
Factors frequently overlooked in risk assessments

February 16, 2023

Assessing the level of any business risk is not nearly as simple as most appear to make it.

Just look at any risk register or heat map (or “risk profile” in COSO language, which is the same thing) and you will see a single point for each source of risk’s potential effect and likelihood. That is simply wrong, as there is almost always a range of potential effects from an event (such as a decision), and each point in that range has its own likelihood.

One of the problems I have with most risk assessments is that they seek to evaluate each source of risk in a silo, rather than considering the big picture.

I tackle this at some length in my new book (coming soon), Understanding the Business Risk that is Cyber.

One of the sections in the book is on something called the “tipping point”. This is an extract:

In the robotics example [a project discussed earlier in the book], the cyber risk was seen as reducing the likelihood of achieving objectives by 3%.

On its own, this might be acceptable.

But the cyber risk might take the likelihood of achieving objectives beyond the tipping point[1]. It is defined in Merriam-Webster as:

The critical point in a situation, process, or system beyond which a significant and often unstoppable effect or change takes place

Perhaps the board is willing to accept a 10% likelihood of failing to achieve an objective, and currently the risk of failure (considering all related sources of risk to objectives) is assessed at 8%.

But the robotics cyber risk would take the likelihood beyond the 10% limit.

In that case, the CEO would have to look at all the risks involved and determine the best course of action. It might be to invest in cyber; it might be to invest in addressing a different source of risk; and it might be to accept the more than 10% likelihood of failure.

It’s not about whether the cyber risk is “high”. It’s about whether taking it is the right option for the business.

Making a decision about cyber out of context is likely to lead to making the wrong decision.

This is one of the reasons I dislike the idea of quantifying a source of business risk in dollar terms.

An event (and every decision is an event) can affect the achievement of multiple objectives. Not only are there potential rewards to balance against adverse effects, but different objectives may be impacted by different amounts, at different times, and so on.

The effect on one objective might be acceptable, while the effect on others is not.

It may affect one objective immediately, and another in the longer run.

In addition, the decision may take the overall likelihood of achieving objectives beyond the tipping point.

The individual risk may be within approved risk limits (or criteria or appetite[2]), but the overall situation is now unacceptable.

Let me explain further with a hypothetical example.

The CEO is considering an early rollout of the latest version of the company’s product line. In a meeting of her executive team, she hears:

  • There is a great opportunity to seize the market since our competitors are clearly lagging.
  • An early rollout of the product line increases the risk that customers will not be satisfied with its quality. But the heads of Sales and Engineering both believe that the risk is at an acceptable level, within guidance from the board.
  • The early rollout also increases the likelihood of a compliance failure, but the chief compliance officer and the head of engineering both believe that risk is acceptable.
  • The CIO and CISO jointly warn that the rollout will increase cyber-related risk, but they believe the risk is acceptable.
  • The General Counsel warns that there are pending legal issues related to the use of open-source code, but she believes that the level of risk is acceptable and in line with guidance from the board.
  • The CFO comments that the rollout will strain working capital availability, but he thinks it is a manageable risk.

Each of these and other sources of risk to the business is within defined tolerances.

But the CEO looks at the big picture and is not happy taking the overall risk that at least one of these issues will bite the company, and so focuses on a few of the individual sources of risk to see if they can be reduced before giving the go-ahead for the rollout.
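The tipping-point arithmetic behind the rollout example, as an added illustration that is not part of the original post. The five likelihoods, the 5% per-source guidance and the 10% board limit are constructed values, and the sources are assumed to be independent so that the chance that at least one of them bites is 1 minus the product of the chances that none does.

```python
from math import prod

# Constructed likelihoods (per year) that each source of risk "bites" the company
# if the early rollout goes ahead. Each one sits within the assumed 5% guidance.
ROLLOUT_SOURCES = {
    "customer quality": 0.03,
    "compliance failure": 0.02,
    "cyber": 0.03,
    "open-source legal": 0.02,
    "working capital": 0.02,
}
PER_SOURCE_LIMIT = 0.05   # assumed board guidance for any single source of risk
OVERALL_LIMIT = 0.10      # assumed tipping point: max acceptable likelihood overall


def combined_likelihood(probabilities):
    """Likelihood that at least one adverse event occurs, assuming independence."""
    return 1 - prod(1 - p for p in probabilities)


def tipping_point_check(sources, per_source_limit, overall_limit):
    """Return (every source within its own limit, overall within limit, overall likelihood)."""
    each_ok = all(p <= per_source_limit for p in sources.values())
    overall = combined_likelihood(sources.values())
    return each_ok, overall <= overall_limit, overall


def reduction_targets(sources, overall_limit):
    """For each source, the likelihood it would have to be brought down to (holding the
    others fixed) so that the overall likelihood falls back under the limit.
    A negative value means no reduction of that single source is enough on its own."""
    targets = {}
    for name, p in sources.items():
        others = prod(1 - q for n, q in sources.items() if n != name)
        # need 1 - (1 - p_new) * others <= limit  =>  p_new <= 1 - (1 - limit) / others
        targets[name] = 1 - (1 - overall_limit) / others
    return targets


if __name__ == "__main__":
    each_ok, overall_ok, overall = tipping_point_check(
        ROLLOUT_SOURCES, PER_SOURCE_LIMIT, OVERALL_LIMIT)
    print(f"every source within its own limit: {each_ok}")
    print(f"overall likelihood {overall:.1%} within {OVERALL_LIMIT:.0%}: {overall_ok}")
    for name, target in reduction_targets(ROLLOUT_SOURCES, OVERALL_LIMIT).items():
        print(f"  reduce {name!r} to <= {target:.1%} to get back under the limit")
```

With these numbers every executive is right that their own risk is within guidance, yet the chance that at least one of them bites is about 11.4%, past the 10% tipping point, which is the CEO's "big picture" view.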

We have heard for a long time that managing risk in silos is not a good idea, and that is why enterprise risk management was born.

Some continue to believe ERM is not a good idea[3]. I believe that managing each source of risk without seeing and understanding the big picture is the path to failure.

That is a major issue when it comes to cyber risk assessments – wait for the book to read more.

What do you think?

[1] Made famous by Malcolm Gladwell in The Tipping Point: How Little Things Can Make a Big Difference.

[2] By the way, I continue to have major issues with the idea that you can set an overall level of risk appetite, as it assumes you can aggregate all risks to a single number. The meaning of life may be 42, but that number has no practical meaning – just like most risk appetite statements.

[3] Some have repackaged ERM as “integrated risk management”, or IRM. I assume this is a marketing device, as there’s no practical difference.

  1. Tom Easthope
    February 16, 2023 at 10:33 AM

    “thumbs up” – good post

  2. sean coleman
    February 16, 2023 at 11:38 AM

    The important issue is what are you going to do about the risk, how will you monitor it or them, and how, who, along with why.

    • Norman Marks
      February 16, 2023 at 11:44 AM

      Maybe take more, once you see the big picture?

    • Norman Marks
      February 16, 2023 at 3:15 PM

      I have added an example to the post to clarify the point. I hope it helps.

  3. djallc
    February 16, 2023 at 12:11 PM

    I presume the “tipping point” is based on some expected level of benefit? Accepting a higher level of disruption from a risk event may push you past yesterday’s tipping point, but maybe not today’s after incorporating how the new risk impact will benefit you.

    • Norman Marks
      February 16, 2023 at 12:36 PM

      The tipping point is the level you are willing to accept, for any reason

      • djallc
        February 16, 2023 at 12:42 PM

        But the tipping point is not a static, fixed level, is it? The blog sounds like it is.

        • Norman Marks
          February 16, 2023 at 12:58 PM

          It can change, sure. But not all the time

    • Norman Marks
      February 16, 2023 at 3:15 PM

      I have added an example to the post to clarify the point. I hope it helps.

  4. February 16, 2023 at 1:14 PM

    The risk assessment misses having a full risk population. Controls over rev rec focusing on the shipping process to confirm revenue with no controls related to revenue without a shipment, which every ERP system allows for. Too much of an emphasis on SoD conflicts and not enough on Sensitive Access risks for end users (not just to define privileged access).

    This leads to an incomplete RACM in just about every RACM we review.

    We have developed risk based training to highlight specific risks to help auditors be better educated about this, but I suspect it will take years or decades for changes to take hold. This is just a systemic deficiency in implementing and auditing ERP systems.

    • Norman Marks
      February 16, 2023 at 1:40 PM

      You are still seeing pieces but not the whole puzzle

      • February 16, 2023 at 2:49 PM

        Without writing a book myself, I think you and I are seeing the same thing. Access controls, if done right, address risks related to security, fraud, compliance, and cyber. The entire C suite should care about getting access controls correct, but they don’t work together. They focus on their piece of the pie only.

        Auditors are no different. You have a financial auditor, core IT auditor, and cyber auditor all looking at access controls, but never holistically.

        The system is broken. People are trying to do the right thing, but they are only being trained in their context.

        Norman – I have a class that focuses just on this. See: https://erpriskadvisors.teachable.com/p/understanding-systemic-issues

        I am one of a few that has worked as a CFO, in an SI, and audited as an internal and external auditor. Few have seen the big picture like I have.

        My only hope is that the PCAOB continues to take training from us so they can evolve their inspections and move the needle with the external auditors. Unless there is an external force (external auditors) I don’t think management will change. Some would proactively, but most are just checking the box to keep the external auditors off their backs. I wish this weren’t the case, but that is the world I see.

        If anyone wants to have their eyes awakened, I would be happy to have a call to discuss. Feel free to email me at jhare@erpra.net.

    • Norman Marks
      February 16, 2023 at 3:15 PM

      I have added an example to the post to clarify the point. I hope it helps.

  5. Matt
    February 21, 2023 at 6:10 AM

    If there’s any confusion in this post, it stems from the initial paragraphs pointing out the issues with evaluating individual risks in a silo but subsequently relying on those results to properly make bigger decisions from multiple risks combined (in the example).

    Perhaps it’s not that the initial siloed evaluation is “wrong” to do, but that the problem occurs if evaluation stops there.
