Inside Internal Controls

News and discussion on implementing risk management

Backup and Disaster Planning

Cyber and the board

There’s an interesting article in the Harvard Law School Forum on Corporate Governance and Financial Regulation. What the Capital One Hack Means for Boards of Directors has some interesting insights that merit the attention of risk, cyber, audit, and governance practitioners.

A CIO talks business sense about cyber security and the CISO

Every so often, I see an interesting piece on Forbes.com. This time it is How To Talk To the Board About Cybersecurity. A CIO shares his experience working with boards and advice on that challenge for CISOs. Here are some useful comments (with my highlights):

A proactive approach to cyber risk management

It is not sufficient to say that cyber risk is high, medium, or low. The leaders of the organization need to be able to figure out what is the right level of resources to allocate to cyber defense and response; what is the right level of attention at board and executive committee level; and what should be communicated to shareholders and others.

How to assess the effectiveness of risk management

Internal auditors are expected, according to the IIA Standards and some governance codes, to assess the effectiveness of risk management.

The next generation of internal auditing

I want to congratulate Workiva and Jose Tabuena for Internal Audit’s Guide to Planning, Managing and Addressing Risks. I want to focus on the first piece in that publication, Planning to Do the Right Audits: An Effective Internal Audit Risk Assessment. Here are some excerpts, with comments by me:

Insight into effective risk management

I need to draw your attention to a provocative piece by his firm (presumably by him): The risks of risk management. (My thanks go to Tim Leech for tweeting about it.)

Making intelligent and informed decisions around cyber

The experts continue to bombard us with their advice, insight, and guidance for addressing cyber.

CEOs are not idiots when it comes to risk management

If you consider the small number of organizations where risk management is considered as providing a strategic advantage, one of these alternatives must be true:

Scratching the surface on Facebook and its problems

Facebook Data Exposure Offers Critical Lesson for Internal Auditors makes some good points, including:

Time (again and still) for the IIA Standards to be correct

Internal audit can assist management by facilitating a fraud risk assessment. Management should make the decision both on the level of risk and whether it is acceptable. Internal audit can provide their opinion and advice on both.

Decision-making and the practitioner

McKinsey has shared three articles with insights into effective decision-making.

New reports on the cost and incidence of cyber breaches

A cyber breach can affect an organization in many ways, from trivial to devastating. There is a range of potential effects, each with its own likelihood.

How often should you assess risk?

I recently listened to a new video by my friend, Alex Sidorenko. In How often [should] the risk assessments be performed, he makes some solid points, including:

A board that would fail any test of its governance practices

I am planning a meeting with the CRO from a company during which I had planned to share some of the principles of effective risk management, based on what is considered world-class, and the governance of risk management by the board.

Selecting a framework for managing risk

Carol Williams has a website, ERM Insights, where she writes about risk management (I prefer to talk about the management of risk, rather than risk management, to ensure we are talking about how the organization addresses what might happen, i.e., risk, rather than talking about a function or team).
