Risk Management Insights

I want to join the BLOG

10/05/2017 / Security Risk Management, information security management

Cyber security – will we ever be safe?

I recently read an article in the @TheEconomist (April 8 edition) entitled The Myth of Cyber Security, a somewhat depressing article on the poor state of cyber security globally. The author discussed numerous reasons behind the current problems:

  • Software complexity and speed of development
  • Users failure to protect themselves
  • The technology industry’s inability to self regulate and accept liability for product flaws

The last point drawing comparisons to the car industry in the early 1960’s. It was not until the government forced their hand on safety did the industry’s attitude change.  The author considered that perhaps additional government intervention could be beneficial to the technology sector.  Examples included increased reporting requirements for companies that are hacked, forced default password changes and legislated timeframes for fixes to "at risk" products.

Read More

25/04/2017 / Risk Management, Performance Management, Risk and Reward

Opportunity risk management

Writing blogs in risk management is risky. It has a potential upside and a downside.  On the upside, the hope is that the blog adds to the development of risk management thinking and at the least promotes discussion on ideas that could lead to improvements in this great discipline. On the downside, it opens oneself up to criticism, usually relating to the view that we are overcomplicating things and/or not being technically correct. 

I for one, think the risk is worth taking as I believe the upside outweighs the downside and by and large positive and/or constructive feedback outweighs any negative and or destructive comments.

Read More

21/04/2017 / Enterprise Risk Management, Inherent & Residual Risk

Inherent Risk: Friend or Foe?

What does Inherent Risk mean?
There are few common definitions in risk but "Inherent Risk" is commonly defined as "the risk without considering internal controls" or alternatively "a raw risk that has no mitigation factors or treatments applied to it". Residual Risk on the other hand is commonly defined as "the level of risk remaining after the relevant controls have been applied".

Read More

23/03/2017 / Risk Management Training, Inherent & Residual Risk

Risk Appetite - Inherent and Residual?

 The case for setting both an Inherent and Residual Risk Appetite

In the last two blogs, Inherent Risk - It is useful? and Expected and Targeted risks, I discussed the potential value of assessing inherent, residual, expected and targeted risks. In this article, I go one stage further and discuss the potential relevance and value of setting both an inherent and residual risk appetite. 

The instigator that prompted me to consider this topic came from a board risk appetite setting session I conducted a short time ago. It was clear that the board was not going to agree on the levels of risk appetite for certain risks as their views were quite diverse.

At one extreme, one director wanted to set high appetites, especially for strategic risk, while another more conservative director was very uncomfortable with this and wished to set much lower appetites.  Listening to the conversations it becomes clear that the discussion was at cross purposes.

Read More

16/03/2017 / Protecht News & Events, Risk Culture, Risk Management, Risk Management Training

Risk and Compliance Management Journey

A personal story

Behind every hard-working professional there is always a personal story to tell and one of the best ways of learning is listening, talking and sharing those stories and those personal points of view. A key philosophy at Protecht is to listen and learn from professionals across all lines of business.

I was recently invited to present the Governance Institute Dux Awards for Risk and Compliance, a recognition that Protecht has been sponsoring for a number of years. The award recipients generally don't have a background in risk and compliance management, with many coming from legal or accounting professions.

Read More

10/03/2017 / Enterprise Risk Management, Risk Culture, Risk Management

How to Achieve your Risk Management Goals

TEN KEYS to Risk Management Success 

Having worked with many clients over the years in implementing, maintaining and developing their risk management systems you learn what works and, on the other hand, what does not.

The following are my top TEN KEYS to success – get these right and you will have a risk management function that is seen as critical as any other management function in the value it adds.

1. Keep it Simple

With any developing discipline, there is a tendency to invent new words and use big words that sound smart but no one understands. Risk management is no exception with a myriad of fancy words and acronyms. 

Read More

23/02/2017 / Risk Management, Risk and Control Self Assessment, Risk Maturity, Risk Controls

Expected and Targeted Risks

Are they useful?

Residual risk, the risk after considering existing controls, is universally accepted as important to assess in the risk assessment process. 

In a previous blog article,  we questioned whether inherent risk was useful. We concluded on balance that it can be a useful concept to recognise and assess. Inherent risk is useful in providing assistance when assessing the importance of controls and helping in the understanding of stress test scenarios.

This blog takes the next step and explores whether “Expected” and “Targeted” risk are useful. 

Read More

09/02/2017 / Enterprise Risk Management, Risk Culture, Risk Manager

Our Top 5 Risk Management blogs in 2016

It is already February 2017. The year certainly feels like it is flying by. We are glad to see that our Risk Management Insights Blog continues to be read by thousands of professionals such as you, from all around the world. We all seem to receive a lot of information every day from many different sources. So to ensure that you didn't missed out on some of the articles that we have shared, we thought we would recap on some of our articles from 2016.

So we have made a selection of the '2016 Top five most read blogs'. We hope you enjoy the content and if you have not subscribed yet, just click here to receive the next articles directly in your Inbox. Enjoy.

1. What does it take to be a Risk Manager?

What are the key skills and characteristics needed to be successful in this role? Here is my list:

  • Risk management is to a large degree an art form. This requires a strong right hand (artistic) brain, able to cope with qualitative and inexact concepts and able to “see” into the future.
  • At the same time, the risk manager needs to be logical, analytical, problem-solving and exhibit a high degree of common sense.
  • The risk manager must be commercially astute and demonstrate a high degree of business acumen. Read more.

Operational Risk Management and the wider defined Enterprise Risk Management are often touted as a new concept. While the methodologies and processes employed may have been enhanced in the recent past, risk management is hardly new. Humans, arising from the instinct for survival, have been using and developing risk management techniques from the beginning of time. Continue reading here.

Read More

26/01/2017 / Enterprise Risk Management, Inherent & Residual Risk, Risk Controls

Inherent Risk – Is it useful?

The ISO 31000:2009 standard does not refer to “inherent” risk. Is this a deliberate omission and if so, what is the reason? This leads to the question as to whether inherent risk is a useful concept in risk management and risk assessment. The main areas of contention are:

What does Inherent Risk mean?

There are few common definitions in risk but “Inherent risk” is commonly defined as “the risk without considering internal controls” or alternatively “a raw risk that has no mitigation factors or treatments applied to it”. Residual Risk on the other hand is commonly defined as “the level of risk remaining after controls have been applied”. 

Read More

25/01/2017 / Risk Culture

The 6 key elements to creating and maintaining a good risk culture

You can take a horse to water but you cannot make it drink. You can take risk management to your business but you cannot make them do it. People, to be successful in anything they do, must have a desire to do it.

This breeds passion which drives people to excel.

Getting the right culture to support risk management across your business is the most important ingredient for success. 

So what does the right “risk culture” mean and how do we create and maintain it? Culture is embedded within people’s thoughts which then influence their behaviours and actions. Risk culture, is their thinking, behaviours and actions around risk and risk management.

Read More