How the FAIR Model Can Improve Internal Audit Risk Management

January 18, 2019  Rachel Slabotsky

I spent several years of my career working in internal audit risk management, where I specialized in IT risk and controls. During this time, I helped to evaluate the company’s “highest” risk areas, which were identified during the previous year’s enterprise risk assessment (read our blog for more about the value of identifying your highest cyber risks). I was also fortunate enough to participate in the annual risk assessment meetings, where I was able to learn firsthand what was keeping executives up at night.

As part of this process, risk scenarios were plotted on a simple 3x3 matrix based on likelihood and magnitude. During this time, it never occurred to me that there was an alternative method to approach risk, since what we were doing seemed to be the industry norm. 


It wasn’t until I decided to pivot my career away from auditing into a risk management position with RiskLens that I began to view risk differently. This was when I was introduced to the Factor Analysis of Information Risk (FAIR) risk assessment framework.

The problem with subjective internal audit risk management scoring

During my time with internal audit, I conducted assessments for various processes and technologies, which ultimately resulted in the issuance of a report highlighting problems and recommendations. Each problem was then assigned a risk rating (high, medium, or low), which would ultimately drive the timeline that management had to perform remediations.

One of the challenges I recall my group facing was the process used to assign risk ratings. The only tools that we were equipped with were the subjective definitions that comprised high, medium, and low risks.

Since the definitions were subjective, it was not uncommon for management to disagree with the ratings assigned. There were even times where, internally, my own team would arrive at different risk ratings.

Additionally, because there were only three categories of risk, a large number of our audit findings seemed to find their way into the high-risk rating bucket. These were all risks that management was unable to accept.

Knowing what I know now, I can confidently say that the FAIR model could benefit internal audit teams in 3 key ways when it comes to risk management:

1. FAIR can help to prioritize risks within the organization by assigning a quantitative value.

With the high/medium/low approach cited above, management gets stuck determining which of the “high” risks are of most concern — there aren’t any further means to help prioritize remediation. If management were to challenge the number of high risks resulting from audit findings using this approach, there would be no basis other than the subjective rating to argue otherwise.

The FAIR model, which quantifies risk in dollar values, makes it much easier to tell which risks should be treated as top priority.
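To make the contrast concrete, here is an added, self-contained illustration that is not part of the original post and is not RiskLens platform code. It uses the standard FAIR decomposition (risk = loss event frequency x loss magnitude; loss event frequency = threat event frequency x vulnerability; loss magnitude = primary + secondary loss) and runs a simple Monte Carlo simulation over calibrated min / most-likely / max estimates. The two scenarios, their names and every estimate range are constructed for the example; the 3x3 scoring rule is likewise an assumed stand-in for the kind of matrix described above, and the triangular distribution is a stand-in for the PERT-style distributions FAIR tooling normally uses.

```python
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """A calibrated min / most-likely / max estimate for one FAIR factor."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode); a triangular distribution
        # stands in here for the PERT distribution FAIR tooling usually uses.
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate             # Threat Event Frequency: threat events per year
    vulnerability: Estimate   # probability that a threat event becomes a loss event
    primary_loss: Estimate    # dollars per loss event borne directly (response, replacement)
    secondary_loss: Estimate  # dollars per loss event from secondary stakeholders (fines, churn)


def three_by_three(likelihood: int, magnitude: int) -> str:
    """Assumed ordinal scheme: each axis is 1..3, the product decides the bucket."""
    score = likelihood * magnitude
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"


def simulate(scenario: Scenario, iterations: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo estimate of annualized loss exposure in dollars.

    Each iteration draws one value per factor, computes LEF = TEF * Vulnerability
    and LM = primary + secondary, and records LEF * LM. Sampling an annualized
    product (rather than discrete event counts per year) is a simplification.
    """
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    losses = []
    for _ in range(iterations):
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        lm = scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        losses.append(lef * lm)
    losses.sort()
    return {
        "mean": mean(losses),
        "p50": losses[len(losses) // 2],
        "p90": losses[int(len(losses) * 0.9)],
    }


def rank_by_exposure(scenarios, iterations: int = 20000, seed: int = 7):
    """Return (name, stats) pairs ordered by mean annualized loss, largest first."""
    results = [(s.name, simulate(s, iterations, seed)) for s in scenarios]
    return sorted(results, key=lambda r: r[1]["mean"], reverse=True)


# Constructed scenarios: both would land in the "High" cell of a 3x3 matrix.
PHISHING = Scenario(
    name="Phishing leading to credential theft",
    tef=Estimate(20, 60, 150),
    vulnerability=Estimate(0.05, 0.10, 0.20),
    primary_loss=Estimate(5_000, 20_000, 80_000),
    secondary_loss=Estimate(0, 10_000, 100_000),
)
UNPATCHED_SERVER = Scenario(
    name="Unpatched internet-facing server leading to data breach",
    tef=Estimate(0.5, 2, 5),
    vulnerability=Estimate(0.3, 0.5, 0.8),
    primary_loss=Estimate(50_000, 200_000, 1_000_000),
    secondary_loss=Estimate(0, 100_000, 2_000_000),
)

if __name__ == "__main__":
    # Ordinal view: likelihood 3 / magnitude 2 and likelihood 2 / magnitude 3 both tie as "High".
    print("3x3 rating, phishing:", three_by_three(3, 2))
    print("3x3 rating, server: ", three_by_three(2, 3))
    # Quantified view: the tie breaks, and the board sees the gap in dollars.
    for name, stats in rank_by_exposure([PHISHING, UNPATCHED_SERVER]):
        print(f"{name}: mean ${stats['mean']:,.0f}  p50 ${stats['p50']:,.0f}  p90 ${stats['p90']:,.0f}")
```

Run it and the two findings that the 3x3 matrix rates identically separate by roughly a factor of two in mean annualized loss, with the p90 column showing the tail that a single "High" label hides. The point is not the specific numbers, which are made up, but that the output gives management a basis for arguing about inputs (how often, how likely, how much) rather than about a label.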

2. FAIR can also serve as the catalyst to help internal auditors understand that risk is more than just control deficiencies and findings.

If auditors use the FAIR model to evaluate and articulate risk, they may uncover that the issues they are concerned with do not warrant the subjective ratings assigned or do not truly represent loss events that materialize within the organization. For more information on this concept, refer to the blog post When Internal Audit and InfoSecurity Teams Play Nice Together.

3. Finally, FAIR can be leveraged by audit professionals to help expand the focus beyond compliance risk.

Some audit departments that do not use FAIR are already more advanced in this area than others, but the FAIR model is one way for any audit department to view risk through the same lens as management and the board, which makes for more effective and efficient conversations. That shared lens is a differentiator that pays off over time.

Improving your internal audit risk management approach

If you’re an internal auditor who identifies with my experience, I strongly suggest looking into using the FAIR model for internal auditing. Being able to speak with decision-making board members about risk in concrete dollar values results in more meaningful conversations around key risks and makes it much clearer which ones should be viewed as top risks.
