First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Author Archive - Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more

How effective is your internal audit function? Is it world-class?

When I became a CAE, I started by benchmarking against firms that had a great reputation, either for their business practices or internal audit departments. That is still a good idea and I recommend it.

 

, , ,

Amazing insights on cyber

A couple of recent pieces shed some light, some amazing light, on how cyber-related risk is perceived by executives and the board.

 

, , , , , ,

Common sense talk about risk heat maps and more

Only when the business impact is understood does it make sense to get into the details of which risks to which information assets should be mitigated and how.

 

, , , , , ,

Allegations and investigations

What we should all note from the news is that a failure to perform an appropriate investigation is a serious source of risk to any organization.

 

, , , , , ,

KPMG studies ERM and gets some things right but misses the key point

There’s some good material in KPMG’s Enterprise Risk Management Benchmarking Study, subtitled Evolving to an active, integrated and agile approach amidst change and disruption.

 

, , , , ,

The board and cyber security

There’s another useful article on Forbes. How to talk to the board about cybersecurity is written by an experienced CIO, John Matthews. Here are some useful excerpts with my highlights:

 

, , , , , , , ,

Risk and the lemonade stand: how it matters in the simplest settings

This is a ‘risk management’ challenge. What are the parents’ objectives and how would you go about assessing whether the likelihood of achieving them is acceptable and, if not, what actions to take?

 

, , ,

Do risk appetite statements add value?

Whilst the majority of firms had risk appetite statements that were set by the Board and which were supported by relevant metrics, 50% of respondents noted that their risk appetite statements did not link to the firm’s strategy or to the actual underlying risk the firm faced, and did not provide a forward looking view of risk.

 

, , ,

The core principles for effective internal auditing

The IIA has published a new Practice Guide (PG), Demonstrating the Core Principles for the Professional Practice of Internal Auditing.

 

, , , ,

An ERM horror story

Does it make sense to aggregate risk levels for a variety of risk sources, including cyber, compliance, credit, liquidity, competitor, and internal control over financial reporting?

 

, , , ,

Cyber and the board

There’s an interesting article in the Harvard Law School Forum on Corporate Governance and Financial Regulation. What the Capital One Hack Means for Boards of Directors has some interesting insights that merit the attention of risk, cyber, audit, and governance practitioners.

 

, , , , , , , , ,

A CIO talks business sense about cyber security and the CISO

Every so often, I see an interesting piece on Forbes.com. This time it is How To Talk To the Board About Cybersecurity. A CIO shares his experience working with boards and advice on that challenge for CISOs. Here are some useful comments (with my highlights):

 

, , , , ,

Are your business decisions failing because they are biased?

Cognitive bias is something that all of us need to understand. It affects our own decisions as well as those our leaders make in running the business.

 

, ,

A proactive approach to cyber risk management

It is not sufficient to say that cyber risk is high, medium, or low. The leaders of the organization need to be able to figure out what is the right level of resources to allocate to cyber defense and response; what is the right level of attention at board and executive committee level; and what should be communicated to shareholders and others.

 

, ,

How to assess the effectiveness of risk management

Internal auditors are expected, according to the IIA Standards and some governance codes, to assess the effectiveness of risk management.

 

, , ,

Previous Posts