approach - Blog - Global Risk Community2024-03-29T12:15:53Zhttps://globalriskcommunity.com/profiles/blogs/feed/tag/approachIn the Midst of COVID-19, Is Your Supply Chain Resilient?https://globalriskcommunity.com/profiles/blogs/in-the-midst-of-covid-19-is-your-supply-chain-resilient2020-07-18T05:38:42.000Z2020-07-18T05:38:42.000ZJoseph Robinsonhttps://globalriskcommunity.com/members/JosephRobinson808<div><p></p><p><a href="https://flevy.com/browse/flevypro/supply-chain-resiliency-4147">Supply Chain Resiliency</a> is the capability of the Supply Chain to be prepared for unexpected risk events. It is the Supply Chain’s ability <a href="https://flevy.com/blog/wp-content/uploads/2020/05/pic-1-Supply-Chain-Resiliency-200x300.jpeg" target="_blank"><img src="https://flevy.com/blog/wp-content/uploads/2020/05/pic-1-Supply-Chain-Resiliency-200x300.jpeg?profile=RESIZE_710x" width="200" class="align-right" alt="pic-1-Supply-Chain-Resiliency-200x300.jpeg?profile=RESIZE_710x" /></a>to respond to and recover quickly from potential disruptions. It can return to its original situation or grow by moving to a new, more desirable state in order to increase customer service, market share, and financial performance.</p><p>Resilience is an increasing concern in the Supply Chain because of globalization. Supply Chains worldwide are subject to diverse types of disturbances. The largest disruption so far in the global Supply Chain in modern history was the earthquake and tsunami in Japan in March 2011. The resiliency of the Supply Chain has not kept pace with the rising level of logistical complexity. 
These disturbances need to be handled in the right way, which calls for tools and approaches that can support resilient Supply Chain decisions.</p><p>With the onset of the COVID-19 pandemic, resiliency in the Supply Chain is further emphasized.</p><h3><strong>Understanding Supply Chain Resilience</strong></h3><p>The risk of Supply Chain disruption is increasing. A recent study by Aon Risk Solutions showed that the percentage of global companies reporting a loss of income due to a Supply Chain disruption increased from 28% in 2011 to 42% in 2013. The MIT Scale Network Study further showed that many large companies are unable to create contingency rules and procedures for operations during a complex, high-risk event.</p><p>According to the MIT study, approximately 60% of surveyed managers either do not actively work on Supply Chain risk management or do not consider their company’s risk management practice effective. Managers have been found to lack a framework to guide them in the deployment of risk management practices. In fact, it has been noted that there is little understanding of risks, resulting in a lack of knowledge of what kind of framework fits a particular Supply Chain’s dynamics.</p><p>For <a href="https://flevy.com/business-toolkit/supply-chain-management">Supply Chain Management</a> to keep up with the increasing level of logistical complexity, there is a need to reconfigure the Supply Chain.</p><h3><strong>The 5-phase Approach to Supply Chain Resilience</strong></h3><p>In 2005, Cisco had difficulty coping when Hurricane Katrina struck. The Supply Chain performance level was not maintained to cope with the sudden surge in orders for new equipment to replace damaged telecommunication infrastructure. The Cisco teams could not locate all products in the Supply Chain or understand the financial impact of emergency sales. However, 2011 was a turning point for Cisco. 
Cisco had deployed a very solid Supply Chain resiliency program that addressed the impact of external vulnerabilities and the aftereffects they caused in the Supply Chain.</p><p>Cisco has succeeded by executing a <a href="https://flevy.com/browse/flevypro/supply-chain-resiliency-4147">5-phase approach to Supply Chain Resiliency</a>.</p><p><a href="https://flevy.com/browse/flevypro/supply-chain-resiliency-4147" target="_blank"><img src="https://flevy.com/blog/wp-content/uploads/2020/05/pic-2-Supply-Chain-Resiliency.png?profile=RESIZE_710x" width="750" class="align-full" alt="pic-2-Supply-Chain-Resiliency.png?profile=RESIZE_710x" /></a></p><p>In reconfiguring its Supply Chain to make it more resilient, Cisco first identified its strategic objectives.</p><p><strong>Phase 1: Identify Strategic Objectives</strong>. The first phase is focused on identifying competitive priorities for particular product categories. It matches priorities with Supply Chain capabilities.</p><p>Through <a href="https://flevy.com/strategic-planning">Strategic Planning</a>, Cisco was able to build its competitive advantage, which depended on its ability to match global opportunities to outsource production with global market opportunities. This is known as the Cisco Lean Model.</p><p><strong>Phase 2: Mapping Supply Chain Vulnerabilities.</strong> This phase focused on understanding the company’s vulnerabilities. Supply Chains are vulnerable on many fronts—political upheavals, regulatory compliance mandates, increasing economic uncertainty, natural disasters, etc. Being aware of the vulnerabilities will enable the organization to come up with the appropriate design to achieve Supply Chain Resiliency.</p><p>In undertaking the second phase, Cisco focused on supporting a responsible global Supply Chain characterized by product differentiation, high value, and high margins. 
