Simplifying Enterprise Risk Analysis

Author: Luigi Sbriz, CISM, CRISC, CDPSE, ISO/IEC 27001 LA, ITIL V4, NIST CSF, UNI 11697:2017 DPO
Date Published: 8 April 2019

How many enterprise risk analysis reports must an organization release? A few years ago, I faced this question in light of the cost, time and complexity of the solution. My conclusion is that one is fine.

Cost is a consequence of the level of detail I need, the number of people involved and their time. Complexity can come from the need for training sessions (which also increases cost). If refreshing basic information takes a lot of time, it is updated less frequently, and that obsolescence lowers the quality of the results.

I want to propose a methodology to assess risk based on two levels of evaluation, in order to cover any need for detail, cut redundancy in data collection, keep the assessment simple, keep the time to update low, and provide the flexibility to add and maintain any new control framework at minimal cost.

It sounds complex, but it is easy enough to do. In practice, risk is the calculation of uncertainty about the achievement of the business objectives. If we connect that uncertainty about objectives to the maturity level with which the rules are enforced, then all the key users can take part in the assessment, but each evaluation can be limited to their own work, so no training is required. Complementing this, an organization can also use a light and flexible software tool.

With this proposed methodology, we obtain several types of risk analysis and related documents: all the risk analyses required by International Organization for Standardization (ISO) certifications, the data protection impact assessment (DPIA) of the EU General Data Protection Regulation (GDPR) 2016/679, the business impact analysis (BIA), the risk treatment plan (RTP), IT security assessments, the level of compliance with the laws, etc. This methodology provides all of this information in a single tool, managed by key users (who feed and analyze it) and top management (who make decisions and approve) in a continuous and virtuous loop, each within their own area of competence.

How to do this is explained in my two-part Journal article.

Read Luigi Sbriz’s recent Journal article:
“Enterprise Risk Monitoring Methodology, Part 1,” ISACA Journal, volume 2, 2019.