
What Is Truth to Power?

Truth to Power (T2P) is:

  - dedicated to bridging the gaps between governance and practice, technology and business, regulation and control, risk management and real market pressures, and your own knowledge and the knowledge of your peers.
  - built to create a common pool of knowledge—one big brain—that lets you work more efficiently, build technology and business practices more effectively, and endure audits more effortlessly.
  - a neutral hub through which you can reach many valuable information nodes, resource collections, and organizations that are already helping people like you, but in fractured ways.
  - against the idea that auditors, analysts, and consultancies can control information simply through their ability to collect and distill it. T2P's goal is to unlock the vast body of knowledge, insight, and conventional wisdom that we all have, make it freely available to you, and help you digest and interpret it—without undue cost, bias, or hype.

CRC Deep and Wide

The Control & Risk Calculator is designed to help you record, track, assess, and prioritize the controls that bound your company's information use, protection, and preservation. In general, its utility is predicated on three categories of information about your organizational environment:

  1. System(s)—loosely defined as any technology environment, data set, or business process to which a common set of controls apply. You can define any number of systems.
  2. Controls that cover your defined system(s), including control characteristics and significant organizational factors that are likely to impact their effectiveness. You can define any number of controls for any given system.
  3. The risk environment against which your defined controls protect. The CRC does not track specific risks; rather, it seeks to ascertain key qualities of the total risk environment.

As noted in the CRC Overview, you can define your control environments and efforts for the CRC in any way that's useful and meaningful in the context of your own governance goals. The CRC does, however, provide some structure in its assessment functions. Most of its information is gathered through simple questionnaires similar to this:

Control and Risk Calculator questionnaire

The example above is the Control and Risk questionnaire. After you've defined a system, about 20 questions help you rank and identify characteristics of the controls and risks associated with that system. Based on your answers, the CRC generates several measurements and ratings that culminate in a "risk-based control recommendation" for each control. This calculation reflects the system, control, and risk characteristics you've specified, tempered by your defined organizational risk tolerance.

For example, the following diagram represents just three simple scenarios (reflecting the cumulative scores of characteristic types) that will produce specific action recommendations:

Control and Risk Calculator Scenarios


Although recommendations have only three states—"no action indicated," "eventual action" and "immediate action"—there are many ways to arrive at any given state, and the CRC algorithm for calculating action recommendations does reflect every characteristic you define.

Within the CRC interface, these recommendations look something like this:

Control and Risk Calculator Tracking Table, Closed


The Control Tracking table shown above has many uses, in addition to the risk-based control recommendations it displays. By expanding the table to show all columns and data, you can review all of the data and intermediate calculations that cumulatively support your risk-based control recommendations. This is effectively a 20,000-foot view of your organization's risk and control landscape, on demand and at your fingertips.

The CRC's ability to let you see your system weight, risk factors, and control environment side-by-side is one of its more useful functions. Many organizations store and track these types of information separately, which can lead to fragmented and fuzzy risk analyses. Helping you to reduce such fragmentation is one of the things the CRC is designed to do. The following image shows what a fully expanded Control Tracking table might look like. Note that this is the same table shown in the previous image, except with all information revealed:

Control and Risk Calculator - Control Tracking Table, Expanded


Within the Control Tracking table, you can sort controls by recommended action or ID. Sorting by action will effectively result in a prioritized list of control activities, wherein controls that are likely (according to the data you've provided) to need more immediate augmentation or support are listed first.

The CRC is also designed to support risk management that's responsive to ever-changing variables of control strength, risk conditions, and systems definitions. Within the Control Tracking table, you can very easily change or update the control and risk characteristics for any defined control, and then review the impact of those changes both on the CRC's intermediate calculations and final risk-based control recommendation. In addition, you can always change any system's characteristics, which will impact and update the calculations of all controls defined for that system.

What the CRC doesn't do

The CRC cannot create a compliance or risk management program for you. In its current state, it can only augment your ongoing control and risk efforts. Because every organization approaches these efforts uniquely, the CRC does not require, predefine, or presuppose the existence of any particular systems, controls, or risks. Instead, it represents a generic framework designed to leverage your prior work and management efforts.

The CRC does not have any inherent insight into your organizational risks and environments. Its value as a compliance and risk management support tool is dependent on the completeness and quality of the information you provide. More—and more accurate—information is likely to produce more relevant control measurements and recommendations.

The CRC can't tell you what controls you need or what risks are impacting you. Its calculations depend on your prior knowledge of these risk management factors.

In its current version, the CRC does not reflect system dependencies. Although you are encouraged to define upstream and downstream dependencies in your system definitions, these relationships are not factored into your control or risk calculations. We hope to provide a way to incorporate the impact of dependencies in future CRC updates.

Finally, the CRC does not reflect specific uncertainty. Currently, the CRC's algorithms primarily reflect uncertainty through a slight bias towards higher risk than is strictly reflected by your inputs. For example, if you define a system (technology, process, or information) as extremely critical and sensitive, the CRC will never produce a "no action indicated" recommendation—even if you specify the strongest possible control environment and lowest possible risks. The implicit assumption is that critical systems are always subject to unrecognized risks and should therefore always be subject to review. In future updates, we hope to allow you to factor in more specific uncertainty for both individual controls and the risk environment.
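As an added illustration (not the CRC's own code, whose scoring is not given on this page), the following toy Python model assumes 1-to-5 characteristic scores and invented thresholds to show the three recommendation states, the risk-tolerance tempering, the critical-system floor described above, and sorting of the tracking table by recommended action.

```python
"""Toy model of a three-state, risk-based control recommendation.

Added illustration, not T2P's CRC code: the CRC's real scoring is not
published on this page, so the score ranges, weights and thresholds here
are assumptions chosen only to exhibit the behaviour the text describes.
"""
from dataclasses import dataclass

NO_ACTION = "no action indicated"
EVENTUAL = "eventual action"
IMMEDIATE = "immediate action"


# All characteristic scores are assumed to be integers on a 1..5 scale,
# where 5 is the most critical system, the strongest control, the highest
# risk environment and the most risk-tolerant organisation respectively.
@dataclass(frozen=True)
class Control:
    control_id: str
    system_weight: int   # criticality/sensitivity of the system it protects
    strength: int        # how strong the control itself is
    risk: int            # severity of the risk environment it faces


def exposure_score(c: Control, risk_tolerance: int) -> int:
    """Residual-exposure score: higher means the control needs more attention.
    Risk tolerance lowers the score (a tolerant organisation accepts more)."""
    return c.system_weight + c.risk - c.strength - (risk_tolerance - 3)


def recommend(c: Control, risk_tolerance: int) -> str:
    """Map a score to one of the three recommendation states.

    The 'uncertainty bias' from the text: an extremely critical system
    (weight 5) never yields NO_ACTION, however strong its controls, on the
    assumption that critical systems carry unrecognised risks."""
    score = exposure_score(c, risk_tolerance)
    if score >= 5:
        return IMMEDIATE
    if score >= 2 or c.system_weight == 5:
        return EVENTUAL
    return NO_ACTION


def prioritise(controls: list[Control], risk_tolerance: int) -> list[str]:
    """Sort by recommended action, most urgent first, like the tracking table."""
    order = {IMMEDIATE: 0, EVENTUAL: 1, NO_ACTION: 2}
    ranked = sorted(controls, key=lambda c: (order[recommend(c, risk_tolerance)],
                                             -exposure_score(c, risk_tolerance)))
    return [c.control_id for c in ranked]
```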

Further information: