Syed Fahd Azam, CISA
Risk assessment has become an integral part of today’s organization, as business operations are expanding and diversifying, resulting in increased risk exposure. In addition, tighter regulatory oversight across the globe has led to the emergence of assurance functions such as operational risk management, information security, internal audit, internal control and compliance. Each of these functions stresses the importance of risk assessment within the organization and performs its own independent, comprehensive exercise within its specific domain.1
Generally, there is room for debate about integration among all assurance functions and the use of an integrated risk assessment program (IRAP). Most standards have mapping documents available that show control overlaps among various standards and best practices, but they are rarely followed and adopted by the assurance functions of organizations.2, 3, 4
The question arises: Is the integration of assurance functions really a need?
Generally, professionals working in compliance, audit, risk management or information security departments face the following issues that give rise to the need for an integrated risk management program:
Keeping these issues in mind, organizations could start considering integration of assurance functions by identifying the overlapping and redundant activities. Examples of areas of common interest include:
The assurance functions should synchronize and align their common activities with respect to scope, objective and methodology. This would allow for the development of an IRAP. For risk assessment, international standards are used to ensure that best practices and controls are applied to mitigate the risk associated with systems, services and processes. An illustration of integrating two departments is depicted in the following figures, where one department uses ISO 27001:2005 and the other Basel II.5
Figure 1 identifies the steps to carry out risk assessment of different departments through integrated self-assessment.
Figure 2 specifies the factors for assigning the values for criticality, likelihood and impact.
Figure 3 is a demonstration of an IRAP.
The risk assessment integration could benefit the organization in the following ways:
The assurance functions in an organization should be closely associated with one another’s activities and risk findings, and mechanisms should be in place to keep each function abreast of them. Based on overlapping activities, the functions should devise assessment strategies that focus on potentially high-risk areas. Upon mutual consensus, it is critical to synchronize and align areas of engagement with the intent of strengthening the organization’s controls and improving its risk posture.
1 PricewaterhouseCoopers, A Practical Guide to Risk Assessment: How Principles-based Risk Assessment Enables Organizations to Take the Right Risks, December 2008, www.pwc.com/en_us/us/issues/enterprise-risk-management/assets/risk_assessment_guide.pdf
2 Wade, Jared; “Why Risk Management Should Collaborate With Internal Audit,” Risk Management, 19 April 2012, www.riskmanagementmonitor.com/why-risk-management-should-collaborate-with-internal-audit/
3 Chickowski, Ericka; “Better Integrate IT Risk Management With Enterprise Risk Activities,” Security Dark Reading, 27 December 2012, www.darkreading.com
4 Steinbart, Paul John; “The Relationship Between Internal Audit and Information Security: An Exploratory Investigation,” International Journal of Accounting Information Systems, vol. 13, issue 3, September 2012, p. 228–243
5 ISACA, IT Control Objectives for Basel II: The Importance of Governance and Risk Management for Compliance, 2007, www.isaca.org
6 Betbeder-Matibet, Nicolas; 6 Concrete Benefits of an Integrated GRC Initiative, Mega, September 2012, www.mega.com/en/c/resource/p/ebook/a/resource-ebook0012
7 ISACA Bangkok Chapter, “‘CEO Integrated Management—Audit’ Integrated Audit in Practice,” IIAT Annual Meeting, Swissotel Le Concorde
Syed Fahd Azam, CISA, is assistant vice president of information security at Meezan Bank Limited, Pakistan. He manages information security and compliance at the enterprise levels. He is involved in developing policies, performing audits and conducting awareness sessions. Azam has five years of experience in the field of IT governance. He can be reached at firstname.lastname@example.org.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2013 ISACA. All rights reserved.