Mitigation measures were also implemented to make the Supply Chain resilient.</p><p>With the 5-phase approach, Cisco was able to achieve a resilient Supply Chain capable of effectively managing disruptions. It has also prepared the company to address risk management warning signs and deploy the appropriate reactive tools for every kind of significantly disruptive event.</p><p>Interested in gaining more understanding of <a href="https://flevy.com/browse/flevypro/supply-chain-resiliency-4147">Supply Chain Resiliency</a>? You can learn more and download an <a href="https://flevy.com/browse/flevypro/supply-chain-resiliency-4147">editable PowerPoint about <strong>Supply Chain Resiliency</strong> here on the Flevy documents marketplace</a>.</p><p><strong>Are you a management consultant?</strong></p><p>You can download this and hundreds of other <a href="http://flevy.com/pro/library/frameworks">consulting frameworks</a> and <a href="http://flevy.com/pro/library/consulting">consulting training guides</a> from the <a href="http://flevy.com/pro/library">FlevyPro library</a>.</p></div>Integrated Cost Management: An Organization’s Prescription for Lower Costhttps://globalriskcommunity.com/profiles/blogs/integrated-cost-management-an-organization-s-prescription-for2020-07-17T08:00:00.000Z2020-07-17T08:00:00.000ZJoseph Robinsonhttps://globalriskcommunity.com/members/JosephRobinson808<div><p></p><p>There is a general belief among organizations that a large percentage of a product’s costs are locked in by design. It is assumed that <a href="https://flevy.com/blog/wp-content/uploads/2020/05/pic1-Integrated-Cost-Management-300x193.jpeg" target="_blank"><img src="https://flevy.com/blog/wp-content/uploads/2020/05/pic1-Integrated-Cost-Management-300x193.jpeg?profile=RESIZE_710x" width="300" class="align-right" alt="pic1-Integrated-Cost-Management-300x193.jpeg?profile=RESIZE_710x" /></a>little can be done once the design is set. 
This assumption has influenced cost management programs across diverse products’ life cycles. As a result, the focus is <a href="https://flevy.com/business-toolkit/cost-reduction">Cost Reduction</a> during the design phase and <a href="https://flevy.com/business-toolkit/cost-containment">Cost Containment</a> during the manufacturing phase.</p><p>Yet, organizations that operated in a highly competitive market and demanded aggressive cost management showed that costs can be aggressively managed throughout the <a href="https://flevy.com/business-toolkit/product-lifecycle">product life cycle</a>. Various cost management strategies or techniques may be used to increase the program’s overall effectiveness. One of them is <a href="https://flevy.com/browse/flevypro/integrated-cost-management-4172">Integrated Cost Management</a>.</p><h3><strong>A Purview on Integrated Cost Management</strong></h3><p>Integrated Cost Management is every organization’s prescription for lower cost and higher profits. It is the 21<sup>st</sup>-century business approach to achieving Cost Management efficiency.</p><p>Integration is necessary for <a href="https://flevy.com/browse/stream/strategy-development">Strategy Development</a> as it can promote the achievement of the company’s profit objectives. In fact, there are major benefits to Integrated Cost Management. One of these is the lowering of overall costs throughout the product life cycle.</p><p>Integrated Cost Management can facilitate a steady decrease in costs all the way to discontinuance. 
