In a recent blog, I illustrated a GRC Strategy Quadrant that I think can be used to tailor risk management strategies to different types of risks.
A Better Way To Classify Risks
There’s nothing new about classifying risks by category – strategic risk, operational risk, and so on. But I’m suggesting that the strategy for managing risks is dramatically different for each quadrant. And we make mistakes when we use a response strategy that doesn’t match the risk type.
In last …
In a recent blog, I illustrated a GRC Strategy Quadrant that I think can be used to tailor risk management strategies to different types of risks.
A Better Way To Classify Risks
There’s nothing new about classifying risks by category—strategic risk, operational risk, and so on. But I’m suggesting that the strategy for managing risks is dramatically different for each quadrant.
The quadrant classifies risks based on the risk “appetite” of the business and the perceived risk level. I will illustrate …
‘Stick close to your desks and never go to sea, And you all may be rulers of the Queen’s Navy’
The chorus of “Sir Joseph Porter’s Song” above, taken from the Gilbert and Sullivan operetta H. M. S. Pinafore, is a satire said to be based on William Henry Smith (1825-91), the Victorian businessman who made a fortune through expanding his father’s bookselling business into a national chain which still thrives today as WH Smith. Like many successful businessmen William entered Parliament …
Real success for risk management can only come from creating value. Yet risk management practices have largely failed the value add test.
What drives value in your business? To find out, you need to learn how equity analysts make buy/sell recommendations. Value drivers may not be tangible and they may not be on the balance sheet, but they’re very real.
For example, in the mining and metals industry, proven mineral reserves drive value. In the airline industry, one equity analyst concluded that the quality of …
In my last blog, Redefining the Role of Internal Audit: Avoiding Redundancy, I outlined the dangers auditors face if they don’t innovate and adapt to today’s technological advances. I also proposed that internal auditors should respond with a paradigm shift—from being in the auditing business to being in the knowledge business.
What would this new role for internal auditors look like? Let me suggest another definition:
The role of Internal Auditors is to create, interpret, and disseminate as widely as possible …
When circumstances change dramatically, but you just don’t see how the changes impact you personally or professionally, it’s wise to stop and reflect. It could be a sign that something profound is happening and you’re missing it.
This October 1st is the 105th anniversary of the introduction of the Model T Ford in 1908. The development of the transportation industry at the beginning of this century, I believe, is comparable to the technology innovations of the last few years. And I suggest that …
A year ago, my team conducted some research into risk management. We wanted to assess the state of risk management adoption, the role of technology, and the evolution of risk management practices.
We combined our research with that of others and issued an infographic illustrating our conclusions. To summarize, everyone thinks risk management is important. But “good enough” practices and technologies rule. Things are changing slowly and not necessarily for the better, if at all.
In this blog I want to assess the state …
I was in a meeting this week discussing with some colleagues how clients build a business case for acquiring governance, risk, and compliance solutions.
Many GRC professionals accept the concept of GRC, but struggle to justify the initiative, the investment, and the cultural changes required.
My colleagues and I agreed that the fundamental arguments used by clients to justify the benefits of GRC were a reduction in cost and an increase in efficiency. Rarely was …
I recently criticized organizations’ focus on GRC, suggesting instead that they ensure the individual building blocks of risk management, compliance, strategy, and performance management are brought up to at least a moderate level of maturity.
But there is true value in considering GRC within your organization – without taking away from the points I made in that earlier post.
GRC refers to “a capability to reliably achieve objectives (governance & performance) while …
My good friend, Michael Rasmussen, is perhaps the father of the term GRC and styles himself as the GRC Pundit. He has an excellent web site that I wholeheartedly recommend and one of his latest posts is on the subject of 2013 GRC Drivers and Trends.
I share with Michael and many others the belief that the term GRC refers to “a capability to reliably achieve objectives (governance & performance) while addressing uncertainty (risk management) and acting with integrity (compliance)”. This is …