choice rather than a hidden constant.
Floor rules
Profiles support floor rules (enabled by default): hard minimums that force a system to at least a given tier when a specific high-risk signal is present, regardless of the weighted score. This prevents a genuinely sensitive system from scoring its way under the radar because other dimensions are low.
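The three mechanisms above (weighted dimensions, threshold-to-tier mapping, and floor rules) fit together as a small, deterministic pipeline. The following is an added illustration written for this page, not the project's own code. It assumes that each intake signal is scored on a 0 to 100 scale, uses the documented defaults where the page gives them (business criticality 0.22, autonomy level 0.14, thresholds 45/65/80), and fills the four undocumented weights and the two floor rules with clearly labelled placeholder values. The tier name "low" for anything below the moderate threshold is also an assumption.

```python
from dataclasses import dataclass, field

# Tier ladder, lowest to highest. "low" is an assumed name for anything below
# the moderate threshold (the page only says "treated as lower risk").
TIERS = ["low", "moderate", "high", "critical"]

# Business criticality (0.22) and autonomy level (0.14) are the documented
# defaults; the other four weights are ASSUMED placeholders chosen so that
# the six weights sum to 1.0.
DEFAULT_WEIGHTS = {
    "business_criticality": 0.22,
    "autonomy_level": 0.14,
    "human_impact": 0.16,            # assumed
    "regulatory_sensitivity": 0.16,  # assumed
    "data_sensitivity": 0.16,        # assumed
    "external_exposure": 0.16,       # assumed
}

# Documented default thresholds: a tier applies at or above its threshold.
DEFAULT_THRESHOLDS = {"moderate": 45, "high": 65, "critical": 80}

# ASSUMED example floor rules: (dimension, minimum signal value, floor tier).
# When the signal is at or above the minimum, the system is forced to at
# least the floor tier regardless of its weighted score.
DEFAULT_FLOOR_RULES = [
    ("regulatory_sensitivity", 80, "high"),
    ("human_impact", 80, "critical"),
]


@dataclass
class WeightingProfile:
    """A profile is owned policy: it carries name, owner, approver, review date and status."""
    name: str
    owner: str
    approver: str
    review_date: str
    status: str
    weights: dict = field(default_factory=lambda: dict(DEFAULT_WEIGHTS))
    thresholds: dict = field(default_factory=lambda: dict(DEFAULT_THRESHOLDS))
    floor_rules: list = field(default_factory=lambda: list(DEFAULT_FLOOR_RULES))
    floor_rules_enabled: bool = True

    def __post_init__(self):
        # Reject a miscalibrated profile early rather than silently skewing every tier.
        if abs(sum(self.weights.values()) - 1.0) > 1e-9:
            raise ValueError("dimension weights must sum to 1.0")
        for _, _, floor_tier in self.floor_rules:
            if floor_tier not in TIERS:
                raise ValueError(f"unknown floor tier {floor_tier!r}")


def weighted_score(profile, signals):
    """Weighted combination of the six intake signals (each assumed to be 0-100)."""
    missing = set(profile.weights) - set(signals)
    if missing:
        raise ValueError(f"missing signals: {sorted(missing)}")
    for dim, value in signals.items():
        if dim not in profile.weights or not 0 <= value <= 100:
            raise ValueError(f"bad signal {dim}={value!r}")
    return sum(profile.weights[dim] * signals[dim] for dim in profile.weights)


def tier_for_score(profile, score):
    """Map a score to the highest tier whose threshold it reaches."""
    tier = "low"
    for name in ("moderate", "high", "critical"):
        if score >= profile.thresholds[name]:
            tier = name
    return tier


def classify(profile, signals):
    """Return the tier plus the reasoning a reviewer would need to defend it."""
    score = weighted_score(profile, signals)
    base_tier = tier_for_score(profile, score)
    final_tier = base_tier
    floors_applied = []
    if profile.floor_rules_enabled:
        for dim, minimum, floor_tier in profile.floor_rules:
            if signals[dim] >= minimum:
                floors_applied.append((dim, floor_tier))
                if TIERS.index(floor_tier) > TIERS.index(final_tier):
                    final_tier = floor_tier
    return {
        "profile": profile.name,
        "score": round(score, 2),
        "base_tier": base_tier,
        "floors_applied": floors_applied,
        "tier": final_tier,
    }


if __name__ == "__main__":
    profile = WeightingProfile("shipped-default", "risk-office", "ciso",
                               "2025-01-01", "current until approved")
    # Constructed input: low on every dimension except regulatory sensitivity.
    print(classify(profile, {"business_criticality": 10, "autonomy_level": 10,
                             "human_impact": 10, "regulatory_sensitivity": 90,
                             "data_sensitivity": 10, "external_exposure": 10}))
```

The returned record is the "explainable" part: it shows the score, the tier the thresholds alone would have produced, and which floor rule (if any) overrode it, so a reviewer can trace the classification back to the profile rather than to a hidden constant.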
A profile is policy, and is owned
A weighting profile is treated as governance policy in its own right. It carries a name, an owner, an approver, a review date and a status. The shipped default is explicitly marked as “current policy until formally approved or calibrated by accountable stakeholders”; the intent is that an organisation reviews and signs off its own profile rather than silently inheriting the default.
Why determinism matters
Because tiering runs through an owned, weighted, threshold-based profile:
- Decisions are consistent. Two systems with the same profile inputs get the same tier.
- Decisions are defensible. A reviewer can see exactly which dimensions and thresholds drove a classification.
- Policy is adjustable in one place. Changing risk appetite means recalibrating the profile, not re-judging systems case by case.
- Intake & risk tiering: where the profile is applied.
- ACRS: the capability-risk model that complements the weighting profile.
- Assessments & control testing: what the resulting tier routes into.