Who is Involved in a Risk Assessment
Transcription
So, you’ve watched these videos and you’ve decided that you're going to do a risk assessment, and this process seems like a good idea to you and to your organization. Who should you bring to the table? That question gets asked a lot of an auditor who discusses risk assessment, and even more so when we go out on risk assessment activity. My response is always the same. I want to see the people that run your organization, the ones that know how the company truly operates. Let them be the ones that guide you in assessing your risks. Around your risk assessment table should sit both company principals and company employees with a stake in the processes that you’re evaluating. Make sure that you get input from your own internal subject matter experts on your own processes. Where can things go wrong? What are we doing to prevent those things from going wrong? How do we quantify that risk? Often the CEO, or the CTO, or the CSO are the wrong people to ask that question to. You really do need to get the people in your organization with the on-the-ground view of the risks that you’re operating against.