About Us
The Decision Factor offers insightful comments and observations on analytics—from views on new technology approaches and market dynamics to the latest industry trends driving demand for faster, smarter information analysis. This blog contains personal views, thoughts, and opinions from SAP employees, mentors, and friends working in the area of analytics. It’s not endorsed by SAP nor does it constitute an official communication of SAP.
Posted by: Norman Marks June 6, 2013 
My good friend, Michael Rasmussen, is perhaps the father of the term GRC and styles himself as the GRC Pundit. He has an excellent web site that I wholeheartedly recommend and one of his latest posts is on the subject of 2013 GRC Drivers and Trends.
I share with Michael and many others the belief that the term GRC refers to “a capability to reliably achieve objectives (governance & performance) while addressing uncertainty (risk management) and acting with integrity (compliance)”. This is …
Posted by: Norman Marks February 12, 2013
Are you still using the same personal mobile phone and tablet in your personal life as you did just 3 years ago? Most are quick to adopt new technology and all its capabilities, such as the iPhone 4 or 5, iPad with Retina Display or the Samsung Galaxy.
But I am going to guess that most of you are using the same technology as you used in 2010 (if not much older) in your work life – whether …
Posted by: Bruce McCuaig February 7, 2013
In a recent interview I was asked, “what is mobile GRC, and how does it help?”
Afterwards, I realized that I had underestimated the potential impact of mobility on governance, risk, and compliance.
Years ago, Marshall McLuhan, an early prophet of the electronic age, coined the phrase “the medium is the message.” Many scholars have attempted to interpret this rather enigmatic phrase. My view is that the interpretation is simple and the implications profound.
The attributes and many of the benefits of mobile technologies in GRC are …
Posted by: Bruce McCuaig January 17, 2013
In my last blog, Control Effectiveness—Is the Glass Half Empty?, I examined how control effectiveness is often measured incompletely and inaccurately. Let’s look at what we learned and discuss a better way to determine effectiveness.
There are three lessons we can learn about making conclusions on control effectiveness:
Controls’ effectiveness can’t be measured against “control objectives”. Control effectiveness can only be measured against the broader, business (or in the examples, community and therapeutic) objectives. (Most of the major corporate failures we have seen in the …
Posted by: Bruce McCuaig January 15, 2013
Control effectiveness opinions are what we expect from auditors. But what does a control effectiveness opinion really tell us?
None of us would conclude a glass is half full without knowing how big the glass actually is. The amount of liquid currently in a glass doesn’t tell you anything unless you know how much liquid the glass will hold.
Similarly, control effectiveness opinions are often based on knowing only half the facts. Many, if not most, of the major corporate failures …
Posted by: Norman Marks December 20, 2012
I truly believe that amazing developments are arriving that will make future decision-making far more effective. I want to talk about two in this post; admittedly one is more a hope and the other more a prediction.
The prediction can be expressed this way:
In the near future, which is getting nearer every day, decision-makers will have moved from an experience-based process to an information-based process. They will have reliable, useful information delivered to the palm of their hand in near real time that will let them …
Posted by: Bruce McCuaig November 29, 2012
Mobile devices are wonderful things. They’re light, easy to use and operate, accessible, and available — and they’ve revolutionized the way we manage our personal and business lives.
But for most of us, the mobile devices provided by our employers have very strict “controls”. Most are designed to turn off if they’re idle for just a few minutes. I can reset the timing on mine, but five minutes seems to be the maximum. During a typical conference call when I need to refer to my iPad, it’s common …
Posted by: Bruce McCuaig November 20, 2012
Recently I was perusing a relatively unknown corner of ISO 31000 Risk Management —Principles and Guidelines— and long dormant memories flooded back.
The ISO section I was reading, Monitoring and Review (s 5.6), deals with the sorts of metrics that should be monitored to ensure the risk management system’s working. For example, it suggests monitoring indicators of control effectiveness, incidents (near misses), issues, key risk indicators, loss events, and other relevant variables important to the risk management process.
Years ago, I …
Posted by: Bruce McCuaig November 13, 2012
Help Wanted: Risk Owner Position Available
I’d like to consider for a moment the concept of risk ownership. ISO 31000 defines a risk owner as a “person or entity with the accountability and authority to manage a risk.” I’ve seen risk registers listing risk owners, but I don’t think I’ve ever met anybody who proudly proclaimed they were a risk owner.
I have never read a resume with a list of risks owned by a job applicant.
I have never seen a course at any level that …
Posted by: Bruce McCuaig November 8, 2012
Years ago, I worked in a bank. I’m sure the concept of a “register” came from a banker initially. Banks had registers for everything.
One of my jobs was to keep the collateral register postings up to date. When a customer opened a line of credit, they were required to pledge something, usually marketable securities, as collateral. I posted the collateral in the register and someone else placed the securities in the vault, where they’d stay and gather dust. (I think bankers invented segregation of duties too.)
Occasionally, the bank auditors …