I spent several years of my career working in internal audit, specializing in IT risk and controls. During this time, I helped to evaluate the company’s “highest” risk areas, which were identified during the previous year’s enterprise risk assessment. I was also fortunate enough to participate in the annual risk assessment meetings, where I was able to experience firsthand what was keeping executives up at night.
As part of this process, risk scenarios were plotted on simple 3×3 matrix, based on likelihood and magnitude. During this time, it never occurred to me that there was an alternative method to approach risk since what we were doing seemed to be the industry norm.
It wasn’t until I decided to pivot my career from audit to a risk management position with RiskLens that I began to view risk differently. This was the point where I was introduced to a risk assessment framework called FAIR.
During my time with internal audit, I conducted assessments over various processes and technologies, which ultimately resulted in the issuance of a report with issues and recommendations. Each issue was then assigned a risk rating (high, medium, or low), which would ultimately drive the timeline that management had to remediate.
One of the challenges I recall my group facing was the process used to assign the risk ratings. The only tool that we were equipped with were the subjective definitions that comprised high, medium and low risks.
Since the definitions were so subjective, it was not uncommon for management to disagree with the ratings assigned. There were even times where internally my own team would arrive at a different risk rating.
Additionally, because there were only three categories of risk, a large number of audit findings seemed to find their way into the high-risk rating bucket. These were all risks that management was unable to accept.
Knowing what I know now about FAIR, there are several ways in which this model could benefit internal audit when it comes to risk management:
FAIR can help to prioritize risks within the organization by assigning a quantitative value.
With the high/medium/low approach previously cited, management is stuck determining which of the “high” risks are of most concern with no further means to help prioritize remediation. If management were to challenge the number of high risks resulting from audit findings using this same approach, there would be no basis other than the subjective rating, to argue otherwise.
FAIR can also serve as the catalyst to help internal auditors understand that risk is more than just control deficiencies and findings.
If auditors used FAIR to evaluate and articulate risk, this may uncover that the issues they are concerned with do not warrant the subjective rating assigned or do not truly represent a loss event that materializes within the organization. For more information on this concept, refer to the blog post When Internal Audit and InfoSecurity Teams Play Nice Together.
Finally, FAIR can be leveraged by audit professionals to help expand the focus beyond compliance risk.
Although some audit departments that do not use FAIR are inherently more advanced in this area than others, FAIR is one way that audit departments can view risk through the same lens as management and the board, allowing for more effective and efficient conversations. This skillset in itself is a differentiator that will only lead to better performance over time.