First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Backup and Disaster Planning

What does your risk management activity seek to achieve?

It is essential to understand what an organization needs and how critical the management of risk is before settling on a design, let alone trying to implement or upgrade risk management.

 

, , , , , , ,

The future of risk management

The Institute of Risk Management has a great feature where they have asked people around the world, including a number of luminaries, about the future of risk management.

 

, , , ,

Lawyers need to keep up with AI

For decades, novelists, scientists, mathematicians, futurists and science fiction enthusiasts have imagined what an automated society might look like. Artificial intelligence, or AI, is rapidly evolving, and the society we could only once imagine may be on the brink of becoming our new reality.

 

, , , , , , ,

Don’t outsmart yourself: AI and compliance

I’m a big fan of artificial intelligence. The older I get, the more I appreciate that real intelligence needs all the help it can get. Corporate ethics and compliance officers, however, need to pause before betting big on AI as a solution to all our needs.

 

, , , , ,

Real answers to common questions on cybersecurity

Every day there is something in the news about organizations generally of all different sizes that have been breached and have had to deal with the impact of the loss, compromise or destruction of data. Making key decision-makers aware of the general threat landscape is helpful, but more helpful is making them aware of the threat landscape specific to your organization.

 

, , , , , , ,

Cyber and reputation risk are dominoes

As I was reading the book, I realized that I have a problem with organizations placing separate attention to reputation risk and its management. It’s simply an element, which should not be overlooked, in how any organization manages risk – or, I should say, how it considers what might happen in its decision-making activities.

 

, , , , ,

Lawful access: The Privacy Commissioner reiterates its position

Patricia Kosseim, Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis for the Office of the Privacy Commissioner of Canada, was asked, at the request of Commission’s counsel, to provide an overview of the legislation for protecting privacy in Canada and to answer questions about lawful access issues from a federal perspective.

 

, , , , , , , , ,

CCOs say policies are getting stronger; adoption of technology – not so much

KPMG recently published its latest survey of chief compliance officers. The report highlights the increasing value of effective Compliance. It also reveals growing pains of our industry, specifically in maximizing efficiencies.

 

, , ,

Is there a duty of device security? U.S. regulator fires warning shot over obligations of IoT manufacturers

A complaint filed by the U.S. Federal Trade Commission against D-Link Corporation, a Taiwanese computer networking equipment manufacturer, and its U.S. subsidiary, is raising questions about the extent of responsibility that networking equipment manufacturers may have for the security of their products, and how much of that responsibility rests with consumers and end users.

 

, , , , , , , , , , , , ,

Guidelines on the National Security Review of Investments

With the highly anticipated release of its Guidelines on the National Security Review of Investments, the Canadian government has finally shed some light on circumstances which may draw investors and parties involved in the investment into the realm of a national security review.

 

, , , , , , , , ,

How much cyber risk should an organization take?

I did a video with Joe McCafferty of MISTI last month. I am interested in whether you share my views. I also have some questions for you—after you watch the video.

 

, , , , , , , ,

Why do so many practitioners misunderstand risk?

My apologies in advance to all those who talk about third–party risk, IT risk, cyber risk, and so on. We don’t, or shouldn’t, address risk for its own sake. That’s what we are doing when we talk about these risk silos. We should address risk because of its potential effect on the achievement of enterprise objectives.

 

, , ,

Selecting software to help manage user access risk

I believe software is essential in managing user access risk, not only for SOX but also for other business risks. In fact, the potential harm from inappropriate access is typically greater for other business risk (such as the possibility of disruption of activities such as revenue generation or manufacturing, reputation risk, and the protection of valuable intellectual property) than it is for SOX.

 

, , , ,

Views on the future of risk management

James Lam has an impressive resume: Chief Risk Officer for major financial institutions, author of a respected book on ERM, consultant, and board member. Recently, he wrote a white paper that is available through RIMS or Workiva, Next Frontier: Performance-Based Continuous ERM. I think it is fair to say that James and I agree on many points but disagree on others.

 

, , , , ,

Cybersecurity best practices for connected cars

Some of the most significant concerns with connected vehicles are cybersecurity and privacy protection. These concerns were the main impetus behind the creation in the US of the Auto Information Sharing and Analysis Centre (ISAC) by a group of US automakers in July of 2014. The group allows its members to share information about threats and vulnerabilities, conduct analysis and develop industry solutions. The Auto ISAC has now released its “Automotive Cybersecurity Best Practices”.

 

, , , , , , , , , , , , , , ,

Previous Posts