Banking CIO Outlook

Too Many Risk Assessments: How to Create an Integrated Assessment Model that Keeps Everyone Happy

Lisa Stowe, Senior Compliance Director, Ally Bank NYSE: ALLY

“Why are there so many risk assessments?” I am willing to bet that question has come from various executives within your institution. As risk professionals, we dutifully respond that we must have them because we have so many different ways to look at and measure risk. While this is accurate, what if I told you that you could meet the needs of various risk types across your organization while reducing duplication and establishing more consistency? It is possible!

Having several different assessments performed by various teams to identify risks and controls can be problematic for several reasons. Aside from irritating executives and business partners alike because it is inefficient, you also risk being unable to correlate the results at all (apples and oranges), or, where you can compare them, finding that they give different answers.

Examples of risk assessments at your institution may include a Risk and Control Self-Assessment (RCSA), a Compliance Risk Assessment, and an IT Risk Assessment. Let’s say each is interested in managing the Gramm-Leach-Bliley Act (GLBA) but might be coming at it from different angles. For example, your compliance team is interested in Privacy, IT is interested in Information Security, and the RCSA is focused on the operational events leading to a breach. One may reasonably want to connect the dots between these assessments, but that can be incredibly difficult to do if you are not leveraging common data elements.

"The first step to any resolution is agreeing we have a problem"

The key to mitigating this challenge is establishing a centralized inventory of risks and controls that can be leveraged for various risk assessments. Risks for each assessment can be identified within the inventory through related metadata (e.g., related regulations, control categories, risk impacts). When an assessment of the target inventory data is launched, the process owner and subject matter experts from Compliance and IT are engaged in the assessment review. Pulling everyone together allows space for challenge and collective agreement that the data is relevant, that it correctly identifies and measures the risk, and that the controls adequately mitigate it.

Later, when IT wants to complete a separate, potentially independent assessment, their involvement in the original assessment makes what once was a start-from-scratch exercise a matter of extracting their slice of the risk data pie, reviewing for any updates, and reporting. Should any additional information be identified as missing or incorrect, it is time to get the original gang back together to resolve the issue.
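The following Python script is an added illustration of the centralized inventory described above; it is not code from the article or from Ally Bank. The control records, assessment names and metadata values are constructed for the example. Each assessment (Compliance, IT, RCSA) is expressed as a set of metadata filters over one shared inventory, so "extracting their slice of the risk data pie" is a query rather than a fresh assessment, a defective control surfaces under the same identifier in every view that covers it, and controls that no assessment claims are flagged as gaps to take back to the group.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """One entry in the shared risk-and-control inventory (constructed schema)."""
    control_id: str
    description: str
    regulations: frozenset   # related regulations, e.g. GLBA
    categories: frozenset    # control categories, e.g. Privacy, Information Security
    risk_impacts: frozenset  # risk impacts the control addresses, e.g. Data breach
    effective: bool          # conclusion of the joint review with process owner and SMEs


# Constructed sample inventory; control IDs and descriptions are hypothetical.
INVENTORY = [
    Control("C-001", "Customer NPI encrypted at rest", frozenset({"GLBA"}),
            frozenset({"Information Security", "Privacy"}), frozenset({"Data breach"}), True),
    Control("C-002", "Privacy notice delivered at account opening", frozenset({"GLBA"}),
            frozenset({"Privacy"}), frozenset({"Regulatory fine"}), True),
    Control("C-003", "Quarterly access review for customer data systems", frozenset({"GLBA", "SOX"}),
            frozenset({"Information Security", "Privacy", "Access Management"}),
            frozenset({"Data breach", "Fraud"}), False),
    Control("C-004", "Vendor security questionnaire before onboarding", frozenset({"GLBA"}),
            frozenset({"Third Party Risk", "Information Security"}), frozenset({"Data breach"}), True),
    Control("C-005", "Anti-phishing awareness training", frozenset(),
            frozenset({"Information Security"}), frozenset({"Data breach"}), False),
    Control("C-006", "Dual approval on large wire transfers", frozenset({"BSA"}),
            frozenset({"Payments"}), frozenset({"Fraud"}), True),
]

# Each assessment declares the slice it is accountable for as metadata filters.
# A control belongs to a view when, for every filter key, the control's metadata
# overlaps the filter's values (assumed matching rule for this example).
ASSESSMENT_VIEWS = {
    "Compliance": {"regulations": {"GLBA"}, "categories": {"Privacy"}},
    "IT": {"categories": {"Information Security"}},
    "RCSA": {"risk_impacts": {"Data breach"}},
}


def matches(control, view):
    """True when the control's metadata overlaps every filter in the view."""
    return all(getattr(control, key) & set(values) for key, values in view.items())


def slice_inventory(inventory, view):
    """Return the subset of the shared inventory one assessment reviews."""
    return [c for c in inventory if matches(c, view)]


def defective_controls(inventory, views):
    """Map each ineffective control ID to every assessment whose slice contains it."""
    return {
        c.control_id: sorted(name for name, view in views.items() if matches(c, view))
        for c in inventory
        if not c.effective
    }


def uncovered_controls(inventory, views):
    """Control IDs that no assessment claims: gaps to resolve with the original group."""
    return sorted(c.control_id for c in inventory
                  if not any(matches(c, view) for view in views.values()))


if __name__ == "__main__":
    for name, view in ASSESSMENT_VIEWS.items():
        ids = [c.control_id for c in slice_inventory(INVENTORY, view)]
        print(f"{name} slice: {ids}")
    print("Defective controls and who sees them:", defective_controls(INVENTORY, ASSESSMENT_VIEWS))
    print("Controls with no assessment owner:", uncovered_controls(INVENTORY, ASSESSMENT_VIEWS))
```

Because every view is derived from the same records, the ineffective access review C-003 is reported under the same ID by Compliance, IT and the RCSA rather than as three differently worded findings, and the wire-transfer control C-006 shows up as uncovered, which is the signal to extend a view's metadata filters rather than to spin up another assessment.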

Accomplishments from this approach:

• Everyone is talking the same language, so when a control is defective, everyone knows which one it is because it is the same control.
• The results are more accurate because subject matter experts were involved in challenging them.
• The results have fewer surprises because everyone can view the same data.
• The business line has only been involved in a single assessment.
• Data can now be assessed, reviewed, and analyzed by multiple groups segmented to their specific area of oversight.

To be sure, there is a lot more to this conversation than what is contained in this article concerning how centralized data is managed, such as what systems and tools can be used to store it or how to keep it dynamic and relevant. But as with most things, the first step to any resolution is agreeing we have a problem. The good news is that the problem of too many risk assessments can be solved without sacrificing various assessment needs; we just need to be smarter about the approach.
