What Risk Assessment Documentation is Necessary

One of the things your auditor is going to ask you for is a lot of paper. We talk about paperwork: policies, procedures, risk assessments, program understanding, guidelines. All of these things are integral to a good audit. But why does an auditor care? What do they represent? Why should you consider this idea of getting good paperwork around your company and the services you provide?

The first reason is survivability. Many organizations have key personnel who completely understand a process, and those key personnel may not be with you forever. Whether they win the lottery and move to the Bahamas or just find a new family opportunity somewhere else, losing key internal intelligence can drive faults in process. Capturing that intelligence in a written procedure or in a functional policy goes a long way toward making sure that the thing you’ve built continues functioning when key pieces of it go missing.

Further, documentation expresses maturity. It shows us repeatability. It tells us that you understand the very processes you’ve put in place to deliver the services you’re providing. Good procedures tell us that you get it, that you understand your own service delivery.

And finally, you cannot secure something that you do not know you have. Understanding the flow of your processes and expressing your desires through policy gives us an environment that is inherently securable. It lets everyone know what something should look like, so that you can find discrepancies and understand those shadow processes that go around and attempt to skirt issues within your environment. It also gives your employees a place to come talk to you about faults in process. They can point to a piece of paper and simply say, “This part isn’t working.” From there you can have a good discussion about how to make things better.

Many people are resistant to writing policies and procedures, and many look at them as a necessary check-box exercise for an audit. But I would posit to you that policies and procedures, good policies and procedures that truly express what you do and who you are, are fundamental to having a good operation that survives, grows, and thrives.

