Weak or missing risk assessment
Many organizations don’t understand or are intimidated by the phrase “risk assessment.” Consequently, they don’t do one, or they do an incomplete job. Most risk management and audit standards require a risk-based approach so that controls are focused on reducing the highest risks. Without a good risk assessment, organizations will waste resources on controls that don’t address highest risk.