Control Assessments Are Not Risk Assessments

This is the most common “sin” we run into within the industry. Analysts, often not specifically trained on risk, focus almost solely on controls and their effectiveness.

Trust me - I’ve been there. Prior to focusing on risk management, I was an IT auditor, and my world was controls!

But analyzing controls is not the same as analyzing risk. In fact, I can confidently state that it can do more harm than good. 

Not convinced? Consider the following scenario that I observed:

Acme Org analyzes two separate third-party vendors by providing them with a detailed control questionnaire. The vendors provide detailed responses on the state of their controls back to Acme’s risk analysts.

When reviewing the results from Vendor A, the analysts found 8 responses to the control questionnaire that fell below Acme’s security standards and expectations.

When reviewing the responses from Vendor B, only 2 questions were answered below the security standards and expectations.

With just this information, it would appear that Vendor A is more “risky”.

Doing simple math, one may even say Vendor A is 4 times more “risky”.

However, what if I told you Vendor A was a small law firm that occasionally stores a very limited amount of non-public contract information for a limited period of time, while Vendor B is a key marketing analytics provider that continuously stores the records of 80 million customers’ PII in multiple systems?

Shame on us for only considering controls! This is just a simple example of how not using an accurate model of risk, like FAIR, can lead to unintentional but poor risk management decision-making.
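To make the point concrete, here is an added example (not from the original post, and not FAIR Institute code) that scores the two vendors both ways: by counting control gaps, and with a simplified FAIR decomposition where risk = loss event frequency × loss magnitude and control gaps only feed the vulnerability factor. Only the gap counts (8 vs 2) and the 80 million records come from the post; the questionnaire length, threat event frequency, per-record cost, record counts for Vendor A and the exposure fractions are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    control_gaps: int         # questionnaire answers below standard (from the post)
    records_exposed: int      # sensitive records the vendor holds (assumed for A)
    exposure_fraction: float  # share of the year the data is actually present (assumed)
    tef_per_year: float       # threat event frequency: attempts per year (assumed)


QUESTIONS = 40             # assumed length of the control questionnaire
COST_PER_RECORD = 150.0    # assumed loss per exposed record, in USD


def vulnerability(v: Vendor) -> float:
    """Probability a threat event becomes a loss event.

    Assumed to rise linearly with the share of failed controls; this is
    the only place the questionnaire result enters the model.
    """
    return min(1.0, 0.05 + 0.9 * v.control_gaps / QUESTIONS)


def loss_event_frequency(v: Vendor) -> float:
    # A loss event needs a threat event, a control failure, and data present.
    return v.tef_per_year * vulnerability(v) * v.exposure_fraction


def loss_magnitude(v: Vendor) -> float:
    return v.records_exposed * COST_PER_RECORD


def annualized_loss_expectancy(v: Vendor) -> float:
    return loss_event_frequency(v) * loss_magnitude(v)


def rank_by_control_gaps(vendors):
    """The 'control assessment' ranking: most gaps first."""
    return [v.name for v in sorted(vendors, key=lambda v: v.control_gaps, reverse=True)]


def rank_by_risk(vendors):
    """The 'risk assessment' ranking: highest expected annual loss first."""
    return [v.name for v in sorted(vendors, key=annualized_loss_expectancy, reverse=True)]


# Constructed vendors mirroring the scenario above.
VENDOR_A = Vendor("Vendor A (law firm)", control_gaps=8, records_exposed=500,
                  exposure_fraction=0.1, tef_per_year=2.0)
VENDOR_B = Vendor("Vendor B (marketing analytics)", control_gaps=2,
                  records_exposed=80_000_000, exposure_fraction=1.0, tef_per_year=2.0)
```

Under these assumptions Vendor A is the more vulnerable of the two, yet its expected annual loss is several orders of magnitude below Vendor B's, so the two rankings come out reversed.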
