T2P Information Governance & Risk Management News

Information Security Program Gives Professionals Step-by-Step Guide to Comply ... - Business Wire (press release)

2009-11-09T15:23:22Z

Information Security Program Gives Professionals Step-by-Step Guide to Comply ...
Business Wire (press release)
“As a result of an onslaught of security breaches, many states are rapidly enacting information security program laws that significantly impact the way ...

and more »

openpages Survey Finds IT Risk Management Evolving - PR-USA.net (press release)

2009-11-05T09:17:20Z

openpages Survey Finds IT Risk Management Evolving
PR-USA.net (press release)
Regarding the types of technology solutions they use to support IT risk management, the openpages survey found that companies still have yet to take a ...

and more »

Avoid the Five Common Dangers of IT Risk Management - Government Technology

2009-11-06T19:20:54Z

Avoid the Five Common Dangers of IT Risk Management
Government Technology
... for the public sector to strategically approach the selection of integrated technology platforms for governance, risk management and compliance (GRC). ...

and more »

Banking: From financial intermediation to risk management - Sunday Times.lk

2009-11-07T20:27:02Z

Banking: From financial intermediation to risk management
Sunday Times.lk
This calls for new skills in risk management. Technological advancements have also changed the way we do our banking. Technology has brought banking to our ...

Risk Management Should be Part of Strategic Planning, Performance Management - IT Business Edge

2009-11-09T19:59:17Z

Risk Management Should be Part of Strategic Planning, Performance Management
IT Business Edge
By date: Risk management is much more than tweaking financial controls and increasing transparency, according to a report from Accenture. ...

and more »

CFOs to CIOs: Get Real

2009-11-05T04:05:00Z

On their wish lists addressed to IT leaders, finance chiefs want more risk-management awareness and better communication on project delivery.

SEC Denies Sarbanes-Oxley Exemption

2006-05-18T04:00:00Z

Small public cos. will need to comply.

SEC Sarbanes-Oxley Changes to Give Small, Public Firms a Break

2006-12-11T05:00:00Z

The U.S. Securities and Exchange Commission (SEC) is on Wednesday expected to start the process to modify existing auditing provisions for small, public firms within the Sarbanes-Oxley Act of 2002 (Sarbox) when it presents new rules related to section 404 of the act, The New York Times reports.Under section 404 of Sarbox, publicly-traded firms are required to evaluate and document the ...

SOX and Micromanagement

2007-01-31T05:00:00Z

Organizational consultant N. Dean Meyer reveals how regulations are used as an excuse for costly disempowerment.

The Core of Risk Management: it's the Data!

2009-11-02T05:00:00Z

Over the past couple of weeks, I have had opportunities to sit down and talk with risk management professionals from two perspectives; analysis and data. From the analytical perspective, I spoke with risk management practitioners and, on the data side, it was data warehousing experts. The question I posed was given the events of the last 18 months, what is the one issue that confronts you today in evolving your risk practices?

Leadership Legacy

2009-11-02T16:17:00Z

This year's Hall of Fame honorees share a mission to accelerate IT and enable business success.

From Enterprise Risk Management to Governance Risk and Compliance - Vanguard

2009-11-08T18:19:24Z

Vanguard

From Enterprise Risk Management to Governance Risk and Compliance
Vanguard
In addition, the ERM framework needs to be anchored by a comprehensive corporate governance framework and compliance processes to achieve a robust GRC ...
Risk management and the banksThe Guardian - Nigeria

all 13 news articles »

Mideast lacks in compliance - Zawya

2009-11-09T07:06:22Z

Mideast lacks in compliance
Zawya
Countries such as Yemen and Lebanon are far behind as far as compliance is concerned. Steps to ensure compliance [to corporate governance] have just begun ...

Risk-Based Compliance: A Framework for Analysis - Corporate Compliance Insights

2009-11-09T18:19:14Z

Risk-Based Compliance: A Framework for Analysis
Corporate Compliance Insights
Most companies understand that certain business relationships present more ...

