Most OT programs fail because they rank vulnerabilities, not risk.
Flip it: start with your assets and credible threats, then decide which vulnerabilities actually matter enough to fix this week.
When every finding is “critical,” nothing gets done. The backlog becomes political, and engineering, IT, and operations debate severity instead of impact.
A simple, repeatable model breaks the stalemate:
Risk = Threat × Vulnerability × Asset
Turn that into a weekly loop:
1) Asset: Pick the top systems that keep product moving and people safe (not everything).
2) Threat: Agree on the few credible scenarios that could realistically hit those assets (not theoretical CVSS fear).
3) Vulnerability: Only then map weaknesses that enable those scenarios.
4) Score: Use a consistent 1–5 scale for each factor. Multiply. Rank.
5) Commit: Fix the top 5–10 items this week. Everything else waits.
6) Review: Capture what changed in the environment, threats, or compensating controls and rescore next week.
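The six steps above as a runnable scoring loop. This is an added example, not from the original post: the asset, threat and vulnerability names, the 1–5 scores, the "week 2" changes and the function names (rank, commit_this_week, rescore) are all constructed here to illustrate the model. Note how a "critical" weakness on a low-criticality asset (the label printer) lands at the bottom while a medium weakness on a high-criticality asset stays near the top, and how a compensating control applied one week lowers the vulnerability factor and re-sorts the backlog the next.

```python
from dataclasses import dataclass, replace
from typing import Iterable


@dataclass(frozen=True)
class RiskItem:
    """One asset -> threat -> vulnerability path, each factor scored 1-5."""
    asset: str
    threat: str
    vulnerability: str
    asset_score: int   # 1-5: how much the asset matters to production and safety
    threat_score: int  # 1-5: how credible the scenario is against this asset
    vuln_score: int    # 1-5: how much the weakness enables the scenario, net of compensating controls

    def __post_init__(self) -> None:
        # A consistent scale is the whole point; reject anything outside 1-5.
        for name in ("asset_score", "threat_score", "vuln_score"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer 1-5, got {value!r}")

    @property
    def risk(self) -> int:
        """Risk = Threat x Vulnerability x Asset, so the product ranges 1..125."""
        return self.threat_score * self.vuln_score * self.asset_score


def rank(items: Iterable[RiskItem]) -> list[RiskItem]:
    """Highest risk first. Ties go to the more critical asset, then to name,
    so the order is deterministic from one week to the next."""
    return sorted(items, key=lambda i: (-i.risk, -i.asset_score, i.asset, i.threat))


def commit_this_week(items: Iterable[RiskItem], n: int = 5) -> list[RiskItem]:
    """Step 5: the top-n paths are this week's commitment; everything else waits."""
    return rank(items)[:n]


def rescore(items: Iterable[RiskItem],
            changes: dict[tuple[str, str], dict[str, int]]) -> list[RiskItem]:
    """Step 6: apply what changed (new control, new threat intel, changed criticality).
    `changes` is keyed by (asset, threat) and maps field name -> new 1-5 score."""
    rescored = []
    for item in items:
        delta = changes.get((item.asset, item.threat))
        rescored.append(replace(item, **delta) if delta else item)  # re-validates 1-5
    return rescored


# Constructed sample backlog (hypothetical plant, hypothetical scores).
BACKLOG = [
    RiskItem("Line 3 PLC", "IT-to-OT pivot over flat network",
             "unauthenticated Modbus writes reachable from IT VLAN", 5, 4, 5),   # 100
    RiskItem("Engineering workstation", "phished engineer runs malicious project file",
             "local admin, no application allow-listing", 4, 4, 4),             # 64
    RiskItem("HMI", "remote access abuse",
             "shared vendor VPN account, no MFA", 4, 3, 5),                     # 60
    RiskItem("Historian", "ransomware spread from IT",
             "SMBv1 enabled on historian server", 3, 4, 4),                     # 48
    RiskItem("Safety instrumented system", "tampering via engineering port",
             "logic key left in RUN/PROGRAM", 5, 2, 3),                         # 30
    RiskItem("Badge controller", "door control bypass",
             "default web credentials", 2, 3, 3),                               # 18
    RiskItem("Label printer", "exploit of printer firmware",
             "high-CVSS RCE in firmware", 1, 2, 5),                             # 10
]

# Constructed "week 2" review: the PLC VLAN was segmented (vulnerability 5 -> 2),
# and new intel made the historian scenario more credible (threat 4 -> 5).
WEEK_2_CHANGES = {
    ("Line 3 PLC", "IT-to-OT pivot over flat network"): {"vuln_score": 2},
    ("Historian", "ransomware spread from IT"): {"threat_score": 5},
}


def print_table(title: str, items: Iterable[RiskItem]) -> None:
    print(f"\n{title}")
    for i in rank(items):
        print(f"{i.risk:4d}  A{i.asset_score} T{i.threat_score} V{i.vuln_score}  "
              f"{i.asset:28s} {i.threat}")


if __name__ == "__main__":
    print_table("Week 1 ranking", BACKLOG)
    print("\nWeek 1 commitment:", [i.asset for i in commit_this_week(BACKLOG, 3)])
    print_table("Week 2 ranking after rescoring", rescore(BACKLOG, WEEK_2_CHANGES))
```

Running it shows the PLC path dropping from 100 to 40 once the segmentation control is in place, while the workstation path (unchanged at 64) becomes the top item for week 2. The scores themselves are the conversation starter: the multiplication is trivial, the agreement on the three factors is the work.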
Outcome: shared language across OT engineering, IT security, and operations, and a prioritized plan tied to real-world impact.
If your OT backlog feels permanent, stop asking “Which vulnerabilities are worst?”
Start asking “Which asset-threat paths are most likely and most damaging this week?”