Over time, the term risk assessment has become so commonplace that it has almost lost its meaning and is now much maligned.
Organizations run helter-skelter carrying out risk assessments that eventually become exercises in futility. One wonders why well-meaning managers, highly paid consultants and C-suite members with years of experience, access to tons of research, and the best of intentions so often end up with unusable outcomes.
Here are six key lessons from more than a decade of working with organizations across the board on risk assessments from various perspectives, including information security, application security, health and safety, and project management:
- Strategize: The first step is to put in place a well-defined and articulated strategy which not only becomes a guidepost which can be revisited time and again, but which also can be the buoy you cling to when the time comes. A clear, well-articulated strategy can go a long way in ensuring successful risk assessments and driving outcomes.
- Keep it simple: Simple is the friend of the wise and can go a long way in ensuring effective risk assessments and outcomes. A simple risk assessment is aligned with strategy, has wide and deep buy-in, and helps keep things practical. Simple risk assessment approaches deliver results easily and enable stakeholders to use them to manage risks effectively. Because a simple approach is closely aligned to the organization, its context and its culture, and is easy to use, keeping it simple helps ensure sustainable success.
- Buy-in, buy-in, buy-in: Irrespective of the reason for the risk assessment, effectiveness is determined by how deeply the various stakeholders are involved, how much information is shared, and how the outcomes are perceived. Stakeholder buy-in determines how the risk assessment is approached and how the various stakeholders get involved, and is a surefire way to achieve success. Buy-in is easier said than done: it requires effective training and communication, transparency on all aspects of the risk assessment, a risk-aware organizational culture, and, most importantly, visible management commitment.
- Perfect is the enemy of practical: Aiming for perfection is desirable, but most organizations face day-to-day requirements, expected outcomes and constraints: limited time, the need to act on identified risks as you go along, the dynamic nature of risks, and the need to balance risks against the costs involved. It is therefore imperative to keep the focus on the practical. Being practical means the risk assessment used is repeatable, reliable and produces consistent results over time. Remember: you want to be able to identify potential risks and take reasonable actions to mitigate them, and to recover if those risks materialize.
- Benchmark wisely: A key piece of advice on risk assessments is to benchmark. Assessing the outcomes of your risk assessment against what your peers in industry are doing can give your efforts a sense of stability and provide much-needed navigational support. But it is worth remembering that your industry peers are as fickle as you are, and no one wants to share information that is less than stellar. Very often benchmarking data comes with small print, which means the data is usable only under certain standard test conditions and may be impractical, if not outright nonsensical, in yours.
- Modeling is best left to the ramp: OK, I know your eyebrows might have merged with your hairline, but the point is this: unless models are chosen appropriately and customized to suit your organizational needs and the purpose you have in mind, off-the-shelf models can actually make things more difficult. If you must choose a model, keep it simple (see point 2 above).
Combine the above in the right proportions and your risk assessment is guaranteed to deliver results and go a long way toward achieving organizational objectives and strategies, leading to effective risk management.
R.V. Raghu, Director, ISACA
[ISACA Now Blog]