No. 67: Risk Assessment of Essential Product Requirements: Documenting Risks

The CRA requires manufacturers to document the risk assessment. Architecture decision records (ADRs) are the ideal means for that. They also facilitate good discussions about different mitigation options.

Dear Reader,

Sarah Fluchs hosted a CRA webinar named “Clarity of mind despite all uncertainty” with 250 participants. She polled the audience for the most important topics. The top-3 topics were: 20.6% - risk assessment and interpreting essential requirements; 17.9% - harmonised standards and additional guidance; 14.6% - legacy products.

The poll results confirm my assumption that manufacturers understand that the risk assessment of the essential product requirements is crucial for CRA compliance but don’t really know how to perform the risk assessment. That has been my motivation to write this series of newsletters: Prerequisites, Identifying Risks, Evaluating and Prioritising Risks and Mitigating and Reviewing Risks. This episode is the last one about risk assessment - at least for now. I’ll use architecture decision records to document the five steps of risk assessment.

I have condensed the five newsletter episodes into one talk. I’ll present the talk “Risk Assessment of Essential Product Requirements by Example” at the following two events.

I’d be happy to meet you at one of these events in person. Let me know if you are there.

Enjoy reading,
Burkhard 💜
