ISACA: Tips for Moving To a Risk-Based Model From a Controls-Based Approach

Published by Lisa Young

Reposted Content from ISACA Newsletter @ISACA Volume 22

In today’s modern and dynamic environment, the audit profession must evolve continuously and synergistically with the business and technology changes that occur every day. Professionals who are innovative, forward-thinking and fearless in the face of mental model adjustments will be the leaders of cybersecurity management. Mental models are the paradigms, or lenses, through which we view the world, and they can serve to limit our thinking if we are not receptive to hearing new views or thinking critically about our current practices.

At the North America and European CACS Conferences, ISACA holds two invitation-only IT Audit Leaders Forums and publishes the results for those who were not in attendance. This article contains my interpretation and guidance on applying one of the IT Audit Leaders Forum’s discussion topics to your enterprise. The challenges raised in the audit field are not limited to auditing; they are shared across many other disciplines and professional domains. If you are a security, governance, risk management or IT professional, consider these tips and how this challenge applies to your enterprise. The first challenge is moving to a risk-based model and away from a controls-based, or checklist, approach:

The Controls-Based Audit Approach

Before getting into the move to a risk-based model, it is worth briefly reviewing the controls-based approach that is common today. This approach is well defined in the audit and assurance discipline. Audit and assurance roles are focused on inspection, verification or conformance to a set of practices or controls, to ensure that guidance is being followed, records are accurate and effectiveness targets are being met. I know there are some nuances between types of engagements, but for the purposes of this article, it is assumed that audit and assurance professionals are tasked with evaluating whether things are operating according to a prescribed or bounded set of criteria.

Many of the criteria that are audited, or for which assurance is provided, concern events that have already occurred, meaning that we look to the past to evaluate what has previously happened. The online transaction has been performed, the security control is implemented and operating, or the financial statement has been attested to. There is no uncertainty about the result of the transaction (pass or fail), whether the control is implemented, or whether the financial statement is finalized. The primary risk in audit and attestation is reaching an incorrect conclusion from the engagement, or the risk of noncompliance if controls and practices are not operating as intended. Organizations spend a lot of time and money on implementing and testing controls rather than on managing risk.

The Risk-Based Approach

Moving to a risk-based model involves a new way of thinking: a forward-looking view of uncertainty. In the landscape in which an organization operates, there are many things that can impede an enterprise from accomplishing its objectives, achieving its financial or operational targets, or meeting its mission. A risk-based approach is best paired with a strategic view of the organization, to understand which potential uncertainties or risk factors have the highest potential to prevent the organization from meeting its intended targets, objectives and mission. A thoughtful risk assessment will consider the general things that can affect all organizations (about 80% of an enterprise’s risk) and will also consider those things that are specific to your individual type of business or organization (about 20% of an enterprise’s risk). The reason there are so many compliance regulations, control catalogs and best practices is that many organizations do not perform risk assessments with the rigor, depth and thoughtful analysis (qualitative and quantitative) needed to really understand where to focus the appropriate resources to manage the uncertainties that may materialize on a given day.

Approaching risk by implementing a set of prescribed controls or compliance regulations will generally protect an organization from about 75-85% of the risk in its environment, and it can be put into effect without the benefit of a comprehensive risk assessment. It is far easier to report on gaps in controls, security incidents or phishing attempts as risk events, because they have already happened. Reporting on the uncertainty of what might or might not happen is a discipline that takes an investment of education, time and resources, so that management receives reporting that improves decision-making and does not rely solely on guessing, previous audit findings or realized risk.

Steps in an Effective Risk Management Process

So, in the absence of a mature cybersecurity risk management program and process, an organization can be generally effective in preventing realized risk with a robust compliance or controls program. However, to ensure that you are managing the risk factors with the most relevance to your organization, thoughtful risk identification, risk analysis, risk management and risk monitoring processes must be defined, implemented and measured for effectiveness. In general, an effective cybersecurity risk management process comprises the following components:

  • Establish the organizational context — What are the mission, objectives and strategy?
  • Identify risk — To meeting the objectives, mission and strategy
  • Analyze risk — Qualitative and quantitative; not guesswork
  • Evaluate and prioritize risk — Based on analysis, not on what is in the news
  • Respond to or treat risk — With projects that are managed to completion
  • Measure and control the risk management process — By defining the processes and procedures and using standard templates and measurement scales

An Example to Highlight the Main Takeaways:

  • Conclusion: Looking backward, as a result of the controls-based audit approach [audit finding], the company lost US $3 million in revenue during the third quarter.
  • Risk: Looking forward, without a strategic plan to correct [audit finding], the company could potentially lose an additional US $3 million in the fourth quarter and US $4 million in the first quarter of the new year.

If you are interested in learning more about how to move to a risk-based model and overall risk management, there are many quality ISACA publications that cover the topic in more detail. I will also be delivering a workshop on risk assessment and risk management at the upcoming 2018 North America CACS in Chicago, Illinois, USA.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.
