Doing Risk Assessments Right
Most organisations follow a sample-based approach to identifying risk or gaining assurance, for reasons of cost and practicality. Risk assessments are already widely used and accepted as a method for risk identification and assurance. They can be an extremely powerful and cost-effective tool when done right, and an utterly useless one when done wrong. Consider the global practice of filing tax returns: a highly effective way of getting billions of people to declare their income and deductibles through a self-assessment process. The previous Safe Harbor scheme, on the other hand, is an example of using self-assessments very poorly: they were applied without any controls or meaningful oversight.