This is the most common “sin” we run into within the industry. Analysts, often not specifically trained on risk, focus almost solely on controls and their effectiveness. Trust me - I’ve been there. Prior to focusing on risk management, I was an IT auditor, and my world was controls!
But analyzing controls is not the same as analyzing risk. In fact, I can confidently state that it can do more harm than good.
Not convinced? Consider the following scenario that I observed:
Acme Org analyzes two separate 3rd Party vendors by providing them with a detailed control questionnaire. The vendors provide detailed responses on their state of controls back to Acme’s risk analysts.
When reviewing the results from Vendor A, the analysts found 8 responses to the control questionnaire that are below Acme’s security standards and expectations.
When reviewing the responses from Vendor B, only 2 questions were answered below the security standards and expectations.
With just this information… it would appear that Vendor A is more “risky”.
Doing simple math… one may even say Vendor A is 4 times more “risky”.
However, what if I told you Vendor A is a small law firm that occasionally stores a very limited amount of non-public contract information for a limited period of time, while Vendor B is a key marketing analytics provider that continuously stores the records of 80 million customers’ PII in multiple systems?
Shame on us for only considering controls! This is just a simple example of how not using an accurate model of risk, like FAIR, can lead to unintentional but poor risk management decision-making.
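As an added illustration (not from the original post), here is the Vendor A / Vendor B scenario coded as a minimal FAIR-style comparison: risk as Loss Event Frequency times Loss Magnitude, next to the “count the control gaps” view. Apart from the 8 gaps, 2 gaps and 80 million records, every number (records held by the law firm, cost per record, threat event frequency, months the data is held) is a constructed assumption chosen to make the point, not a benchmark.

```python
# Added example: control-gap counting vs. a FAIR-style risk estimate.
# All parameters other than 8 gaps / 2 gaps / 80M records are constructed.
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    control_gaps: int          # questionnaire answers below standard
    controls_assessed: int     # total questions on the questionnaire (assumed)
    records_held: int          # sensitive records exposed to the vendor
    cost_per_record: float     # assumed loss per compromised record (USD)
    months_holding_data: int   # months per year the data is actually present
    threat_event_freq: float   # assumed threat events (attempts) per year


def control_gap_score(v: Vendor) -> int:
    """The 'controls only' view: more gaps == more risk."""
    return v.control_gaps


def annualized_loss_exposure(v: Vendor) -> float:
    """FAIR-style estimate: Risk = Loss Event Frequency x Loss Magnitude.

    Vulnerability is approximated as the fraction of assessed controls that
    are deficient; LEF = TEF x Vulnerability, scaled by the share of the year
    the vendor actually holds the data. LM = records x cost per record.
    """
    vulnerability = v.control_gaps / v.controls_assessed
    lef = v.threat_event_freq * vulnerability * (v.months_holding_data / 12)
    loss_magnitude = v.records_held * v.cost_per_record
    return lef * loss_magnitude


def rank(vendors, scorer):
    """Return vendor names ordered from highest to lowest score."""
    return [v.name for v in sorted(vendors, key=scorer, reverse=True)]


# Constructed scenario mirroring the post: small law firm vs. analytics provider
VENDOR_A = Vendor("A (law firm)", control_gaps=8, controls_assessed=100,
                  records_held=500, cost_per_record=150.0,
                  months_holding_data=2, threat_event_freq=4.0)
VENDOR_B = Vendor("B (analytics)", control_gaps=2, controls_assessed=100,
                  records_held=80_000_000, cost_per_record=150.0,
                  months_holding_data=12, threat_event_freq=4.0)
VENDORS = [VENDOR_A, VENDOR_B]

if __name__ == "__main__":
    print("By control gaps  :", rank(VENDORS, control_gap_score))
    print("By FAIR-style ALE:", rank(VENDORS, annualized_loss_exposure))
```

With these assumptions Vendor A shows four times the gaps but roughly USD 4,000 of annualized loss exposure, while Vendor B’s two gaps sit in front of about USD 960 million; the ranking flips as soon as exposure enters the model.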