control, and governance
Understanding the Risk Management Process
Identifying risks, as well as their likelihood and overall impact, can help beginner internal auditors provide recommendations that enable companies to develop an effective risk management plan.
Mark T. Edmead, CISSP, CISA
Director of IT
Control Solutions International
Besides identifying the risks facing an organization, internal auditors help assess the impact risks can have on companywide performance and processes. Therefore, the role of auditors is not only to evaluate risks, but to determine whether adequate controls are in place to mitigate risks effectively. Becoming familiar with the different elements of an effective risk management process can help beginner internal auditors provide recommendations that address the organization's risk management needs and identify risks before they become a threat to companywide assets and data.
WHAT IS RISK?
Both the U.S. Securities and Exchange Commission (SEC) and the U.S. Federal Financial Institutions Examinations Council (FFIEC) have addressed the need to conduct risk assessments, while frameworks such as Basel II, ISACA's Control Objectives for Information and Related Technology, and the Software Engineering Institute's Octave approach have provided risk assessment guidelines to organizations worldwide. While governance institutions and frameworks continue to expand their discussions on risk, beginner auditors may wonder what risk truly is and why risk assessments are important to the internal audit community.
According to The IIA, risk is defined as the possibility that an event will occur, which will impact an organization's achievement of objectives (The Professional Practices Framework 2004). There are many forms of risk in an organization, including IT risk, financial risk, operational risk, network security risk, and personnel risk. To address risks more effectively, organizations may use a risk management approach that identifies, assesses, manages, and controls potential events or situations.
Among other things, the goal of effective risk management is to ensure that each risk is identified, documented, prioritized, and mitigated whenever possible. Because all organizations face risk, whether positive (i.e., opportunities) or negative (i.e., events that hinder company processes), the challenge for auditors is to know when risk will occur and the impact it will have on the organization.
In addition, auditors need to consider the probability that the risk will occur. For example, it may not be necessary for the organization to worry about a particular IT risk when the likelihood that it will occur is significantly low and its impact is low as well. However, organizations should concentrate on low-probability risks that will have a high-negative impact. As a result, looking at the impact and probability of each risk is important when establishing an effective risk management program that addresses companywide risk.
THE RISK MANAGEMENT PROCESS
When establishing a risk management process or initiative, auditors should recommend that organizations examine best management practices in the area. Typically, risk management plans have the following objectives:
In 2002, the U.S. National Institute of Standards and Technology (NIST) published a set of IT security risk management best practices. The NIST document, Risk Management Guide for Information Technology Systems (PDF), discusses the IT security risk management process in detail. According to the guide, IT risk management consists of risk assessments, risk mitigation, and ongoing risk evaluations and assessments. For instance, the risk assessment stage is where the auditor identifies and evaluates each risk, the impact these risks have on the organization, and any risk-reducing recommendations. The risk mitigation stage involves prioritizing, implementing, and maintaining appropriate risk-reduction measures that are recommended in the risk assessment process, while the ongoing risk evaluation and assessment stage asks that the organization continuously evaluate their risk management activities in reducing risks.
As mentioned in the NIST guide, risk assessments should be the first step in an IT risk management initiative. The end result of the risk assessment is to determine the extent of the potential threat and its associated risk, which is defined as the likelihood that a given threat can exploit or take advantage of a particular vulnerability. For example, if an auditor is evaluating an IT system, the threats to the system should be analyzed in conjunction with potential vulnerabilities and any implemented controls.
The risk assessment process begins with the identification of risk categories. An organization most likely will have several risk categories to analyze and identify risks that are specific to the organization. Examples of risk categories include:
For instance, technical risks are associated with the operation of applications or programs including computers or perimeter security devices (e.g., a computer that connects directly to the Internet could be at risk if it does not have antivirus software). An example of a project management risk could be the inadequacy of the project manager to complete and deliver a project, causing the company to delay the release of a product to the marketplace. Organizational risks deal with how the company's infrastructure relates to business operations and the protection of its assets (e.g., the company does not have clear segregation of duties between its production and development environments), while financial risks encompass events that will have a financial impact on the organization (e.g., investing the company's cash reserves in a highly speculative investment scheme). External risks are those events that impact the organization but occur outside of its control (e.g., natural disasters such as earthquakes and floods). Finally, a compliance risk occurs when a company does not comply with mandated federal regulations, which often results in fines or legal sanctions.
Determining the Risk Likelihood Level
(Adapted from NIST's Risk Management Guide for Information Technology Systems)
Identifying the Risk's Impact
The next step is to determine the impact that the threat could have on the organization. It is important for auditors to understand that not all threats will have the same impact. This is because each system in the organization most likely will have a different value (i.e., not all systems in the organization are worth the same or regarded in the same way). For instance, to evaluate the value of a system, auditors should identify the processes performed by the system, the system's importance to the company, and the value or sensitivity of the data in the system. A system that handles the company's payroll will have more value than the system that is used to keep the lunchroom menu database.
The impact of a security event can be defined as a breach or loss of confidentiality, integrity, or availability, which may result in an unauthorized disclosure of company information (i.e., loss of confidentiality), the improper modification of the information (i.e., loss of integrity), and a system's unavailability when needed (i.e., loss of availability). The magnitude of impact also can be categorized as high, medium, or low as shown in Table 2 below.
