Welcome to part three of our COSO 2013 blog series. In our previous blog, we discussed the COSO framework’s key principles for the development of a robust control environment and ways that ServiceNow can assist with the implementation of those principles in your organization. Having setup your control environment, we can now focus on the next COSO component – Risk Assessments.
Risk Assessment Overview
In the two decades since the 1992 COSO framework was published, there has been significant improvement made in the world of governance, risk, and compliance (GRC). Historically, the focus has been on compliance, but more organizations are realizing that risk should drive control implementation, so that the right controls are applied to the right places, at the right time, with the right intensity.
Read: “The Future of Control Design”
An effective risk assessment process is crucial to this style of control implementation.
So what is a risk assessment?
To answer that, we must first understand risk. The COSO Framework defines risk as, “the possibility that an event will occur and adversely affect the achievement of objectives.” That’s simple enough – risk is all of the “what-if” scenarios that can negatively affect our company, its departments, processes, and functions. The purpose of the risk assessment is to analyze the entity, departments, processes, and functions in order to identify and quantify the risks. The COSO Framework provides 4 key principles required for effective risk assessments:
- “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- The organization identifies and assesses changes that could significantly impact the system of internal control.”
At its core, the risk assessment process helps an organization to identify what is most important to the business, so that time and resources are allocated appropriately. The highest priority departments, processes, and functions should be the first to perform more detailed, transaction level risk assessments.
COSO 2013’s Major Impacts on the Risk Assessment:
The 2013 framework places increased importance on the identification and prioritization of operational risks. The new framework also acknowledges the increased reliance on technology and third party service providers in the business environment. When performing transaction-level risk assessments, it’s important to identify where and how technology and/or third party reliance may impact the business. Other business activities impacted bym the new framework include:
- Determining your level of risk tolerance.
- Evaluating organization, business processes, entities, locations, and functional areas.
- Assessing fraud risk.
- Identifying triggers for additional risk assessments including personnel, environmental, and business changes.
How can ServiceNow Help with your Risk Assessments?
A robust, effective, risk management process is a critical component of any well governed organization. The information gathered during a risk assessment is a key input to many business decisions. For this reason, the risk assessment process should be well integrated with business operations, so that the data gathered is readily available when decisions need to be made. ServiceNow is the only platform that combines governance, risk, and compliance (GRC) and service delivery out-of-box. Therefore, it is the best platform for integrating the risk assessment process. Here are a few key ServiceNow applications that can assist with risk assessments:
Governance, Risk, and Compliance
No surprise here, the GRC application in ServiceNow is the core component that acts as the foundation of an effective risk assessment process. The GRC application includes a risk register that can be the single risk repository for all entity-level and transaction-level risk that are identified in your organization. The risk register includes a mechanism for ranking and prioritizing risks, and automatically recommends the appropriate risk response activities. These mechanisms can be tailored to your unique environment, risk assessment policy, and risk tolerance. Additionally, risks can be related directly to your internal policies, which can assist with your organization’s periodic review of policies and procedures.
Configuration Management
As stated in our previous blog, the Configuration Management Database (CMDB) is a powerful tool that can supercharge your risk management program. The CMDB is a tool intended to illustrate the relationships between all of the components of your organization. Using CMDB, you can map out your businesses entities and departments, the processes that make up those departments, and any reliance those processes may have on technology, physical locations, and third-party service providers. Using this business mapping, your organization can quickly identify dependencies, objectives, and risks at every level of the organization. This is a tool that you will not find in any other GRC platform on the market today and is one of the primary reasons why we recommend ServiceNow as an enterprise risk management platform.
Change Management
Anyone familiar with ITIL or IT operations can tell you about change management. It’s the process used to evaluate and approve changes to the IT environment, so that high-risk changes do not negatively impact the integrity and availability of IT’s services. But why limit the change management process to just IT? The change management process can (and should) be leveraged to evaluate any changes to business process or objectives, leadership, the physical environment, as well as major changes from mergers, acquisitions, and/or divestitures. The change process then becomes the trigger to conduct new risk assessments or refresh existing assessments. When used in conjunction with CMDB, this process becomes even more valuable because you can relate changes to each of your configuration items (CI’s) and report on the frequency of change to each of your organizations entities, departments and processes.
In our next blog, Intréis experts will discuss the impact COSO 2013 has had on control activities and how ServiceNow can help you manage them. If you have any questions for our GRC experts, comment below!
About the authors
“Life is too short to not hit the ground running” - john linamen
