Risk scores and the underlying risk framework

We have established a robust risk management framework essential for facilitating seamless API integration and data exchange. This structured approach enables us to effectively identify, assess, and address potential risks associated with API integration.

Our risk framework not only provides a systematic method for evaluating risks, but also clearly communicates expectations to our API users. By carefully evaluating each unique use case against predetermined criteria, we prioritise our attention on those use cases with higher potential risks to the organisation.

Moreover, we ensure that even lower-risk scenarios meet the necessary requirements to adequately mitigate potential risks. Our comprehensive risk assessment and scoring system is categorised into five key areas: clinical, privacy, security, identity, and equity.

[Figure: pyramid with security at the base, privacy above it and clinical at the top]

There are two parts to calculating a risk score.

Part one: risk score of a published API 

The first part involves assessing every API listed on the Digital Services Hub. It lets us set expectations for integrators, so they know the requirements they must meet even before they begin the onboarding process.

Each API in our catalogue has a risk score for each of the categories mentioned above (note: equity is assessed at a governance level). The score categorises the potential harm that could eventuate if the API were exposed to unauthorised parties, and it determines the minimum controls an integrator must put in place to integrate with the API: the higher the risk, the more controls are required. This lets us streamline onboarding and focus the efforts of everyone involved on the integrations that need it.

Example below (risk score by use case rating and criticality of API data):

                        (2) Criticality of API data
(1) Use case         1       2       3       4       5
      5             11      16      20      23      25
      4                     12      17      21      24
      3                             13      18      22
      2                                     14      19
      1                                     10      15

Legend: Low, Medium, High, Extreme

  • Clinical
    Calculating the clinical risk score and minimum set of controls.
  • Privacy and identity
    Calculating the privacy and identity risk score and minimum set of controls.
  • Security
    Calculating the security risk score and minimum set of controls.

Part two: organisation risk score for accessing an API

The second part of the risk score is calculated when the onboarding forms are completed, and it applies to a specific organisation requesting access to a specific API, to integrate with a specific application for a specific purpose. The same categories mentioned above are used. The API risk score recorded against each API is factored into your inherent risk score, which is calculated when you complete the form requesting access to a test API.

When the request-for-production-access form is completed, we ask what controls you have in place to mitigate the inherent risk calculated previously, and we determine whether you meet the minimum requirements for the API's risk score. If you meet the minimum requirements and have a satisfactory net risk score, you are approved to progress to the next stage of the application process.

[Figure: table showing a request to access an API]