Risk Management Insights

I want to join the BLOG

13/12/2017 / Protecht News & Events, Risk Culture, Risk Management

2017 Wow... What a Year

Protecht's 2017 in Review! Thank You for Your Support

The last 12 months have been full of amazing changes and challenges for Protecht and we want to take this opportunity to thank all our clients, partners, staff members and blog readers for all the support. We have many reasons to celebrate; continued growth in our wonderful advisory, development and support teams, record growth in client numbers as well as the move of our Sydney head office to a bigger and better space. It was almost 20 years ago that David Tattam and I commenced working together on the Protecht concept, dreaming of one day having a leading risk management training, advisory and software company. There is still more to do as always, but it has been the most rewarding business risk that we have ever taken. 

Below are some of the milestones that made this year unforgettable for us and also some pictures of our clients and staff Christmas parties. Merry Christmas and Happy New Year 2018. 

Read More

13/12/2017 / information security management

Infographic: Information Risk Management Framework

transform_your_data.png

In previous articles, we have talked about the increasing importance that data collection and data management have in business strategy. On this occasion we are inviting you to consider, what are you doing with the information that the company is receiving and storing? Is there a robust process to manage, secure and protect it in an effective way and is that process an integral part of your Enterprise Risk Management framework?

In the infographic below you will see the four key stages that should make up the process. The starting point is to identify all sources of information that are used and managed by the organisation. To do this, you need to design an "Information Asset Register". Once this has been developed, you can then apply risk management to manage the risks that could stop your information management objectives being achieved.

Read More

08/12/2017 / Operational Risk, Key Risk Indicators, Risk Manager, KRIs

How do Key Risk Indicators work?


In February this year, I ran a blog highlighting the power of the human brain and its senses in acting as a personal key risk indicator (KRI) system for personal early warning risk awareness as we journey through this inherently risky world.

This blog looks at the potentially awesome power that a well-designed and well applied
KRI system can have in the business world.

KRIs have multiple purposes. The main one is to act as an early warning system to prompt initial investigation and response so as to deal with a risk early in its life. It helps a firefighting risk manager to become a proactive risk preventer. At a wider level, KRIs allow us to “measure” risk and incorporate risk into risk-based performance measurement, risk-based decision making and risk-based incentive schemes.

So how do KRIs work?

KRIs operate on the fact that as risk develops through its life, from root cause(s), through event(s) to final impact(s), red flags, symptoms and other evidence may be given off.  KRIs tap into this information and turn it into intelligence to then be investigated and acted upon to deal with the risk most appropriately.

Read More

20/11/2017 / Compliance Management, Risk Culture, Risk Management

Compliance Risk Management Real Example

Gorillas and Bears – Comply or Die!

The story of Harambe, the Cincinnati Zoo’s much-loved Gorilla, went global in its interest. A defenceless animal was shot and killed to save a child who had fallen into its enclosure, not to mention the trauma suffered by the child. Investigations have since found that the barrier separating the public from the gorilla was not in compliance with primate-housing standards and requirements.

This simple story serves as a reminder as to the real reason for the compliance requirements and obligations we face, that is, protection of the various stakeholders of our businesses.

Read More

06/10/2017 / Enterprise Risk Management, Risk Culture, GRC

Making Risk Sexy

This article was written by Vicki Wilder , Board Director, Governance Professional. Edith Cowan University. We are sharing it with the Protecht Risk Management Insights Blog readers. 

sexy
ˈsɛksi’
adjective

1. Sexually attractive or exciting. "Sexy French underwear". Synonyms: sexually attractive, seductive, desirable, alluring, inviting, sensual, sultry, slinky, provocative, tempting, tantalizing; more

2. Informal - very exciting or appealing.
"business magazines might not seem like the sexiest career choice"
synonyms: exciting, stimulating, interesting, appealing, intriguing. Source here.

Have I got your attention?

As our team barrelled down the road in an SUV on our way to a team builder last year, a sign blared “Sexy Salmon Fillets” near a fishmonger. The mind boggles. Sexy (definition No. 1) , I’m pretty sure they weren’t, but topic of conversation they remained for months, so hats off to the advertiser - they had our attention. Given the apparent multiple definitions perhaps they meant that the fillets were appealing?

Read More

14/09/2017 / Enterprise Risk Management, Protecht News & Events, Risk Culture

Risk and Compliance Conference Season 2017

The Protecht team is looking forward to this year's conference season. Our focus will be on industry specific conferences where we will showcase how Protecht's full suite of risk management training, advisory and software services map to the needs of each industry sector.

