I believe software is essential in managing user access risk, not only for SOX but also for other business risks. In fact, the potential harm from inappropriate access is typically greater for other business risks (such as the possibility of disruption of activities such as revenue generation or manufacturing, reputation risk, and the protection of valuable intellectual property) than it is for SOX.
James Lam has an impressive resume: Chief Risk Officer for major financial institutions, author of a respected book on ERM, consultant, and board member. Recently, he wrote a white paper that is available through RIMS or Workiva, Next Frontier: Performance-Based Continuous ERM. I think it is fair to say that James and I agree on many points but disagree on others.
Risk Officers have to consider themselves as business executives first and foremost. While their charter may talk about ‘risk’, their job is to help the board and executive team achieve the corporate objectives. They need to put themselves in the shoes of the CEO and board members. They cannot afford only to concern themselves with reasons not to pursue ventures–implying a desire to stay home and vegetate. Think like a CEO, act like a CEO, and talk like a CEO. Provide leadership with the information, process, systems, and so on to make effective decisions that lead to success.
I have been saying for a while that one of the reasons for the disconnect between senior executives and risk practitioners is the latter’s language.
Risk management, whether you call it enterprise risk management, strategic risk management, or something else, is about helping an organization achieve its objectives. All the standards, frameworks, and guidelines talk about risk in terms of its ability to affect the achievement of the organization’s objectives. Some things might happen that will help and some that will interfere with our progress.
Even though both COSO ERM and ISO 31000:2009 are evolving, moving to a greater emphasis on decision-making and the setting and execution of strategy, the practice of managing risk continues to lag. I have written in my blogs and spoken in person to thought leaders involved in both COSO ERM and ISO 31000 updates about the need to take a huge leap forward. When the practice is seen as failing to contribute to success, and limited to a compliance function, something dramatic has to happen.
The news about the Wells Fargo staff ‘scam’ (the word used in this article in SC magazine) is mind-boggling. What I found mind-boggling is that (according to CNN Money) Wells Fargo had to fire about 5,300 workers (out of a total staff estimated at 265,000, or 2% of all employees). When 2% of employees were fired, you have to assume that more people knew or should have known. The prevailing Wells Fargo culture in reality was to do what was right for the staff, not the customers!
How do you expect a CEO to believe risk management enables success when all the CRO gives him is a list of what could go wrong? He needs help to see what might happen, both good and bad, and what to do about it—in other words, risk management needs to be seen by the CEO as helping him or her get where he or she needs to go. Do you share my view? If so, how do we move both the practitioner and academic community?
Clearly, the great majority base their audit plan on some combination of (macro) enterprise-level risks and (micro) risks at a lower level of the organization. Somewhat more have weighted their plan towards the micro level than the macro level. So what does this all mean?
I am going to use a metaphor involving the board game of Monopoly to illustrate how I feel about risk management. The players compete to win by either having more money when the game ends (if there is a time limit) or by being the only one left standing after all the others have gone bankrupt. Let’s imagine our executive team is playing a game against its main competitors.
Who takes risk? The correct answer is ‘everybody’; everybody who makes a decision and everybody who acts. Every decision and action creates or modifies risk and has the potential to influence the achievement of objectives. Whether it is deciding to go through with an acquisition or to hire this candidate instead of an alternative, risk is being taken.
Over the past half century, a great deal of literature has appeared in Canada and the United States about how to design, document and assess internal controls. First Reference has built upon the most current internal control authorities to provide organizations with practical tools for designing and evaluating controls.
You can purchase business insurance for nearly every operation and risk your business faces. However, navigating the particularities of insuring your organization can seem daunting. Investing in insurance coverage is a necessary part of operating a sound business, whether your organization is for profit or not.