Inside Internal Controls

News and discussion on implementing risk management

Author Archive - Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.

My cyber confession

Should we give up auditing information security and the management of cyber risk? Not at all. But we should do so with eyes wide open. We should recognize the limitations of our knowledge, tools and techniques and the likelihood that hackers have new techniques that are unknown both to auditors and management.

New GRC guidance from OCEG might be missing a crucial point

GRC is “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity”. A new Guide from OCEG, A Practical Guide About GRC Metrics and Measurement, says a major part of GRC is about “break[ing] down silos between governance, strategy, performance management, risk management, compliance management, internal audit and other departments”.

Reporting on risk to the board

Those charged with reporting on risk to the board and to the executive team should understand what they are trying to achieve, what information they need to be successful and how they can help.

Talking sense about technology risk and cyber

You have to have sponsorship from the CEO and throughout the company to really understand and diagnose IT risks, data security risks and business risks, and then prioritize them.

Don’t forget to audit controls!

It’s best to have management detect issues and for audit to assess whether those detective controls are adequate.

An idea to help drive effective risk management

We want all decision-makers to consider all the potential consequences of their decision (in fact, all the potential consequences for each option on the table) before making an informed and intelligent judgment. What if the quality of decision-making were a significant factor in assessing performance, and thus affected compensation and career progression? This idea could help drive effective risk management.

Is the goal of risk governance taking boards in the wrong direction?

The board is discharging its responsibilities to ensure stakeholders get the performance they should: value creation as well as (and not just) value protection. The board should make sure the management team is effective in running the organization, and that is not done by focusing on a list of harms. Effective governance of an organization is limited if the board focuses on risks.

How do you manage culture?

There are many aspects or dimensions to culture, just as there are many dimensions to the behavior you want it to drive. They may include:

The SEC is changing the rules for SOX s302 certifications to include cyber risks

You may know that the SEC just published new guidance on the disclosures they are required to make related to cybersecurity. But did you realize that the SOX s302 certification now has to address whether disclosure controls are adequate in ensuring that the proper disclosures are made?

The updated ISO risk management standard merits our attention

Neither the ISO nor the COSO updates will, in my opinion, move the understanding and practice of ‘risk management’ to where they need to be. The updates are small steps when leaps were required.

One objective but multiple risks

Some organizations and consultants are wedded to the idea that the level of risk can be quantified and calculated as the magnitude of a potential effect (or consequence) multiplied by its likelihood.

Risk visualization

Risk visualization can help executives make decisions not only to manage risks but to optimize outcomes and achieve objectives. I have to agree with the author of Are we witnessing the demise of the risk register (and the rise of risk visualisation)? He says, “I loathe risk registers”. So do I, but for different reasons. He […]

It’s not about risk management – it’s about the achievement of objectives

I have said many times that it’s not about managing risks: it’s about managing the achievement of objectives. It’s about being successful. Success is measured through the achievement of specified objectives. We improve the likelihood and extent of success if we understand what might happen, both good and bad, as we strive to achieve our […]

How should you assess the effectiveness of risk management?

If an organization seeks to perform at world-class levels, it needs to have highly effective processes and practices for managing what might happen – risk.

Collaboration between the business risk and IT security teams

Take each of your business objectives and plans. Now, figure out what might result from a technology-related failure (noting that ‘technology’ extends beyond the IT function). Then, what are you going to do about it?