Read More

12/09/2017 / Compliance Management, Risk Culture, ERM

Reputation Damage - Risk Event or Risk Impact?

Looking back over the last 12 months, corporate scandals continue with the finance industry seemingly always managing to make the headlines. Wells Fargo fake accounts in the US, CBA anti money laundering issues in Australia are two examples. The flow on effects from these scandals are often similar:

  1. Executives and CEO's involved are ushered out the door - key person risks arise.
  2. Fines were or will be imposed by regulatory agencies, which seem larger and more punitive in recent years.
  3. Class action lawsuits are attempted on behalf of disgruntled shareholders resulting in additional legal fees and potential settlement costs.
  4. Strategic growth objectives are derailed, as the companies involved need to batten down the hatches to recover from the scandal.
Read More

21/07/2017 / Enterprise Risk Management, Risk Culture, Risk Management, Risk Controls

Prevention is better than cure - and other risk management cliches

There are many well used, almost clichéd phrases in the English language that contain powerful messages for the risk manager. Some that come to mind include:

Every cloud has a silver lining:  If we suffer a risk incident, we can usually find value, especially if we manage the incident really well and learn from our past mistakes.

What doesn’t kill you makes you stronger: Failure is good, as long as we fail within our risk appetite, fail fast, fail with minimal damage and most importantly, learn from our failures. This will only make us stronger in the long term.

And my favourite…

Prevention is better than cure: It is better to practice proactive, preventive risk management rather than reactive firefighting risk management. 

Read More

19/06/2017 / Enterprise Risk Management, Risk Controls

Risk Event Libraries. Do your own sanity check.

At Protecht, we get to see a lot of risk event libraries. There continues to be some confusion as to what is actually a risk event that is worthy of its place in a central library of risks. We often see these libraries peppered with failed controls, impacts and causes rather than the true underlying risk event.

In this blog we hope to provide some tips for you to do your own sanity check on the quality of risks in your risk registers or library. 

It helps to first think about the output – what will our reporting to stakeholders at both management and Board level look like and be used for. If risk events are too broad, aggregation of supporting data such as incidents and internal audit findings connected to such broad risks will become less useful, as will any attempt to allocate a meaningful set of controls to the risk. Too specific with lots of detail, renders summation of the top risks in charts as too unwieldy and confusion as to what is the actual risk event.

Examples would be as follows:

Criminal activitytoo broad. In this example, there are too many sub risks with different controls that need to be assessed. If all internal audit findings and incidents relating to internal fraud were wrapped up to this ‘risk event’ the first thing any Board member would ask is what type of criminal activity are we talking about? Rather than a risk event – this would be a good risk category, similar to other risk categories such as Employment Practices and Safety and Business Disruption.

Read More

06/06/2017 / Enterprise Risk Management, Risk Culture, Operational Risk, Risk Controls

Reducing human error...

What is Human Error?

Risk events often have many contributing causes, a common one being ‘human error’. But what is human error can be adequately mitigated? Human error can be defined as being a ‘failure of a planned action to achieve a desired outcome’.

Actions can fail to achieve the desired outcome if the action itself is inadequate for the purpose for which it was designed; or the action can be adequate but the execution of the action can be deficient – either through unintentional or intentional behaviours of people. Related article Expected and Targeted Risks.

Outcomes? 
There are therefore six possible outcomes in the combination of plan and human action:

  1. An adequate plan that is intentionally followed will likely result in the avoidance of the risk event
  2. An adequate plan that is unintentionally not followed will likely result in failure – a risk event caused by human error
  3. An adequate plan that is intentionally not followed will likely result in failure – a risk event caused by malice
  4. An inadequate plan that is intentionally followed will likely result in failure – a risk event caused by poor planning
  5. & 6. An inadequate plan that is unintentionally or intentionally not followed has a higher likelihood of failure or success of meeting the ultimate objective.

An example…
Is the case of the Piper Alpha disaster, where personnel who followed the muster procedures found that they could not access the lifeboats from the accommodation block, personnel who survived the disaster were those who (unintentionally or intentionally) chose to violate the muster rule and ‘step off’ the platform into the ocean. Therefore, an inadequate rule (plan) was violated and the ultimate objective (no fatalities) was individually achieved as these people avoided the risk event.

Read More