Konsulent Tobias Møller giver præsentation om risikoanalyse



Understand and reduce IT risks with SARA

SARA, our IT risk analysis approach, provide you with insight into your accumulated IT-risk level. This quantitative risk analysis method helps you understand, structure, and prioritize risk, enabling you to reduce risk to a known and acceptable level.

The process is suitable for four reasons. It is:

  1. Evidence-based
  2. Practical
  3. Proven
  4. Compliant with modern legislative requirements



SARA is short for Security Assessment, Risk Assessment

Reliable answers to fundamental questions

A risk analysis must be built on clear and consistent definitions. At ACI, we always work to ensure that everyone has the same understanding of definitions, context and correlations between risk, loss events, threat events, vulnerabilities, consequences, etc.

On a solid basis of metrics and clear definitions, we apply our quantitative IT risk management approach. It gives you concrete, transparent and evidence-based answers to essential questions about risk:

  1. How do you know if your risk management works?
  2. Would you know if it did not work?
  3. What would happen if it did not work?


Reduce risk by focusing on the right areas

Our quantitative IT risk analysis helps you identify the measures that provide the best risk reduction for the money you spend. Through a transparent and impartial process, your IT managers, executives, and key stakeholders will be equipped to be able to understand your threat landscape and act appropriately. It is not more complicated than what you already do, but it is more measurable and thus useful.

Our risk assessment provides you with:

  • An overview of your threat landscape, measured in probability of loss and the size of losses in monetary value
  • Predicted yearly losses within selected IT risk areas
  • Your organization’s risk level mapped and compared to your risk tolerance


Secure and systematic

IT security legislation is constantly being revised, and expectations are increasing among regulators and stakeholders when it comes to IT-compliance and documentation. In their assessments, authorities attribute great importance to the chosen method for analyzing IT risk.

The authorities have reviewed our quantitative IT risk analysis without comment. You can rest assured that our risk management method meets the requirements of current legislation and guidelines on risk management.

With SARA, you can always answer the following questions in regard to IT governance:

  1. What is the right thing to do?
  2. How do we do it?
  3. How do we prove we did the right thing?
Orange post-its hænger på hvid væg



“Rhythms and checklists are fundamental to all development. Without them, it will be colorful and fun, but you get nowhere.”
ACI dogma #4



Konsulent Frederik Thygesen skriver på whiteboard

A 12-step plan for overview, prioritization, and action

With the SARA process, we review and analyze your IT risk in a way that is evidence-based, practical, proven, impartial and in accordance with applicable legislation.

The end-product is a report and relevant governance documentation. You get an overview and insight into your vulnerabilities, including which are most expensive year-to-year, and which steps should be taken to reduce risk systematically and thoroughly.

The process consists of more than 100 internal activities divided into 12 steps, where you as a customer participate in approximately five workshops:

  1. Preparation
  2. Scoping
  3. Workshop bookings and practicalities
  4. Scenario structuring
  5. Risk register
  6. Security measurements
  7. Security analysis
  8. Estimation
  9. Simulation
  10. Mitigation plan
  11. Reporting
  12. Communication

Completion of the above SARA process will be tailored to your calendar and company, including reporting, etc., to ensure an efficient, thorough, and safe procedure.


Do you need a visit from SARA?

Try our 2-minute reflection exercise to determine if your current risk management provides you with satisfactory answers to essential questions.

Review the exercise here


An ideal choice for financial and utilities management organizations

The IT risk management method SARA can be used to great advantage by financial and utility companies. SARA ensures structure and overview, helping companies understand their actual IT threat landscape while following the current legislation and guidelines on risk management, e.g. Appendix 5 of the Executive Order on Management. We have worked extensively with projects specifically within the financial-, utilities- & energy sectors.



Want to learn more about SARA?

We would be happy to share more about how a SARA process can deliver value for you. Please reach out to our Director of Sales, Thomas Bang:

Telephone: +45 9360 5152

Email: tba@aci.dk