Sunday, April 17, 2011
The appropriate definition of risk
Unhelpfully, there are lots of different definitions of risk. For example, "a risk" can mean "a potential event". What helps me is thinking about what people mean when they ask the question "what is the risk?": they mean "what is the probability and significance of the outcome". Therefore risk is the probability and level of impact associated with an event.
But should it just be "event"? In some circumstances it may be helpful to think in terms of outcomes, situations and occurrences. For example, having insufficient premises isn't something that fits the definition of an event, but rather a situation.
But should it just be "event"? In some circumstances it may be helpful to think in terms of outcomes, situations and occurrences. For example, having insufficient premises isn't something that fits the definition of an event, but rather a situation.
Working backwards from controls?
Where there are already controls in place, should the risk be added to the risk register?
For example, if an organisation is new to implementing risk management, is it appropriate to track back from the controls in place to ensure all controls and their corresponding risks are on the risk register?
For example, if an organisation is new to implementing risk management, is it appropriate to track back from the controls in place to ensure all controls and their corresponding risks are on the risk register?
Risk: how low do you go?
How complete does risk management need to be? How low (impact/probability) should you go? At what stage are you just making risk management bureaucratic? How do you evidence the consideration of this long tail without including it in the risk management process?
We think to ourselves "this risk is too low (impact/probability) to include in our risk management". But this undocumented thought is itself risk management.
Is there an opportunity to outsource risk management for low value risks? Such an outsourcing function would, based on business criteria and information provided to it, estimate the relevant low value risks to the business. This document can then be shared with the organisation for sense checking (and possible escalation of some risks into the core risk register).
We think to ourselves "this risk is too low (impact/probability) to include in our risk management". But this undocumented thought is itself risk management.
Is there an opportunity to outsource risk management for low value risks? Such an outsourcing function would, based on business criteria and information provided to it, estimate the relevant low value risks to the business. This document can then be shared with the organisation for sense checking (and possible escalation of some risks into the core risk register).
Saturday, April 9, 2011
Organisational responsibility database
Often it is very difficult, particularly in a large organisation, to find out who has responsibility for what. One possible solution would be an organisational responsibility database. All of the responsibilities are defined in the database, and then assigned to a particular person. Another possibility would be to encourage staff to detail their responsibilities on the internal directory (and upload their job descriptions to it).
SOX software
Anyone who enjoys SOX auditing needs their head examined. But SOX auditing can be made much better. One of the areas of weakness in SOX auditing is relying on spreadsheets and other documents that could well have been prepared when asked for rather than at the time. A solution to this problem would be to create a SOX database system that allows a person (preparer) to upload a file, which is then date stamped and locked. Another person edits/reviews that file, another version of which is then date stamped and locked. Such a system would ensure segregation of duty (as long as password sharing doesn't occur) and prove that audit trail existed at the time.
Subscribe to:
Posts (Atom)