Alyned Thinking

Why new thinking is needed and how we are putting our expertise to work.

Doing Risk Assessments Right

Multi-coloured measuring tape

Most organisations follow a sample-based approach to identifying risk or gaining assurance, for reasons of cost and practicality. Risk assessments are already widely used and accepted as a method for risk identification and assurance; they can be an extremely powerful and cost-effective tool when done right, and an utterly useless one when done wrong. Consider the global practice of filing tax returns: a highly effective way of getting billions of people to declare their income and deductibles through a self-assessment process. The former Safe Harbor scheme, on the other hand, is an example of self-assessment applied very poorly, with no controls and no meaningful oversight.

New technologies, such as Alyne, are making assessments significantly easier, more cost-effective and highly scalable. Unfortunately, this alone does not guarantee that your assessments will be successful. How do you get honest responses? How do you make sense of all the data in the results? The following tips should help you get meaningful results from your Alyne assessments:


  • Find the right mix
    There are multiple formats for running assessments. Starting from a self-assessment, you can provide additional guidance by running a virtual assessment, in which you moderate the assessment and interact with recipients via video or phone conference. The most intensive format is an on-site assessment. Requesting evidence or comments for each question can further raise assurance, but also increases effort.

    We recommend combining the various formats to achieve the best results while minimising effort. Use more intensive assessments (e.g. on-site assessments) for high-risk areas, and less intensive assessments (e.g. self-assessments) for lower-risk areas. It is important to always perform an additional on-site or virtual assessment on a sample of your self-assessed recipients, and to inform recipients that such a sample will be taken. This creates an incentive to provide honest responses in the self-assessment. You can use Alyne to document all of these assessment types and analyse results across your campaign.

  • Be clear about expectations
    The better your recipients know what to do, the faster you get the results you want. One key aspect is a clear and precise definition of scope. If the scope of what you are asking is not specific, your recipients will be unclear about your expectations and the results may not be reliable. In Alyne, this means defining an appropriate title and adding a meaningful description. Alyne’s workflow provides additional guidance for your recipients, such as a searchable glossary, user guides and specified deadlines.

    You should also be clear about the intention of your assessment and the potential consequences of its results. This includes the impact of significant deviations between self-assessment outcomes and an on-site sample check. Your recipients should understand why you are requesting their input and what is at stake for them.

  • Define a set of controls and policies
    Based on your scope and your general expectations of your recipients, define the expected behaviours and states that would satisfy your requirements. For example, when assessing User Access Management, decide which processes and standards must be followed, so that you can measure each recipient’s compliance against these expectations.

  • Ask the right questions
    Consider your recipients carefully and select an appropriate set of questions for the proposed assessment format. Recipients who need a lot of guidance, and of whom you want to ask a large set of questions, may be best assessed in a workshop format. You might also consider starting with a high-level self-assessment and adding a more detailed moderated assessment for areas of identified risk. Be aware that you may be asking your recipients to commit multiple person-days of effort to respond to an assessment set of 400 or more control statements.

    Alyne also enables you to set a desired expectation. The maturity scale ranges from non-existent processes to industry-leading best practices. Select the expected maturity carefully and adapt it to your recipients. For example, do you expect the vendor who services your printers to have the same industry-leading identity management processes you expect from your data centre operator?

  • Be responsive
    Part of our inspiration to build the Alyne product was the experience of many poorly executed self-assessments throughout our careers. Initial responses were often insufficient, resulting in endless email chains and poorly versioned spreadsheets. With Alyne, we’ve given both assessors and recipients the opportunity to communicate throughout the assessment, using social-media-style comments and chats. Your recipients will be more engaged if you are responsive in answering their questions, and the quality of responses will increase if you offer timely guidance. Also monitor the progress of all your recipients diligently. If you see the assessment period running out without sufficient progress, send a reminder in time.

  • Draw the right conclusions
    With digitalised solutions such as Alyne, it is easy to generate a large amount of data through large assessments with many recipients. The challenge becomes drawing the right conclusions from the available information. Alyne provides powerful risk reporting functionality to assist you with this. Try to identify both individual risks from specific recipients and patterns, risk clusters and cumulative risks, by generating multiple reports for various combinations of assessment responses.
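The two analyses the post asks for, flagging significant deviations between a self-assessment and its on-site sample check, and rolling individual maturity gaps up into per-control clusters, can be carried out as below. This is an added example, not Alyne's own code or reporting logic; the numeric maturity scale (0 = non-existent to 4 = industry leading), the control names and the recipient responses are all constructed.

```python
"""Maturity-gap analysis over constructed assessment responses (added example, not Alyne's code)."""
from collections import defaultdict

# Assumed numeric form of the maturity scale described in the post:
# 0 = non-existent processes ... 4 = industry-leading best practices.
MATURITY = {0: "non-existent", 1: "initial", 2: "defined", 3: "managed", 4: "industry leading"}

# Constructed sample. Each row: recipient, control, expected maturity (set per recipient,
# e.g. lower for the printer vendor than for the data centre operator), self-assessed
# maturity, and the maturity verified on site (None if the recipient was not sampled).
RESPONSES = [
    ("datacentre-op",  "UAM-01 joiner/mover/leaver",     4, 4, 4),
    ("datacentre-op",  "UAM-02 privileged access review", 4, 3, 3),
    ("printer-vendor", "UAM-01 joiner/mover/leaver",     2, 2, None),
    ("printer-vendor", "UAM-02 privileged access review", 2, 3, 1),
    ("cloud-vendor",   "UAM-01 joiner/mover/leaver",     3, 3, None),
    ("cloud-vendor",   "UAM-02 privileged access review", 3, 1, None),
]


def individual_gaps(responses):
    """Gap between expected maturity and the best available observation per recipient/control.

    The on-site result overrides the self-assessment where a sample check was done.
    """
    gaps = {}
    for recipient, control, expected, self_m, on_site in responses:
        observed = on_site if on_site is not None else self_m
        gaps[(recipient, control)] = max(0, expected - observed)
    return gaps


def sample_deviations(responses, threshold=2):
    """Sampled recipients whose self-assessment overstated maturity by at least `threshold`."""
    return [(r, c, s, o) for r, c, _e, s, o in responses
            if o is not None and s - o >= threshold]


def cumulative_gap_by_control(responses):
    """Sum the individual gaps per control across all recipients to expose risk clusters."""
    totals = defaultdict(int)
    for (_recipient, control), gap in individual_gaps(responses).items():
        totals[control] += gap
    return dict(totals)


if __name__ == "__main__":
    for key, gap in individual_gaps(RESPONSES).items():
        print(f"{key[0]:15} {key[1]:32} gap={gap}")
    print("overstated in sample:", sample_deviations(RESPONSES))
    print("cumulative gap per control:", cumulative_gap_by_control(RESPONSES))
```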

The bottom line is this: poorly executed assessments will not deliver valuable results and will end up as administrative busy work for your recipients. However, by selecting the right assessment format, defining clear expectations, asking the right questions and closely managing the assessment, Alyne provides you with a highly scalable and cost-effective solution for gaining significantly enhanced transparency and contextual insight into your current risk exposure.

Photo Credit: GabiPott / photocase.de

Author: Karl Viertel
About the author
Founder & CEO of Alyne, IT security professional, gadget enthusiast.