(Adapted from NIST's Risk Management Guide for Information Technology Systems)
In addition, auditors need to measure the risk's actual impact on the organization. This can be done by measuring the risk's impact in a quantitative (e.g., revenue loss or the cost to replace IT equipment) or qualitative manner (e.g., the loss of public confidence when a security breach is announced in the media). There are advantages and disadvantages to both approaches.
The quantitative impact analysis approach provides a definite measure of the impact's magnitude, which can be used to calculate a control's cost-benefit analysis. For instance, if an asset's loss of availability impact is defined quantitatively as US $1,000, then a US $10 dollar control to mitigate the threat has a cost-benefit of 100 to 1 ($1,000/$10).
A major disadvantage of this quantitative approach is the use of wide numerical ranges that can become quite confusing. For example, a 100 to 1 cost-benefit calculation can be obtained from a $1,000 loss and a $10 mitigating control or from a $500 loss and a $5 mitigating control. Therefore, simply looking at the final 100 to 1 cost benefit does not really give auditors an idea of the actual negative impact or the cost of the mitigating control. All the auditor gets are numbers in the form of ratios.
On the other hand, the advantage of qualitative (i.e., high, medium, or low) analysis is that it allows the auditor to prioritize risks and identify improvement areas quickly. However, this approach does not provide the means to calculate the cost-benefit for any of the recommended controls. That is, the auditor can determine that a particular asset has a high risk, but he or she will not know what the impact's cost will be or the mitigating control's effectiveness.
When using Table 3, the auditor will rate the risk as having a low, medium, or high impact. The table defines the risk's impact scale as:
Table 3 also defines a high risk as having a value of 1.0, a medium risk as having a value of 0.5, and a low risk as having a value of 0.1. A threat has the highest risk (i.e., a value of 30) if the impact is high and the threat probability is high (i.e., a value of 1.0). A threat has the lowest risk (i.e., a value of 1) if the impact is low and the threat probability is low (i.e., a value of 0.1). Before using this table, auditors need to keep in mind that the ranges used in these examples are arbitrary. Auditors may use any ranges, such as 1 to 25 for low-impact threat, 26 to 50 for a medium-impact threat, and 51 to 75 for a high-impact threat if desired. For instance, auditors can only choose one of the numbers from each of the sets (i.e., 1, 2, 3 for low-impact threats; 5, 10, 15 for medium-impact threats; and 10, 20, 30 for high-impact threats.) The main concept is to assign a value range for low-, medium-, and high-impact threats so that the auditor has a common risk assessment reference point. The same is true of the threat possibility numbers used in the chart.
When addressing risks, many organizations usually start by correcting those risks with a lower impact to the organization and a lower probability because these are easier to fix — and fixing a greater number of open issues in a short amount of time looks better on paper. However, auditors should recommend that organizations start by addressing those risks that will have the highest likelihood of occurring and will have the highest impact. This is because by focusing on the low-impact risks first, the company still remains vulnerable to the high impact risks that can cause irreparable damage.
In addition, while high impact/high likelihood risks should be a high priority, low impact/high likelihood risks and high impact/low likelihood risks also may require immediate attention. Therefore, each risk should be carefully evaluated before determining which risk needs to be addressed first. For example, a system that is connected to the Internet may be highly vulnerable because a specific software patch is not installed and any Trojan coming from the Internet can infect the system. As a result, if the system remains unpatched, it could greatly impact the organization's day-to-day operations (i.e., should the system remain unpatched, there is a high likelihood the system will have a high impact on the organization).
Now, imagine that the organization uses another system that is not connected to the Internet. In this case, the impact to the organization is still high because the system is not patched and vulnerable to any Trojan that makes its way through the network. However, because the machine is not connected to the Internet, the threat likelihood is low (i.e., this is an example of a high impact/low probability risk). From these two situations, the auditor can determine that the first system poses a higher risk to the organization and should be fixed first.
Many organizations are implementing risk management programs that can help them address companywide risks and potential threats. In the area of IT, an effective risk management program relies on the auditor's expertise, thus enabling the organization to apply the necessary risk management controls to a specific area or IT system.
To maximize its effectiveness, auditors should recommend that the risk management initiative receives the support and commitment from senior management. This will help to set the proper tone at the top for the program, as well as ensure that controls are managed properly and implemented risk management policies and procedures are adhered to by company staff. In addition, the proper tone at the top will help to establish the organization's attitude toward risk and the kinds of risks that are acceptable. Finally, the audit team needs to have the proper training or expertise in the area of risk management to better identify and rate risk levels as well as evaluate controls to determine if they meet the organization's risk management needs.
Besides the NIST guide and the regulations and frameworks mentioned at the beginning of this article, beginner internal auditors can refer to the following two documents for additional information on the risk management process:
"Auditing System Conversions" by Dan Swanson, CIA, CMA, CISA, CISSP, CAP.
"The Role of Internal Audit Enterprisewide Risk Management" (PDF) by The IIA.
Mark Edmead is the western region director of IT for Control Solutions International and has more than 25 years of experience in the areas of computer systems architecture, information security, project management, and IT and application audits. In the past, Edmead worked as a consultant for Fortune 500 and 1000 companies in the areas of information, system, and Internet security, as well as regulatory compliance. In addition, he has worked for many audit and computer security firms, such as KPMG Information Risk Management Group, IBM's Privacy and Security Group, and Protiviti.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.