Forgotten risk vectors and the shifting audit 'verse
Monday, 05 January 2009 23:21

It's natural to stick to what you know. This impulse can serve us well in risk management, since it predisposes us to find problems in existing process. However, from the broader view of business performance, sticking with what we know (and have) can present something of a problem.

Risk exists on many fronts and has at least a couple of faces. Still, the risk management field as a whole tends to focus fairly narrowly on internal operational risks and their likelihood of causing failure. Meanwhile, we ignore external factors that can sink the ship altogether. And we fail to recognize opportunity risks; that is, opportunities that, if we only acted on them, would improve the bottom line. A more comprehensive risk management approach must look beyond our immediate environment and seek to assess factors that act upon the business, such as...

 External factors (i.e., potentially critical outliers):
  • Regulation (control requirements and whether the strategy responds to regulatory changes that should impact existing processes)
  • Competitive pressures—responsiveness of new systems
  • Threatscape—whether security controls are responsive to known and emerging threats, how well controls are baked into development strategies, etc.
  • E-discovery requirements—the operational ability to respond to legal requests without jeopardizing 
  • Vendor/supplier/outsourcer characteristics—including stability, reliability, and predictable M&As—and their potential impact on technology availability and costing
  • If IT adheres to an external standard or framework, whether/how updates to that framework are reflected (or can be practically reflected) in the strategy. Recent updates include COBIT 4.1, ITIL v3, Sedona, and new ISO 27x releases
  • Systems continuity (responsiveness to environmental factors that might impact systems continuity; e.g., if processes generate critical data, whether remote backup is included in the strategy and budgeting)
  • Physical risks, such as changes to facilities and infrastructures that should impact IT development and processes

(Missed) opportunity risks:

  • Whether IT uses or has even evaluated cost/benefits posed by relatively new tools and techniques—virtualization, -ML standards, agile development methodologies and developer marketplaces, etc.
  • Tax credits, grants, or other incentives for green IT
  • Vendor consolidation—or even more broadly, contractual standards
  • Potential process and market opportunities implicit (but ignored) in proposed strategy

These factors are all similar in that they're not things the business is doing. They're either things it could be doing or they're causals—conditions imposed on the business by external forces and entities. Yet they all represent valid and potentially material risks that should be recognized and assessed.

Now, let's shift gears for a moment.

The impetus for this post actually came up in an audit context, where the question of what should be audited was raised. I believe this question will be increasingly debated in coming years, and it's intimately related to current questions of the value of internal audit (and auditors) to corporate strategy.

Should auditors seek to advise on opportunity risks, as well as loss risks? Certainly, much of this goal is beyond the scope of conventional audit responsibilities...but is it really in the interest of businesses to draw a line between "you're missing out and something bad is going to happen" and "you're missing out and something good is going to pass you by?"

Another way to look at the question is, should audit aspire to a leadership role in which it guides corporate strategy based on process-oriented business-performance assessment? Or should this advisory function reside with dedicated risk managers? Or should it, as is often the case now, be implicit (and thus unmeasured) in business and IT management roles outside of both formal audit and risk management functions?

One contingency to consider is the potential influence of external auditors on auditing norms. As the extraordinary revenue streams from SOX audits taper off, external audit firms are under increasing pressure to make up that revenue through broader service offerings. Continuing to expand the scope and strategic contribution of external audits to encompass performance-improvement recommendations is an attractive opportunity. (In fact, it's already happening.) This shift will inevitably influence the perceived role of internal audit as well, pushing it into new areas of corporate governance that are well beyond conventional, tactical, and control-oriented assessments.

If you're an auditor, a risk manager, or even just perform one of the risk evaluation functions listed above, I'd be interested in hearing your thoughts on these questions; in particular:

  • Does your company systematically assess external and opportunity risk factors? If so, who performs those assessments?
  • Should auditors try to assess business opportunity risks?
  • Is the role of audit changing? If so, where is it headed?

PM me through my profile, use the form on this page, or e-mail me. Any way you choose, I look forward to hearing from you.

