A shift from a compliance-aware to a risk-aware culture
If the shift from a compliance-aware culture to one that is risk-aware – as my colleague Isaiah McGowan identifies in his latest post – is to have any legs, we need to demand more from the process that identifies, evaluates, and ultimately leads to the prioritization of risks, otherwise known as risk assessment. As it stands, what passes for a “risk assessment” in most GRC programs is nothing more than a highly subjective, qualitative exercise: a 1–5 likelihood/impact scale mapped onto a green, amber, red heat map.
Now, those operating in the present compliance-focused GRC environment may not see anything wrong with what’s been outlined above. “Heck, it’s worked in the past. We can assign a likelihood and impact based on what we feel is the ‘risk’, and in the end our assumptions are validated as our ‘risk’ shows up in the color spectrum we assumed it would.” There are many problems with the approach I’ve outlined above, ranging from assessments being subjective rather than objective and inconsistent from one analysis to the next, to difficulty normalizing data and standing behind recommendations.
Requirements for risk assessments
The short of it is, this is not how to conduct a risk assessment, at least not one worth basing any decision on. If we as an industry want to evolve GRC into IRM, a practice that is focused on risk, we have an obligation to demand more from the risk assessment process. The process should: