Why a Risk-Based Approach to Compliance is Paramount

Tal Ovadia
April 10, 2024
Understand the value of a risk-based approach to Compliance, with anecdotes

Risk and Compliance? Or maybe, Compliance and risk? The difference is not merely a semantic one; it is philosophical. Some GRC managers believe that risk assessments are just something you have to do in order to comply with certain frameworks. Others believe that your entire Compliance program should be built on a risk-based approach.

In this blog, we will cover why – while the first philosophy might be fine when you are starting out – once you reach a certain level of maturity, you MUST adopt a risk-first approach. Don't worry, we won't leave you hanging; as the industry experts in all things Compliance, we’ll also dive into some practical steps you can take to start shifting your mindset today.

Risk and Control: NOT a Chicken or the Egg Situation

Let’s start at the very beginning (a very good place to start). What came first? With requirements like “the organization shall define and apply an information security risk assessment process” from ISO/IEC 27001 and “the entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed” from COSO Principle 7 (CC3.2), it seems pretty straightforward. Risks and control objectives go hand in hand. You perform risk assessments because you need to satisfy control objectives. In other words, risk assessments are the result of control objectives. The end, right? Not quite…

How did we arrive at these control objectives in the first place? How are frameworks, composed of control objectives, born? They are, by design, categorized by potential risk vectors. They provide activities you can perform in order to reduce your organization’s risk exposure within a specific area, from secure development and vendor management to human resources and business continuity. Put differently, controls are designed to mitigate risks and provide reasonable assurance of the achievement of various objectives. 

So at least we’ve answered the existential question of what came first (risk). But does that mean you should prioritize risks?

Why Mature Organizations Need a Risk-Based Approach

At the beginning of their Security and Compliance journey, most organizations perform risk assessments as a tick-the-box exercise in order to conform to the requirements of a certification. And while this may mean that risk response is not being performed effectively, it is understandable.

But as organizations mature, their primary Security and Compliance priorities need to shift from being audit-centric towards a risk-based approach, for one simple reason – the more there is at stake, the less risk the organization is willing to be exposed to. (Just ask management.)

What is a Risk-Based Approach?

A risk-based approach to Compliance means identifying the highest risks to your organization by performing a thorough risk assessment, and then defining and monitoring your controls with a clear understanding of what exactly they are meant to achieve within your specific organization. This is the only way you can know you haven’t exceeded your risk appetite.

Carrying out a risk and control self-assessment will not have a negative impact on your ability to pass your next audit. By shifting the focus towards risk management and monitoring the effectiveness of control implementation within the context of the organizational risk appetite, you can provide clear justifications for your approach to the auditor. If, however, you monitor the effectiveness of control implementations solely within the context of a framework, you may very well exceed your organizational risk appetite, as there is no one-size-fits-all framework.

How to Adopt a Risk-First Approach

So, you’re managing a mature Compliance program and we’ve convinced you it's time for a risk-based approach. But how can you go about adopting one? Here are three steps to a risk-based approach you can get started with:

  1. Define your inherent risk profile: A clearly defined inherent risk profile should take into consideration the nature of the organization, the industry the organization operates in, business impact analysis data, legal and regulatory obligations, etc.
  2. Set treatment strategies: Once you have identified the risks for which the inherent risk value exceeds the defined organizational risk appetite, define their treatment strategies.
  3. Implement and monitor controls: Monitor that the controls you have implemented as a part of your treatment strategy are in fact reducing the risk level such that the residual risk level is within the organizational risk appetite.

Next Stop: Continuous Monitoring

While these three steps will help you build a solid baseline, they are only a first step. To be able to claim that you have a risk-first mindset, you can’t settle for a point-in-time approach. If you truly want to help your organization stay within its risk appetite, you need an understanding of the real-time status of a given risk; you need to transition into treating risks as living creatures that are constantly changing and evolving.

What does this look like? Well, remember step three from above? Let’s break it down for a minute. For each of your risks, you have controls that are meant to be mitigating them. But how can you know, at any point in time, that the controls are actually doing their job? For this you need an approach to your risk and Compliance management that is based on a live stream of data. You define risks, determine the right controls and then monitor the data to make sure they are effective. That real-time Compliance data in turn tells you whether a control is working, informing your risk level and giving you a real view of your organizational risk.
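The following is an added illustration of the three steps and the continuous-monitoring idea above, written for this article; it is not code from anecdotes or any product. It assumes a simple likelihood-times-impact scoring model, a numeric risk appetite, and constructed evidence values standing in for a live feed; a control only counts towards the residual risk while its latest evidence shows it operating.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    reduction: float  # assumed fraction of inherent risk removed when the control operates
    evidence: list    # constructed "live" check results, newest last (True = passed)

    def effective(self) -> bool:
        # Step 3 / continuous monitoring: trust only the most recent evidence
        return bool(self.evidence) and self.evidence[-1]

@dataclass
class Risk:
    name: str
    likelihood: int   # 1..5 (assumed scale)
    impact: int       # 1..5 (assumed scale)
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        # Step 1: inherent risk before any treatment
        return self.likelihood * self.impact

    def residual(self) -> float:
        # Step 2/3: each effective control removes its share of what remains
        remaining = 1.0
        for c in self.controls:
            if c.effective():
                remaining *= 1 - c.reduction
        return round(self.inherent() * remaining, 2)

def exceeding_appetite(register, appetite):
    """Names of risks whose residual risk is still above the appetite."""
    return sorted(r.name for r in register if r.residual() > appetite)

RISK_APPETITE = 8  # assumed organizational threshold on the 1..25 scale

# Constructed sample register: the vulnerability scan's latest check failed,
# so that control no longer counts and the risk drifts out of appetite.
REGISTER = [
    Risk("Unpatched production hosts", 4, 5, [
        Control("Monthly patch SLA", 0.5, [True, True]),
        Control("Weekly vulnerability scan", 0.4, [True, False]),
    ]),
    Risk("Vendor data breach", 3, 4, [Control("Vendor assessment", 0.5, [True])]),
    Risk("Loss of key personnel", 2, 3),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: inherent={r.inherent()} residual={r.residual()}")
    print("Out of appetite:", exceeding_appetite(REGISTER, RISK_APPETITE))
```

Re-running the evaluation after a fresh passing scan result brings the first risk back to 6.0, which is the point of the live data stream: the risk level follows the control evidence rather than the last audit.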

A Risk-Based Approach is Egg-cellent

Whether you are ready for data-powered continuous risk monitoring or not, you should start shifting your security and Compliance program towards a risk-first approach. Not only will this make your program more impactful and prepare you for growth, but it will also help you speak the same risk-centric language that leadership does, making you an even more valuable part of the organization. Discover how anecdotes, the pioneers in Compliance OS, can help you make the shift to a risk-based approach to Compliance. Good luck!