We need to discard the continuing archaic attitude to Risk Appetite as a compliance policing action and develop it as a tool for improving management and system performance. In the brave new world of the volatile 21st-century business environment, not only are the goal posts moving, but the ground is moving under our feet.
Enterprise Compliance Today
In part 2 of my analysis of the ISO 31000 forum on “Does anyone really understand Emerging Risks?” I look at the 3rd question: How do you manage the unknown?
I recently opened an ISO 31000 Forum discussion on “Does anyone really understand Emerging Risks?” The discussion proved illuminating, so in this week’s post I thought I would share a summary of the forum discussion.
Where was the QANTAS Board Risk & Audit Committee during the past 6 years of Alan Joyce’s systematic destruction of what was, at one time, one of the world’s leading airlines?
Risk exists everywhere - the problem is knowing what to focus on. The ISO 31000 definition of risk as “the measure of uncertainty in a situation” hasn’t done a lot to clarify what corporate risk means for Directors providing "good corporate governance".
The Dept of Defence assesses capability in 7 categories: Purpose, Environment, Organisation, People, Process, Data, and Material. Below I have used this methodology to lay out the guiding principles for achieving a successful Enterprise Risk Management (ERM) system.
The “Risk Culture” Myth Part 3: The blurring of the difference between Risk Culture & Organizational Culture has had a major detrimental effect on ensuring good governance in corporations. A Risk Culture that is independent of Organizational Culture is as vital to good governance as an independent judiciary is to good government.
The Risk Culture Myth isn't anti-risk-culture; the point is that risk culture has been hijacked into a belief system. In this 2nd article on the Risk Culture Myth I attempt to re-position Risk Culture back to its original practical intent.
Risk Culture is the greatest myth perpetrated on business since the Y2K bug. Just like Y2K, an industry has now grown up around it assisting companies to improve their “risk culture”. The problem with “risk culture” is that it has been hijacked from its original practical intent to now being an impossible (and unrequired) philosophical pursuit.
Whilst the IT Industry has to bear the brunt of the responsibility, it is your business and your job that wears the consequences, and therefore it is in your best interest to intercede in the process to ensure your best possible outcome.