As I pondered about what blog content may be interesting and useful to our current and prospective clients, I kept coming back to one interesting client discussion I recently had. I was working with a first-year SOC 2 readiness client, and they were asking for insights and my perspectives on best practices for conducting an enterprise risk assessment. I had recently been researching ISO risk management as well as SOC 2 risk management best practices. What I found interesting about this discussion was that this particular company had never conducted an enterprise-level risk assessment.
Keep in mind, this organization was no spring chicken: the Company had been around for years, humming along, making money, and delivering its services without a hitch. From my position, hearing this made me uneasy – I have seen enough in my 25+ year career to know that this Company has been very lucky! Very lucky that up until now, an unmitigated risk had not popped up to impact them, their clients, the public, or the nation.
I felt passionate that I should be guiding them toward understanding the benefits and importance of completing their own enterprise risk assessment. They had to understand that conducting a risk assessment was more than just checking a box to be one step closer to their SOC compliance. The old adage “You can lead a horse to water but you can’t make it drink” came to mind as I decided where to point them to begin this exercise. In order to move forward, I wanted them to play a role in determining which risk management framework to use.
Commonly Utilized Risk Management Frameworks
For purposes of this exercise, I focused on two risk management frameworks that address enterprise risks and specifically also include sufficient consideration of information technology risks.
- ISO 31000 – ISO Risk Management
- COSO ERM and COBIT v5 Integrated Frameworks
Please note, that there are other risk management frameworks, some of which are enterprise-focused, information technology-focused, and some business-focused. Each is useful to consider for perspectives when developing a risk assessment program, such as:
- NIST Cybersecurity Framework (CSF)
- RIMS Risk Maturity Model (RMM)
- The IIA’s International Professional Practices Framework (IPPF)
- Factor Analysis of Information Risk (FAIR)
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
- Threat Assessment and Remediation Analysis (TARA)
- IT Service Management (ITSM) Paradigm with Information Technology Infrastructure Library (ITIL) V4
- Open Compliance and Ethics Group Red Book (OCEG)
Using the two risk management frameworks to guide the discussions, we focused our conversation on the organized nature of the frameworks and on how each aligned with their existing processes. Because the risk assessment requirement was a mandatory component in nearly every compliance and certification framework my client was looking to achieve, my client made a selection and conducted their own internal assessment. As there is no required risk assessment framework for SOC 2, the Company tailored the applicable frameworks to the needs of their organization.
ISO 31000 – ISO Risk Management
The ISO 31000 framework was an obvious focal point for providing relevant guidance to my client to assist with their risk assessment planning. ISO 31000 would align nicely with ISO/IEC 27001:2022 risk requirements, as well as SOC 2 requirements. The International Organization for Standardization (ISO) developed ISO 31000 to provide common principles and guidelines for risk management. This means that this global risk management framework is not specific to any industry.
The framework integrates risk management into the governance and decision-making processes and procedures of an organization. This risk management framework allows for organizations that are of different sizes and industries to align to a shared framework and method for handling risks. This risk management framework focuses on improving the quality of decision-making and assisting companies in achieving their strategic goals and objectives while mitigating potential risks.
COSO ERM & COBIT v5 Integrated Frameworks
COSO published the Enterprise Risk Management Framework and this has become a standard framework for audit, risk, and compliance. A Company’s management may utilize COSO principles to develop its risk management processes. These principles should address the culture, capabilities, and practices that are required to be integrated with the Company’s strategy to achieve the Company’s objectives.
COSO may be integrated with COBIT 5, as COBIT identifies the framework to specifically address the IT risks. COBIT 5 allows for “IT to be governed and managed in a holistic manner” for the entire Company, and it provides full coverage of the “end-to-end business and IT functional areas of responsibility”. This integrated framework considers the business interests as well as the IT-related interests of internal and external Company stakeholders.
Commonalities Between the Risk Frameworks
When leveraging the frameworks for guidance to the Company management, commonalities showed up from the start. Each framework has a series of steps or stages that are cyclical to continue to manage the Company’s risks.
- Establish the Context of the Assessment
- Communication with Responsible Parties
- Identify Enterprise Risks
- Analyze and Evaluate Likelihood and Impact
- Respond to Risks
- Monitor and Review Periodically
- Recording and Reporting
- Continuous Risk Identification and Assessment
The frameworks' guidance also suggests common enterprise risks that may be areas of focus.
Areas of Risk to Be Aware Of
Common areas of risk to consider include:
- IT Security risk
- Financial risk
- Operational risk
- Regulatory risk
- Strategic risk
- Compliance risk
- Economic risk
- Legal risk
- Natural disasters
Conversations are held with responsible parties that hold roles in each of the risk areas and may include a moderator who is familiar with conducting risk assessment discussions.
Identifying Risk Significance
Within the frameworks, risk significance is based on a scoring of the Impact and the Likelihood of the risk. Therefore, the higher the impact on the Company if the risk occurred, and the higher the likelihood of the risk occurring, the more significant the risk would be considered in the assessment.
Impact – level of damage sustained when a risk event occurs:
- 5 Very High/Critical: Almost certain to threaten the continuance of the Company or Services
- 4 High/Serious: Substantial impact on Company time, cost or quality
- 3 Moderate: Notable impact on Company time, cost or quality
- 2 Low: Minor impact on Company time, cost or quality
- 1 Very Low: Negligible impact
Likelihood of the risk event occurring:
- 5 Very High: Event is almost certain to occur
- 4 High: Event is highly likely to occur
- 3 Moderate: Event is somewhat likely to occur (as likely as not)
- 2 Low: Event is unlikely to occur
- 1 Very Low: Event is highly unlikely to occur
Determining an Appropriate Risk Response
Risk responses, including mitigation approaches, depend on the significance determined during the risk evaluation:
- Modify the Risk – Determine what controls exist that reduce the likelihood of it occurring and/or the damage it will cause.
- Risk Acceptance – Accept that the risk falls within previously established risk acceptance criteria.
- Avoid the Risk – Change the business or IT circumstances that are causing the risk.
- Share the Risk – Identify if there is a business partner, such as an insurance firm or a third party that is better equipped to manage the risk.
All risks, risk responses, and responsible party approvals are to be documented and memorialized, and changes should be tracked along with the mitigation techniques and approaches to resolution, as appropriate.
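To make the scoring and response steps above concrete, here is an added worked example (my own illustration, not part of the original post or any of the frameworks' published material). It scores a small, constructed risk register using the 1–5 Impact and Likelihood scales from the post, ranks the risks by significance, and maps each one to a candidate response. Two things are assumptions: significance is taken as Impact × Likelihood (the post says the score is based on both but does not fix the combination rule), and the numeric cut-offs that choose a response tier are illustrative only; every organization sets its own acceptance criteria.

```python
"""Score and rank a constructed enterprise risk register.

Added example, not from the original post. Assumptions:
  * significance = impact * likelihood (scores range 1..25)
  * the response thresholds below are illustrative, not from any framework
  * the register entries are made up for the example
"""
from dataclasses import dataclass

# Rating scales exactly as listed in the post
IMPACT = {5: "Very High/Critical", 4: "High/Serious", 3: "Moderate",
          2: "Low", 1: "Very Low"}
LIKELIHOOD = {5: "Very High", 4: "High", 3: "Moderate",
              2: "Low", 1: "Very Low"}


@dataclass(frozen=True)
class Risk:
    area: str          # one of the risk areas listed in the post
    description: str
    impact: int        # 1-5 on the IMPACT scale
    likelihood: int    # 1-5 on the LIKELIHOOD scale
    owner: str         # responsible party who approves the response


def significance(risk: Risk) -> int:
    """Combine the two ratings; reject anything outside the 1-5 scales."""
    if risk.impact not in IMPACT or risk.likelihood not in LIKELIHOOD:
        raise ValueError(f"ratings must be 1-5: {risk}")
    return risk.impact * risk.likelihood  # assumed combination rule


def suggested_response(score: int) -> str:
    """Map a significance score to one of the post's four response types.

    Thresholds are an assumption for illustration; a real program sets
    these from its documented risk acceptance criteria.
    """
    if score >= 15:
        return "Modify the Risk or Avoid the Risk"
    if score >= 8:
        return "Modify the Risk or Share the Risk"
    return "Risk Acceptance (within acceptance criteria)"


def rank_register(register: list[Risk]) -> list[dict]:
    """Return register rows sorted most-significant first, with the
    suggested response attached. Ties break on impact, then area name."""
    rows = []
    for risk in register:
        score = significance(risk)
        rows.append({
            "area": risk.area,
            "description": risk.description,
            "impact": f"{risk.impact} {IMPACT[risk.impact]}",
            "likelihood": f"{risk.likelihood} {LIKELIHOOD[risk.likelihood]}",
            "score": score,
            "response": suggested_response(score),
            "owner": risk.owner,
        })
    return sorted(rows, key=lambda r: (-r["score"], r["impact"], r["area"]))


# Constructed sample register covering several of the post's risk areas
SAMPLE_REGISTER = [
    Risk("IT Security", "Ransomware on shared file servers", 5, 3, "CISO"),
    Risk("Regulatory", "Missed SOC 2 evidence deadline", 3, 4, "Compliance Lead"),
    Risk("Natural disasters", "Flooding at primary office", 4, 1, "Facilities"),
    Risk("Financial", "Loss of a top-three customer", 4, 2, "CFO"),
    Risk("Operational", "Single point of failure in billing job", 2, 5, "Ops Manager"),
]


if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        print(f"{row['score']:>2}  {row['area']:<18} {row['description']:<40} "
              f"-> {row['response']}  (owner: {row['owner']})")
```

Running the block prints the register ordered from the ransomware risk (score 15) down to the flooding risk (score 4). The useful habit it shows is that the ranking and the candidate response are derived from recorded ratings and documented thresholds, so a reviewer can reproduce why a risk landed where it did, which is exactly the traceability the "document and memorialize" step above asks for.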
Benefits of Conducting an Enterprise Risk Assessment
When a Company successfully implements an enterprise risk assessment program and process, several benefits may be seen immediately.
- Prepared for potential threats – With the identification of potential risks, companies can prepare contingency plans and strategies to mitigate the risk impact.
- Continued compliance – Most frameworks require evidence of enterprise risk assessments and many industries have stringent regulatory requirements. The risk assessment may aid in compliance with regulatory requirements and thus reduce the risk of legal issues.
- Potential Improvements to the Company’s Reputation – Proactive risk identification and risk management help to protect the Company’s reputation by preventing and minimizing incidents that could potentially harm itself or its clients.
- Builds a Company’s Disaster and/or Incident Resilience – May assist Companies in continuing operations during or after a risk event by enabling the Company to face it and recover from it faster.
- Better Decision Making – Conducting an enterprise risk assessment evaluates the risks and assists management in making more informed decisions to correctly prioritize potential risk activities.
- Consider New Innovations – When a Company manages its risks effectively, it can begin to focus on other innovations and programs.
Summary
In conclusion, enterprise risk assessment is a discipline that addresses the full spectrum of a Company’s risks, including challenges and opportunities, and integrates them into an enterprise-wide program. Conducting a sufficient enterprise risk assessment contributes to improved decision-making and supports the achievement of a Company’s mission, goals, and objectives.
My client ended up conducting a risk assessment, expressed deep gratitude, and identified lessons learned that they stated may well end up saving their people time and ultimately saving the Company money. The board of directors was impressed with the resulting analysis, and everyone involved appreciated the risk reduction approaches enabled by the risk program implementation.
If your Company has not conducted an enterprise-wide risk assessment, consider doing so by utilizing one of these great frameworks as a starting point for guidance. If you have any questions or are interested in what other readiness activities Linford may be able to assist you with, reach out for more information at any time.
Rhonda is a Partner at Linford & Co. delivering risk services including service organization control (SOC) engagements, and Internal Audit services (IT and Business process audits). Rhonda has her CPA, CISSP, PMP, and CISA certifications and delivers leading-edge client service. Previously, Rhonda was a Managing Director at Deloitte, and brings a wealth of expertise in the areas of risk management and compliance.