Strategic Programs, Cybersecurity & Audit Finding Review (SPCAF Review)
Effective use of resources and capital is everyone’s responsibility. Yet many strategic programs, capital expenditures, and audit finding remediation activities have not been reviewed to determine whether they introduce new risks. If opportunity and risk are two sides of the same coin, then there seems to be a bias as to which side of the coin most business leaders focus on when building a business case for a new initiative. The two are not mutually exclusive. When discussed in the context of controls and with an eye on achieving an acceptable level of residual risk, the integrated risk management process should be viewed as a business enabler, not a speed bump in the opportunity evaluation process.
This analysis and verification activity usually starts with a review of current and near-term projects. Mapping programs to key business processes and strategic outcomes is where most clients ask Risk Neutral to begin. If a program cannot be mapped to a strategic goal (e.g., financial, operations, compliance, reputational), should resources be allocated to it at all? Documenting the critical business processes (‘lead to cash’, for example) gives a clear understanding of a specific program’s value and makes the evaluation of residual risk meaningful. This activity can be extended to include use/abuse cases and threat models that help further understand vulnerabilities, asset and third-party dependencies, and cyber, IT and compliance requirements. With this level of detail uniformly documented, qualitative recommendations can be backed by more precise quantitative techniques such as Factor Analysis of Information Risk (FAIR).
The additional insight provided by this analysis technique gives senior leadership a more informed risk perspective. It allows them to verify that the resource priority and the level of residual risk associated with a specific initiative are within the tolerance described in the organization’s risk appetite statement. Risk Neutral’s broad industry experience and certifications provide the foundation for independent, objective insights into the organization’s critical programs and spending requests.
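The two paragraphs above describe quantifying a program’s residual risk with FAIR and then checking it against the tolerance in the risk appetite statement. The following is an added illustration, not Risk Neutral’s method or tooling: a small FAIR-style Monte Carlo that decomposes risk into Loss Event Frequency (Threat Event Frequency × Vulnerability) and Loss Magnitude, compares the inherent scenario with the same scenario after a remediation control, and tests each against a risk appetite threshold. All scenario values (the ‘lead to cash’ order portal, its calibrated estimates and the appetite threshold) are constructed for the example; the PERT distribution used for the calibrated estimates is the common choice in FAIR practice.

```python
"""FAIR-style Monte Carlo: inherent vs. residual annualized loss exposure.

Added example (not part of the original page). Every number below is a
constructed, hypothetical calibrated estimate for a fictional scenario.
"""
import random
import statistics

# Calibrated estimates are given as (minimum, most likely, maximum) triples,
# the usual input shape for a FAIR analysis.
SCENARIO_INHERENT = {
    "name": "Lead-to-cash order portal, before audit finding remediation",
    "tef": (2, 6, 15),               # threat events per year (constructed)
    "vuln": (0.30, 0.50, 0.80),      # probability a threat event becomes a loss event
    "lm": (20_000, 80_000, 400_000),  # loss magnitude per loss event, in currency units
}
# Same scenario after the remediation control (e.g. the audit finding is closed):
# only the vulnerability factor changes, which is what a control normally buys you.
SCENARIO_RESIDUAL = dict(SCENARIO_INHERENT,
                         name="Lead-to-cash order portal, after remediation",
                         vuln=(0.02, 0.05, 0.15))
# Constructed risk appetite statement: 90th-percentile annual loss must not exceed this.
APPETITE_P90 = 300_000


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a modified PERT distribution spanning [low, high].

    PERT is a Beta distribution reshaped so that `mode` is the most likely value,
    which matches how subject-matter experts give calibrated estimates.
    """
    if high <= low:
        return low
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def simulate_annual_loss(rng, scenario):
    """Simulate one year: LEF = TEF x Vulnerability, then sum the loss magnitudes."""
    threat_events = round(pert_sample(rng, *scenario["tef"]))
    p_success = pert_sample(rng, *scenario["vuln"])   # vulnerability for this year
    total = 0.0
    for _ in range(threat_events):
        if rng.random() < p_success:                   # threat event became a loss event
            total += pert_sample(rng, *scenario["lm"])
    return total


def fair_exposure(scenario, trials=10_000, seed=1):
    """Return summary statistics of simulated annualized loss for a scenario.

    A fixed seed keeps the run reproducible, which matters when the numbers
    end up in a board paper and someone wants to re-derive them.
    """
    rng = random.Random(seed)
    losses = sorted(simulate_annual_loss(rng, scenario) for _ in range(trials))
    return {
        "mean": statistics.fmean(losses),
        "p50": losses[len(losses) // 2],
        "p90": losses[int(0.9 * len(losses))],
        "max": losses[-1],
    }


def within_appetite(exposure, appetite_p90=APPETITE_P90):
    """Risk appetite check: is the 90th-percentile annual loss inside tolerance?"""
    return exposure["p90"] <= appetite_p90


def compare_scenarios(inherent=SCENARIO_INHERENT, residual=SCENARIO_RESIDUAL):
    """Side-by-side view a program review would present to leadership."""
    before, after = fair_exposure(inherent), fair_exposure(residual)
    return {
        "inherent": before,
        "residual": after,
        "inherent_within_appetite": within_appetite(before),
        "residual_within_appetite": within_appetite(after),
        "p90_reduction": before["p90"] - after["p90"],
    }


if __name__ == "__main__":
    result = compare_scenarios()
    for label in ("inherent", "residual"):
        e = result[label]
        print(f"{label:9s} mean={e['mean']:>12,.0f} p50={e['p50']:>12,.0f} "
              f"p90={e['p90']:>12,.0f} max={e['max']:>12,.0f}")
    print("inherent within appetite:", result["inherent_within_appetite"])
    print("residual within appetite:", result["residual_within_appetite"])
```

The output is the kind of evidence the review produces: the inherent scenario breaches the constructed appetite threshold at the 90th percentile, the remediated scenario does not, and the difference between the two p90 figures is the quantified value of the control that the business case can be weighed against. Replacing the constructed triples with the organization’s own calibrated estimates is the only change needed to apply the same check to a real program.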
A logical follow-on activity is the establishment of an enterprise risk register. This repository captures the risk treatment, documentation and oversight procedures for critical assets. It serves as the single source for documenting any ‘in-flight’ projects designed to improve controls and reach the desired target state of residual risk. This significant evolution of the integrated risk management (IRM) program provides the foundational elements for the cultural transformation to a more ‘risk-aware’ organization. By setting the right tone at the top, the board of directors and C-suite can reinforce the importance of proper risk treatment and explain how it contributes to the organization’s sustainable success. For organizations that use a Three Lines of Defense model, this activity often results in process improvements that further enable the first line of defense (1LoD) to proactively manage risk throughout the entire lifecycle of a project. This organizational core competency of integrating risk management into business-as-usual activities will become increasingly important as most industries anticipate a growing regulatory burden, often centered on emerging risks (e.g., data privacy, reporting, cyber).