Did You Know?
One of the most significant reasons for the failure of any system or process is the principle of ‘garbage in, garbage out.’ This holds true whether you are dealing with a highly sophisticated IT system or the basic tools like Excel or Word. Essentially, if you feed low-quality or irrelevant data into a system, it will produce outputs of similar quality, if not worse. In essence, a system or process inundated with poor-quality data does little more than expedite the generation of undesirable results. Such a system or process, cluttered with useless information, provides no value.
To illustrate this point, consider your bank statement. If it’s arranged haphazardly with transactions in random order, unclear balances, and beneficiary details all over the place, making sense of your financial activity becomes an impossible task.
I emphasise this obvious point because, regrettably, we frequently encounter this kind of disorganised and unstructured risk data when tasked with migrating Excel-based risk registers into our software, BarnOwl. Given this lack of organisation and coherence in the data, it is no surprise that risk professionals face a formidable challenge when trying to demonstrate the value of risk management to their organisations. Unstructured data, being unintelligible and impossible to report on or analyse effectively, ultimately adds no value to the process.
We often hear risk professionals say that risk registers are dead. I disagree. In my opinion, they are the building blocks of risk management; however, they need to be articulated properly and structured correctly according to the ISO 31000 and COSO standards. Risk management requires a disciplined approach! Lay a solid foundation by getting the basic risk register structure and data right, and only then consider risk appetite, risk tolerance, key risk indicators, key performance indicators, quantification of risks, aggregation of risk, data analytics and predictive analysis. Risk management must add value and facilitate business decision making.
Getting the basics right:
Step 1: Objective: Identify an Objective / Outcome. E.g. 1. We act with integrity
Step 2: Risk: Identify the risks that will prevent you from achieving the objective or a risk that you would like to take to achieve the objective. e.g. 1.1 Cyber threat
Step 3: Contributing Factor (CF) / Cause: Identify the contributing factors / causes that give rise to the risk. E.g. 1.1.1 Unauthorised access to data, 1.1.2 Phishing and social engineering, 1.1.3 Denial of service attack, 1.1.4 Malware infections
Step 4a: Preventative Controls: Identify preventative controls to mitigate the contributing factors. One control can be used to mitigate more than one contributing factor so be sure to reference correctly. E.g. 1.1.1 Anti-virus software (linked to CF 1.1.1 and 1.1.4 above)
Step 4b: Mitigating Controls: Identify the controls you have in place to manage the risk should it materialise. These controls are linked directly to the risk or can be linked to individual Impacts / Consequences. E.g. 1.1.2 Contain the data loss as soon as possible, 1.1.3 Consider whether data breach notification is required
Step 5: Action plans: Create action plan(s) against the specific control(s) and assign a responsible owner and due date. E.g. Install the latest anti-virus software by dd/mm/yyyy, assigned to responsible owner Joe Soap, linked to control 1.1.1 Anti-virus software. To ensure the effectiveness of action plans, it is crucial to link them to the appropriate object(s) (Risk, CF or Control), making them specific and providing relevant context. Generic action plans, such as ‘Manage cyber risk’ linked to the risk ‘Cyber threat’, state the obvious and offer no tangible value.
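As an added example (not part of the original post or of the BarnOwl product), the following Python models the Step 1 to 5 hierarchy as flat, cell-sized rows with explicit references and then checks the register for the referencing failures described above: references to objects that do not exist, controls that are not rated, and action plans linked only to the risk. The `Item` schema, the `C-` prefix used to keep control ids distinct from contributing-factor ids, and all sample rows are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Item:
    kind: str          # objective | risk | cf | control | action
    ref: str           # hierarchical reference, e.g. "1.1.1"
    title: str
    links: tuple = ()  # refs of the objects this item is applied to
    rating: str = ""   # control adequacy/effectiveness; empty = unrated

# Which object kinds each kind may legitimately reference (Steps 2-5).
ALLOWED_LINKS = {
    "risk": {"objective"},
    "cf": {"risk"},
    "control": {"cf", "risk"},          # preventative -> CF, mitigating -> risk
    "action": {"risk", "cf", "control"},
}

# Constructed sample register following the worked example in the text.
REGISTER = [
    Item("objective", "1", "We act with integrity"),
    Item("risk", "1.1", "Cyber threat", ("1",)),
    Item("cf", "1.1.1", "Unauthorised access to data", ("1.1",)),
    Item("cf", "1.1.4", "Malware infections", ("1.1",)),
    Item("control", "C-1.1.1", "Anti-virus software", ("1.1.1", "1.1.4"), "effective"),
    Item("control", "C-1.1.2", "Contain the data loss", ("1.1",)),        # unrated
    Item("action", "A1", "Install the latest anti-virus software", ("C-1.1.1",)),
    Item("action", "A2", "Manage cyber risk", ("1.1",)),                  # generic
    Item("action", "A3", "Review firewall rules", ("C-9.9.9",)),          # dangling
]

def validate(register):
    """Return (ref, problem) pairs; an empty list means the register imports unambiguously."""
    by_ref = {i.ref: i for i in register}
    issues = []
    for item in register:
        for target in item.links:
            if target not in by_ref:
                issues.append((item.ref, f"references missing object {target}"))
            elif by_ref[target].kind not in ALLOWED_LINKS.get(item.kind, set()):
                issues.append((item.ref, f"{item.kind} may not reference {by_ref[target].kind} {target}"))
        if item.kind != "objective" and not item.links:
            issues.append((item.ref, "not linked to anything"))
        if item.kind == "control" and not item.rating:
            issues.append((item.ref, "unrated control: residual risk cannot be derived"))
        if item.kind == "action" and all(by_ref.get(t, item).kind == "risk" for t in item.links):
            issues.append((item.ref, "action plan linked only to the risk: too generic"))
    return issues

def controls_for(register, ref):
    """Titles of the controls applied to a given contributing factor or risk."""
    return [c.title for c in register if c.kind == "control" and ref in c.links]
```

Running `validate(REGISTER)` on the sample flags the unrated control, the generic action plan and the dangling reference, while `controls_for(REGISTER, "1.1.4")` answers the bowtie question of which controls manage a given cause.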
Example of a structured risk register
Ideally, it is best to put each data item in separate cells in Excel. In the example below, contributing factors are in separate cells:
Controls are also captured in separate cells against each contributing factor. If you decide to put multiple controls in one cell, then referencing is critical so that the user / system knows which controls belong to which contributing factors. In some cases, the same control can be used to manage more than one contributing factor. Therefore, referencing of contributing factors and controls is critical.
You will notice below that action plans are captured in separate cells against the controls or at least referenced correctly so that the user / system knows which action plan is addressing which item (the risk, the contributing factor or the control). The more specific the action plan is, the more effective it will be and the more chance you have that something will be done about it.
The following is a bowtie visualisation of the risk register:
Example of an unstructured risk register
The following is an example of an unstructured risk register. All data is merged into single cells and there is no referencing. No user or system is able to import this data or make any sense of this data. Hence it adds very little or no value to the organisation. It would be impossible to know which controls were managing which contributing factors (causes) or how individual controls are rated in terms of adequacy and effectiveness and who is responsible for each of the controls. If controls are not rated individually, it means that there is no reliable way to rate the residual risk. It would also be impossible to know which action plans were managing which controls. Most action plan descriptions / titles in unstructured data are so vague and generic that they cannot be linked to anything specific (apart from the risk) and therefore add very little or no value and drive no accountability.
Example of structured risk data in BarnOwl
Risk register for unit ‘Client A’, showing inherent and residual risk ratings. Notice the exclamation mark next to ‘010a Cyber threat’, indicating that this risk needs to be reassessed because an item linked to this risk (i.e. its controls, child risks, KRIs or loss events) has changed since the risk was last rated.
Risk on a page ‘010a Cyber threat’, showing the linked contributing factors grouped by causes and impacts (consequences):
Drill down into contributing factor ‘010a.C01’ to see the linked controls including the control adequacy and effectiveness ratings:
View various dashboards made possible when capturing / importing structured risk data:
In summary
Risk management must add value and facilitate business decision making. Investing the time and energy to establish a solid foundation of structured and meaningful information within a risk management system allows an organisation:
- to proactively manage strategic, operational and compliance risk
- to facilitate a common risk taxonomy across divisions and disparate assurance providers
- to integrate risk across silos
- to ensure data integrity protected by role-based permissions
- to gain oversight of its risk universe – accurate, up to date, one version of the truth rather than 100s of spreadsheets
- to improve visibility of key risks in an ever changing risk landscape
- to automate risk reporting saving 1000s of manual hours
- to embed a good corporate governance culture enabled by action plans driving ownership and accountability
- to improve business decisions with accurate and well-organised data, reducing errors and improving strategic planning and reporting.
Useful links
https://api.barnowl.co.za/barnowl-knowledge-base/
Download the BarnOwl Risk Register Template here
About BarnOwl:
BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 150 organisations locally and internationally. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.
Please see https://api.barnowl.co.za for more information.