As we cited in “Risk Assessments are only a piece of the Risk Management Puzzle,” the abysmal performance of organizations in the first round of Health Insurance Portability and Accountability Act (HIPAA) audits shows great room for improvement. None of the facts outlined by David Solove in “” is more upsetting than those regarding risk assessments.
Two-thirds of all entities (47 out of 59 providers, 20 out of 35 health plans, and 2 out of 7 clearinghouses) had no complete or accurate risk assessment program.
Unfortunately for organizations that haven’t taken the development of their risk assessment function seriously, the focus on this area in future audits is going to increase in 2015.
So what is a risk assessment, and why do you need one?
A risk assessment is the process through which management identifies and analyzes the threats and vulnerabilities that might adversely affect realization of the organization’s business objectives. Simply put, a risk assessment answers three questions:
“What could happen?”
“How could it happen?”
“Why do we care?”
Information System risk assessments, specifically, identify the potential adverse impacts that arise from the operation of information systems and the information processed, stored, and transmitted by those systems.
Some form of risk assessment is required by most high-profile regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA), and more. There are many sources of guidance for conducting meaningful, comprehensive risk assessments, such as:
- COSO 2013
- NIST 800-30
- NIST 800-39
- ISO 31000
- FIPS 199
Read: COSO 2013: Risk Assessment
However, organizations have maximum flexibility on how risk assessments are actually conducted. There are no specific requirements regarding the level of detail included, the tools or techniques used, or the format and content of the assessment results. In addition, because the context within which you conduct business is constantly evolving, the validity and usefulness of any risk assessment is bounded in time.
This means that it is up to YOU, the organization, to conduct a sufficient risk assessment, before the auditors find all the nasty points that you skimmed over or missed entirely.
There is little or no point in conducting a risk assessment that does not:
- Have an adequate scope. A risk assessment should be performed within the scope of the organization as a whole. This is a part of “risk framing”. You can’t quantify operational risks without first framing risk in the context of your organization.
- Dig into the ‘icky stuff’. You know the stuff we’re talking about…the departments, processes, people, information systems, infrastructure, and third parties that make up your organization. Each of these presents risk to your business. Ignoring or skimming over them will not change that.
There is also no point in a risk assessment that is not:
- Repeatable or defensible.
- Part of, or going to be part of, a larger risk management program.
Read: Risk Assessments are only a piece of the Risk Management Puzzle
Risk assessments are crucial to your overall risk management program. This assessment can support a wide variety of risk-based decisions and activities by organizational officials such as:
- Selection of the risk response appropriate for your organization, such as risk acceptance, avoidance, mitigation, sharing, or transfer
- Development of organization-wide programs, policies, procedures, and guidance
- Development of minimum, organization-wide, internal controls and potential implementation of software solution(s) necessary to monitor and manage your Enterprise Risk Management Program.
- Modification of business functions and/or business processes
- The selection of suppliers, services, and contractors to support organizational business functions
- Definition of business requirements, SLAs, and key performance indicators (KPIs) for third parties, information systems, and infrastructure that support your business processes.
- Operational decisions, including the requisite level of monitoring activity, the frequency of ongoing information system authorizations, and system maintenance decisions.
Conducting a Risk Assessment in Three Steps
Step 1: Identify business units and dependencies
Before you try to analyze the details of your organization’s processes and technologies, it’s important to first identify what is important to the business as a whole. Start by breaking up your organization into pieces, first at a high level, then at a more detailed level. Next, record the dependencies that each component has on the others. These pieces vary by organization, but should look something like this:
- Companies
- Business Units
- Departments
- Processes
- Facilities
- IT Services
- Vendors
- Infrastructure
Step 2: Identify business objectives
Risk assessments are all about finding out what can go wrong. But it’s hard to identify what can go wrong without identifying what the goals are. Every business unit, department, and business process has key metrics to measure success. Identify, prioritize, and communicate these metrics. This will help stakeholders to more accurately identify the risks that could prevent achievement of those goals.
- Revenue targets
- Cost reductions
- Market share
- Compliance
- Certification
- Service Levels
- Customer Satisfaction
Step 3: Conduct BIA & Risk Assessments
Now that business units and key dependencies are defined, it’s time to quantify the impact that each has on the others. That’s the purpose of a Business Impact Analysis (BIA). The risk assessment then identifies and quantifies the threats and vulnerabilities that may prevent each component from achieving its objectives.
Assess exposure to risk due to loss of confidentiality, integrity, and availability of:
- Processes
- Facilities
- IT Services
- Vendors
- Staff
- Infrastructure
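The three steps above can be captured in a small, repeatable risk register. The following Python script is an added example, not code from the original article or from any of the standards it cites: it records a constructed organization and its dependencies (Step 1), attaches weighted objectives to business units (Step 2), then runs a BIA by walking the dependency graph and scores exposure to loss of confidentiality, integrity and availability as likelihood times impact (Step 3). The 1..5 scales, the objective weights, the rating bands and the sample components are all assumptions chosen for illustration.

```python
"""Toy risk register that follows the three steps above.

Added example, not from the original article: the organization, the 1..5
scales, the objective weights and the rating bands are constructed
assumptions for illustration, not values prescribed by any standard.
"""
from collections import defaultdict

# Step 1 (constructed): each component and the components it depends on.
DEPENDENCIES = {
    "Billing Dept": ["Claims Processing"],
    "Patient Portal": ["Identity Provider", "DB Cluster"],
    "Claims Processing": ["Claims App", "Clearinghouse Vendor"],
    "Claims App": ["DB Cluster", "Identity Provider"],
    "DB Cluster": ["Data Center A"],
    "Identity Provider": ["Data Center A"],
    "Clearinghouse Vendor": [],
    "Data Center A": [],
}

# Step 2 (constructed): objectives owned by a component, each with a
# priority weight 1..5 and the CIA properties whose loss would defeat it.
OBJECTIVES = {
    "Billing Dept": {
        "Revenue targets": (4, "IA"),
        "HIPAA compliance": (5, "CI"),
    },
    "Patient Portal": {
        "Customer satisfaction": (3, "A"),
        "HIPAA compliance": (5, "CI"),
    },
}

# Step 3 input (constructed): likelihood 1..5 that a loss of
# confidentiality, integrity or availability of the component occurs.
LIKELIHOOD = {
    "Billing Dept": {"C": 2, "I": 1, "A": 1},
    "Patient Portal": {"C": 4, "I": 2, "A": 3},
    "Claims Processing": {"C": 2, "I": 2, "A": 2},
    "Claims App": {"C": 3, "I": 3, "A": 2},
    "Clearinghouse Vendor": {"C": 3, "I": 2, "A": 3},
    "DB Cluster": {"C": 3, "I": 2, "A": 2},
    "Identity Provider": {"C": 2, "I": 2, "A": 3},
    "Data Center A": {"C": 1, "I": 1, "A": 2},
}


def dependents_index(deps):
    """Invert the dependency map: component -> components that rely on it.
    Rejects a dependency on a component that was never declared, the usual
    sign that Step 1 skipped part of the organization."""
    index = defaultdict(list)
    for component, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"{component!r} depends on undeclared {need!r}")
            index[need].append(component)
    return index


def affected_objectives(component, deps=DEPENDENCIES, objectives=OBJECTIVES):
    """BIA: every objective that transitively relies on the component,
    found by walking up the dependents graph (cycle-safe via `seen`)."""
    index = dependents_index(deps)
    seen, stack, found = set(), [component], {}
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        found.update(objectives.get(node, {}))
        stack.extend(index[node])
    return found


def impact(component, prop, **kw):
    """Impact 1..5 of losing one CIA property of the component: the highest
    weight among affected objectives sensitive to that property (0 if none)."""
    hits = [w for w, props in affected_objectives(component, **kw).values()
            if prop in props]
    return max(hits, default=0)


def rating(score):
    """Map a likelihood x impact score (0..25) onto qualitative bands."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Moderate"
    if score <= 16:
        return "High"
    return "Very High"


def risk_register(likelihood=LIKELIHOOD, **kw):
    """Score every (component, property) pair, highest risk first."""
    rows = []
    for component, probs in likelihood.items():
        for prop, like in probs.items():
            imp = impact(component, prop, **kw)
            rows.append((component, prop, like, imp, like * imp, rating(like * imp)))
    rows.sort(key=lambda r: (-r[4], r[0], r[1]))
    return rows


if __name__ == "__main__":
    for comp, prop, like, imp, score, band in risk_register():
        print(f"{comp:22} {prop}  L={like} I={imp}  score={score:2}  {band}")
```

Running the script prints the register ranked by score. Two things the table shows that the prose alone does not: a low-level component such as the data center inherits the impact of every objective above it even though nobody wrote an objective against it directly, and the same component carries different scores for C, I and A, which is why exposure is assessed per property rather than as one number per asset.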
A risk assessment, as part of an overall risk management process, will provide senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.
For more on the topic of risk management, read “Risk Assessments are just a Piece of the Risk Management Puzzle.”