First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

risk management

The value of a risk register

A risk register makes you feel good. It makes you feel you have accomplished something, a list of risks that might cause harm to the organization. It makes the executive team and the board feel that they can check the box: “do you have a risk management program? Yes.” But, does that risk register help people formulate and then execute the right strategies for the organization to deliver optimal value?

 

, , , ,

Risk in the fourth dimension

The word, a magic word with amazing power, is “why”. Let’s think of the power of this word when it comes to risk and risk management.

 

, ,

New guidance on operational risk

When an organization is focused on avoiding failure, it is very hard to be successful. Operational risk is basically about the things that can go wrong in day–to–day processes that can trip you up. It is impossible to eliminate such risk. The best you can hope for is to take a level of risk that is appropriate given the business and what it takes to be successful.

 

, , ,

How much cyber risk should an organization take?

I did a video with Joe McCafferty of MISTI last month. I am interested in whether you share my views. I also have some questions for you—after you watch the video.

 

, , , , , , , ,

Views on the future of risk management

James Lam has an impressive resume: Chief Risk Officer for major financial institutions, author of a respected book on ERM, consultant, and board member. Recently, he wrote a white paper that is available through RIMS or Workiva, Next Frontier: Performance-Based Continuous ERM. I think it is fair to say that James and I agree on many points but disagree on others.

 

, , , , ,

Competition law issues for HR Professionals in Canada

Competition law

A company’s HR functions, such as recruitment and compensation, are not typically regarded as antitrust “hot spots” (as opposed to sales and marketing). Recent cases in the United States, however, highlight how hiring practices can create the risk of competition law violations for companies and their HR personnel. Since Canadian competition law is similar to U.S. antitrust law in these respects, it is important that Canadian HR professionals be aware of these risks and protect themselves and their companies from exposure.

 

, , , , , , , , , , , , , , ,

Top 10 most read Inside Internal Controls posts 2016 & Season’s Greetings

We are signing off with a list of the top 10 most read Inside Internal Controls posts 2016. Privacy issues and director’s liability seem to have been hot topics this year with several blog posts on the topics making it on the list. The top 10 most read Inside Internal Controls posts 2016 Director’s liability […]

 

, , , , , , , , , , , , , , , ,

Cybersecurity best practices for connected cars

Some of the most significant concerns with connected vehicles are cybersecurity and privacy protection. These concerns were the main impetus behind the creation in the US of the Auto Information Sharing and Analysis Centre (ISAC) by a group of US automakers in July of 2014. The group allows its members to share information about threats and vulnerabilities, conduct analysis and develop industry solutions. The Auto ISAC has now released its “Automotive Cybersecurity Best Practices”.

 

, , , , , , , , , , , , , , ,

Risk and strategy entwined

Risk Officers have to consider themselves as business executives first and foremost. While their charter may talk about ‘risk’, their job is to help the board and executive team achieve the corporate objectives. They need to put themselves in the shoes of the CEO and board members. They cannot afford only to concern themselves with reasons not to pursue ventures–implying a desire to stay home and vegetate. Think like a CEO, act like a CEO, and talk like a CEO. Provide leadership with the information, process, systems, and so on to make effective decisions that lead to success.

 

, , ,

Explaining risk management in plain English

I have been saying for a while that one of the reasons for the disconnect between senior executives and risk practitioners is the latter’s language.

 

, , ,

COSO ERM Exposure Draft

This last week, COSO published an Exposure Draft of its ERM Framework Update, freshly entitled Enterprise Risk Management – Aligning Risk with Strategy and Objectives. The COSO update is a significant moment for all risk practitioners. So I strongly recommend that everybody take the time to review and give careful consideration to the draft.

 

, , , , ,

A revolution in risk management

Risk management, whether you call it enterprise risk management, strategic risk management, or something else, is about helping an organization achieve its objectives. All the standards, frameworks, and guidelines talk about risk in terms of its ability to affect the achievement of the organization’s objectives. Some things might happen that will help and some that will interfere with our progress.

 

, , , , ,

Risk management guidance: Time for a leap change

Even though both COSO ERM and ISO 31000:2009 are evolving, moving to a greater emphasis on decision-–making and the setting and execution of strategy, the practice of managing risk continues to lag. I have written in my blogs and spoken in person to thought leaders involved in both COSO ERM and ISO 31000 updates about the need to take a huge leap forward. When the practice is seen as failing to contribute to success, and limited to a compliance function, something dramatic has to happen.

 

, , , , ,

The astonishing Wells Fargo fraud

The news about the Wells Fargo staff ‘scam’ (the word used in this article in SC magazine) is mind-boggling. What I found mind-boggling is that (according to CNN Money) Wells Fargo had to fire about 5,300 workers (out of a total staff estimated at 265,000, or 2% of all employees). When 2% of employees were fired, you have to assume that more people knew or should have known. The prevailing Wells Fargo culture in reality was to do what was right for the staff, not the customers!

 

, , , , , , , ,

Risk management: What academics fail to understand

How do you expect a CEO to believe risk management enables success when all the CRO gives him is a list of what could go wrong? He needs help to see what might happen, both good and bad, and what to do about it—in other words, risk management needs to be seen by the CEO as helping him or her get where he or she needs to go. Do you share my view? If so, how do we move both the practitioner and academic community?

 

, , , , , ,

Previous Posts Next posts