What Do You Really Want From Your OT Cybersecurity Risk Assessment?

Most OT risk assessments end up as thick reports that gather dust on a shelf. The findings are accurate. The methodology is sound. And six months later, nothing has changed on the plant floor.

If you are about to commission a risk assessment, or you have just received one and feel vaguely disappointed, stop and ask yourself a harder question first. What do you actually want this assessment to do for you?

The four things people usually want (but rarely articulate)

In my consulting work, I see four distinct intents hiding behind the same three words “OT risk assessment”:

  1. A compliance tick-box. You need a document to show the regulator, the insurer, or the board. The exercise is real, but the primary deliverable is the report itself.
  2. A prioritised action list. You know you have gaps. You want a ranked, budget-aware plan that tells your team what to fix first, next, and later.
  3. A business case. You need numbers (likelihood, impact, expected loss) that a CFO will accept when you ask for an OT security budget.
  4. A baseline for a long-term program. You are maturing. You want a repeatable measurement so that next year’s assessment shows improvement you can defend.

These are four different engagements. They share some activities, but the output format, the depth of interviews, the tools used on site, and the way findings are written are genuinely different.

Why this matters before you sign the scope

A consultant optimising for (1) will give you a beautifully structured IEC 62443-aligned gap report. A consultant optimising for (2) will give you a heat map with owners and dates. A consultant optimising for (3) will push hard on consequence quantification, which many OT teams skip because it is uncomfortable. A consultant optimising for (4) will push back on your asset inventory and insist you fix it before anyone scores anything.

Tell your consultant which of the four you want. If you want two of them, say so, and be ready for a longer engagement, because the interview scripts are not the same.

A quick test

Before you approve the scope of work, answer these three questions on one page:

  • Who reads the final report, and what decision do they make because of it?
  • What would make me say this assessment was worth the money six months from now?
  • What is the one thing I already suspect is wrong, that I want this assessment to confirm or refute?

If you cannot answer these, you are not ready to commission the assessment, and no methodology will rescue you from that.

Where RelyBlue comes in

At RelyBlue, we start every OT risk assessment engagement with a scoping conversation that forces these answers into the room. It is not a formality. It is the difference between a report that changes your security posture and one that sits on the shelf.

If you are planning an assessment and want to talk through what you actually need from it, get in touch.

- Mr. Shamikkumar Dave | 2025-10-10