Risk and control assessments are basic tools. Everyone uses them and most struggle with them. Ask five people at a conference and you will find that even the name is not uniform—risk and control self-assessment, risk control self-assessment, control self-assessment. These assessments can quickly become wasteful or distracting if key prerequisites are not met.
To avoid problems, ask yourself five key questions:
- Do we “know the business”? Many assessments are focused only on known risks, controls and weaknesses (“watched pots”); they miss weaknesses that are less apparent and those in the underlying process.
- How sound was the risk evaluation that led to the controls being designed and implemented? Assessments depend on properly completed prior steps in risk evaluation and response, including environment and enterprise capability evaluation, scenario analysis, root-cause analysis, dependency analysis, control design, and control implementation. If not sound, it is likely that the wrong controls are assessed and that the findings have little value.
- Does the assessment cycle keep pace with real-world change? If change in risks (environment and process, or controls) is more frequent than the evaluation period, the assessments will miss real risk. For example, if your IT environment changes every few months, business continuity test cycles should match that cycle—anything else gives a false sense of confidence.
- Do control assessments actually focus on controls, or do they mix in policies, procedures or rules? “Green” ratings for the existence of policies are a long way from examining a control that can detect an out-of-bounds condition and act on that information.
- Do assessments divert attention from daily use of risk management? Both lag time and emphasis on control (rather than environment or business capabilities) have a tendency to cause organizations to see risk management as only a “bandage” assurance function, rather than a valued management function that fixes root causes.
If they fall into the traps noted here, risk or control assessments probably also divert resources from more helpful risk management activities and create a false sense of assurance. These traps have led to serious harm. Consider data breaches, frauds, network outages, robo-signings and other problems that occurred when controls were, on paper, acceptable. Of course, assessments and tests must be applied with appropriate rigor to drive meaningful action. The good news is that these problems are relatively easy to fix.
This article was adapted from Brian Barnier’s book The Operational Risk Handbook for Financial Companies.