Continuous risk assessment, especially in IT environments.

photo credit: https://quotesgram.com/road-construction-funny-quotes/

It’s the same situation every summer. Potholes get filled, and road construction causes more traffic than usual. We often have to listen to the local news to know which roads are blocked; you almost cannot drive without very good apps that help you take the shortest route in real time so you can avoid the construction zones. The delays caused by this yearly road construction often seem very annoying and can be very costly, especially if you want to catch a flight and have somehow forgotten about a road closure. How do you deal with these construction delays? My wife and I often use the commute time to listen to audiobooks or nice music, or to catch up on some jests and good laughter.

It is, however, very comforting to know that this construction often extends the useful life of our vehicles, or at least saves our tires, and spares many drivers from dangerous driving conditions. Can you imagine if nobody did anything to the roads after all the stress they experience from salting and snow plowing during the winter season? I believe you would notice that, in a matter of time, no one would be able to drive on those roads anymore. It makes sense that cities spend money and time watching out for road damage and potholes to address road construction needs (based on the city’s budget). I have even seen situations where the city asks residents to report potholes around their neighborhoods to help the city plan the projects. Good roads come at a price, and the price is often continuous, if sometimes annoying, road construction. This is the same reason why companies spend time on risk assessment. The price of staying successful in business is knowing the actual (not expected or assumed) state of your business processes and, permit me to say, your IT environment (and any other function that drives the success of your business).

Why continuous risk assessment? 

In light of recent events, it should be expected that most companies’ reports on compliance with the U.S. Sarbanes-Oxley Act of 2002 would reflect a couple, if not a lot, of changes in previously identified key controls from past SOX audits. The frequency of risk assessments, however, varies from one organization to another and depends on many factors that are beyond the intended scope of this post.

While an annual risk assessment might have been sufficient for managing risk exposures in many organizations in the past, the impact of the recent unprecedented changes requires a change in the risk assessment approach. Among the challenges that demand a shift in risk assessment methods are the following recent developments:

  • the shift in technology use (more migration to cloud computing and therefore more third-party involvement);
  • more remote work arrangements than usual due to the COVID-19 pandemic outbreak;
  • the increase in cybersecurity and privacy-related issues, especially those affecting third-party service providers;
  • disaster recovery and other pandemic-driven concerns; and
  • the pressure to safely return employees (including the employees involved with information technology and other employees in key business functions) to the office environment, or the decision to stay remote, while still keeping the business profitable.

To keep track of the changes above and the impact they could have on an organization, an informal risk assessment performed on an ongoing basis can help the organization stay on track in its effort to achieve its objectives. The focus is to integrate this risk assessment into the day-to-day business process. Most IT auditors already perform risk assessments, either on an annual basis or on a project basis; the continuous approach is not meant to replace an annual or more comprehensive risk assessment, but rather to:

  • identify threats or vulnerabilities in an IT environment, or any other area of interest, with the purpose of treating the possible risk immediately;
  • collect relevant information that can be fed back into issue-based risk assessment; and
  • gather information to feed back into the baseline risk assessment.

In other words, this activity is meant to be a quick fix for issues that require immediate attention and to serve as a complement to a more elaborate risk assessment.

Some ways to achieve this include:

  • A questionnaire sent to employees in management positions as well as employees with first-hand knowledge and experience of the systems, processes, and activities in an IT environment or any other area of interest. The content of the questionnaire should address vulnerabilities and threat awareness.
  • Use of an inspection checklist. A brief checklist of issues or weaknesses found on prior audit engagements can be a great guide in coming up with this kind of list.
  • A brainstorming session between employees in management positions and employees with first-hand knowledge and experience of the systems, processes, and activities in the IT environment. The topics of the brainstorming sessions should include the controls addressed in the control procedures used by the IT audit team to conduct the audit of the IT environment of interest.

The documentation of the results of this risk assessment should cover hazard identification, vulnerabilities, and threat awareness, as well as a brief impact analysis. It is very important that the documentation is kept brief so as not to defeat the purpose of the assessment. You should not document in a way that makes it look like you are performing a comprehensive risk assessment. The important guideline is that major potential issues should be transferred to a priority list from which a more thorough or comprehensive assessment is then made. One essential requirement for a continuous risk assessment is that it must be easy to conduct if it is to achieve its objectives.

Brevity and conciseness are key to making this approach succeed: we like road construction, but we would prefer that it not last forever.