Risk evaluation and mitigation strategies for SOC 2 compliance are something many first-time clients are asking me about more frequently. In the following paragraphs, I will discuss requirements for service organizations to consider when contemplating or undergoing a SOC 2 audit, specifically the risk assessment and mitigation strategies in place at the service organization.
Within the Trust Services Criteria (TSCs) governed by the AICPA is the Security Criteria (also known as the common criteria) which includes the Risk Assessment Criteria (CC3). The Risk Assessment Criteria covers COSO Principles 6-9 and has areas of focus which include management’s assessment of risk and mitigation of that risk, among other things, that can assist the service organization in creating controls that meet the SOC 2 Criteria.
Risk Assessments & the SOC 2 Criteria
Risk assessments can be used by service organizations to evaluate the type of risk present as a result of the service organization’s service commitments and system requirements, or in other words, the risk present to the service organization as a result of doing business. Many service organizations are already doing this in an informal manner and, as part of undergoing a SOC 2 audit, should consider formalizing the process.
If the service organization has a formalized risk assessment process prior to undergoing a SOC 2 audit or readiness assessment, this will assist the auditor in evaluating the service organization’s control environment and performing their own risk assessment as part of the audit planning process. If a risk assessment has yet to be formalized or isn’t being performed in any capacity, this is a possible control gap that will hopefully be identified by the auditor during the readiness assessment for the SOC 2 audit. Many service auditors offer a readiness assessment as part of the first-time audit for new clients. This is something to consider when choosing a service auditor if the service organization has yet to undergo a SOC 2 audit.
The Security Criteria contains CC3 which is specific to risk assessment and focuses on how the service organization has specified objectives and evaluated risks to achieving those objectives. Additionally, it focuses on how risks to objectives are analyzed and managed by the service organization. Points of focus provided when considering the criteria involve management performing a risk assessment which will aid in evaluating risk. So if a service organization has yet to formalize a risk assessment process, they will likely need to do so for their SOC 2 audit.
How Risk Assessments Evaluate Risk
The service auditor working on the SOC 2 readiness assessment can assist in providing management with recommendations for how to document the risk assessment and things to consider when performing the risk assessment. But the responsibility of performing the service organization’s risk assessment lies with management.
In performing the risk assessment, management at the service organization will first need to define their service commitments and system requirements in order to then evaluate the risks to achieving those objectives. When brainstorming risk factors, management should consider risk not just in one area of the organization but across the organization as a whole. Both internal and external risks can be considered when evaluating risks, such as the following:
- System Risks, etc.
When risk factors have been identified, management can then evaluate the risk by determining the likelihood and potential impact of the risk. The size and complexity of the service organization should be considered when determining the likelihood and potential impact of the risk, as this will vary for a small organization vs a large one. Once likelihood and impact have been determined, they can be used to assign an initial risk level.
Controls in place at the service organization that mitigate or reduce the risk level are then considered. The remaining risk is often referred to as residual risk. Residual risk should then be assigned a risk level, which is defined by the service organization. Management should then review all residual risk levels and determine which risks need to be considered for mitigation. Often, risks can be mitigated by putting additional controls in place to address the identified control gap.
What are Control Gaps?
Control gaps can be referred to with many different titles such as control deficiencies, control weaknesses, etc. They can occur when a control does not exist, is not properly designed, or is not operating effectively. In order to identify a control gap, management should consider if a control is addressing or mitigating the risk(s) present that threaten the service organization’s achievement of their defined service commitments and system requirements.
Control gaps can be identified in the risk assessment when management is evaluating the current controls in place to mitigate risk. Control gaps can also be identified when performing monitoring activities, undergoing internal and external audits, and performing regular security activities. Once control gaps are identified, there are various strategies management can use to evaluate the risk associated with the control gap.
What Strategies Are Used to Evaluate Risk?
When evaluating residual risk identified in the risk assessment, there are various strategies for management to employ. Some of the more common risk management strategies are as follows:
- Risk Acceptance – just like it sounds: management analyzes the risk and decides to accept the risk to the organization, and no further action is taken to mitigate the risk.
- Risk Transference – the service organization enters into a contract with a third party, which effectively shifts the responsibility of the risk to the third party.
- Risk Avoidance – management chooses to avoid altogether the situation which would cause the risk. An example of this is when a service organization is considering the risk associated with entering into a contract with a third party: if the risk is too high, management could decide to not enter into the agreement with the third party and avoid the risk completely.
- Risk Reduction – management puts controls into place to reduce the impact of the risk or prevent the risk from occurring.
Once a risk strategy is decided upon for all risks identified in the risk assessment, it will be up to management to deploy the strategies and monitor their progress as part of their risk mitigation plan. Check out our article “Vendor/Third-Party Risk Management: Best Practices” to learn more about vendor and third-party risk management.
How Do You Create a Mitigation Plan?
Risk mitigation plans are helpful to management when they are trying to manage the mitigation of several risks at the same time or across a span of time. Timelines for mitigation plans vary depending on the severity of the risks identified in the risk assessment. As many service organizations perform a risk assessment at least annually, many mitigation plan timelines coincide with the amount of time between each risk assessment so the results of mitigation can be assessed in the next risk assessment.
When creating a mitigation plan, management should rank which risks to address first based on severity, addressing the mitigation of critical risks first. The timeline created for the mitigation plan should include other priority projects outside of risk mitigation, since these will reduce the amount of effort that can be directed at risk mitigation activities. This will assist in creating feasible timelines. For each mitigation project in the risk mitigation plan, tasks should be assigned to owners who are responsible for leading, monitoring, and communicating the progress of the mitigation efforts to the rest of management. Mitigation projects should be documented and tracked within a ticketing system or similar solution in order to provide visibility into the progress of the efforts.
Quarterly or more frequent meetings should be held to discuss the progress of the mitigation activities and the mitigation plan as a whole. Any remediation updates should also be incorporated back into the risk assessment in order to accurately track and report mitigation progress.
What is the Difference Between Risk Evaluation & Risk Management?
When I consider the differences between risk evaluation and risk management, it helps to think of these as two separate activities performed by management that are used in the risk assessment process. Risk evaluation typically involves management performing the following:
- Defining service commitments and system requirements.
- Identifying risk factors to those objectives.
- Assigning risk levels to those risks.
In doing these things, management is determining the significance of the risk to the organization, or performing a risk evaluation.
The next of the two activities, risk management, typically encompasses management’s strategy for identifying, addressing, and monitoring risk as a whole in order to manage risk factors to the service organization. Evaluating risk is typically a piece of the risk management process, as well as planning, monitoring, and updating risk mitigation activities. In performing these activities, management is minimizing and preventing the risks present to the organization, or in other words, managing the risk present to the organization.
This article covered how risk assessments relate to the SOC 2 criteria and how risk assessments can assist management in evaluating risks to the service organizations’ service commitments and system requirements. In performing a risk assessment, control gaps are identified, and we discussed the strategies that can be used to address them and provided a high-level overview of how to create a mitigation plan. In learning about these things, we were able to highlight the difference between risk evaluation and risk management.
If you are interested in learning more about our SOC 2 audit services, the Trust Services Criteria, and the process for undergoing a SOC 2 audit readiness assessment, please contact us for more information.
Megan Kovash works primarily on SOC audits with experience in financial audit and internal audit as well. Megan started her career in January 2012 after completing her Masters of Accountancy with the University of Denver. She worked in the Risk Assurance group at Ernst & Young, then moved to the Internal Audit Data Analytics group at Charles Schwab. She is now a Partner at Linford & Co., LLP. Megan enjoys working with clients and coworkers to find and implement solutions to better her client’s business.