Archive for the ‘Myths’ Category
By Patrick O'Brien February 29th, 2008 in: Enterprise Risk Management (ERM), Myths
Nassim Taleb, in his book The Black Swan: The Impact of the Highly Improbable, repeatedly tells us that “what you don’t know is far more relevant than what you do know.” Taleb believes that the world is dominated by the extreme, the unknown and the very improbable. Events such as the Russian financial crisis in August, [...]
By Gordon Burnes February 27th, 2008 in: IT Risk and Compliance, Information Security, Myths, Operational Risk
Attrition.org maintains a list of public, high profile data breaches. The list is staggeringly long, and goes back to the year 2000. TJX, while a high profile data breach and perhaps one of the biggest stories of 2007, is only one of the many that were publicly reported. And, companies have a vested interest in [...]
By Patrick O'Brien February 25th, 2008 in: Enterprise Risk Management (ERM), Myths
“There are really no cook-book solutions. One has to use creativity and a lot of common sense.” – May 16, 2000, email response from ENRON risk expert Vince Kaminski when asked by a colleague to recommend a good book on operational risk.
As ENRON proved, creativity is a No-No and common sense just isn’t enough [...]
By Patrick O'Brien February 19th, 2008 in: Enterprise Risk Management (ERM), Myths
In “The End of Enterprise Risk Management” [Martin and Power] the authors claim that ERM frameworks are outmoded because they embody a rather unrealistic and outdated theory of organizations – the “bird’s eye view” from the top. These “ERM models are deeply hierarchical in a way which is out of line with a great deal [...]
By Gordon Burnes February 15th, 2008 in: Myths
A traditional model for planning the audit process typically examines 10-20 risk factors for each element of the audit universe, and buckets each auditable entity into a risk categorization which will drive the frequency with which it is audited. While this approach may have worked well in the past, modern audit departments are being asked [...]
By Gordon Burnes February 12th, 2008 in: Enterprise Risk Management (ERM), Myths
Spreadsheet gurus have carved out a significant role in managing financial and operational data in many companies. The problem with this approach is that it’s a) manually intensive and b) highly reliant on the individuals that manage and operate these spreadsheets. Further, the processes for linking, updating and archiving data in spreadsheets are mostly ad hoc, [...]
By Gordon Burnes February 5th, 2008 in: Myths
ERM, similar to most business processes, is not a “one-size-fits-all” solution. It has to be customized and tailored for each firm. As Mark Olson of the Federal Reserve notes, “An effective enterprise-wide compliance-risk management program is flexible to respond to change and it is tailored to an organization’s corporate strategies, business activities and external environment.” [...]
By Gordon Burnes January 28th, 2008 in: Myths
As we mentioned last week, during the heyday of buying for Sarbanes-Oxley (SOX) compliance solutions, many companies put in place technology platforms that now support a variety of risk and compliance initiatives. SOX solutions were generally purchased with the tacit approval of IT, but, given the range of solutions currently in deployment (spreadsheets, custom applications [...]
By Gordon Burnes January 25th, 2008 in: IT Risk and Compliance, Information Security, Myths
In November, I blogged about the difference between IT Risk Management and Information Security. For the full post, read here.
There’s a big difference between tactical execution and strategic oversight. Therein lies the challenge with most information security programs; they place far too much emphasis on the how and what, and far too little on the [...]
By Gordon Burnes January 24th, 2008 in: Enterprise Risk Management (ERM), Governance, Risk and Compliance (GRC), Myths
On a daily basis, we’re out speaking with prospects, customers, analysts, press, and thought leaders in the GRC/ERM space. Over the course of the last year, we’ve heard many myths about risk management, and, over the course of the next couple weeks, we’ll address these myths. But we thought that we would give you a [...]