Treat Your IT Risk Assessment as More Than a Checkbox Exercise

“The most successful companies have a simple process in place to capture the root cause of issues, establish corrective action plans, [and] continually focus on improving the GRC environment,” a PwC study of IT risk programs states. The IT risk assessment is both the first step in and the cornerstone of this continual improvement process. Benefits of performing an IT risk assessment include:

  • Provides executive leadership and the Board with insight into the top IT risks that pose the greatest threat to the organization’s overall business objectives, and which can have the greatest impact on shareholder value and business performance.
  • Creates an ongoing dialogue in which business leaders discuss, vet, and ultimately reach consensus on the business’s top IT risk areas — with input and approval from the Board.
  • Produces an IT risk profile, aligned with the overall ERM program, that informs the risk management action plan.
  • Creates the basis for an IT risk register (risks, controls, action plans, etc.) that can be iterated upon and improved as IT risks evolve alongside, and in response to, the business’s priorities and strategic objectives.

Despite the importance of the risk assessment, AuditBoard’s 2021 IT Risk Management Survey reveals that it is one of the most underdeveloped areas of IT risk programs, second only to data management and reconciliation.

Source: AuditBoard, 2021 IT Risk Management Survey

AuditBoard’s IT Risk Survey also found that over 28% of respondents treat the risk assessment as a checkbox exercise, typically performed only once per year. This cadence is insufficient for helping the organization continually identify, assess, and manage key IT risks in an effective manner.

Source: AuditBoard, 2021 IT Risk Management Survey

As businesses learned over the course of the COVID-19 pandemic, risks are constantly shifting and evolving — sometimes even overnight. Businesses that perform only annual risk assessments therefore risk running a program that does not accurately reflect the business’s top IT and security risks. Dated and unreliable risk data may also detract from business leaders’ ability to make informed strategic decisions, which can lead to further undesirable outcomes.

Follow IT Risk Assessment Best Practices

Performing risk assessments more frequently, on a quarterly or even monthly basis, contributes to an IT risk register that more accurately reflects the organization’s key risks as the IT risk landscape evolves in response to internal and external events. To facilitate this, it is important to have a continuous framework in place that can be easily repeated on a periodic or ad-hoc basis. This is especially important given the meticulous nature of risk assessments: 18% of respondents in AuditBoard’s IT Risk Survey said it is the most time-consuming process in their IT risk program.

Source: AuditBoard, 2021 IT Risk Management Survey

Several widely used and accepted frameworks for performing the IT risk assessment are outlined in common information security standards, including ISO 27005 and NIST 800-30, as well as COSO’s Strategic Risk Assessment Process. In addition, enabling technologies with the appropriate underlying architecture can automate the distribution and aggregation of risk surveys, as well as the risk scoring process. This saves significant time and allows risk assessments to be deployed more efficiently and frequently, contributing to a more continuous risk monitoring process.

Implement a Common Control Set Aligned with Key IT Risks

Once the organization’s key IT risks have been agreed upon, it follows that these risks should be used as the basis for mapping internal controls, policies, and standards against the compliance requirements relevant to the organization (NIST, ISO, PCI DSS, HIPAA, SOC 2, etc.). However, AuditBoard’s IT Risk Survey found that a surprising number of respondents only partially base their IT controls, policies, and standards on the key IT risks produced by the risk assessment process.

Source: AuditBoard, 2021 IT Risk Management Survey

This may be due to a lack of coordination among audit, risk, and compliance groups, as well as to areas of the risk program that have been tacked on in response to new compliance requirements. Ultimately, inaccurate mapping of controls, policies, and standards to key IT risks results in inefficient risk management activities and an incomplete risk monitoring program overall. Technology solutions can help close these gaps by linking real-time IT risk data collected from risk assessments to controls and action plans throughout the solution, making it easier to see how each element of the IT risk program maps to a corresponding key risk.

For a deeper dive into an integrated IT risk management approach, download the full 3 Fundamentals of Integrated IT Risk Management research report.