The responsibilities of first and second line Operational and IT Risk professionals can often be characterised by:
chasing others to finish tasks on time (finish risk events, update Actions, complete KRIs, complete RCSAs)
collating spreadsheets and other data
updating data where gaps, errors and omissions have occurred
seeking clarifications
chasing evidence
producing large, onerous packs and dashboards incorporating lists of Risks Events, Issues, KRIs and cyclical RCSAs.
Even with the adoption of a GRC system with some automation, many of these problems persist, leading to increased costs for organisations trying to keep up and a bored, burnt-out Risk workforce, left disillusioned and questioning why they got into the discipline at all.
Automation is the go-to labour-saving solution, with a raft of possibilities, particularly within the Microsoft suite, alongside ever-improving eGRC solutions. Many firms cannot afford to automate, but even where they can, automation must by its nature deal with subjectivity.
Automated Scoring Reduces Time and Effort
Using a scoring system can enable automation for organisations that are in a position to automate, but also speed up a human-based process for those that aren’t, by taking the decision-based thinking and agonising (subjectivity) out of following a GRC process. This frees up capacity and enables risk professionals to focus more time on forward-looking, preventative and interesting tasks to protect the organisation.
A scoring system takes time to develop, and a period of testing is required to make sure it works for your particular organisation, but once implemented the payback, financially and in terms of increased levels of risk management over time, is significant.
The following pages look at how to create a more objective scoring system and the benefits of doing so (numbers are purely for explanatory purposes).
Future role of Risk and Cyber Professionals – Current Role Overview and potential enhancements
Potential aspects of the Operational/Cyber Risk Role
Collation and sanitisation of information
Oversight and challenge
Completion of cyclical vs ongoing assessment
Subjective vs Objective – Quantitative vs Qualitative assessment
Analysis and thematics
Forward looking and predictive
Low or high volume of assessment / framework inputs and outputs
This post looks at the ability to quantify the framework inputs and outputs to design a more objective, quantitative framework.
Developing the role of the second line to provide analytical, thematic and predictive oversight and challenge
Accelerating risk processes, providing fresher data and thus a fresher view of risk today
Reducing the effort from the business for inputs
Forward looking
Ongoing as opposed to cyclical
Scoring and Appetite
Use of colours and words as measures is counter-intuitive and vague in terms of what is important, what needs to be acted on, and where priorities lie
In the Qualitative approach, impact matrix definitions tend to be non-specific and left open to interpretation leading to inaccurate results
Using scoring removes subjectivity, ‘crafting’ and manipulating situations to achieve a specific pre-ordained outcome
Removing much of the thinking and pausing involved with a Qualitative process for inputs accelerates the process
Steps
Define a Heatmap scoring method
Define impact levels that map directly to the Heatmap
Define Risk Appetite, Tolerance and Capacity in numbers, using the Organisation Heatmap and impact level scoring
Official ISO 31000 definitions:
Risk capacity: the amount and type of risk an organisation is able to support in pursuit of its business objectives
Risk appetite: the amount and type of risk an organisation is willing to accept in pursuit of its business objectives
Risk tolerance: the organisation's or stakeholders' readiness to bear the risk after risk "treatment" in order to achieve its objectives
Designing a Scoring Method
Assigning points to the Heatmap is a balancing act. The point of the exercise is to be less subjective so it’s important to take the effort to make the numbers meaningful.
Probability/likelihood – distribute scoring evenly
Probability theory (the normal distribution bell curve) tells us that below 13.4% an outcome is extremely unlikely to occur
At 34% an outcome is becoming possible; at 66% it is starting to become likely, and at 86.4% it is becoming highly likely
Choose a sensible rounding point
Impact – try to distribute scoring evenly, however you may choose a weighting as the scale increases
Assign points in the impact matrix (diag 3) – transpose to the Heatmap
Decide if points are linear or exponential (i.e., weighted)
Risk Assessment
Obtain an inherent risk score to determine whether the risk is within appetite. Risks within appetite do not mandate spending resources on controls.
A score of 9 is outside of appetite, challenging successful implementation of objectives, by landing in the Risk Capacity zone
Mandatory Action – decision taken to implement a preventative control framework. Score reduced by 6 to 3.
Residual score is in the risk appetite zone.
Framework Elements Scoring
Framework elements like Risk Events and KRIs often identify weaknesses and gaps we did not know were there, and act to inspire us to go back and assess the process after performing root cause analysis. Using a scoring mechanism, we can therefore prioritise where to focus limited resource: the highest score takes precedence. Assign scores to weaknesses and gaps appropriately; then assign scores to the types of Action that resolve them, managing them through the Issues and Actions process, which takes points away.
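As an added illustration of the Scoring Method, Risk Assessment and Framework Elements Scoring steps above (example code written for this page, not code from the original post or from Integrated Control Framework Consulting), the following Python models a heatmap score, numeric appetite zones and a prioritised issue backlog. The likelihood band boundaries (13.4%, 34%, 66%, 86.4%) are the post's; the fifth band, the point values, the "likelihood points times impact points" rule, the appetite/tolerance thresholds (4 and 8) and the assumption that a preventative control lowers the likelihood band are all assumptions, chosen so the worked figures reproduce the post's illustration (inherent 9 in the capacity zone, reduced by 6 to a residual 3 within appetite).

```python
# Added example, not code from the original post or from Integrated Control
# Framework Consulting. Band boundaries come from the post; point values, the
# multiplication rule, the zone thresholds and the control model are ASSUMED.
from dataclasses import dataclass, field

# Likelihood bands: (upper bound in %, points). Boundaries are the post's
# normal-distribution cut-offs; the fifth band above 86.4% is assumed.
LIKELIHOOD_BANDS = [
    (13.4, 1),   # extremely unlikely
    (34.0, 2),   # possible
    (66.0, 3),   # likely
    (86.4, 4),   # highly likely
    (100.0, 5),  # near certain (assumed top band)
]


def likelihood_points(probability_pct: float) -> int:
    """Map a probability estimate (0-100 %) onto heatmap likelihood points."""
    if not 0 <= probability_pct <= 100:
        raise ValueError("probability must be a percentage in [0, 100]")
    for upper, points in LIKELIHOOD_BANDS:
        if probability_pct <= upper:
            return points
    return LIKELIHOOD_BANDS[-1][1]


def impact_points(level: int, weighted: bool = False, levels: int = 5) -> int:
    """Points for impact level 1..levels: linear returns the level itself,
    weighted doubles per level (1, 2, 4, 8, 16), an assumed exponential scheme."""
    if not 1 <= level <= levels:
        raise ValueError(f"impact level must be in 1..{levels}")
    return 2 ** (level - 1) if weighted else level


@dataclass(frozen=True)
class Appetite:
    """Numeric zones (assumed values): score <= appetite is within appetite,
    <= tolerance is tolerated, anything above sits in the capacity zone."""
    appetite: int = 4
    tolerance: int = 8


def zone(score: int, limits: Appetite = Appetite()) -> str:
    if score <= limits.appetite:
        return "appetite"
    if score <= limits.tolerance:
        return "tolerance"
    return "capacity"


def assess(probability_pct: float, impact_level: int,
           control_band_reduction: int = 0, weighted: bool = False,
           limits: Appetite = Appetite()) -> dict:
    """Inherent and residual scores with their zones. Assumed conventions:
    score = likelihood points x impact points, and a preventative control
    framework lowers the likelihood band (never below 1), not the impact."""
    lik = likelihood_points(probability_pct)
    imp = impact_points(impact_level, weighted)
    inherent = lik * imp
    residual = max(lik - control_band_reduction, 1) * imp
    return {
        "inherent": inherent,
        "inherent_zone": zone(inherent, limits),
        "mandatory_action": zone(inherent, limits) != "appetite",
        "residual": residual,
        "residual_zone": zone(residual, limits),
    }


@dataclass
class Issue:
    """A weakness surfaced by a risk event or KRI, scored on discovery;
    completed actions take their points away (assumed simple subtraction)."""
    name: str
    weakness_score: int
    completed_action_points: list = field(default_factory=list)

    def remaining(self) -> int:
        return max(self.weakness_score - sum(self.completed_action_points), 0)


def prioritise(issues: list) -> list:
    """Highest remaining score first, so limited resource goes there."""
    return sorted(issues, key=lambda i: i.remaining(), reverse=True)


if __name__ == "__main__":
    # The post's illustration: inherent 9 (capacity zone), a preventative
    # control framework takes 6 points off, residual 3 sits within appetite.
    print(assess(probability_pct=50, impact_level=3, control_band_reduction=2))
    # Constructed backlog (hypothetical issues) for the prioritisation step.
    backlog = [
        Issue("KRI breach: patch SLA", 12, [4]),
        Issue("Risk event: failed reconciliation", 9),
        Issue("RCSA gap: segregation of duties", 15, [5, 5]),
    ]
    print([(i.name, i.remaining()) for i in prioritise(backlog)])
```

Running the block prints the inherent/residual assessment for a 50% likelihood, impact level 3 risk and then the backlog ordered by remaining score, with the reconciliation event (9 points, no actions yet) ahead of the partially actioned patch SLA breach (8 remaining) and the largely actioned RCSA gap (5 remaining).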
Impact on Roles
To find out more, please use the 'Get in Touch' button situated at the top of the page to get in contact with Integrated Control Framework Consulting.