Should I Share Our Risk Assessment
Many times, when you complete a risk assessment, the results will go somewhere. Let’s talk about the potential audience who will be interested in seeing the results of your risk assessment. I want to start off with the board. Whether or not you are an organization that has a formal board of directors, or whether you are a privately held company that is owned by a single individual, the responsible party for governance and oversight for the organization should absolutely know what the results of your risk assessment are. Those individuals should even be involved in the process. So, you want to make sure that they’re well informed about what you’re doing, when you’re doing it, and what the results are. There are other stakeholders within your organization. Maybe you have compliance personnel who will have to maintain documentation for the audits that you go through, an auditor will want to see risk assessment results. If you’re going through audits such as PCI, or HIPPA, or ISO or SOC2, or any other industry standard framework that’s out there, they will all require a risk assessment, and you’ll have to have the proof in order to show your auditor. You’ll have customers who’ll want to see a copy of your risk assessment. You may decide what that format looks like and specifically what parts of your process you’re sharing with your customers, but it’s certainly customary today for clients to ask for and receive a copy of your risk assessment results. If you’re in a regulated industry, you will have examiners or regulators who will come in and want to see those results as well. So, this is a very important document, it's a very important process for you to complete at least annually, if not maintained on a regular basis throughout the year so that you can provide the latest and most up to date report whenever you’re asked to provide it.