Governance, Risk and Compliance
By Brian Link Modified April 17, 2020
The primary reason for conducting a risk identification and assessment process is to help identify the key risks to achieving an organization’s objectives and to then determine the appropriate response(s) to be taken for these risks. The risk rating component of the process, in particular, can help participants leverage their experiences and insights to build a multi-dimensional profile of each risk that clearly informs these responsive actions. That said, the traditional approach of plotting inherent risk and likelihood on a heat map falls short of delivering a clear picture. Fortunately, better practices have evolved that we share below.
Have you ever been in a risk assessment workshop wherein participants were asked to rate risk impact on an inherent basis? You may have seen participants roll their eyes and protest the approach as too academic, pointing out that such a circumstance (no controls) would never exist in reality. Thereafter, you may have sensed participants becoming increasingly pessimistic and dismissive of the overall risk assessment process. This is unfortunate – there is an incredible potential for risk assessments to help organizations focus upon, and properly respond to, the key risks to achieving an organization’s objectives. The good news is that many organizations have adopted an alternative rating to inherent risk – and with great success.
Rather than suggesting that controls are completely absent, or may have all failed, the MFC approach gives license for participants to consider a plausible, worst-case scenario. Yes, controls are in place but, as history has proven time and again, things happen. As such, participants are asked to consider worst-case scenarios that are plausible and to rate the potential impact of those scenarios. This approach tends to get folks thinking about key controls that may fail and/or the cascading effects of multiple controls that may fail in tandem or in sequence – precisely the type of thinking and analysis that may reveal where management should focus their controls review, assurance and/or remediation efforts. By adopting an MFC approach, you’ll notice that participants become more engaged, thoughtful and, at times, quite impassioned about their views regarding key threats to the organization – and the actions that should be taken to address them.
To help bring even greater focus and efficacy to the risk assessment process, leading organizations are employing a third rating criterion, beyond the typical impact and likelihood ratings – namely, control effectiveness, management preparedness, or a similar criterion. Most importantly, the addition of this third criterion dramatically enhances the ability to use the risk assessment process to help drive appropriate, responsive action. For example, a risk with both a high MFC rating and a high control effectiveness rating may benefit from independent, objective assurance through internal audit. Given the potential risk exposure, this can provide comfort to the audit committee that the key controls that management relies upon are indeed designed and operating effectively.
Conversely, risks rated with a low MFC rating and a high control effectiveness rating may be most efficiently monitored through control self-assessment (CSA). Finally, management can respond to risks with a low control effectiveness rating through review and/or remediation, prioritizing the actions based upon the MFC rating.
So, getting back to the aforementioned heat map – many organizations are now plotting impact (MFC) on the Y axis, control effectiveness on the X axis, and representing likelihood by plot color or size. This approach yields quadrants wherein, at a high level, responsive activities can be determined. For example, the risks in the upper-right quadrant are often considered for internal audit coverage, whereas risks in the lower-right quadrant may be served well through CSA. Risks plotted in the left-hand quadrants are considered for review and remediation, with the priority of that effort typically driven by the risk impact (MFC). Of course, other risk factors such as velocity and acceptability can be incorporated as well. That said, we’ve found that adopting MFC to rate impact, and adding a control effectiveness (or similar) rating criterion, can produce transformative results. Try it, and let us know what you think.
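The quadrant rule described above, as an added worked example that is not part of the original post: each risk carries an MFC impact rating (Y axis), a control effectiveness rating (X axis) and a likelihood rating (plot colour/size), and the code maps it to the responsive action the post assigns to its quadrant and orders the left-hand quadrants for remediation by MFC. The 1-5 scale, the high/low threshold of 3, and the sample risk register are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    impact: int      # MFC (plausible worst-case) rating, plotted on the Y axis
    control: int     # control effectiveness rating, plotted on the X axis
    likelihood: int  # plotted as colour/size; used here only as a tie-breaker

THRESHOLD = 3  # assumed midpoint of an assumed 1-5 scale; >= THRESHOLD is "high"

def quadrant(risk: Risk) -> str:
    """Place a risk in one of the four heat-map quadrants."""
    high_impact = risk.impact >= THRESHOLD
    high_control = risk.control >= THRESHOLD
    if high_control:
        return "upper-right" if high_impact else "lower-right"
    return "upper-left" if high_impact else "lower-left"

# Responsive action per quadrant, as laid out in the post.
RESPONSE = {
    "upper-right": "internal audit assurance",
    "lower-right": "control self-assessment (CSA)",
    "upper-left": "management review/remediation",
    "lower-left": "management review/remediation",
}

def triage(register: list[Risk]) -> dict[str, str]:
    """Map every risk name to its recommended responsive action."""
    return {r.name: RESPONSE[quadrant(r)] for r in register}

def remediation_queue(register: list[Risk]) -> list[str]:
    """Left-hand quadrant risks, highest MFC first (likelihood breaks ties)."""
    left = [r for r in register if quadrant(r).endswith("left")]
    ordered = sorted(left, key=lambda r: (r.impact, r.likelihood), reverse=True)
    return [r.name for r in ordered]

# Constructed sample register; names and ratings are illustrative only.
REGISTER = [
    Risk("Ransomware outbreak", impact=5, control=4, likelihood=3),
    Risk("Vendor data breach", impact=4, control=2, likelihood=4),
    Risk("Payroll fraud", impact=2, control=5, likelihood=2),
    Risk("Expired TLS certificates", impact=2, control=1, likelihood=5),
    Risk("Privileged access misuse", impact=5, control=2, likelihood=3),
]

if __name__ == "__main__":
    for name, action in triage(REGISTER).items():
        print(f"{name:28} -> {action}")
    print("Remediation priority:", remediation_queue(REGISTER))
```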