In a recent blog, I illustrated a GRC Strategy Quadrant that I think can be used to tailor risk management strategies to different types of risks.
A Better Way To Classify Risks
There’s nothing new about classifying risks by category—strategic risk, operational risk, and so on. But I’m suggesting that the strategy for managing risks is dramatically different for each quadrant.
The quadrant classifies risks based on the risk “appetite” of the business and the perceived risk level. I will illustrate …
Risk management continues to fall short of expectations. Surveys show boards and senior executives believe risk management is important, but also reflect an overwhelming dissatisfaction with the implementation initiatives.
Adopt a Value Driven Approach to Risk
Recently, in an attempt to make risk management more relevant and sustainable, I wrote a blog aimed at focusing risk management on value driving activities of the business (“Driving Value with Risk Management”). My belief is that too much risk management activity is spent on identifying and …
Real success for risk management can only come from creating value. Yet risk management practices have largely failed the value add test.
What drives value in your business? To find out, you need to learn how equity analysts make buy/sell recommendations. Value drivers may not be tangible and they may not be on the balance sheet, but they’re very real.
For example, in the mining and metals industry, proven mineral reserves drive value. In the airline industry, one equity analyst concluded that the quality of …
A year ago, my team conducted some research into risk management. We wanted to assess the state of risk management adoption, the role of technology, and the evolution of risk management practices.
We combined our research with that of others and issued an infographic illustrating our conclusions. To summarize, everyone thinks risk management is important. But “good enough” practices and technologies rule. Things are changing slowly and not necessarily for the better, if at all.
In this blog I want to assess the state …
Last week, I wrote a blog about the qualifications for a director who is relied on by the board as a risk expert.
One of the comments I received is that the same or similar list could be used to define the necessary attributes of an effective chief risk officer (CRO).
I think that is right, with special emphasis added in three areas:
The CRO has to have an excellent understanding of the business, the organization structure and key players, how …
I recently criticized organizations’ focus on GRC, suggesting instead that they ensure the individual building blocks of risk management, compliance, strategy, and performance management are brought up to at least a moderate level of maturity.
But, there is true value in considering GRC within your organization – without taking away from the points I made in that earlier post.
GRC refers to “a capability to reliably achieve objectives (governance & performance) while …
My good friend, Michael Rasmussen, is perhaps the father of the term GRC and styles himself as the GRC Pundit. He has an excellent web site that I wholeheartedly recommend and one of his latest posts is on the subject of 2013 GRC Drivers and Trends.
I share with Michael and many others the belief that the term GRC refers to “a capability to reliably achieve objectives (governance & performance) while addressing uncertainty (risk management) and acting with integrity (compliance)”. This is …
Are you still using the same personal mobile phone and tablet in your personal life as you did just 3 years ago? Most are quick to adopt new technology and all its capabilities, such as the iPhone 4 or 5, iPad with Retina Display or the Samsung Galaxy.
But I am going to guess that most of you are using the same technology as you used in 2010 (if not much older) in your work life – …
In a recent interview I was asked, “what is mobile GRC, and how does it help?”
Afterwards, I realized that I had underestimated the potential impact of mobility on governance, risk, and compliance.
Years ago, Marshall McLuhan, an early prophet of the electronic age, coined the phrase “the medium is the message.” Many scholars have attempted to interpret this rather enigmatic phrase. My view is that the interpretation is simple and the implications profound.
The attributes and many of the benefits of mobile technologies in GRC are …
In my last blog, Control Effectiveness—Is the Glass Half Empty?, I examined how control effectiveness is often measured incompletely and inaccurately. Let’s look at what we learned and discuss a better way to determine effectiveness.
There are three lessons we can learn about making conclusions on control effectiveness:
Controls’ effectiveness can’t be measured against “control objectives”. Control effectiveness can only be measured against the broader, business (or in the examples, community and therapeutic) objectives. (Most of the major corporate failures we have seen in the …