An Integrated Risk Assessment Program—A Cliché or a Need? 


Risk assessment has become an integral part of today’s organization as business operations are expanding and being diversified, resulting in increased risk exposure. In addition, the tightening of regulatory bodies across the globe has resulted in the emergence of assurance functions such as operational risk management, information security, internal audit, internal control and compliance. Each of these functions stresses the importance of risk assessment within the organization and performs independent comprehensive exercises within the specific domain.1

Generally, there is room for debate about integration among all assurance functions and the use of an integrated risk assessment program (IRAP). Most standards have mapping documents available that show control overlaps among various standards and best practices, but they are rarely followed and adopted by the assurance functions of organizations.2, 3, 4

The question arises: Is the integration of assurance functions really a need?

Generally, professionals working in compliance, audit, risk management or information security departments face the following issues, which give rise to the need for an integrated risk assessment program (IRAP):

  • Risk assessments performed by assurance professionals are specific to their respective domain and do not give a holistic risk profile of the organization, which results in the presence of unmitigated and undetected threats.
  • Often, assurance functions need different departments to nominate representatives for their correspondence and coordination. Typically, a department can assign the responsibility to a single resource. The efforts of the nominee multiply as each assurance function forms its respective teams within the organization. The individual often ends up performing similar tasks, such as self-assessments, statistics reporting and call-tree updating, for different groups, resulting in duplication of effort and repetitive and redundant activities.
  • Management often misinterprets observations that are common across different reviews and audit reports because of the difference in severity level and recommendation. As a result, these observations are inappropriately treated and reappear.
  • The different audits and review exercises of the assurance functions often frustrate the auditee because of the constant information gathering and response requirements associated with these activities and performed in short intervals of time.
  • The auditee sometimes provides different resolution and target dates for observations that are similar to those reported by different assurance functions in their audit or review reports.

Keeping these issues in mind, organizations could start considering integration of assurance functions by identifying the overlapping and redundant activities. Examples of areas of common interest include:

  • Obtaining nomination for departmentwide coordinators
  • Conducting awareness sessions
  • Obtaining departmentwide asset inventory
  • Identifying business processes
  • Identifying internal and regulatory requirements
  • Performing business impact analysis
  • Assessing risk
  • Investigating incidents
  • Reporting to management

The assurance functions should synchronize and align with common activities with respect to their scope, objective and methodology. This would allow for the development of an IRAP. For risk assessment, international standards are used to ensure that best practices and controls are used to mitigate risk associated with systems, services and processes. An illustration of integrating two departments is depicted in the following figures, where one department uses ISO 27001:2005 and the other Basel II.5

Figure 1 identifies the steps to carry out risk assessment of different departments through integrated self-assessment.

Figure 1

Figure 2 specifies the factors for assigning the values for criticality, likelihood and impact.

Figure 2

Figure 3 is a demonstration of an IRAP.

Figure 3

The risk assessment integration could benefit the organization in the following ways:

  • A holistic risk management approach—Effective coordination among assurance functions enables each function to understand the key risk areas of the organization. This, in turn, results in mitigation of risk based on consensus. Each assurance function evaluates risk with respect to its domain and views risk collectively to give an aggregated mitigation.
  • Synchronized risk assessment efforts—The departments can strengthen each other by providing assistance through knowledge and resource sharing. This could include performing joint risk assessment exercises for areas of common interest or sharing materials such as risk assessment reports and audit programs. This can reduce redundant engagement of resources and improve synergy across assurance functions.
  • Maximum risk treatment—When risk is analyzed from various perspectives, the likelihood of gaps in the mitigating controls is greatly reduced. Maximum risk treatment results in minimal residual risk, which can be accepted easily by the organization.
  • Standardized control across the enterprise—The mapping of international standards and best practices to identify controls enables the assurance functions to develop a control baseline that could be implemented across the organization.
  • Low-cost and enterprisewide coverage—The cost of carrying out continuous risk assessment can be lowered if self-assessment is performed against the joint control baseline. This reduces the number of redundant activities and man-hours of different assurance functions.
  • Comprehensive and consistent risk reporting—The coordination among assurance functions results in identification of risk factors that might have gone unnoticed. Also, evaluation of risk from different perspectives helps in assigning appropriate priority with respect to impact on business area or service.
  • Follow-up and control resolution convenience—If similar or repetitive controls from various assurance functions are grouped together, their resolution by the auditee becomes simpler since he/she will have fewer observations and target dates to meet. It becomes easier even for the compliance department, as it will not have to follow up on controls separately.6, 7

Conclusion

The assurance functions in organizations should be closely associated with each function’s activities and risk findings, and mechanisms should be in place to keep abreast of these activities and risk findings. Based on overlapping activities, the functions should devise assessment strategies to work on potentially high-risk areas. Upon mutual consensus, it is critical to synchronize and align areas of engagement with the intent to strengthen the organization’s controls and improve risk posture.

Endnotes

1 PricewaterhouseCoopers, A Practical Guide to Risk Assessment: How Principles-based Risk Assessment Enables Organizations to Take the Right Risks, December 2008, www.pwc.com/en_us/us/issues/enterprise-risk-management/assets/risk_assessment_guide.pdf
2 Wade, Jared; “Why Risk Management Should Collaborate With Internal Audit,” Risk Management, 19 April 2012, www.riskmanagementmonitor.com/why-risk-management-should-collaborate-with-internal-audit/
3 Chickowski, Ericka; “Better Integrate IT Risk Management With Enterprise Risk Activities,” Security Dark Reading, 27 December 2012, www.darkreading.com
4 Steinbart, Paul John; “The Relationship Between Internal Audit and Information Security: An Exploratory Investigation,” International Journal of Accounting Information Systems, vol. 13, issue 3, September 2012, p. 228–243
5 ISACA, IT Control Objectives for Basel II: The Importance of Governance and Risk Management for Compliance, 2007, www.isaca.org
6 Betbeder-Matibet, Nicolas; 6 Concrete Benefits of an Integrated GRC Initiative, Mega, September 2012, www.mega.com/en/c/resource/p/ebook/a/resource-ebook0012
7 ISACA Bangkok Chapter, “‘CEO Integrated Management—Audit’ Integrated Audit in Practice,” IIAT Annual Meeting, Swissotel Le Concorde

Syed Fahd Azam, CISA, is assistant vice president of information security at Meezan Bank Limited, Pakistan. He manages information security and compliance at the enterprise levels. He is involved in developing policies, performing audits and conducting awareness sessions. Azam has five years of experience in the field of IT governance. He can be reached at fahd.azam@gmail.com.


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.


© 2013 ISACA. All rights reserved.