Risk Assessment Requirements

One of the things on people’s minds when they go through an audit is, “How much do I have to show in order to prove to the auditor that we’re doing enough? How much is enough when you’re conducting a risk assessment?” And for my part, I really want to emphasize to you that the format, the documentation, and the comprehensiveness of your risk assessment are not necessarily the most important thing. I would rather hear from an organization that understands its risk, is able to articulate what the risk is, and is able to communicate what it is doing about the risk, and what controls it has put into place in order to address specific risks. I would rather have that than an actual formal, written risk assessment. Sometimes people will produce written documentation, but they won’t be able to explain what it means, or what’s included in it, and at that point it’s really meaningless. So, a company that embraces the risk assessment process, and understands how to discuss those risks, list them out, and articulate what’s going on, that is the most important thing. So, if you can do that, you are going to be really well prepared to meet with your auditor and provide evidence that you understand what risk management means to you.