In fact, it can result in an annual cost reduction of about 17% during manufacturing, savings that exceed 30%, and a designed-in cost of below 70%.</p><p>Achieving this requires an understanding of the Integrated Cost Management Approach.</p><h3><strong>The Integrated Cost Management Approach</strong></h3><p>The <a href="https://flevy.com/browse/flevypro/integrated-cost-management-4172">Integrated Cost Management Approach</a> focuses on the integration of cost management techniques, which can lead to higher levels of cost reduction and superior overall performance.</p><p><a href="https://flevy.com/browse/flevypro/integrated-cost-management-4172" target="_blank"><img src="https://flevy.com/blog/wp-content/uploads/2020/05/pic-2-Integrated-Cost-Management.png?profile=RESIZE_710x" width="750" class="align-full" alt="pic-2-Integrated-Cost-Management.png?profile=RESIZE_710x" /></a></p><p>The Integrated Cost Management Approach takes into consideration 5 Cost Management Strategies.</p><ol><li><strong>Target Costing</strong>. This is the technique applied during the design stage. It is a feed-forward mechanism that enables the retooling of the design of new products to reduce costs while maintaining the desired level of product functionality and quality.</li></ol><ol start="2"><li><strong>Product-Specific Kaizen Costing</strong>. This is a technique that enables the rapid redesign of a new product during the early stages of manufacturing to correct any cost overruns. (Note: <a href="https://flevy.com/business-toolkit/kaizen">Kaizen</a> is the general term for Continuous Improvement and is often associated with <a href="https://flevy.com/lean-management">Lean Management</a>.)</li></ol><ol start="3"><li><strong>General Kaizen Costing</strong>. General Kaizen Costing is a technique that focuses on the way a product is manufactured, with the assumption that the product’s design is already set. 
It is generally effective in addressing manufacturing processes that are used across several product generations.</li></ol><ol start="4"><li><strong>Functional Group Management</strong>. This is a technique that is used to break down the production process into autonomous groups and treat each as a profit center.</li></ol><ol start="5"><li><strong>Product Costing</strong>. Product Costing is a technique that coordinates the efforts of the other four (4) techniques by providing important, up-to-date information.</li></ol><p>The 5 Cost Management Strategies enable organizations to better manage costs throughout the product life cycle, with just one (1) technique taking place during the product design and the rest during manufacturing.</p><h3><strong>The Key Takeaways</strong></h3><p>The application of the <a href="https://flevy.com/browse/flevypro/integrated-cost-management-4172">5 Cost Management strategies</a> has its key takeaways. These can be used as a guidepost in its application and a model of general concepts that organizations may consider.</p><p>One key takeaway is that significant savings can still be achieved with short life cycle products and aggressive cost management focused on product design. Taking note of this key takeaway, we have to consider that as the length of the manufacturing phase of the product’s life cycle increases, the opportunity for cost reduction increases. Further, there is a need to explore the value of integrating multiple cost management techniques during manufacturing.</p><p>Interested in gaining more understanding of <a href="https://flevy.com/browse/flevypro/integrated-cost-management-4172">Integrated Cost Management</a>? 
You can learn more and download an <a href="https://flevy.com/browse/flevypro/integrated-cost-management-4172">editable PowerPoint about <strong>Integrated Cost Management</strong> here on the Flevy documents marketplace.</a></p></div>The Key to Continuous Security Improvement? A Rugged Culture of Information Securityhttps://globalriskcommunity.com/profiles/blogs/the-key-to-continuous-security-improvement-a-rugged-culture-of2020-01-14T07:12:54.000Z2020-01-14T07:12:54.000ZMark Bridgeshttps://globalriskcommunity.com/members/MarkBridges<div><p><img class="align-right" src="{{#staticFileLink}}8028308088,original{{/staticFileLink}}" alt="8028308088?profile=original" width="500" /></p><p>In the age of rapid technological progress, where Digital Transformation has become pervasive, business applications are getting increasingly complex and interconnected. The advancement in technology has also helped attackers get more aggressive and inflict more damage on IT systems and applications. Application security tools and techniques are evolving too, yet most organizations still fall prey to vulnerabilities. Cybersecurity has become a bigger threat than ever before.</p><p>The current application security methodologies mainly count on detecting weaknesses and correcting them. Most organizations rely primarily on penetration testing or automated tools, at most. They neglect to establish strong defenses against threats, merely do patchwork, and leave the weaknesses unguarded. 
