First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Backup and Disaster Planning

The state of information or cyber security today

Senior management must understand the state of information or cyber security today and how it affects enterprise objectives and the delivery of value to customers and other stakeholders. A number of recent publications talk to this topic.

 

, , , , , , , , , ,

Do we understand what a risk event is?

COSO ERM talks about the possible effect of an event on objectives, and in common parlance we are talking about something happening that has an effect on the organization. (COSO thinks of risk as the possibility of that event occurring; ISO talks about risk as the effect of what might happen on objectives.)

 

, , , ,

Can you manage technology risk in today’s environment?

This is a new world and we need to re-examine traditional techniques for addressing technology risk. Before assessing and testing controls, challenge management on whether they believe effective security is in place and why. An internal audit team can help with this.

 

, , , , , ,

Updated: Nova Scotia passes new cyber-bullying legislation

On October 5, 2017, the Nova Scotia Legislature introduced Bill No. 27, the Intimate Images and Cyber-protection Act. The Act comes as Nova Scotia’s previous cyber-bullying legislation, the Cyber-safety Act, was struck down in 2015 by the Nova Scotia Supreme Court on constitutional challenge.

 

, , , , , , , , ,

Is it about managing risk?

Managing risk absent the context of your objectives leads you to manage what may be irrelevant and miss what may be crucial.

 

, , , ,

Estonian blockchain-based ID card security flaw raises issues about identity

On August 30, 2017, an international team of security researchers notified the Estonian government of a security vulnerability affecting the digital use of Estonian ID cards issued to around half of the Estonian population. Affecting 750,000 ID cards issued to a population of 1.3 million, the Estonian Information System Authority (RIA) has taken measures to restrict some of the ID card’s security features until a permanent solution is found.

 

, , , , ,

Should you adopt the updated COSO ERM Framework? My assessment

It has been 13 years since the original COSO ERM Framework and eight years since ISO 31000:2009 was published. The updated COSO ERM Framework was an opportunity for COSO to “leap forward”. But did it?

 

, , , , , , , ,

How well did COSO address comments on the ERM draft?

My impression is that COSO only tinkered with the draft. But, have they done enough to move practices forward, in the right direction? Will this update change the percentage of executives answering the piercing question by Deloitte, “Does risk management support, at a high level, the ability to develop and execute business strategies”, up from 13% close to 80%?

 

, , , , , ,

Three cybersecurity trends driving the Bank of Canada’s call for cybersecurity to be treated as a ‘public good’

As the level and sophistication of cyber-attacks continue to grow, there will be a mounting pressure on regulators to continue to develop coordinated, meaningful, mandatory minimum standards that are enforceable against all financial institutions and FMIs as well as their service providers.

 

, , , , , ,

Is the COSO ERM update a success or failure?

Recently, COSO published an update to their 2004 ERM Framework. The product, retitled Enterprise Risk Management: Integrating with Strategy and Performance, is available from the AICPA or IIA.

 

, , , , ,

A conversation about risk with a CEO

Leaving the word “risk” out of a risk discussion with an executive can prove to be a positive way forward when asking what can go right for a project rather than what might go wrong.

 

, , , ,

Six principles for effective risk management

In World-Class Risk Management, I review the eleven principles in the ISO 31000:2009 global risk management standard and condense them to just six.

 

, , , , , , ,

Processes to support information technology effectiveness reviews

This blog post reminds organizations that they should take the time to conduct information technology effectiveness reviews, to evaluate and improve the IT department’s role in achieving the organization’s goals.

 

, , , , , , , ,

What does your risk management activity seek to achieve?

It is essential to understand what an organization needs and how critical the management of risk is before settling on a design, let alone trying to implement or upgrade risk management.

 

, , , , , , ,

The future of risk management

The Institute of Risk Management has a great feature where they have asked people around the world, including a number of luminaries, about the future of risk management.

 

, , , ,

Previous Posts