Risk assessment has become an integral part of today's organization as business operations are expanding and being diversified, resulting in increased risk exposure. In addition, the tightening of regulatory requirements across the globe has resulted in the emergence of assurance functions such as operational risk management, information security, internal audit, internal control and compliance. Each of these functions stresses the importance of risk assessment within the organization and performs independent comprehensive exercises within its specific domain. [1]
Generally, there is room for debate about integration among all assurance functions and the use of an integrated risk assessment program (IRAP). Most standards have mapping documents available that show control overlaps among various standards and best practices, but they are rarely followed and adopted by the assurance functions of organizations. [2, 3, 4]

The question arises: Is the integration of assurance functions really a need?
Generally, professionals working in compliance, audit, risk management or information security departments face the following issues, which give rise to the need for an integrated risk management program:

• Risk assessments performed by assurance professionals are specific to their respective domain and do not give a holistic risk profile of the organization, which results in the presence of unmitigated and undetected threats.
• Often, assurance functions need different departments to nominate representatives for their correspondence and coordination. Typically, a department can assign the responsibility to a single resource. The efforts of the nominee multiply as each assurance function forms its respective teams within the organization. The individual often ends up performing similar tasks, such as self-assessments, statistics reporting and call-tree updating, for different groups, resulting in duplication of effort and repetitive and redundant activities.
• Management often misinterprets observations that are common across different reviews and audit reports because each report assigns them a different severity level and recommendation. As a result, these observations are inappropriately treated and reappear.
• The different audits and review exercises of the assurance functions often frustrate the auditee because of the constant information gathering and response requirements associated with these activities, which are performed at short intervals of time.
• The auditee sometimes provides different resolutions and target dates for similar observations that are reported by different assurance functions in their audit or review reports.
Keeping these issues in mind, organizations could start considering integration of assurance functions by identifying the overlapping and redundant activities. Examples of areas of common interest include:

• Obtaining nomination for departmentwide coordinators
• Conducting awareness sessions
• Obtaining departmentwide asset inventory
• Identifying business processes
• Identifying internal and regulatory requirements
• Performing business impact analysis
• Assessing risk
• Investigating incidents
• Reporting to management
The assurance functions should synchronize and align their common activities with respect to scope, objective and methodology. This would allow for the development of an IRAP. For risk assessment, international standards are used to ensure that best practices and controls are used to mitigate risk associated with systems, services and processes. An illustration of integrating two departments is depicted in the following figures, where one department uses ISO 27001:2005 and the other Basel II. [5]
Syed Fahd Azam, CISA, is assistant vice president of information security at Summit Bank, Pakistan. He manages information security and compliance at the enterprise level. He is involved in developing policies, performing audits and conducting awareness sessions. Azam has five years of experience in the field of IT governance. He can be reached at fahd.azam@gmail.com.
An Integrated Risk Assessment Program—A Cliché or a Need?