Risk scores and the underlying risk framework

We've established a robust risk management framework essential for facilitating seamless API integration and data exchange. This structured approach enables us to effectively identify, assess, and address potential risks associated with API integration.

Our risk framework not only provides a systematic method for evaluating risks, but also serves as a transparent means of communicating expectations to our API users from the outset. By carefully evaluating each unique use case against predetermined criteria, we prioritise our attention on those with higher potential risks to the organisation.

Moreover, we ensure that even lower-risk scenarios meet the necessary requirements to mitigate potential risks adequately. Our comprehensive risk assessment and scoring system is categorised into five key areas: Clinical, Privacy, Security, Identity, and Equity.

[Figure: pyramid with Security at the base, Privacy above it, and Clinical at the top]

There are two parts to calculating a risk score.

Part One

The first part involves assessing every API listed on our Marketplace. This lets us set expectations for integrators, so they know the requirements they must meet before they begin the onboarding process.

Each API in our catalogue has a risk score for each of the categories mentioned above (NOTE: Equity is assessed at a governance level). The score categorises the potential harm that could eventuate if the API were exposed to unauthorised parties, and it determines the minimum controls an integrator must put in place to integrate with the API: the higher the risk, the more controls are required. This lets us streamline the onboarding process and focus the effort of everyone involved on the integrations that need it most.

[Figure: Part 1 table, calculated when the API is listed in the catalogue]
  • Clinical

    Calculating Clinical Risk Score and minimum set of controls
  • Privacy

    Calculating Privacy Risk Score and minimum set of controls.
  • Identity

    Calculating Identity Risk Score and minimum set of controls.
  • Security

    Calculating Security Risk Score and minimum set of controls.

Part Two

The second part of the risk score is calculated when the onboarding forms are filled in. It applies to a specific organisation requesting access to a specific API, to integrate with a specific application, for a specific purpose, and uses the same categories mentioned above. The API risk score recorded against each API is factored into your inherent risk score, which is calculated when you fill in the form requesting access to a Test API.

When the ‘Request for Production access’ form is filled in, we ask what controls you have in place to mitigate the inherent risk calculated previously. We also determine whether you meet the minimum requirements set by the API's risk score. If you meet the minimum requirements and have a satisfactory Net risk score, you will be approved to progress to the next stage of the application process.

[Figure: table showing a request to access an API]
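The two-part calculation above can be modelled in a few lines. The following is an added example written for this page, not the Marketplace's own scoring engine: the 1 to 5 scale, the rule that inherent risk is the higher of the API's catalogue score and the use-case score, the one-point reduction per relevant declared control, the control names, the minimum-control thresholds and the net-risk threshold are all assumptions chosen for illustration. What it does show is the shape of the gate described in Part Two: an access request is approved only when every minimum control for the inherent risk level is declared and every category's net score is acceptable, and the result says which controls are missing rather than just "declined".

```python
"""Illustrative two-part API risk score (added example, all scales and
control names are assumptions, not the Marketplace's real framework)."""
from dataclasses import dataclass, field

CATEGORIES = ("clinical", "privacy", "security", "identity")
NET_RISK_THRESHOLD = 3  # assumption: each category's net score must be <= 3

# Hypothetical control catalogue: control name -> category it mitigates.
CONTROL_CATEGORY = {
    "tls": "security", "mtls": "security", "pen_test": "security",
    "privacy_impact_assessment": "privacy", "data_minimisation": "privacy",
    "mfa": "identity", "rbac": "identity",
    "clinical_safety_case": "clinical",
}

# Hypothetical minimum controls: category -> {level at which the control
# becomes mandatory: controls}. Requirements accumulate as the level rises.
MINIMUM_CONTROLS = {
    "security": {3: {"tls"}, 4: {"mtls"}, 5: {"pen_test"}},
    "privacy": {3: {"privacy_impact_assessment"}, 4: {"data_minimisation"}},
    "identity": {3: {"mfa"}, 4: {"rbac"}},
    "clinical": {4: {"clinical_safety_case"}},
}


def minimum_controls(category, level):
    """Union of every control whose threshold is at or below `level`."""
    required = set()
    for threshold, controls in MINIMUM_CONTROLS.get(category, {}).items():
        if level >= threshold:
            required |= controls
    return required


@dataclass
class ApiListing:
    """Part One: scored once, when the API is listed in the catalogue."""
    name: str
    scores: dict  # category -> 1 (low) .. 5 (high)


@dataclass
class AccessRequest:
    """Part Two: scored per organisation, application and purpose."""
    api: ApiListing
    use_case_scores: dict  # category -> 1..5, from the Test API request form
    declared_controls: set = field(default_factory=set)  # from the Production form


def inherent_risk(req):
    """Assumption: the API's catalogue score is a floor the use case cannot go below."""
    return {c: max(req.api.scores.get(c, 1), req.use_case_scores.get(c, 1))
            for c in CATEGORIES}


def net_risk(req):
    """Assumption: each declared control for a category lowers it by one point, floor 1."""
    inherent = inherent_risk(req)
    net = {}
    for c in CATEGORIES:
        mitigations = sum(1 for ctl in req.declared_controls
                          if CONTROL_CATEGORY.get(ctl) == c)
        net[c] = max(1, inherent[c] - mitigations)
    return net


def assess(req):
    """Gate: all minimum controls declared AND every net score within threshold."""
    inherent = inherent_risk(req)
    missing = {}
    for c in CATEGORIES:
        gap = minimum_controls(c, inherent[c]) - req.declared_controls
        if gap:
            missing[c] = sorted(gap)
    net = net_risk(req)
    exceeded = [c for c in CATEGORIES if net[c] > NET_RISK_THRESHOLD]
    return {
        "inherent": inherent,
        "net": net,
        "missing_controls": missing,
        "net_risk_exceeded": exceeded,
        "approved": not missing and not exceeded,
    }


# Constructed sample data for the illustration.
PATIENT_API = ApiListing("patient-summary (constructed)",
                         {"clinical": 2, "privacy": 3, "security": 4, "identity": 3})
USE_CASE = {"privacy": 4}  # the requesting application raises privacy exposure

COMPLIANT_REQUEST = AccessRequest(
    PATIENT_API, USE_CASE,
    {"tls", "mtls", "privacy_impact_assessment", "data_minimisation", "mfa"})
INCOMPLETE_REQUEST = AccessRequest(
    PATIENT_API, USE_CASE,
    {"tls", "privacy_impact_assessment", "data_minimisation", "mfa"})

if __name__ == "__main__":
    for label, req in (("compliant", COMPLIANT_REQUEST), ("incomplete", INCOMPLETE_REQUEST)):
        print(label, assess(req))
```

Running the module shows the second request refused for a single reason (no mutual TLS at security level 4) even though its net scores are acceptable, which is the distinction the text draws between meeting the minimum controls and having a satisfactory Net risk score.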