Assessing business and information risk is, in most organizations, challenging and performed in silos. This is why risk experts are encouraging companies to take a closer look at their risk assessment strategies and to think of ways to simplify, integrate, and collaborate on their assessment tasks across the enterprise.
Risk Assessment Frequency:
This topic is often debated; however, in my professional opinion, organizations should perform their risk assessments at least annually. The most common approach is for companies to assess their enterprise business risks on a calendar-year basis. I also recommend that most organizations review their risk assessment strategies quarterly, since business processes, systems, strategies, etc., may change during the course of the year. This way the annual risk assessment plan will account for those changes. I am also seeing organizations that have very inefficient risk assessment strategies, and some without any at all. The only way to ensure that your organization is risk intelligent is to implement an effective risk assessment strategy that covers the entire organization. Risk assessment results should be stored so that risk trending and analysis can be performed.
Tearing Down the Risk Assessment Silos:
The most challenging aspect of a successful enterprise risk assessment strategy involves "the silo approach to risk assessment". If you survey businesses today, you will find that a smaller percentage do not have a "central" ERM group or Chief Risk Officer who collaborates with business process leaders to consolidate risk assessment activities. In order to give boards of directors (BODs) oversight of business risks, organizations should seek to improve their efforts by bringing risk assessment efforts under one "umbrella" for centralized management and reporting.
Measuring and Weighing Risks:
There are many ways that an organization can measure and weigh its risks. The most common measurement of risk is likelihood combined with magnitude of impact. I have also worked with clients that measured their risks based on complexity, speed of onset, and/or dollar value. The key here is to choose a measurement that is right for your business and to modify it over time as assessment needs change. As far as weighing or ranking risk, I prefer to use the NIST model or approach. It is relatively simple and does not require you to be a mathematician to rank and score your risks.
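To make the likelihood-and-impact approach concrete, here is an added example (written for this post, not the author's own tooling or NIST's published code) of a small consolidated risk register: each business unit's risks are scored with a qualitative likelihood-by-impact matrix in the style of NIST SP 800-30, ranked enterprise-wide, and compared across two quarterly assessments so that trending is possible. The five level labels, the matrix cell values, the register entries, the unit names and the dates are all constructed for illustration and should be adjusted to your own scale and checked against the NIST publication.

```python
"""Added example: qualitative risk scoring, ranking and quarter-over-quarter
trending for a consolidated risk register.  All data below is constructed."""

from dataclasses import dataclass
from datetime import date

# Qualitative scale used for both likelihood and impact (assumed, NIST-style).
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Overall risk level as a function of likelihood (row) and impact (column).
# Modeled on the likelihood/impact matrix in NIST SP 800-30; the cell values
# here are an assumption for this example, not a quotation of the standard.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    owner_unit: str      # business unit that raised the risk (constructed)
    likelihood: str      # one of LEVELS
    impact: str          # one of LEVELS
    assessed_on: date    # when this assessment was recorded


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the overall risk level; reject labels outside the scale."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r}/{impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def score(level: str) -> int:
    """Semi-quantitative 1..5 value for a level, used only for ordering."""
    return LEVELS.index(level) + 1


def rank_register(entries):
    """Highest overall risk first; ties broken by impact, then by id."""
    return sorted(
        entries,
        key=lambda e: (-score(risk_level(e.likelihood, e.impact)),
                       -score(e.impact), e.risk_id),
    )


def trend(previous, current):
    """Map risk_id -> (old_level, new_level) for every risk whose level
    changed between two assessments; None marks a new or retired risk."""
    prev = {e.risk_id: risk_level(e.likelihood, e.impact) for e in previous}
    curr = {e.risk_id: risk_level(e.likelihood, e.impact) for e in current}
    return {
        rid: (prev.get(rid), curr.get(rid))
        for rid in prev.keys() | curr.keys()
        if prev.get(rid) != curr.get(rid)
    }


# Constructed sample: Q1 and Q2 assessments from several business units.
Q1 = [
    RiskEntry("R-001", "Finance", "Moderate", "High", date(2011, 1, 15)),
    RiskEntry("R-002", "IT", "High", "Very High", date(2011, 1, 15)),
    RiskEntry("R-003", "HR", "Low", "Low", date(2011, 1, 15)),
]
Q2 = [
    RiskEntry("R-001", "Finance", "Moderate", "High", date(2011, 4, 15)),
    RiskEntry("R-002", "IT", "Low", "Very High", date(2011, 4, 15)),  # mitigated
    RiskEntry("R-004", "Operations", "Very High", "Moderate", date(2011, 4, 15)),
]

if __name__ == "__main__":
    for e in rank_register(Q2):
        print(e.risk_id, e.owner_unit, risk_level(e.likelihood, e.impact))
    print(trend(Q1, Q2))
```

Because every unit's entries share one scale and one matrix, the ranked output is already the single "umbrella" view a board can be shown, and keeping each quarter's register rather than overwriting it is what makes the trend comparison possible.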
I would like to hear your views on the following:
- How do you measure and rate your risks?
- Do you have a centralized risk assessment strategy?
- Do you have a Chief Risk Officer?
Thank you
James Sayles
MBA, BS, CISSP, CISA, CISM
Vice President, Chief Risk and Compliance Officer
Favored Solutions