Governance, Risk and Compliance

Practical guidance for governance, risk and compliance

Integrated GRC: Improving Risk Assessment Using the Correct Risk Assessment Approach

Posted by brucemccuaig on October 30, 2009

Many of the organizations that I speak with on the topic of integrated GRC are looking for ways to improve their overall risk assessment processes. As the first part of a series of blog posts on the topic of risk assessment, this post will focus on defining three different approaches to risk assessment.

Depending on the GRC focus area, a different framework of policy, risk, and control may be applied. For example, SOX professionals utilize the guidance in PCAOB AS5, risk professionals may utilize ISO 31000, and compliance professionals may utilize the US Federal Sentencing Guidelines. To highlight the distinct differences in these frameworks, I went through the simple process of searching for three words (or phrases) in each document and have charted how often each of those words appears below. The three key word phrases are risk, control, and conduct/behavior.

[Chart: frequency of the keywords "risk", "control" and "conduct/behavior" in PCAOB AS5, ISO 31000 and the US Federal Sentencing Guidelines]

As indicated in this chart, there are distinct differences in the focus of each of these frameworks, judged by the frequency of the referenced keywords. Given these differences, it should come as no surprise that audit, risk, and compliance professionals, at times, have difficulty agreeing on both methodology and outcome when going through risk assessment processes. Audit, risk and compliance professionals all claim, correctly, to be performing risk assessments, but they are all doing something different. More importantly, these GRC professionals seldom communicate or integrate their work to provide a complete picture. That causes many problems. I would assert that an important first step in resolving these differences is acknowledging the three distinct types of risk assessment.

  • Context Risk Assessment: Context based risk assessment focuses on where things go wrong, what we know about the propensity of things to go wrong, and how the business can be affected.
  • Event Risk Assessment: Event based risk assessment focuses on exactly what can go wrong, how we are managing what can go wrong, what we still need to manage, and whether we are getting better or worse.
  • Behavior Risk Assessment: Behavior based risk assessment focuses on whether people will do the right things.

Each of the three approaches produces insight into risk, and each approach, taken alone, has huge blind spots. The context risk approach, embodied best by AS5 is primarily focused on managing controls, not on managing risk. The context risk approach identifies vulnerabilities, but it does not attempt to avoid or prevent them. This approach seems to have an implicit assumption that failure is random and inevitable and more controls are the best defense. Call it the Maginot Line syndrome. Human behavior risk and event risk are filtered out.

The event risk approach is focused on failure and its root causes. Its implicit assumption is that if event risks are truly understood, then their root causes can be identified and eliminated. Event risks can be managed by eliminating them outright, or reduced without controls. If a risk can't be eliminated, at least it can be predicted, and reserves can be provided to offset the risk when it occurs. Context risk and human behavior risk are filtered out.

The behavior risk approach brings a third perspective. This approach reinforces the behaviors a company needs through training, communication, monitoring and accountability, and asks how people will handle the risks and avoid failure. The behavior risk approach is most commonly utilized in the regulatory compliance area.

All three approaches have merit. All three need to be incorporated into any new GRC regulatory framework. I will explore some of the specific features, strengths and weaknesses of each of these risk assessment approaches in future posts over the next week or two.
