Enterprise Compliance Today
Risk Appetite is such a simple concept that everyone thinks they know but invariably misunderstands. COSO and other regulatory requirements for boards to issue a Risk Appetite Statement have led to a belief that a business has an overarching level of risk tolerance. Personally I don’t believe these Risk Appetite Statements add any value, but regulators are regulators.
Corporate objectives are not the “bullseye” of strategic planning; they're just the dartboard. Boards are assessed by the quality of their Results, not the quality of their Objectives.
COSO has announced its intention to review its 2004 ERM Framework and has already started soliciting feedback. Although it has been broadly panned by the Risk fraternity, I believe it can provide a valuable contribution to the GRC landscape. Although I expect critics from both sides (COSO & ISO 31000), here are my recommendations.
There is a gaggle of Management Consultants pushing the 20th century mantra of Good Management Practice as a panacea for all the ills of today’s business environment. The key plank in most of these methodologies is that old chestnut, “the PDCA cycle” for Continuous Improvement. If your consultant wears this as a badge, run a mile!
We need to discard the continuing archaic attitude to Risk Appetite as a compliance policing action and develop it as a tool for improving management and system performance. In the brave new world of the 21st century's volatile business environment, not only are the goal posts moving, but the ground is moving under our feet.
In part 2 of my analysis of the ISO 31000 forum on “Does anyone really understand Emerging Risks?” I look at the 3rd question: How do you manage the unknown?
I recently opened an ISO 31000 Forum discussion on “Does anyone really understand Emerging Risks?” The discussion proved illuminating, so in this week’s post I thought I would share a summary of the forum discussion.
Where was the QANTAS Board Risk & Audit Committee during the past 6 years of Alan Joyce’s systematic destruction of what was, at one time, one of the world’s leading airlines?
Risk exists everywhere - the problem is knowing what to focus on. ISO 31000's definition of risk as “the measure of uncertainty in a situation” hasn’t done a lot to clarify what corporate risk means for Directors providing "good corporate governance".