Mark-to-data? - community blog from Neil Edelstein

2009-10-26T16:23:21Z

New COSO Thought Paper Supports Integration of Strategy and ERM

2009-11-05T01:30:00Z

COSO highlights specific areas where management can work with its board to enhance the board’s risk oversight capabilities for strategic advantage ALTAMONTE SPRINGS, Fla. – The Committee of Sponsoring Organizations of the Treadway Commission (COSO) - an organization providing thought leadership and guidance on internal controls, enterprise risk management and fraud deterrence – has released a new thought paper, Strengthening Enterprise Risk Management for Strategic Advantage, that highlights specific areas where senior management can work with its board of directors to enhance the board’s risk oversight capabilities and the organization’s strategic value. This document builds upon four specific board risk oversight responsibilities outlined in a recently released COSO thought paper, Effective Enterprise Risk Oversight: The Role of the Board of Directors, to provide more detail on ways senior management can work with the board and others in the organization to strengthen risk management in all types of organizations. “Management is often being asked to provide their boards with more information regarding key risk exposures,” said COSO Chairman David Landsittel. “The challenge facing management is designing and implementing an enterprise wide approach to risk management that is both strategic and value-adding so that the board and senior management have a rich understanding of the organization’s top risk exposures. This thought paper highlights four specific areas where management can work with their board to provide appropriate risk oversight related to strategies and objectives.” This thought paper calls attention to COSO’s Enterprise Risk Management – Integrated Framework (2004), COSO’s definition of ERM, and the key elements of effective board risk oversight. The paper builds upon four critical areas, which are also highlighted in COSO’s Effective Enterprise Risk Oversight: The Role of the Board of Directors, to provide a basis for introspection about current approaches to risk management and to be a catalyst for management to strengthen its overall approach to enterprise wide risk management to help boards fulfill their risk oversight responsibilities. “Through our hands-on work with boards and senior executives of organizations of all sizes and industries, we observe a desire for stronger integration of strategy execution and risk oversight,” said Mark Beasley, Deloitte Professor of Enterprise Risk Management and Director of NC State’s ERM Initiative. “This COSO thought paper provides a rich discussion of the many ways management and boards can work to capture the strategic advantage of an enterprise-wide approach to risk management.” COSO has developed these two thought papers on enterprise risk management to provide more in-depth discussion on how senior management can strengthen risk management processes for strategic advantage. Both thought papers can be downloaded for free at www.coso.org, in addition to the executive summary of COSO’s Enterprise Risk Management – Integrated Framework (2004). ### About COSO Originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. COSO comprises the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and The Institute of Internal Auditors (IIA). About NC State’s ERM Initiative The ERM Initiative in the College of Management at North Carolina State University is pioneering thought-leadership about the emergent discipline of enterprise risk management, with a particular focus on the integration of ERM in strategy planning and governance. The ERM Initiative conducts outreach to business professionals through executive education and hands-on advising, its internet portal (www.erm.ncsu.edu); research, advancing knowledge and understanding of ERM issues; and undergraduate and graduate business education for the next generation of business executives.

Gartner Magic Quadrant Under Fire – Lawsuit Alleges Defamation and more

2009-10-22T18:31:57Z

A storm is brewing throughout the analyst community as one of the largest and most influential technology analyst firms comes under fire for one of their highest prized research artifacts – The Gartner Magic Quadrant (MQ) – ZL Technologies has filed a lawsuit alleging damages from Gartner’s Email and Archiving MQ and the MQ process [...]

Risk / Threat vs. Risk Issue

2009-10-26T18:07:55Z

***
Up front props:
1.   In the “risk universe” square, I used the “evolving change categorizations” from a Joshua Corman blog post found here.
2.   I heard the term “risk ecosystem” from Microsoft’s Mark Curphey in a video related to a risk repository web app they recently released called “Risk Tracker” (either here or here). I found the term to be valuable in the context of this blog post.
3.   The approach to the image above was not solely mine, I just embellished and sanitized on someone’s idea here at my employer.
***
Some terminology declarations:

I am using the word risk in a variety of capacities in this post.

In some cases, it is being used in the context of a threat (storm heading in my direction).

In other cases is being used in the context of a derived value; the probable magnitude and frequency of loss; $.

I am using the term “risk issue” or “risk finding” to mean a documented risk that requires a decision from management to either assume or mitigate.

Finally, in the database symbol titled “Risk Rep.” – that is short for “risk repository”.
***

I have recently been in a few conversations related to when a “risk” (or threat) becomes a “risk issue”. Most of these conversations have been with information security risk management executives; which implies “philosophying”, evangelizing, white boarding, and of course – excessive use of non-risk management analogies to reflect risk management concepts. In the end, these conversations turned out to be valuable because if forced the group to really understand when a risk (threat) becomes a risk issue in our environment. In other words, what are the various lenses we analyze threats or risk through to determine that we need to document a risk finding?

I will let you noodle the image and underlying concept on your own. However, below are a few parting points I would like to make.

1. There is a difference between grandstanding on risks (threats) that pose no threat to your company versus managing risk issues within your own risk ecosystem. Think “solar storm heading directly to Mars” versus “a storm cell that is 10 miles away with 65 mile per hour winds headed directly towards us”.

2. If a risk (threat) is important enough to grandstand on AND to begin mitigating – then it is no longer a risk, but a risk issue – and should be managed as such.

3. Emerging risks – or threats – somewhat fall in between the two above. You may want to let management know about some potential exposure – but there is nothing that needs to be addressed today.

Feel free to share any thoughts you have!

CIO: Don't attempt BPM system without mapping process flows

2009-11-02T23:17:38Z

Successful BPM system implementations and process automation efforts begin with mapping process flows and fixing bad processes, our CIO columnist says. Learn more here.

Twelve free project management templates

2009-11-03T23:39:35Z

To make your next project run like a dream, check out our link library that directs you to more than a dozen free project management templates and resources, including a free alternative to Microsoft Project, and Gantt chart how-tos.