First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image


Risk visualization

Risk visualization can help executives make decisions not only to manage risks but to optimize outcomes and achieve objectives. I have to agree with the author of Are we witnessing the demise of the risk register (and the rise of risk visualisation)? He says, “I loathe risk registers”. So do, but for different reasons. He […]



How should you assess the effectiveness of risk management?

If an organization seeks to perform at world-class levels, it needs to have highly effective processes and practices for managing what might happen – risk.


, ,

Liability waivers: If in doubt, get a new one

There is a need for entities wishing to rely on liability waivers to ensure that the waivers are expertly drafted, that the purpose and limitations of liability waiver are understood by such entities and that such entities routinely review their waivers to ensure that they apply to all activities that might be engaged in by the parties executing such waivers.


, ,

Collaboration between the business risk and IT security teams

Take each of your business objectives and plans. Now, figure out what might result from a technology-related failure (noting that ‘technology’ extends beyond the IT function). Then, what are you going to do about it?


, , , , , ,

The worst audit report I have seen

I have seen a few candidates for this title, but one stands out. This is how I described it in my best-selling book, World-Class Internal Audit: Tales from my Journey:


, , , , ,

An example of game theory in risk management

One of the risks identified by many organizations as significant and included in the risk disclosures required in corporate filings, such as the annual and quarterly filings with the U.S. Securities and Exchange Commission, is the loss of key personnel.


, , ,

Identifying, assessing, and evaluating risk is the easy part

COSO ERM 2017 talks about strategy selection, which is a very important decision, and how you need to assess each option. The selection process includes understanding what might happen under each option (risks and opportunities in their language), weighing all the pros and cons, and then choosing the one that makes the most business sense.


, , , , , , ,

COSO ERM explains the flaw in risk appetite statements

Devotion to remaining within risk appetite (if you can even express one that will proactively guide decision-makers) is likely to make you risk averse – and focusing on avoiding harm is the path to avoiding success.


, , ,

Should you adopt the updated COSO ERM Framework? My assessment

It has been 13 years since the original COSO ERM Framework and eight years since ISO 31000:2009 was published. The updated COSO ERM Framework was an opportunity for COSO to “leap forward”. But did it?


, , , , , , , ,

Is the COSO ERM update a success or failure?

Recently, COSO published an update to their 2004 ERM Framework. The product, retitled Enterprise Risk Management: Integrating with Strategy and Performance, is available from the AICPA or IIA.


, , , , ,

How good is your chief risk officer?

A chief risk officer requires certain characteristics to succeed at being the leader of risk management in any organization. This article provides a list of critical attributes for such a leader.


, , ,

A conversation about risk with a CEO

Leaving the word “risk” out of a risk discussion with an executive can prove to be a positive way forward when asking what can go right for a project rather than what might go wrong.


, , , ,

Two words to transform discussions of risk management: risk to objectives

I have written extensively about the disconnect between risk practitioners and executives when it comes to risk management.


, , , , , , , ,

Positioning risk management to succeed

Jim DeLoach of Protiviti is an old friend. We enjoy discussing risk management over a meal, finding that we agree on far more than we disagree. Where we do disagree, it may be more by way of expressing ourselves, or due to our different positions and perspectives. His work always, in my experience, merits our careful attention and reflection. Jim recently wrote Positioning Independent Risk Management to Succeed: 6 Ways to Support the CRO.


, , ,

Internal audit and ERM accused of failing to hit the mark

The consulting firm CEB (now part of Gartner) published a piece in 2014, Executive Guidance: Reducing Risk Management’s Organizational Drag. It has been used recently to support an argument by a critic that both internal audit and ERM are failing.


, , , ,

Previous Posts