As businesses, especially regulated ones, we work hard to carry out risk assessments. But where are we with that, and are these assessments informed, measured or validated?
Risk: the thing that ‘compliance’ professionals work hard to mitigate.
Well, regulatory risk at any rate.
Where are we with this?
I would suspect we all look to identify our risks, guesstimate the inherent nature of them by considering likelihood and impact.
I would also hope we are reassessing these after our businesses have designed mitigation by way of procedures and controls.
But do we then assess the effectiveness of that design, and do we review and report on the operational efficiency of these controls?
Perhaps we do this through our monitoring and assurance programmes; however, some burning questions remain:
What is our quantified confidence in those controls, and have we considered how to measure it with validity?
Are we able to show our boards definitive evidence of whether our inherent risk is diverging from or converging with our residual risk?
If we profess to be following a risk-based approach, we have to be able to provide answers to these!
We need to constantly strive to improve our defence.