First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

risk

Always-on risk and strategy management

Always-on strategy complements the annual [strategy] process by giving senior leadership a regular forum in which to monitor and discuss issues that warrant continual attention, including those identified during the annual process and during the course of the year.

 

, , , , ,

Cybersecurity in a post-Ashley Madison world

In a recent key finding, PIPEDA Report of Findings #2016-005 – Joint investigation of Ashley Madison, the Office of the Privacy Commissioner of Canada provided crucial guidance to organizations in relation to information protection and cybersecurity.

 

, , , , , , , , , ,

PwC does better on risk management

If you don’t focus on the achievement of objectives, but instead manage individual risks, how do you know whether you are likely to achieve them – or the possibility of exceeding them?

 

, , , , , ,

Risk appetite in practice

From time to time, I am asked about the best risk management activity I have seen. Perhaps the best overall ERM was at SAP. I wouldn’t say it was perfect but it did include not only periodic reviews but the careful consideration of risk in every revenue transaction (including contracting) and development activity.

 

, , ,

Risk management in review

PwC’s latest Risk In Review study makes some very interesting points. It carries the title of “Managing risk from the front line” and I recommend downloading and reading it.

 

, , , , ,

The current state of risk oversight: Useful or useless?

All the surveys, including this one, report that executives do not believe risk management practices at their organization are making a significant contribution to the development and execution of their strategies.

 

, , , , , , ,

Cyber and reputation risk are dominoes

As I was reading the book, I realized that I have a problem with organizations placing separate attention to reputation risk and its management. It’s simply an element, which should not be overlooked, in how any organization manages risk – or, I should say, how it considers what might happen in its decision-making activities.

 

, , , , ,

When an acceptable level of risk is not acceptable

We are used to identifying a risk, analyzing the potential consequences and their likelihood, and then establishing a ‘risk level’. We evaluate whether the level of risk is acceptable or not, based on risk appetite, risk criteria, or the like. But is that sufficient?

 

, ,

How to mess up your risk management program

Does your risk management activity ‘check the box’, or does it help the organization succeed by making more intelligent and informed decisions?

 

, , , , ,

The current state of risk management

But here is the key question. If the leaders of the organization are not persuaded that risk management is adding value by enabling success, and believe that there are better ways to invest scarce resources, why should we surprised that the risk management activity is under–funded?

 

, , , , ,

The value of a risk register

A risk register makes you feel good. It makes you feel you have accomplished something, a list of risks that might cause harm to the organization. It makes the executive team and the board feel that they can check the box: “do you have a risk management program? Yes.” But, does that risk register help people formulate and then execute the right strategies for the organization to deliver optimal value?

 

, , , ,

Risk in the fourth dimension

The word, a magic word with amazing power, is “why”. Let’s think of the power of this word when it comes to risk and risk management.

 

, ,

New guidance on operational risk

When an organization is focused on avoiding failure, it is very hard to be successful. Operational risk is basically about the things that can go wrong in day–to–day processes that can trip you up. It is impossible to eliminate such risk. The best you can hope for is to take a level of risk that is appropriate given the business and what it takes to be successful.

 

, , ,

How much cyber risk should an organization take?

I did a video with Joe McCafferty of MISTI last month. I am interested in whether you share my views. I also have some questions for you—after you watch the video.

 

, , , , , , , ,

Why do so many practitioners misunderstand risk?

My apologies in advance to all those who talk about third–party risk, IT risk, cyber risk, and so on. We don’t, or shouldn’t, address risk for its own sake. That’s what we are doing when we talk about these risk silos. We should address risk because of its potential effect on the achievement of enterprise objectives.

 

, , ,

Previous Posts Next posts