Evaluate – When a risk is assessed as high but an assurance structure is in place to mitigate the risk, the appropriate response would be testing or assessment activities to independently evaluate the risk mitigation in place. Think: SOX testing or process audits.
Improve – When an organization has high risk exposure and a high perceived assurance gap, the appropriate response is likely to improve the overall processes and implement or strengthen controls to mitigate risk exposure. Think: pre-system implementation support.
Optimize – When assessed risk is low and the assurance gap is lower than the desired threshold, the risk is likely over-managed. Organizations will look to risk functions to improve, automate or rationalize control activities in these cases to better allocate resources in line with risk. Think: process redesign.
Monitor – When assessed risk is low and the perceived assurance gap is high, risk functions will leverage technology to track key performance and risk indicators. Think: continuous monitoring.
Your risk steward will play a pivotal role in helping decision-makers understand their assurance gaps while creating a calculated and purposeful response. Their goal is to work with stakeholders to find the right balance between evaluating, improving, optimizing and monitoring risks to confirm completeness of coverage while being judicious with time and resources. Leading companies are leveraging technology as a crucial component to find harmony in these four areas to build a coordinated risk response that inspires trust and confidence among stakeholders.