Author Archives: Norman Marks
Lucy Marcus is recognized as a governance expert and has served as chair of audit committees for many years. In a piece for Reuters, she called serving on an audit committee “the toughest job you’ll ever love”. I recommend reading her post and listening to the video that shows her answering questions about the HP and Autonomy affair.
I recently criticized organizations’ focus on GRC, suggesting instead that they ensure the individual building blocks of risk management, compliance, strategy, and performance management are brought up to at least a moderate level of maturity.
John Fraser is a highly respected Canadian risk and audit practitioner. He introduced and then for 13 years led the risk management program at Hydro One. John shares his wisdom on effective risk management with both common sense and humor. I like his book on ERM, which you can find on Amazon.
EY Audit Guidance for IT. Recently, Ernst & Young published advice for internal audit functions regarding their IT audit work. Ten key IT considerations for internal audit starts out in brilliant fashion by pointing to the need to [...]
A recent post on the Harvard Business Review site, What CEOs Really Think of Their Boards, makes interesting reading. While the author’s early message is that boards need to tone down their oversight [...]
Last year, I heard a senior consultant from one of the large firms explain their approach to risk management. It focused on ‘risk and reward’ and why it is important to understand risk so you can balance it against the potential for reward.
Earlier this year, an interesting article on CFO.com considered the risk management practices at 10 major global banks. While they found that each of the banks considered risk management (or, ERM in the words of the author) a strategic priority and recognized that “risks of all kinds [...]
A new Risk Angles issue from Deloitte, Five questions on risk assessment, takes a few commonly asked questions about risk assessment and provides short answers to each. The two page document is an easy read and I recommend it for boards and executives, as well as practitioners.
Many internal auditors want an answer to the question: how do we put a value on internal audit? Let’s answer another question first: what is the value of a home? The correct answer is that a house is worth what somebody is willing to pay for it.
Most internal audit departments have evolved from reporting on controls to reporting on how well risks are managed. But when they discuss issues, they usually still talk in terms of the controls failing, perhaps rating them as “high risk”, “medium”, or “low”.