Titanic Risks

April 16, 2012 by Luc
Filed under: Risk Management 

With the whole world talking about the Titanic disaster of 100 years ago, it might be good to put this into a risk perspective. It’s an interesting case for any risk manager out there, especially the ones who feel confident that they are in control. The story is well known, the Titanic was the ship that couldn’t sink and still . . .

Local or central documentation

March 15, 2012 by Luc
Filed under: General, Governance, Risk and Compliance 

Local or central documentation is consistently a trending business topic, but for some reason the number of discussions on this is larger than ever. I think this is caused by the larger number of true GRC implementations being executed now. Let me first try to describe the issue, and then try to give some guidance.

The GRC Journey

March 7, 2012 by Luc
Filed under: General, Governance, Risk and Compliance 

BWise always seems to have been in the travel business. When BWise sold process optimization projects, or business transformation, we always advocated the concept of thinking big, and starting small. Governance, Risk Management and Compliance is not any different. For many, this is such an over-arching idea, that the concept needs to be digested step by step.

Understanding Risk

February 16, 2012 by Luc
Filed under: General, Risk Management 

There is a fundamental truth about risk: if you don’t understand it, stay away from it. This is true when you try to repair the washing machine; ask the repairman when you’re afraid of being electrocuted. The same applies when you finance your house: if the mortgage construct is so complex that you don’t understand it, stay away. The same applies in business: if contracts are so complex that you don’t understand them, stay away. Similarly, when it looks too good to be true, it probably is. This too-good-to-be-true rule is actually the same as the understanding rule, because when it’s too good to be true, you probably don’t understand it.

The challenge of implementing Risk Appetite

February 6, 2012 by Luc
Filed under: General, Risk Management 

I just read a very good and comprehensive paper from COSO on Risk Appetite. Written by Dr. Larry Rittenberg and Frank Martens, the paper provides a practical and well-substantiated framework for implementing Risk Appetite. It is truly a paper to study carefully and put into practice. Well written and full of good examples, the paper will help companies take an important step forward in implementing Risk Appetite across the enterprise. The COSO website provides the full document.

The Issue with the Heat map

January 30, 2012 by Luc
Filed under: Risk Management 

Traditional Risk Assessment tends to look at the impact and likelihood of risk events. These get nicely plotted onto heat maps of all dimensions. There are varieties of heat maps that replace likelihood with frequency, which is similar on an abstract level. There are varieties that look at risk readiness rather than likelihood; the idea being that it is more important to understand whether the organization is ready for the event rather than know the likelihood of the event’s occurrence. Once the risk event strikes, you better know what to do. Debating its likelihood is no longer relevant. You need to act.

Assessing risks: Inherent or Residual

January 17, 2012 by Luc
Filed under: Governance, Risk and Compliance 

Triggered by a conversation with a Chief Risk Officer, I thought it would make sense to write down a few lines on the assessment of risks. What seems like regular practice for many turns out to be quite difficult for even more. The CRO said, “Aha, you’re assessing inherent and residual risk. We’ve been discussing this for a long time, and never got to the right answer.” This was the result of me just showing one example, as assessments are done in so many varied ways.

Assessing Operational Risks and Managing Incidents

December 22, 2011 by Luc
Filed under: Governance, Risk and Compliance 

I’d like to write about some basic things, nothing groundbreaking, simply using existing information you probably already have. Many organizations have a lot of information on their risks, but do not find ways to properly use it or do not find ways to garner business intelligence from it. Organizations may regularly perform risk assessments, some in a very structured way, many others in less structured ways. Many organizations already collect incidents, sometimes just for compliance purposes with no particular business reasoning. Few use the combined intelligence; could it be valuable to compare risk assessment results with incident data? Certainly for operational risk events, there should be a relation between the two. One would expect that a risk that is assessed as happening frequently would also result in demonstrable incidents. The interesting data results when you have the information, but you do not find the relation.

Continuous Auditing

A small note on our vision of Continuous Auditing (CA), or at least the way we interpret the terminology. There are many point solutions supporting Computer Assisted Audit Techniques (CAAT), Audit Data Analysis, Segregation of Duties analysis and Continuous Monitoring. For many of our customers it is now becoming more obvious that there are clear benefits in having these integrated in your GRC Suite.

A New Way of Working in GRC

December 8, 2011 by Luc
Filed under: General, Governance, Risk and Compliance 

We have been working hard on our latest release, BWise 4.1 Service Pack 3. A big thank you to the R&D and testing team who worked hard on yet another significant step forward. The release was recently shipped to our customers. We’ve added a lot of new features, but most importantly we focused on usability.
