The best way to justify the risk mitigation actions recommended in a risk assessment would be to focus on the business drivers, which are the factors that influence the organization’s objectives, performance, and value creation12.
Focusing on the business drivers means aligning the risk mitigation actions with the organization’s strategic goals, priorities, and values, and demonstrating how the actions will support or enhance the organization’s capabilities, opportunities, and competitive advantage12.
Focusing on the business drivers also means communicating the benefits, costs, and trade-offs of the risk mitigation actions to the relevant stakeholders, and showing how the actions will address the organization’s risk appetite, tolerance, and exposure12.
The other options are not the best way to justify the risk mitigation actions, but rather possible sources of information or guidance that may support the justification. For example:
Aligning with audit results is a way to validate the effectiveness and efficiency of the risk mitigation actions, and to identify any gaps or weaknesses that need improvement34. However, audit results may not reflect the organization’s current or future business drivers, and may not capture the full scope or impact of the risk mitigation actions34.
Benchmarking with competitor’s actions is a way to compare the organization’s risk mitigation actions with the best practices or standards of the industry or market, and to identify any areas of improvement or differentiation56. However, competitor’s actions may not be suitable or applicable for the organization’s specific context, needs, or challenges, and may not align with the organization’s business drivers56.
Referencing best practice is a way to adopt the proven or accepted methods or techniques for risk mitigation, and to ensure the quality and consistency of the risk mitigation actions78. However, best practice may not be the most optimal or innovative solution for the organization’s unique situation, and may not address the organization’s business drivers78. References =
1: Risk IT Framework, ISACA, 2009
2: IT Risk Management Framework, University of Toronto, 2017
3: IT Audit and Assurance Standards, ISACA, 2014
4: IT Audit and Assurance Guidelines, ISACA, 2014
5: Benchmarking IT Risk Management Practices, ISACA Journal, Volume 4, 2017
6: Benchmarking: A Tool for Improving IT Risk Management, ISACA Now Blog, March 27, 2017
7: IT Risk Management Best Practices, ISACA Journal, Volume 1, 2018
8: IT Risk Management Best Practices, ISACA Now Blog, January 9, 2018