Comments for Governance, Risk and Compliance

Comment on Principles of ERM: A Common Risk Language is Good; But Grammar Comes First by Les Hardin

Les Hardin — Wed, 30 Nov 2011 18:46:16 +0000

I think this is brilliant. You are spot on, so many risk registers are jumbles of things from root cause to downstream effects. Thank you very much for this article.

Comment on Risk Rating the Audit Universe: Focus on Economic Value by James

James — Fri, 16 Sep 2011 23:05:00 +0000

Hi Bruce,

This is a very interesting and challenging topic. I have worked with a few CAEs back in my consulting days and as I look back I realise this is an area where most of them struggled. Fortunately, or unfortunately, I am now in a position where I am tasked with this responsibility (in a bank by the way). I have drafted my rating system based on the below factors:

1 The economic value or exposure.
2 Risk assessment
3 The control environment

Each of the factors has related criteria depending on the areas being covered, for example assets under management, economic profit, expenditure, e.t.c.

Can you please critic the aproach and suggest ways of improving it,

Cheers

Comment on 24 Reasons to Read ISO 31000 Risk Management – Principles and Guidelines by Alex Dali

Alex Dali — Tue, 19 Apr 2011 17:47:56 +0000

We have set up a group to discuss issues related to the ISO 31000 Risk Management standard.
The ultimate idea is to gather information, knowledge and experiences on the use and implementation of the international risk management standard ISO 31000, which could be share and benefit from each other knowledge and experience.

To join discussions on ISO 31000, click here :
http://www.linkedin.com/groups/ISO-31000-2009-Risk-Management-1834592?mostPopular=&gid=1834592

Comment on Planning for Internal Audit Value by A S Pahwa

A S Pahwa — Thu, 13 Jan 2011 06:33:28 +0000

I agree with the core objective of internal audit is to protect and help enhancing economic value of the business by identifing risk and suggesting mitigation steps.

Comment on Governance, Risk and Compliance Roundup: November 1 – 15 by ethicstraining

ethicstraining — Thu, 18 Nov 2010 22:25:20 +0000

I just discovered your blog and am finding a lot of interesting posts so far. Great work.

We (the non profit Josephson Institute of Ethics) just started our own business blog. I would be honored if you came by and gave any pointers for improvements. Here’s one of the latest posts, a guide on establishing an ethical workplace culture -
http://josephsoninstitute.org/business/blog/2010/11/creating-an-ethical-workplace-culture/

Comment on Who is driving GRC? – Reflections on the nature of innovation by Bruce McCuaig

Bruce McCuaig — Sat, 23 Oct 2010 15:49:26 +0000

I’d like to hear your views. The process and technology part is difficult enough. The people and culture part is even tougher, but that is where the benefits really lie. What suggestions do you have? How are you approaching this in your practice?

Comment on Who is driving GRC? – Reflections on the nature of innovation by Vladimir B. Bidniuk

Vladimir B. Bidniuk — Tue, 19 Oct 2010 14:46:35 +0000

I am a GRC Consultant in my territory, and I argue for an adoption of a holistic vision of GRC integrating processes, technology, people and culture and I would like to know more about this vision of Paisley.

Thanks.

Best regards.

Comment on Fundamentals of GRC: What is an Audit? by Bruce McCuaig

Bruce McCuaig — Tue, 12 Oct 2010 16:16:18 +0000

Norman, Thanks for the reply. I think you see where I am going with the thought.
A casual reader of the IPPF, seeing the word “audit” used about 145 times in a 19 page document might reasonably conclude that “audits” were an outcome and not a means to an end. In addition, I have on file a number of benchmarking studies that measure the efficiency and effectiveness of audit departments in conducting “audits” and totally failing to measure the assurance or other value added. I’d like to see the word “audit” largely eliminated from the vocabulary of the audit profession and replaced with “engagement”, which has a much broader meaning to me. The toolkit of the assurance professional should contain a lot more than “audits”, which to me are the most costly and often least reliable tool for providing assurance. More on assurance later. I believe “audits” are still the primary form of providing assurance. I thinkthe “audit” paradigm is stifling innovation.

Comment on Fundamentals of GRC: What is an Audit? by nmarks

nmarks — Mon, 11 Oct 2010 22:15:59 +0000

Bruce,

I am going to reply “at an angle”. The role of the internal audit function is NOT to perform audits. It is to provide assurance. Audits, otherwise called audit engagements or activities, are in the auditor’s toolkit but are not the end product.

I suggest starting the search for a definition with consideration of the IPPF definition of an engagement.

Norman

Comment on Principles of ERM: A Common Risk Language is Good; But Grammar Comes First by Greg Wendorff

Greg Wendorff — Thu, 23 Sep 2010 20:43:38 +0000

What a perfect summary describing ERM! I think that we generally are intimidated by all of the potential attributes associated with various levels of business risk that we lose sight of the foundational risk principals. I believe this clarity can help us align and position our products to help our clients manage risk around these principals.