
Inside Internal Controls

News and discussion on implementing risk management


risk assessment

What makes for effective decision-making?

I was talking with a friend about decision-making and decided to put together a list of principles for effective decision-making. This is my first shot. What do you think? What would you change?

 


A new code sets back the status and practice of internal auditing

The Chartered Institute of Internal Auditors (the UK affiliate of the global Institute of Internal Auditors) is usually a thought leader, promoting and explaining best and leading internal auditing practices. For example, they have done excellent work on [enterprise] risk-based auditing.

 


Entering the era of operational resilience

Operational resilience is the ability of a business to tolerate shocks and maintain normal operations. Those shocks can be all sorts of things — IT failures, natural disasters, terrorism, cyberattacks — but they’re typically sudden shocks, happening within hours or even minutes, that threaten your company’s ability to provide whatever it is you provide to customers.

 


Risk and consequences

I like to think that effective risk management helps the managers of an organization, at all levels, make the informed and intelligent decisions necessary for success – reliably achieving enterprise objectives considering all the things that might happen, both positive and negative.

 


Mandatory cybersecurity incident reporting for IIROC investment firms

In November 2019, the Investment Industry Regulatory Organization of Canada released new mandatory reporting requirements for cybersecurity incidents, per IIROC Notice 19-0194. What are the new requirements?

 


Risk and the lemonade stand: how it matters in the simplest settings

This is a ‘risk management’ challenge. What are the parents’ objectives and how would you go about assessing whether the likelihood of achieving them is acceptable and, if not, what actions to take?

 


Are your business decisions failing because they are biased?

Cognitive bias is something that all of us need to understand. It affects our own decisions as well as those our leaders make in running the business.

 


The next generation of internal auditing

I want to congratulate Workiva and Jose Tabuena for Internal Audit’s Guide to Planning, Managing and Addressing Risks. I want to focus on the first piece in that publication, Planning to Do the Right Audits: An Effective Internal Audit Risk Assessment. Here are some excerpts, with comments by me:

 


Elevating internal audit’s role

For many years, PwC has shared with us their view of the State of the Internal Audit Profession. They have some useful words, but it is mixed in with an agenda with which I don’t totally agree. I will come to that later. But first, the good stuff:

 


How often should you assess risk?

I recently listened to a new video by my friend, Alex Sidorenko. In How often [should] the risk assessments be performed, he makes some solid points, including:

 


The accountants’ role in risk management

The International Federation of Accountants (IFAC) has published an interesting and useful piece, Enabling the Accountant’s Role in Effective Enterprise Risk Management.

 


The effective practitioner in action

Competition law

A risk practitioner can assist in a number of ways, including helping management use comparable methods and tools to assess both upside and downside potential consequences in a way that they can be compared.

 


Are we taking risk, making a decision, or gambling?

We gamble all the time, but we don’t think of it that way. We think we are making decisions, not gambling – and often don’t see it as taking risk either.

 


The cyber heat map

Vince Dasta of Protiviti makes a good point (pun intended – as will be explained shortly) in Cyber Risk Assessment: Moving Past the “Heat Map Trap”.

 


Emerging risks: who is watching?

Who should be alert and watching for emerging risks: things that might happen (a better expression than the ‘R’ word, ‘risk’, because of its negative impression) that might affect the achievement of enterprise objectives?

 

