ISACA Now Blog

Knowledge & Insights > ISACA Now > Posts > Practical Recommendations for Better Enterprise Risk Management

Practical Recommendations for Better Enterprise Risk Management

Tracey Dedrick, ISACA board director
| Posted at 5:10 AM by ISACA News | Category: Risk Management | Permalink | Email this Post | Comments (4)

Tracey DedrickBased upon my experience in Enterprise Risk Management, I was not surprised to see respondents to new State of Enterprise Risk Management research from ISACA, CMMI Institute and Infosecurity identify risk identification and risk assessment to be the most employed risk management steps in their organizations. Nor was I surprised to see that only 38 percent of respondents indicate that their enterprises have processes at either the managed or optimized level for risk identification. In my experience, this happens often due to the suboptimal execution of the risk identification process.

As the report states in the Executive Summary, “Risk management is about optimizing risk rather than removing it entirely.” It has always been my belief that risk management serves two purposes. The first is to keep the enterprise from stepping unwittingly into a big pothole. The second is to provide the executive team with the last best piece of information required to optimize the use of risk capital across the enterprise.

In order to successfully deploy an enterprise risk framework across an organization, it is always best to be practical and expedient to the extent allowed by your regulatory environment. Where I have seen this go wrong most often is in the deployment of an enterprise-wide risk assessment.  I’ve seen instances where an enterprise assessment completely missed accounting for the biggest risks, usually produced by enterprises that do not have the right participation from top management. Further, I’ve seen enterprise assessments get so detailed as to tie the organization into knots. A friend in the consulting business told me of a project in which an unnamed regional bank was in the process of unwinding a risk assessment that had paralyzed the institution with 52,000 items of identified requiring remediation. A risk assessment run amok ties up valuable resources in an endless loop leading to the suboptimal allocation of resources within the business as well as risk management.

Below are several (what I hope are) practical recommendations to try to avoid this phenomenon.

1. Big risks can be ignored when the right people aren’t in the room for the conversation. Start at the highest level within the organization and get the people in the room that own the risk from the top down. This keeps the right themes in play and avoids the well-meaning though less informed from dragging the exercise down to a mind-numbing level of tedium. A risk assessment needs to be the business or operating function’s view, guided and respectfully challenged by risk management.  Including the right people in the process from the outset creates buy-in to and ownership of the results.

2. When constructing your risk assessment, keep to a five-box chart. Anything greater invites a significant amount of conversation parsing the shades of gray while providing immaterial benefit.

3. A risk assessment is NOT a SOX process. This is not about curing control deficiencies; this is about managing risk to an acceptable level after controls have been put into place.  After you have determined the Residual Risk Rating in a risk assessment, there should be an evaluation as to whether or not a risk is “worth” fixing from a financial, reputational or strategic perspective.

4.  In your enterprise risk framework, include a formal Risk Acceptance process. Here is where you may declare that as an organization any residual risks that end up in the lower-left quadrant may be risk accepted and no steps need be taken to cure. If this risk acceptance process is well documented, reasonable and supportable, it should pass muster with any regulator.  A risk assessment should be reevaluated annually to keep an eye on risk migration.

5.  Make sure that the Impact and Likelihood scales reflect the size and maturity of the organization and are clearly discussed and agreed upon by all participants through the risk governance process. This will help keep the minutia and disagreements from creeping into the process. Consult your finance team or head of investor relations (if publicly traded) to obtain a sense of what external constituents may feel is material when constructing a table for discussion. Another suggestion is to listen to your company’s earnings call, if publicly traded, and pay attention as to how earnings are discussed and the questions asked by the analyst community. It will tell you what rises to the level of materiality to your shareholders.

View large table.

6. Agree that the risks in the upper right-hand quadrant of the Residual Risk chart have the highest priority with regard to mitigation strategies and deal with those first. Provide a reasonable expectation and timeframe for the moderate risks.

7. Be sure that executive management and the board agree and sign off on the results of the final risk assessment, including the scales used in your charts and the risk acceptance process.

An appropriate risk assessment process is a valuable tool in managing enterprise risk. Improperly deployed, it can result in poor allocation of resources. I am confident enterprises would prefer resources spent on mitigating material risk issues rather than doing risk assessments that add little marginal value. Enterprise Risk Management should be a partner with the business in ensuring an appropriate risk-adjusted return is made for the entity’s constituency. It is inevitable that a natural tension exists in that relationship, but reasonability, transparency and participation create buy-in into the process and ownership in the results.


Parallel Assessments

Just out of curiosity, is it considered a common method of operation for organizations to conduct parallel risk assessments? While properly performed risk assessments are certainly scientific, they can also be highly subjective in large, complex organizations. This might particularly be the case when measuring against the Impact and Likelihood scales depicted above (especially when assessing technological risk). In some cases, the management of a particular risk could be exhaustive, time consuming, and expensive. If disparity occurs in the parallel assessments, deconfliction might be necessary.      
Kenya471 at 10/30/2019 2:34 AM

Parallel Assessments

Kenya471, I'm afraid I don't understand when you say "parallel risk assessments".  If I may be allowed guess what you are saying I would respond as follows.
In my experience there should be one "gold copy" of a risk assessment that is agreed upon by the line of business owner and risk management or the corporate support unit ( e.g., IT, Finance)and risk management. 
Risk Assessments are usually categorized under risk pillar and in the case of IT, it would fall under Operational Risk.
Frameworks (e.g., NIST, COBIT) and models (e.g., Economic Capital, VAR) are not omniscient and therefore you cannot escape the use judgement and the perils of subjectivity. This came evident in the crash of 2007 when there was much reliance on models.  People forget they are built on assumptions and didn't have an idea of how their models would fail in an extreme environment.
The best you can do is to be sure there is agreement all the way to the top on where/what judgement and subjectivity have been applied.
I hope this answered your question.
Tracey316 at 10/31/2019 12:20 PM

Re: Parallel Assessments

One “gold copy” makes perfect sense, thank you so much for the reply and follow-up!
Kenya471 at 11/4/2019 4:04 AM


How do you ascertain and quantify likelihood or probability when there is a lack of historical data for operational risks across a sector (causation, frequency, etc.) especially given the completely diverse nature of information stored/processed/transmitted, business processes, controls implemented, lack of root cause for incidents of other companies (presume similar but not required), the substantial level of heterogeneous technology in an company, varying levels of maturity in management of information and IT security?  Rather, presuming a company can actually quantify the consequence/impact of a system, application, business process, etc. in terms of financial loss and foregone income, why not simply evaluate that inherent or distressed value of the asset(s), determine the effectiveness of existing controls/safeguards as a means, based on testing/industry best practice, the reduction of that inherent risk to define what the residual risk to losses (estimated financial loss and/or foregone income) and evaluate that against a defined risk appetite (presuming that the Board has approved such an amount)?  This will lead to a clear and concise discussion on said alignment to risk appetite and if a gap exists, what the cost would be to remediate that gap and whether its fiscally prudent (business case) to remediate or revise the risk appetite to align with the company's current risk posture.  This too could incorporate a KRI/KPI for reduction in risk posture over a period of time by optimizing people, process, technology, and/or environment.  Note however, what brings substantial complexity to this effort is that some controls/safeguards are enterprise level (e.g., Opsec/Intelligence, network security infrastructure, email security, IAM, and on and on) while others may be expressly limited to the asset(s) being evaluated.  Your thoughts would be most appreciated.
marcsokol at 11/7/2019 12:57 PM
You must be logged in and a member to post a comment to this blog.