Blog | April 30, 2021 | 3 min read

What is Your IT Risk Assessment Costing You?

The IT risk assessment process is the most tried and true method of collecting and aggregating risk insights across the business. But supporting that process with newer technology has been slow on the uptake. Most organizations are so busy responding to risk and compliance issues, and initiating action to stay ahead of them, that they never get the opportunity to ask whether there is a better way. IT risk assessments are a critical piece of your risk management program. Still, the manual nature of spreadsheets and email could be holding your organization back, and even costing you resources that the business could apply elsewhere.

Problem #1: Data Collection Process

  • A multi-step process with opportunities for delayed completion: distributing IT risk assessments and coordinating between risk management and your lines of business.
  • Collecting input and confirming answers across stakeholders: a single person may not have the information for an entire assessment, but they still receive the full questionnaire.
  • Respondent effort: the time it takes each respondent to review, address, and complete all relevant questions.

Problem #2: Response Quality

  • Answers may not match the intended inquiry: assessment questions are often very pointed, with little explanation or context to give the respondent a clear understanding of what is being asked.
  • Hindsight perspective: point-in-time responses, and the lag in logging static pieces of data, quickly age out of scope as a measure of your “current” exposure.

Watch the webinar: 10 Essential Steps to Rethinking Risk Assessments

Time is Money: Calculating Your IT Risk Assessment Resources

Risk managers build out elaborate spreadsheet-based questionnaires to collect insights from the business line about day-to-day operations and to gauge where risk may be exposed. Risk assessments cover a breadth of scenarios and therefore tend to be quite lengthy. Tailoring every spreadsheet to the respondent’s domain knowledge would not only take more initial time; if you are managing the assessments in a spreadsheet or a strictly tabular format, it would also create additional effort to correlate the fields across the IT risk assessment variations.

  1. How much time do you spend creating an assessment?
  2. How long does it take your organization to receive the completed assessment?
  3. How old is the data by that point?
  4. How much time is spent following up on outstanding assessments?
  5. How often do you need to follow up with stakeholders to clarify or explain their responses?

A traditional risk assessment process will take about…

  • One week to design the assessment or confirm the scope within the second line.
  • One day per risk owner to review and complete.
  • One week to check answers and analyze the associated risk.
  • Three or more weeks to evaluate and treat the risk.

This timeline does not account for extended delays in completion, or for follow-up to clarify or collect additional information from respondents and related business stakeholders. Even without those delays, the extra manual effort and hours add up on their own for your risk managers and line-of-business risk owners.

The average salary for a risk manager in Atlanta, Georgia is $112,565, amounting to about $431 per working day.

  • One week to design: $2,156
  • One day to respond: $431 (single risk owner)
  • One week to analyze: $2,156
  • Three weeks to evaluate and treat: $6,468

Based on the groundwork and execution of a single IT risk assessment in this simplified example, one assessment can cost up to $11,211 in staff time alone.

Spreadsheets are an asset for many businesses because they are readily available, provide a flexible structure, and are familiar across the company. While spreadsheets have traditionally been the least complicated option, that is no longer the case. Organizations need to rethink how they execute risk assessments on a modern platform rather than relying on the traditional “ease” of execution in spreadsheets.

“By leveraging OneTrust, ClearDATA saves 3,000+ minutes (over 50 hours!) a year by automating this assessment process.” – Jonathan Slaughter, Director of Compliance, Security, and Privacy, ClearDATA

The real costs of IT risk assessments can be quite high and resource intensive. Risk leaders must be able to streamline this process to improve the quality of responses and gain additional efficiencies using dedicated assessment technology and automation. IT risk assessments today should be dynamic and responsive, presenting the most relevant information to the designated stakeholders.

