Seven Habits of Highly Effective Risk Management

I’ve been giving some thought to what makes a good risk management function. What follows is a summary of the 7 key attributes or processes I settled on, in no particular order. It is worth noting that this is not specific to IT or information security, but any environment where risk needs to be managed.

1. Objectivity

Be firm but fair. Always exercise professional scepticism when evaluating the effectiveness of a control environment. Just because someone says something works doesn’t necessarily mean it works as it should. Independence in also important – those too close to a process are not always in the best position to identify risks.

2. Risk assessment and reassessment

People, processes, the environment, technology, everything and anything changes. Consider the rate of change and other factors (such as incidents) and define a formal plan for revisiting the risk assessment phase. Check that your attributes, ratings and area of assessment are still valid.

3. Refinement of controls

In conjunction with #2 revisit controls and associated processes to validate these are effective and efficient. Even if the environment (and risk) hasn’t changed, there may be a better way of managing the risk such as with a new technology. Using maturity models can help to track and measure changes in the effectiveness of controls. Although monitoring controls is a fundamental part of risk management (as in the prescribed Plan-Do-Check-Act methodology), this does not constitute independent review. Make sure your audit team has a look at the control environment to give their view.

4. Collaboration with other risk management functions

Work environments can be very complex. Many systems, processes, laws, regulations and other attributes combine to keep a business working. It is nearly impossible for a single division to have 1) the knowledge required to understand all risks, and 2) the visibility of all components of the business. Even those teams with similar skill sets (such as IT security and IT audit) have different objectives and so need to work together to help the business manage risk effectively. Rather than working in isolation there is more value in assurance providers and risk managers working together to ensure appropriate lines of defence are in place while avoiding duplication of efforts (i.e. combined assurance).   

5. Awareness and training

The possible high rates of change in an environment (systems, business processes, risks, technologies or regulation) pose a challenge to those that are responsible for identifying and managing risks. Continued learning and awareness are fundamental requirements to obtain and sustain the necessary knowledge of the environment and associated risks. At the same time we are challenged by having too much information easily available, so it is important to filter out what is relevant and to identify trustworthy sources. Engaging with other professionals within this pretext is a great way of keeping up to date with changes relevant to your environment.

6. Collaboration with business

Apart from making the work place more pleasant, there is value in building a trusted relationship between risk managers/assurance providers and business stakeholders. The more these parties engage the more opportunity there is for knowledge transfer. The more a risk manager knows about the environment in which they operate the more effective they can be and the more value they can demonstrate.

7. Fairness

Most (if not all) divisions have the business’ best interests at heart, including risk functions. A risk manager’s job is not to always err on the side of caution and drive the control environment to such an extent that all risks are fully mitigated as this hinders the business’ ability to operate or perform successfully. Many businesses need to take risks to make money, and it is the responsibility of risk functions to allow them to do so while managing risks to an acceptable level. Managing risks is not always about fully mitigating them.

IT Audit or IT Security Audit?

I’ve just read a short but interesting post from David Hoelzer over at SANS where he asks the question of whether as IT Auditors we audit IT or IT Security.

http://it-audit.sans.org/blog/2009/11/10/it-audit-and-it-security-audits-is-there-a-difference/

Quite an old post but only found its way to me via Twitter recently. Anyway, the conclusion is that we audit a little of both, in that we 1) must validate the internal control environment of systems, applications and infrastructure, and 2) to do this effectively (and in part to validate the control is sustainable) we must also look at policies, procedures and standards governing the control environment.

I certainly agree with this view, but do also feel that we have more to offer. The role of Internal Audit itself has evolved over the past decade and business is increasingly looking to us for assurance and more value-add. Thus there are other risks that we need to consider and report on, such as strategic risk and governance. IA needs to be closer to the business and follow a risk-based approach. As Mervyn King noted, “Internal Audit needs to move from the back room to the Boardroom”.

Through all of this we as Internal Auditors need to work smarter and closer with other assurance providers. additionally in today’s technologically pervasive environment IT Audit has a role to play in assisting the rest of audit to work smarter by harnessing electronic processes. By this I mean that IT Audit can make better use of CAATs and data analytics to improve business process audits (i.e. testing a broader data set and avoiding sample risk) as well as identifying and testing automated controls that can free up business auditors to focus on more procedural controls. Controls maintaining the integrity of Management Information may not be always be there to manage a security risk for example, but can be very important in the context of a business’ strategy and/or Board level reporting.

In summary, I agree that pure-IT Audit must include an element of IT Security into the audit, but that we must also innovate and strive to understand more of how the application environment works, and the information that flows through these systems, in order to validate non-security controls that also impact the business’ risk profile.