Watch the Game Film! - Review and Revision

Last time, I wrapped up discussing the 3rd COSO guiding principle, Performance. This week, I will begin to discuss the 4th COSO guiding principle, Review and Revision.

Again, COSO has 5 guiding principles: 

  1. Governance and Culture

  2. Strategy and Objective-Setting

  3. Performance

  4. Review and Revision

  5. Information, Communication and Reporting

After a football game, a football team will review its game film and performance and make any adjustments it needs to improve before the next game. A cybersecurity team must do the same for all of its processes, but especially for risk management.

An organization should reassess its ERM (enterprise risk management) program over time as its business objectives change. Cybersecurity programs must do the same given a constantly evolving technology and threat landscape. This includes removing security controls, if necessary (the horror).

Continually reassessing cyber risk management practices ensures cybersecurity teams remain aligned to organizational objectives and can continue to identify and manage risks associated with new threats and vulnerabilities.

Our challenge as cybersecurity leaders is to do this faster and more efficiently to keep up with the pace of innovation and digital transformation throughout our organizations.

The three COSO principles for Review and Revision are (COSO, 2017):

  1. Assesses Substantial Change

  2. Reviews Risk and Performance

  3. Pursues Improvement in Enterprise Risk Management

In the upcoming weeks, I will discuss HOW to execute on each of these principles.

As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up.

Have a great week!
