16.- SOME DEADLY SINS OF RISK MANAGEMENT.
- Not understanding the context.
- Not adequately defining the scope of the assessment.
- Risk assessment is viewed as an episodic initiative providing limited value.
- Risk assessment is bolted onto day-to-day responsibilities without being integrated into business processes (risk assessment discussion is not part of business planning, execution, and evaluation meetings).
- Failing to use existing organizational skills and knowledge in a team environment.
- The amount of information and data gathered is difficult to interpret and use (failure to effectively organize and manage the volume and quality of assessment data).
- Failing to understand the available risk assessment tools well enough to select the right one for the job.
- Too many different risk assessments are performed across the organization (there is not a shared approach for performing risk assessments).
- Results of the risk assessment are not acted upon (failure to follow up on the actions and measures arising from the assessment).
- Automatically assuming the reliability and effectiveness of existing controls.
- Implementing controls that do not address the identified priority risks.
- Failing to test effectiveness and consequences of controls.
- Risk assessments become stale, providing the same results every time (without refreshing their data capture, process, and reporting from time to time, risk assessments may lose relevance).