Enterprise Compliance Today
- Not being outcome-focused
- Not using risk-based targeting
- Not adding value
- Not being timely
An effective Corporate Risk management system (or ERM) requires developing a detailed inventory of all the drivers and influences and how they affect the organisation. It requires a methodical and introspective commitment to fully understand what makes things tick, but as with most things, a bit of effort upfront produces a lifetime of benefits.
Why, with the number of fertile minds that exist in our field, is it still a case of an irresistible force meeting an immovable object? The paradox, I believe, like our would-be entrepreneurs, is one of approach.
Return on Investment (ROI) does not come from automating a process but from using it to add value. Value adding comes from targeting time and resources, risk-based thinking, and Business Intelligence where they can deliver the greatest benefit to achieving the organisation’s strategic goals.
Risk Appetite is such a simple concept that everyone thinks they know it but invariably misunderstand it. COSO and other regulatory requirements for boards to issue a Risk Appetite Statement have led to a belief that a business has an overarching level of risk tolerance. Personally, I don’t believe these Risk Appetite Statements add any value, but regulators are regulators.
Corporate objectives are not the “bull’s-eye” of strategic planning; they’re just the dartboard. Boards are assessed by the quality of their Results, not the quality of their Objectives.
With the recent release of a new British standard, BS 65000 on Organisational Resilience, and COSO’s announcement of a review of its 2001 COSO ERM framework, I believe that business is moving ahead of ISO 31000 as a necessary response to the evolving business environment and the accelerating rate of technical change; therefore there is a strong case for taking a fresh look at ISO 31000.