Understanding Risk

February 16, 2012 by Luc
Filed under: General, Risk Management 

There is a fundamental truth about risk: if you don’t understand it, stay away from it. This is true when you try to repair the washing machine. Ask the repair man when you’re afraid of being electrocuted. Same when you finance your house: if the mortgage construct is so complex you don’t understand it, stay away. Same in business: if contracts are so complex you don’t understand them, stay away. Similarly, when it looks too good to be true, it probably is. This too-good-to-be-true rule is actually the same as the understanding rule, because when it’s too good to be true, you probably don’t understand it.

The challenge of implementing Risk Appetite

February 6, 2012 by Luc
Filed under: General, Risk Management 

I just read a very good and comprehensive paper from COSO on Risk Appetite. Written by Dr. Larry Rittenberger and Frank Martens, the paper provides a practical and well-substantiated framework for implementing Risk Appetite. It is truly a paper to study carefully and put into practice. Well written and full of good examples, the paper will help companies take an important step forward in implementing Risk Appetite across the enterprise. The COSO website provides the full document.

The Issue with the Heat map

January 30, 2012 by Luc
Filed under: Risk Management 

Traditional Risk Assessment tends to look at the impact and likelihood of risk events. These get nicely plotted onto heat maps of all dimensions. There are varieties of heat maps that replace likelihood with frequency, which is similar on an abstract level. There are varieties that look at risk readiness rather than likelihood; the idea being that it is more important to understand whether the organization is ready for the event rather than know the likelihood of the event’s occurrence. Once the risk event strikes, you better know what to do. Debating its likelihood is no longer relevant. You need to act.

Assessing risks: Inherent or Residual

January 17, 2012 by Luc
Filed under: Governance, Risk and Compliance 

Triggered by a conversation with a Chief Risk Officer, I thought it would make sense to write down a few lines on the assessment of risks. What seems like a regular practice for many is quite difficult for even more, it turns out. The CRO said, “Aha, you’re assessing inherent and residual risk. We’ve been discussing this for a long time, and never got to the right answer.” This was a result of me just showing one example, as assessments are done in so many varied ways.

Assessing Operational Risks and Managing Incidents

December 22, 2011 by Luc
Filed under: Governance, Risk and Compliance 

I’d like to write about some basic things, nothing groundbreaking, simply using existing information you probably already have. Many organizations have a lot of information on their risks, but do not find ways to properly use it or do not find ways to garner business intelligence from it. Organizations may regularly perform risk assessments, some in a very structured way, many others in less structured ways. Many organizations already collect incidents, sometimes just for compliance purposes with no particular business reasoning. Few use the combined intelligence; could it be valuable to compare risk assessment results with incident data? Certainly for operational risk events, there should be a relation between the two. One would expect that a risk that is assessed and is happening frequently would also result in demonstrable incidents. The interesting data results when you have the information, but you do not find the relation.

Continuous Auditing

A small note on our vision of Continuous Auditing (CA), or at least the way we interpret the terminology. There are many point solutions for support of Computer Assisted Audit Techniques (CAAT), Audit Data Analysis, Segregation of Duties analysis and Continuous Monitoring. For many of our customers it is now becoming more obvious that there are clear benefits in having these integrated in your GRC Suite:

A New Way of Working in GRC

December 8, 2011 by Luc
Filed under: General, Governance, Risk and Compliance 

We have been working hard on our latest release, BWise 4.1 Service pack 3. A big thank you to the R&D and testing team who worked hard on yet another significant step forward. The release was recently shipped to our customers. We’ve added a lot of new features, but most importantly we focused on usability.

Independent Research Firm Forrester Research, Inc. names BWise a Leader in EGRC Platforms

December 1, 2011 by Luc
Filed under: General, Governance, Risk and Compliance 

While on my way to a client meeting I got stuck in one of the worst traffic jams I’ve seen in a long time. On any other day, this would have seriously affected my good mood – to put it lightly. But today, no glitch — not the traffic’s crawling pace nor my inevitable tardiness for a meeting — could wipe a smile off my face. I just received excellent news about BWise.

The Forrester Wave report on Enterprise Governance, Risk Management and Compliance (GRC) was just released. Forrester has always ranked us as a leading provider of GRC solutions but this latest Wave report placed us at the top. When I received the final version of the report, I was exhilarated to read the glowing review of BWise from this independent researcher. Please request a complimentary copy of the “The Forrester Wave™: Enterprise Governance, Risk, and Compliance Platforms, Q4 2011” report.

300,000 Financial Analysts can’t be wrong, right?

October 24, 2011 by Mikko
Filed under: General, Sustainability and EHS 

I have been working for BWise for roughly half a year now. My job is to develop and manage our Sustainability and Environmental Health and Safety (EHS) solutions. It is going well. We have developed a concept and solutions around sustainability and EHS. BWise’s vision is that these issues are important to the corporate value of an organization and should be integrated into the daily business operations using a risk management methodology.

IT GRC, what’s the difference?

October 6, 2011 by Luc
Filed under: General, IT Governance 

There is a lot of discussion about Enterprise Governance, Risk Management and Compliance and IT Governance, Risk Management and Compliance. Are they different, are they the same, is the one part of the other?