Demanding More of IRM: Risk Assessments

From GRC to IRM

A shift, or something of a rebranding within the GRC space, has been gathering steam over the past few months. John Wheeler of Gartner wrote a piece that identifies a potential evolution in the space, going from GRC to what has become known as “Integrated Risk Management”, or IRM. IRM is not exactly a new term when it comes to the risk management space, as I’m sure those in the community can identify similarities between it and other frameworks or disciplines that have been propagated throughout the years. Yet I do believe that it is worth pointing out the proposed shift in focus in the GRC space. The space has gone from an over-emphasis on the Compliance aspect of the discipline to the oft-forgotten middle child of the acronym, “Risk”, and its management.

A shift from a compliance-aware to a risk-aware culture

If the idea of an organization shifting from a compliance-aware culture to one that is risk-aware – as my colleague Isaiah McGowan identifies in his latest post – has any legs, we need to demand more from the process that identifies, evaluates, and ultimately leads to the prioritization of risks, otherwise known as risk assessment. As it stands currently, what passes as a “risk assessment” in most GRC programs is nothing more than a highly subjective, qualitative exercise: a 1 – 5 likelihood/impact scale plotted on a green, amber, red heat map.

Now those operating in the present compliance-focused GRC environment may not see anything wrong with what’s been outlined above. “Heck, it’s worked in the past. We can assign a likelihood and impact based on what we feel is the ‘risk’, and in the end our assumptions are validated as our ‘risk’ shows up in the color spectrum we assumed it would.” There are many problems with this approach: assessments are subjective rather than objective; results are inconsistent from analysis to analysis; and the data is difficult to normalize, which makes it hard to stand behind the resulting recommendations.

Requirements for risk assessments

The short of it is, this is not how to conduct a risk assessment, at least not one worth leveraging any decision over. If we as an industry want to evolve GRC to IRM, one that is focused on risk, we have an obligation to demand more from the risk assessment process. The process should:

  • Provide a framework for consistently identifying and breaking down the components of risk, which fosters consistency and critical thinking.
  • Leverage a set of well-defined terms, which increases the likelihood of clear communication.
  • Possess the capability to be used quantitatively, which ultimately allows for the presentation of results in business terms.

All the above is found in Factor Analysis of Information Risk, otherwise known as FAIR. This is the model we leverage at RiskLens to provide our clients a better, more defensible understanding of the risks that face their organization.
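To make the contrast between the ordinal heat map and a quantitative result concrete, here is an added example (not RiskLens code and not part of the original post). It decomposes one scenario along FAIR's public taxonomy (Loss Event Frequency = Threat Event Frequency × Vulnerability; Loss Magnitude = primary + secondary loss) and runs a Monte Carlo simulation over calibrated min / most-likely / max ranges, producing annualized loss exposure in dollars. The scenario name and every range value are constructed for illustration; the Beta-PERT sampler and the 1–5 heat-map thresholds are common conventions, not the only ones.

```python
"""Added example: a FAIR-style quantitative estimate beside the 1-5 heat map it replaces.

All scenario values are constructed for illustration. The factor decomposition
(Loss Event Frequency x Loss Magnitude) follows FAIR's public taxonomy.
"""
import random
import statistics

# A scenario is described with calibrated ranges (minimum, most likely, maximum)
# instead of a single gut-feel ordinal score. Values are constructed.
SCENARIO = {
    "name": "Constructed: external actor compromises an internet-facing web app",
    "tef": (0.5, 2.0, 6.0),                      # threat events per year
    "vuln": (0.05, 0.20, 0.50),                  # probability a threat event becomes a loss event
    "primary_loss": (20_000, 150_000, 900_000),  # USD per loss event (response, replacement)
    "secondary_loss": (0, 50_000, 2_000_000),    # USD per loss event (fines, customer impact)
}


def pert_sample(rng, low, likely, high, lam=4.0):
    """Draw one value from a Beta-PERT distribution given a min / most-likely / max estimate."""
    if high <= low:
        return low
    alpha = 1.0 + lam * (likely - low) / (high - low)
    beta = 1.0 + lam * (high - likely) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def simulate_ale(scenario, iterations=10_000, seed=42):
    """Monte Carlo over the FAIR factors.

    Returns one annualized loss exposure figure (USD) per iteration. The seed makes
    the run reproducible, which is what lets two analysts compare results.
    """
    rng = random.Random(seed)
    results = []
    for _ in range(iterations):
        tef = pert_sample(rng, *scenario["tef"])
        vuln = pert_sample(rng, *scenario["vuln"])
        lef = tef * vuln  # expected loss events per year
        loss_magnitude = (pert_sample(rng, *scenario["primary_loss"])
                          + pert_sample(rng, *scenario["secondary_loss"]))
        results.append(lef * loss_magnitude)
    return results


def summarize(results):
    """Percentiles and mean of the simulated annual loss, in business terms (USD)."""
    ordered = sorted(results)

    def pct(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "min": ordered[0],
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "max": ordered[-1],
        "mean": statistics.fmean(ordered),
    }


def heat_map_cell(likelihood, impact):
    """The 1-5 ordinal method the post criticizes: two scores collapse into a colour.

    Any scenario scoring 4x4 lands in the same red cell as one scoring 5x5, with no
    way to say how much more it costs or how sure we are.
    """
    score = likelihood * impact  # 1..25
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


if __name__ == "__main__":
    summary = summarize(simulate_ale(SCENARIO))
    print(SCENARIO["name"])
    print("Heat map says:", heat_map_cell(likelihood=4, impact=4))
    for key, value in summary.items():
        print(f"  annualized loss {key:>4}: ${value:,.0f}")
```

Run it and the same scenario yields two very different artifacts: a single "red" cell, or a loss distribution with a 10th, 50th and 90th percentile that a CFO can weigh against the cost of a control. The seeded generator is deliberate: consistency from analysis to analysis, one of the requirements listed above, starts with being able to reproduce a result.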