The goal of effective risk management is to align the amount of risk taken with the enterprise’s risk appetite to meet the strategic goals and objectives of the organization. Steps taken during risk assessment and continued risk management involve identifying an area of concern (threat or conditions) and determining the likelihood of the enterprise being impacted by the concern if the risk is realized and becomes an incident.
In a recent ISACA survey, 66 percent of respondents said their executive leadership team sees value in conducting IT risk assessments. This is great news because a risk assessment can demonstrate value to the organization by identifying areas of concern, potential threats, and vulnerabilities to the information, data and technology systems of the organization before a risk is realized and an incident occurs.
The surprising piece of the story is that the frequency with which those same respondents report they conduct risk assessments varies considerably. The top responses to the question of frequency of risk assessments was: Quarterly, 29 percent; Annually, 28 percent; Every 6 months (semi-annually) 18 percent; and Monthly, 14 percent, with other organizations somewhere between ad hoc/as needed/less frequent than once a year.
What might be the reason why enterprises have such variation in conducting IT risk assessments when senior leadership says they are very valuable? One consideration is that many risk assessments are combined with control assessments. Risk assessments and control assessments are both important but are not the same. Risk assessments are forward-looking and are designed to evaluate any uncertainty in scenarios that may or may not actually materialize. Control assessments are fact-based evaluations of whether controls are implemented – there is no uncertainty as to the presence or absence of a control or set of controls. Both the identification of risk and the identification of the control state are important, and often work together in the risk management process, but need to be addressed independently when deciding which response or treatment to apply.
This may mean that a thorough identification of risks and the conditions under which a risk may materialize need additional scrutiny so that the enterprise may properly plan and execute a risk response or treatment course of action. The presence or absence of a control or set of controls may be an audit finding, and may need some actions to be taken, but a control deficiency alone is not necessarily indicative of a risk.
Often there is not a proactive risk identification process in an organization, which means there is no way to raise an area of concern to the proper level in the organization for decision-making. In my work with boards or governance committees, risk is often raised up through the audit process rather than a proactive risk identification process. In every single realized risk, crisis, or incident that I have analyzed in my career, someone knew there was a condition or circumstance that could lead to something bad happening, but there was no way for them to articulate it or raise a concern that could then be subject to the analyses processes and requisite decision-making techniques. This is the real value of conducting a risk assessment.
The goal of effective risk management is to align the amount of risk taken with the appropriate decisions to keep the enterprise operating as intended. When risk is strategically and thoughtfully taken, there are opportunities for competitive advantage, entering additional geographic markets, or developing new products and services. Scenario analysis is helpful in this step of the process because it allows brainstorming, discussion and assumptions about risk scenarios to be transparent. The risk assessment is the first and most important step to a successful risk management program that adds value to an enterprise.