Author Archives: Bruce McCuaig
Who Audits The Super Bowl?
I am trying to anticipate the impact of in-memory processing on governance, risk, and compliance (GRC) activities. What will it mean to risk, compliance, audit, and other GRC professionals when we have the ability to scan and analyze millions of pieces of data almost instantly? How will professional practices change?
How Mobility Will Transform GRC
In a recent interview I was asked, “what is mobile GRC, and how does it help?” Afterwards, I realized that I had underestimated the potential impact of mobility on governance, risk, and compliance.
Myths In Risk Management: Control Effectiveness
In my last blog, Control Effectiveness—Is the Glass Half Empty?, I examined how control effectiveness is often measured incompletely and inaccurately. Let’s look at what we learned and discuss a better way to determine effectiveness.
There are three lessons we can learn about making conclusions on control effectiveness: Controls’ effectiveness can’t be measured against “control objectives”. Control effectiveness can only be measured against the broader, business (or in the examples, community and therapeutic) objectives. (Most of the major corporate failures we have seen in the financial …
Myths in Risk Management: Control Effectiveness — Is the Glass Half Empty?
Control effectiveness opinions are what we expect from auditors. But what does a control effectiveness opinion really tell us?
None of us would conclude a glass is half full without knowing how big the glass actually is. The amount of liquid currently in a glass doesn’t tell you anything unless you know how much liquid the glass will hold.
Similarly, control effectiveness opinions are often based on knowing only half the facts. Many, if not most, of the major corporate failures …
Myths in Risk Management – With Controls, Too Much of a Good Thing Can Be Bad
Mobile devices are wonderful things. They’re light, easy to use and operate, accessible, and available — and they’ve revolutionized the way we manage our personal and business lives.
But for most of us, the mobile devices provided by our emp…
Myths in Risk Management — You Don’t Need To Start With A Risk
Recently I was perusing a relatively unknown corner of ISO 31000, Risk Management — Principles and Guidelines, and long dormant memories flooded back.
The ISO section I was reading, Monitoring and Review (s 5.6), deals with the sorts of metrics th…
Myths in Risk Management — Can Risks Be Owned?
Help Wanted: Risk Owner Position Available
I’d like to consider for a moment the concept of risk ownership. ISO 31000 defines a risk owner as a “person or entity with the accountability and authority to manage a risk.” I’ve seen risk regis…
Myths in Risk Management — Can Risks Be Registered?
Years ago, I worked in a bank. I’m sure the concept of a “register” came from a banker initially. Banks had registers for everything.
One of my jobs was to keep the collateral register postings up to date. When a customer opened a line of credit…
Myths In Risk Management — Exposing The Flaws Of Risk Heat Maps
Recently, I ran a round table discussion on the topic of enterprise risk management (ERM). The participants were all experienced risk managers in the private and public sectors. During a break, I overheard one participant sharing her experience in pres…
What’s Wrong With Risk?
Regardless of our school of thought (e.g. COSO ERM, ISO 31000 or others), for those of us who follow the progress of enterprise risk management (ERM), there’s little to encourage us. One recent study published by the ERM initiative at North Carolina S…