Comparing Risk Across the Enterprise
Over time, many different Risk Assessments have been performed in response to different regulations or simply to employ best practices. These range from general assessments such as Business Continuity Assessments and Information Security Assessments to those driven by specific regulatory requirements such as HIPAA (Health Insurance Portability and Accountability Act), BSA (Bank Secrecy Act), OFAC (Office of Foreign Assets Control) and GLBA (Gramm-Leach-Bliley Act).
These Risk Assessments are driven by a variety of perspectives, including the FFIEC (Federal Financial Institutions Examination Council) and state regulators, and may be based on third-party methodologies or performed internally. They most likely have different formats and are based on some variation of a High-Medium-Low (H-M-L) rating scheme.
Now the board and the external auditors are asking to be able to consolidate and compare risks across these diverse risk applications. This is necessary for the organization to allocate critical resources where they can be used most effectively and efficiently.
Developing a completely new set of Risk Assessments or questionnaires that allow these diverse risk applications to be compared would be a laborious and costly exercise. Also, management and the auditors have gained expertise and a certain comfort level with the previous risk assessments and the logic behind their ratings. Developing a methodology that allows current Risk Assessments and questionnaires to be compared therefore appears to be the conservative approach to take.
Although that approach may appear difficult at first, remember that Risk Assessments are usually composed of three factors:
· Probability of a Risk occurring;
· Impact of a Risk on the organization;
· Actions to be taken to mitigate the risk.
If we use those factors in the different risk assessments, we get closer to being able to compare risks from those different applications across the organization. Those Risk Assessments are usually in the form of Yes/No, H-M-L or open-ended questions.
Most of those diverse Risk Assessments are concerned mainly with probability, since they generally focus on:
· Whether a particular risk event happened in the past;
· Whether a particular control or best practice is in place to mitigate a risk.
With that in mind, we need to develop a mechanism that translates the number of “good” or “bad” responses within a particular risk assessment into a score that can be compared to other risks in the organization.
If the organization has experienced risk events in the past or has not employed a best-practice control, the probability of the risk occurring in the future most likely increases. The problem is finding a mechanism that can be applied consistently across the different risk applications. A consistent enterprise probability score should be based on the likelihood that the risk will occur within a particular timeframe (will occur in a year, will occur within a 5-year horizon, etc.).
To remove subjectivity, you can even consider translating the number of “good” or “bad” responses into a specific time horizon. However, this may prove difficult, since each risk area most likely has a different number of best practices and not all controls are created equal.
To translate “bad scores” into time horizons, you may need to develop a weighting system for each control that is used to mitigate the risk. Initially, you may simply elect to subjectively translate the previous H-M-L score to a time horizon. The auditors may not respond favorably to this approach, so it is important to document the logic used in this translation. Documenting the logic will also allow a ‘sanity check’ to be performed on it. Remember, there is always going to be a certain amount of subjectivity or judgment associated with each and every risk assessment; the trick is to reduce it to the lowest practical level and to be able to show support for, and have an intelligent discussion about, the logic employed, rather than have the score be the result of “gut feel”.
A scoring mechanism should also be developed to rate the impact of a risk at an enterprise level. As mentioned previously, most of the individual risk assessments are more concerned with probability or best practice than with cost or impact. If the detailed risk assessment did have an impact factor, you need to consider whether the H-M-L impact score was limited to a particular organizational unit or covered the entire enterprise. An impact of High in the Information Technology Department may not necessarily translate into a High impact score for the entire enterprise.
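The following is an added example, not code from the original article, showing one way to implement both the probability translation described above (weighted “good”/“bad” responses mapped to a time horizon) and the enterprise-level impact scaling. Everything in it is an assumption made for illustration: the control weights, the H-M-L-to-number mapping, the time-horizon thresholds, the per-department impact factors, and the sample assessments are all constructed, and an organization would substitute and document its own. Open-ended questions are not scored here; they are left for the narrative write-up.

```python
"""Added example: normalising Yes/No and H-M-L risk assessments into one
enterprise probability / impact / risk score, with the drivers recorded so
the logic can be documented for the board and auditors.

All mappings, weights, thresholds and sample data below are constructed
assumptions for illustration, not values from the article.
"""
from dataclasses import dataclass

# Assumed mapping of an H-M-L answer to a 0..1 "badness" (1.0 = worst).
HML_BADNESS = {"L": 0.0, "M": 0.5, "H": 1.0}

# Assumed policy: how much of an enterprise-wide impact a department's own
# "High" represents. IT's "High" is scaled down; Compliance findings are
# treated as enterprise-wide. An organisation would document its own table.
ENTERPRISE_IMPACT_FACTOR = {"IT": 0.8, "Compliance": 1.0, "Branch Ops": 0.4}

# Assumed thresholds translating a probability score into a time horizon.
HORIZONS = [(0.66, "likely within 1 year"),
            (0.33, "likely within 5 years"),
            (0.0, "beyond 5 years")]


@dataclass
class Question:
    control: str        # the control or best practice the question tests
    weight: float       # assumed weighting: higher = more important control
    kind: str           # "yesno" or "hml"
    response: str
    good_answer: str = "Yes"   # for yesno questions: which answer is "good"

    def badness(self) -> float:
        """0.0 = control in place / no past event, 1.0 = missing / occurred."""
        if self.kind == "yesno":
            return 0.0 if self.response.strip().lower() == self.good_answer.lower() else 1.0
        if self.kind == "hml":
            return HML_BADNESS[self.response.strip().upper()]
        raise ValueError(f"unsupported question kind: {self.kind}")


@dataclass
class Assessment:
    name: str
    department: str
    local_impact: str   # H-M-L impact as rated by the department itself
    questions: list


@dataclass
class EnterpriseScore:
    name: str
    probability: float  # weighted share of "bad" responses, 0..1
    horizon: str        # time-horizon label derived from probability
    impact: float       # department impact scaled to the enterprise, 0..1
    risk: float         # probability * impact
    drivers: list       # (control, contribution) pairs, for the audit trail


def probability_score(a: Assessment) -> float:
    """Weighted fraction of bad responses; weights let key controls dominate."""
    total = sum(q.weight for q in a.questions)
    if total <= 0:
        raise ValueError(f"{a.name}: assessment has no weighted questions")
    return sum(q.weight * q.badness() for q in a.questions) / total


def time_horizon(probability: float) -> str:
    for threshold, label in HORIZONS:
        if probability >= threshold:
            return label
    return HORIZONS[-1][1]


def enterprise_impact(a: Assessment) -> float:
    """Department H-M-L impact rescaled by the department's enterprise factor."""
    return HML_BADNESS[a.local_impact.upper()] * ENTERPRISE_IMPACT_FACTOR[a.department]


def score(a: Assessment) -> EnterpriseScore:
    p = probability_score(a)
    i = enterprise_impact(a)
    # Record which controls pushed the score up, largest contribution first,
    # so the result can be explained rather than presented as "gut feel".
    drivers = sorted(((q.control, q.weight * q.badness())
                      for q in a.questions if q.badness() > 0),
                     key=lambda d: d[1], reverse=True)
    return EnterpriseScore(a.name, p, time_horizon(p), i, p * i, drivers)


def rank(assessments: list) -> list:
    """Enterprise-wide ranking, highest combined risk first."""
    return sorted((score(a) for a in assessments), key=lambda s: s.risk, reverse=True)


def sample_assessments() -> list:
    """Constructed sample data: one IT-security and one BSA/OFAC assessment."""
    infosec = Assessment("Information Security", "IT", "H", [
        Question("MFA for admin access", 3, "yesno", "No"),
        Question("Offsite backups tested", 2, "yesno", "Yes"),
        Question("Phishing incident in last 12 months", 2, "yesno", "Yes", good_answer="No"),
        Question("Patch latency", 1, "hml", "M"),
    ])
    bsa = Assessment("BSA/OFAC", "Compliance", "M", [
        Question("OFAC screening automated", 3, "yesno", "Yes"),
        Question("SAR filings late in past year", 2, "yesno", "No", good_answer="No"),
        Question("Residual customer due diligence risk", 1, "hml", "M"),
    ])
    return [infosec, bsa]


if __name__ == "__main__":
    for s in rank(sample_assessments()):
        print(f"{s.name}: P={s.probability:.2f} ({s.horizon}), "
              f"I={s.impact:.2f}, risk={s.risk:.2f}, drivers={s.drivers}")
```

The `drivers` list is the part auditors will ask about: it shows exactly which missing controls or past events produced the score, which is what makes the sanity check and the documented rationale possible.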
Remember, developing support for your scores will be necessary not only for the board and external auditors to have confidence in your Risk Assessment, but it will also increase the likelihood that the Risk Assessment is based on reality rather than the assessor's view of reality.