First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Backup and Disaster Planning

Are you managing risk or are you managing the organization?

Stop managing risk – manage the business. Stop talking about accepting or managing risk and start talking about taking the right risks through informed and intelligent decisions.

 

, , , , ,

My cyber confession

Should we give up auditing information security and the management of cyber risk? Not at all. But we should do so with eyes wide open. We should recognize the limitations of our knowledge, tools and techniques and the likelihood that hackers have new techniques that are unknown both to auditors and management.

 

, , , , , , , , , ,

Talking sense about technology risk and cyber

You have to have sponsorship from the CEO and throughout the company to really understand and diagnose IT risks, data security risks and business risks, and then prioritize them.

 

, , , ,

An idea to help drive effective risk management

We want all decision-makers to consider all the potential consequences of their decision (in fact, all the potential consequences for each option on the table) before making an informed and intelligent judgment. What if the quality of decision-making was a significant factor in assessing performance? Thus affecting compensation and career progression. This idea could help drive effective risk management.

 

, , , , , , , ,

Is the goal of risk governance taking boards in the wrong direction?

The board is discharging its responsibilities to ensure stakeholders get the performance they should: value creation as well as (and not just) value protection. The board should make sure the management team is effective in running the organization, and that is not done by focusing on a list of harms. Effective governance of an organization is limited if the board focuses on risks.

 

, , , , , , , ,

The updated ISO risk management standard merits our attention

Neither the ISO nor the COSO updates will, in my opinion, move the understanding and practice of ‘risk management’ to where they need to be. The updates are small steps when leaps were required.

 

, , , , ,

A step-by-step guide to creating a cybersecurity plan

The first step is easily accomplished by reviewing a few definitions. The second step is trickier. The third step may involve a lot of work, but you can start with six straightforward steps.

 

, , , , , , , , , , , , ,

Risk visualization

Risk visualization can help executives make decisions not only to manage risks but to optimize outcomes and achieve objectives. I have to agree with the author of Are we witnessing the demise of the risk register (and the rise of risk visualisation)? He says, “I loathe risk registers”. So do, but for different reasons. He […]

 

, ,

It’s not about risk management – it’s about the achievement of objectives

I have said many times that it’s not about managing risks: it’s about managing the achievement of objectives. It’s about being successful. Success is measured through the achievement of specified objectives. We improve the likelihood and extent of success if we understand what might happen, both good and bad, as we strive to achieve our […]

 

, , ,

Collaboration between the business risk and IT security teams

Take each of your business objectives and plans. Now, figure out what might result from a technology-related failure (noting that ‘technology’ extends beyond the IT function). Then, what are you going to do about it?

 

, , , , , ,

The state of information or cyber security today

Senior management must understand the state of information or cyber security today and how it affects enterprise objectives and the delivery of value to customers and other stakeholders. A number of recent publications talk to this topic.

 

, , , , , , , , , ,

Do we understand what a risk event is?

COSO ERM talks about the possible effect of an event on objectives, and in common parlance we are talking about something happening that has an effect on the organization. (COSO thinks of risk as the possibility of that event occurring; ISO talks about risk as the effect of what might happen on objectives.)

 

, , , ,

Can you manage technology risk in today’s environment?

This is a new world and we need to re-examine traditional techniques for addressing technology risk. Before assessing and testing controls, challenge management on whether they believe effective security is in place and why. An internal audit team can help with this.

 

, , , , , ,

Updated: Nova Scotia passes new cyber-bullying legislation

On October 5, 2017, the Nova Scotia Legislature introduced Bill No. 27, the Intimate Images and Cyber-protection Act. The Act comes as Nova Scotia’s previous cyber-bullying legislation, the Cyber-safety Act, was struck down in 2015 by the Nova Scotia Supreme Court on constitutional challenge.

 

, , , , , , , , ,

Is it about managing risk?

Managing risk absent the context of your objectives leads you to manage what may be irrelevant and miss what may be crucial.

 

, , , ,

Previous Posts