Communicating the results of business controls to top management is never easy, especially if we want the information to be concrete and grounded in both risk and the effectiveness of controls. Risk and controls are generally assessed with different methodologies, which is not ideal. Instead, we need flexible methodologies, collaboration between business processes and adequate tools. To create this synergistic approach, we can adapt what we are already using in our organizations.
Addressing a problem without prior experience makes it harder. When you do not have experience with a specific task, the first step is to find a method that has already been properly reviewed, is already part of your daily work and can be applied to the task. Risk is recorded in the risk register and controls are assessed with the capability maturity model (CMM). The two are not immediately integrated because they derive from processes that follow different logic for different purposes: impact and probability evaluations on one side, performance and maturity assessments on the other. Risk receives more attention from top management, where sensitivity toward business objectives is a priority, while controls are more of a focus for operations and are linked to the objectives of individual processes.
To improve the quality of the information we want to aggregate, we must collect it over a common scope and at a similar level of detail. The ideal candidates for linking risk and controls are the activities that take place in the organization and the assets they use. Activities are nothing but actions performed on assets, following a rule, to produce a result. The rule is a business requirement that serves the objectives, and the result is the product of the business. The list of all relevant assets and of the actions that manage them belongs to the world of risk, while the list of those actions and the protection measures applied to them belongs to the world of controls. By creating relationships between risk, assets and controls, we can share the data collected in each domain, preserving its original meaning while also introducing new combinations according to the established relationships.
The functions of the risk register and the CMM remain unchanged, but the relationships between assets and common activities allow new information to be created, which adds value. Although this requires additional operational effort, it still uses the existing data basis. If confidence in data quality should decrease, we can rethink the audit process.
With a little creativity, we can use this process to review the logic of the audit plan. If we vary both the audit scope and the depth of the tests appropriately, we can reduce the time spent in situations with lower risk, leaving more time for in-depth analysis in cases with greater risk. The better coverage of the business perimeter that results should be enough to compensate for the reluctance to change methodology.
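The following is an added illustration of the relationships described above, not code from the article or from ISACA. It joins a risk register and a CMM assessment through the assets and activities they share: each risk is keyed to an asset, each activity on that asset names the controls it relies on, and each control has an assessed and a target maturity level. The residual exposure of a risk is its inherent score (impact times probability) weighted by the average maturity gap of the controls protecting the asset, and the audit plan assigns test depth from that residual. All data (asset names, risk and control identifiers, maturity levels, thresholds) are constructed for the example, and the weighting formula is a hypothetical choice, not a standard. Two practitioner checks are included: an asset with no controls at all is treated as fully exposed, and a control named on an activity but never assessed in the CMM counts as a full gap and is reported separately.

```python
"""Hypothetical join of a risk register and a CMM control assessment.

Sample data and the weighting formula are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    impact: int       # 1 (negligible) .. 5 (severe)
    probability: int  # 1 (rare) .. 5 (almost certain)

    @property
    def inherent(self) -> int:
        """Inherent risk score before considering controls."""
        return self.impact * self.probability


@dataclass(frozen=True)
class Activity:
    activity_id: str
    asset: str
    control_ids: frozenset  # controls relied on while performing this activity


@dataclass(frozen=True)
class ControlMaturity:
    control_id: str
    current: int  # assessed CMM level 0..5
    target: int   # required CMM level 1..5

    @property
    def gap(self) -> float:
        """Fraction of the required maturity still missing (0.0 = fully mature)."""
        return max(self.target - self.current, 0) / self.target


# Constructed sample data: three assets, four risks, four activities, three assessed controls.
RISKS = [
    Risk("R1", "crm-db", impact=5, probability=3),
    Risk("R2", "hr-portal", impact=3, probability=2),
    Risk("R3", "build-server", impact=4, probability=4),
    Risk("R4", "crm-db", impact=2, probability=1),
]
ACTIVITIES = [
    Activity("A1", "crm-db", frozenset({"C-ACCESS", "C-BACKUP"})),
    Activity("A2", "crm-db", frozenset({"C-LOG"})),
    Activity("A3", "hr-portal", frozenset({"C-ACCESS", "C-MFA"})),  # C-MFA never assessed
    Activity("A4", "build-server", frozenset()),                    # no controls at all
]
CMM = {
    "C-ACCESS": ControlMaturity("C-ACCESS", current=4, target=4),
    "C-BACKUP": ControlMaturity("C-BACKUP", current=2, target=4),
    "C-LOG": ControlMaturity("C-LOG", current=1, target=3),
}


def controls_for_asset(asset, activities):
    """Union of the controls named on every activity performed on the asset."""
    ids = set()
    for act in activities:
        if act.asset == asset:
            ids |= act.control_ids
    return ids


def unassessed_controls(activities, cmm):
    """Controls that activities rely on but that the CMM assessment never covered."""
    declared = {c for act in activities for c in act.control_ids}
    return sorted(declared - set(cmm))


def asset_control_gap(asset, activities, cmm):
    """Average maturity gap of the controls on an asset; 1.0 means fully exposed."""
    ids = controls_for_asset(asset, activities)
    if not ids:
        return 1.0  # no control protects this asset
    # A control that was never assessed counts as a full gap rather than silently as 0.
    return mean(cmm[cid].gap if cid in cmm else 1.0 for cid in sorted(ids))


def residual_exposure(risk, activities, cmm):
    """Inherent score weighted by how much control maturity is still missing."""
    return risk.inherent * asset_control_gap(risk.asset, activities, cmm)


def audit_plan(risks, activities, cmm, in_depth_at=10.0, standard_at=3.0):
    """Order risks by residual exposure and assign a test depth to each."""
    scored = sorted(
        ((residual_exposure(r, activities, cmm), r) for r in risks),
        key=lambda pair: pair[0], reverse=True,
    )
    plan = []
    for residual, r in scored:
        if residual >= in_depth_at:
            depth = "in-depth"
        elif residual >= standard_at:
            depth = "standard"
        else:
            depth = "light"
        plan.append((r.risk_id, r.asset, round(residual, 2), depth))
    return plan


if __name__ == "__main__":
    for row in audit_plan(RISKS, ACTIVITIES, CMM):
        print(row)
    print("unassessed controls:", unassessed_controls(ACTIVITIES, CMM))
```

With the sample data, the build server, which no control protects, tops the plan for in-depth testing even though its inherent score is close to the CRM database's, while the well-controlled HR portal only reaches "standard" because one of its controls was never assessed. Replacing the thresholds and the averaging rule with the organization's own risk appetite is the point at which this stops being an illustration and becomes a policy decision.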
Editor’s note: For further insights on this topic, read Luigi Sbriz’s recent Journal article, “Capability Maturity Model and Risk Register Integration: The Right Approach to Enterprise Governance,” ISACA Journal, volume 1, 2022.