First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Author Archive - Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more

Risk and game theory

game theory

The Cuban Missile Crisis is frequently cited as an example of the use of Game Theory. I am talking about the situation confronting the Kennedy government when they found that the USSR had installed missiles in Cuba that were capable of hitting American cities with nuclear weapons. Here is a link to a summary of […]

 

, , , , , , , , , , , , , , ,

Do we understand what a risk event is?

COSO ERM talks about the possible effect of an event on objectives, and in common parlance we are talking about something happening that has an effect on the organization. (COSO thinks of risk as the possibility of that event occurring; ISO talks about risk as the effect of what might happen on objectives.)

 

, , , ,

Can you manage technology risk in today’s environment?

This is a new world and we need to re-examine traditional techniques for addressing technology risk. Before assessing and testing controls, challenge management on whether they believe effective security is in place and why. An internal audit team can help with this.

 

, , , , , ,

Are we doing enough about behavior?

I have written about culture as having many facets. Auditing culture is not just about ethics, or risk-taking. It’s about behavior and what drives it. Are we, as individuals (especially when we are in a position of authority, such as any member of internal audit) doing enough?

 

, , ,

COSO ERM explains the flaw in risk appetite statements

Devotion to remaining within risk appetite (if you can even express one that will proactively guide decision-makers) is likely to make you risk averse – and focusing on avoiding harm is the path to avoiding success.

 

, , ,

Is it about managing risk?

Managing risk absent the context of your objectives leads you to manage what may be irrelevant and miss what may be crucial.

 

, , , ,

Getting risk management right

In this commentary on a recent article by Doug Anderson, an advisor on behalf of the IIA on the COSO ERM update project, examples are provided on getting risk management right.

 

, , , , ,

Should you adopt the updated COSO ERM Framework? My assessment

It has been 13 years since the original COSO ERM Framework and eight years since ISO 31000:2009 was published. The updated COSO ERM Framework was an opportunity for COSO to “leap forward”. But did it?

 

, , , , , , , ,

How well did COSO address comments on the ERM draft?

My impression is that COSO only tinkered with the draft. But, have they done enough to move practices forward, in the right direction? Will this update change the percentage of executives answering the piercing question by Deloitte, “Does risk management support, at a high level, the ability to develop and execute business strategies”, up from 13% close to 80%?

 

, , , , , ,

Which are the best principles for effective risk management?

I will let you decide which is the best set of principles: which is clearer in setting expectations for the effective management of risk and which is better as a basis for assessing the maturity of risk management.

 

, , , ,

Is the COSO ERM update a success or failure?

Recently, COSO published an update to their 2004 ERM Framework. The product, retitled Enterprise Risk Management: Integrating with Strategy and Performance, is available from the AICPA or IIA.

 

, , , , ,

How good is your chief risk officer?

A chief risk officer requires certain characteristics to succeed at being the leader of risk management in any organization. This article provides a list of critical attributes for such a leader.

 

, , ,

A conversation about risk with a CEO

Leaving the word “risk” out of a risk discussion with an executive can prove to be a positive way forward when asking what can go right for a project rather than what might go wrong.

 

, , , ,

Wells Fargo and KPMG – did KPMG fail the investors?

My friend Francine McKenna recently had a piece (she is co-author) published by MarketWatch: Where was KPMG, Wells Fargo’s auditor, while the funny business was going on? It is scathing in its discussion of the role played by KPMG.

 

, , ,

Linking risk management to results

The value that is created by an effective risk management is the confidence of the board and decision-makers in the information they use to make decisions.

 

, , ,

Previous Posts Next posts