The Audit Expert’s Guide To Conducting An Effective Risk Assessment

by Hannah Grace Holladay / February 21st, 2023

The Top 3 Issues With Your Risk Assessment: Auditor Insight Webinar Recap

The power of a risk assessment isn’t just identifying risks: it’s creating a culture of security.

The risk assessment process is often viewed as a necessary evil for compliance and is commonly seen as inconvenient and unimportant. However, after over 20 years in the information security space, Shannon Lane views risk assessment as the most powerful tool in directing an organization, budget maintenance, and project management.

In his presentation, Shannon shared where most companies go wrong with their risk assessments and how they can better leverage the opportunity to build their company’s consensus and morale around the subject of cybersecurity compliance.

In this blog, we have highlighted what you need to know to conduct an effective risk assessment, including the top three reasons risk assessments fail, so you can make sure your organization is making the most out of your risk assessment process. You can find the slides to the webinar presentation below:

Do as the Romans Do

An ancient metaphor helps us understand the role risk assessment plays in your business.

Rome was a nation of organization and innovation, and change was an integral part of their culture. It was seen as so significant that the idea that things never stay the same was even given a god, Janus, the god of beginnings. He has two faces; one is looking forward to the decisions being made and the other is looking back over the decisions of the past.

Like Janus, businesses are divided into two prongs: Visionaries and Guardians. Visionaries are CEOs, CTOs, CIOs, and are supported by sales and marketing. Their goal is to move the company forward and figure out what is next.

Guardians are CFOs, CISOs, COOs, and are supported by HR, IT, finance, and operations. They protect the march. They ensure the company is well equipped to meet its goals and that everything is working as intended.

The risk assessment process is designed to bring these two groups together so they understand and support each other.

A really good risk assessment will do the following:

  • Establish a common language to discuss and compare threats to an organization
  • Assist in setting objectives, milestones, and tasks
  • Lead to a deep understanding of the company operating environment
  • Help establish the “Why” of things
  • Show how departments, working groups, and teams are interrelated, and how their activities affect the organization
  • Define the road being travelled, while including the vision of where that road leads

Preparation is the key element of a risk assessment.

“Expect everything, I always say, and the unexpected never happens.”

Norton Juster, The Phantom Tollbooth

Risk brings all of the voices of your organization together. It helps you to figure out what to expect, how often to expect it, and whether that is good or bad for your organization.

Just like a Roman campaign, we wouldn’t embark on a journey without planning. We need direction, equipment, planning, and contingency planning. Risk assessment is the key business activity used to ensure we are ready for the journey: we understand the trail and are prepared for what lies ahead.

Every framework agrees risk assessment is key.

Risk assessment is so fundamental to the information security and governance process that every major framework requires a risk assessment.

Despite risk assessments being a critical part of an audit, not having a risk assessment (or a quality one) is normally one of the biggest findings for a new audit client.

Three Reasons Risk Assessments Fail

  1. Sword points
    • Sword points are the required compliance activities that lead to grudging and resentful attitudes toward compliance.
    • Completing risk activities just because they are “necessary” leads to careless action.
    • Considered activity leads to real understanding.
  2. Doing things halfway
    • Risk must be approached holistically; it is so much more than technology. Every role and department faces threats that are a risk to your business. What are you doing about that?
    • If you only do half a risk assessment, you aren’t actually preparing yourself for the future.
  3. Lack of a lexicon
    • Does your organization understand the vocabulary used in your risk assessment? Does everyone understand the labels of risk (i.e., does everyone understand what high impact means)?
    • Think of the color green. Green can be several things: olive green, grass, lime, the sea. Without a common definition, we will all interpret things differently, and that is a risk in and of itself.

So, how do we take these faults and actually perform an effective risk assessment? There are four steps:

Step 1: Commitment
Everyone in management must be committed, and all departments must be involved. Expressing your commitment to understanding and managing risk speaks volumes to your company’s security culture and establishes the importance of the process.

Step 2: Cohesiveness
Use a risk framework and establish your risk vocabulary. This will align your team and create a unified experience. It teaches the whole organization what risks are important and why.

Step 3: Cyclical Engagement
This is a living document. Update it throughout the year as risks are identified. Review it every year. Use it to track progress. Use it to justify budgets.

Step 4: Check In & Celebrate
Check in throughout the year and celebrate successes. Call out milestones that are hit. This sets up a culture that calls out risk and prioritizes security. This is where a security culture begins.

Establishing and prioritizing your risk assessment does far more than produce a list of risks. It drives inclusivity so everyone understands what each department is doing and why it matters. It drives budgets by showing what is needed and giving easy justification for spending.

But most importantly, it creates a security culture that teaches your organization to value and prioritize risk.

Improve Your Risk Assessment Process with KirkpatrickPrice

Are you unsure if your risk management procedures are effective enough to protect your organization?

Connect with one of our risk assessment experts today so we can help you mitigate risk within your organization. KirkpatrickPrice offers free risk assessment reviews and will connect you to an expert who cares about your security and compliance goals.

To continue learning about risk assessments, watch the entire webinar where Shannon goes deeper into the qualities your risk assessment needs to be effective by answering the questions submitted in the Q & A portion of the webinar. Shannon answered questions like:

  • How do I get my C-Suite on board with this process?
  • Who should control this exercise?
  • Who needs to be included in my risk assessment process?
  • Where should I start if my organization has never done a risk assessment?
  • And more!

Assess your risk and become unstoppable.

About The Webinar Host: Shannon Lane

Shannon Lane has over 20 years of experience in information services, including healthcare IT, e-commerce data extrapolation, network administration, database administration, and external audit work. He now serves on the frontlines of cybersecurity audit as a Lead Practitioner at KirkpatrickPrice. He holds the CISSP, CISA, QSA, and CCSFP certifications.

About the Author

Hannah Grace Holladay

Hannah Grace Holladay is an experienced content marketer with degrees in both creative writing and public relations. She has earned her Certificate in Cybersecurity (CC) certification from (ISC)2 and has worked for KirkpatrickPrice since November 2019, starting first as a Professional Writer before moving to the marketing team as our Content Marketing Specialist. Her experience at KirkpatrickPrice and love for storytelling inspires her to create content that educates, empowers, and inspires the cybersecurity industry.