When Risk Maps become Risk Traps
Let us step back and consider the process of collecting risk information for the purpose of communicating to senior management and the Board about the most important threats to their organization (that they may or may not be currently aware of) with sufficient credibility to cause them to sponsor further action.
Risk Appetite and Risk Tolerance
George Bernard Shaw has been quoted as saying “The English and Americans are two fine peoples, separated by a shared language”. It appears the drive to increase confusion has not stopped yet. Personally, having English as my second language, I mentally prefer the ISO vocabulary to the COSO one, but I can easily live with either. So:
Dear ISO and COSO organisations. Get together and agree on terminology.
Leverage your ERM as a powerful Decision Tool
Many companies and organisations have an Enterprise Risk Management (ERM) program in which they identify, evaluate and decide on the action to take on key risks to the company or organisation. For some this is a very systematic and well documented approach using scientific methodologies and the like; for others it is a collection of managerial perceptions. In almost all such processes, some decisions are taken, and the organisation believes it executes well on ERM.
Managing Legal Risks
The other day, I had a chat with a risk management consulting colleague who was working with and focusing on legal risks. He had trouble doing this well as he found that people with a legal background:
• Have limited or no insights into statistics
• Rarely, if ever, work with a spreadsheet
• Find it hard to quantify risks and opportunities
Heat Maps and Risk Management
Heat maps are commonly used as reporting and discussion tools in risk management. However, there are two different categories of heat maps, and only one of them is useful.