A small fraction implement threat modeling, security architecture, secure coding techniques, and security testing—but even they are typically unsure of how these approaches link with their strategic business objectives.</p><p>A few weaknesses constitute the majority of break-ins--e.g., <a href="https://en.wikipedia.org/wiki/SQL_injection">SQL injections</a> and <a href="https://en.wikipedia.org/wiki/Buffer_overflow">buffer overflows</a>. Major security threats and application vulnerabilities include compromised credentials, failure to patch promptly, SQL injections, and cross-site scripting. A large number of security threats can be neutralized just by taking care of security hygiene.</p><h3><strong>Secure Software Development</strong></h3><p>State-of-the-art technology and best practices available today offer effective yet economical methods to prevent security breaches and threats. These tools and practices work well without affecting the pace of delivery or straining the users unnecessarily.</p><p>Secure software development warrants not only analyzing the technology but also looking at the entire organization that creates the software—people, processes, tools, and culture. A secure software development culture inspires security by promoting and improving communication, collaboration, and competition on security topics and rapidly evolving the competence to create available, survivable, defensible, secure, and resilient software.</p><h3><strong>Rugged Software and a Culture of Security</strong></h3><p>Rugged software, or Rugged DevOps, promotes developing secure and resilient software by embedding this practice into the culture of an organization. A Rugged culture of security is more than just secure—secure is a state of affairs at a specific time whereas Rugged means staying ahead of threats over time. Rugged code aligns with the organizational objectives and can cope with any challenges. 
Rugged enterprises constantly tweak their code and their internal organization—including governance, architecture, infrastructure, and operations—to stay ahead of attacks. All applications developed by “Rugged” organizations are well-secured against threats, are able to self-evaluate and distinguish ongoing attacks, report security statuses, and take action aptly.</p><p>Rugged software is a consequence of the efforts to rationalize and fortify security. This is achieved by communicating the lessons learnt from experimentation, setting up stringent lines of defense, and adopting and sharing rigid safety procedures across the board. Adopting Rugged software development practices across the enterprise helps execute more applications promptly, improve security, and achieve cost savings across the software development life-cycle. Rugged software development is cost efficient because it requires less labor and time during the requirements, design, execution, testing, iteration, and training phases of the development life-cycle.</p><p>The following 10 guiding principles apply to all organizations aiming to develop a Rugged <a href="https://flevy.com/browse/flevypro/culture-of-security-4020">culture of security</a>:</p><ol><li><strong>Perpetual Attacks Anticipation</strong></li><li><strong>Staying Informed</strong></li><li><strong>Security Hygiene</strong></li><li><strong>Continuous Improvement</strong></li><li><strong>Zero-defect Approach</strong></li><li><strong>Reusable Tools</strong></li><li><strong>One Team</strong></li><li><strong>Comprehensive Testing</strong></li><li><strong>Threat Modeling</strong></li><li><strong>Peer Reviews</strong></li></ol><p><a href="https://flevy.com/browse/flevypro/culture-of-security-4020"><img class="aligncenter size-full wp-image-6120" src="http://flevy.com/blog/wp-content/uploads/2020/01/Culture-of-Security.png" alt="" width="1000" height="751" /></a></p><p>Let’s discuss the first 5 principles for now.</p><h3><strong>Perpetual 
Attacks Anticipation</strong></h3><p>A Rugged software development organization anticipates nonstop vulnerabilities and attacks—deliberate or accidental.</p><h3><strong>Staying Informed</strong></h3><p>Rugged organizations appreciate staying informed about security issues and potential threats, seek recommendations from security specialists, and identify and update security policies and rules.</p><h3><strong>Security Hygiene</strong></h3><p>Rugged organizations take good care of their security hygiene by limiting the sharing of user accounts and carefully guarding passwords and sensitive personal information. They employ secure software practices.</p><h3><strong>Continuous Improvement</strong></h3><p>Continuous Improvement is the management principle foundational to Lean Management that should be embraced by all areas of an organization. If sensitive information is left lying on somebody’s desk at night, Rugged organizations ensure that this does not recur in future and gather feedback from the people who happen to notice it.</p><h3><strong>Zero-defect Approach</strong></h3><p>Rugged organizations leave no room to tolerate any known weaknesses. An issue is resolved as soon as it is detected.</p><p>Interested in learning more about the guiding principles to develop a <a href="https://flevy.com/browse/flevypro/culture-of-security-4020">Rugged culture of security</a>? 
You can download <u>an editable PowerPoint on the </u><strong><u><a href="https://flevy.com/browse/flevypro/culture-of-security-4020">Culture of Security</a></u></strong> <strong><u>here</u></strong> on the <a href="https://flevy.com/browse">Flevy documents marketplace</a>.</p></div>Capabilities-Driven Strategy: The Key to Getting your Growth Strategy Righthttps://globalriskcommunity.com/profiles/blogs/capabilities-driven-strategy-the-key-to-getting-your-growth2019-12-04T06:30:00.000Z2019-12-04T06:30:00.000ZJoseph Robinsonhttps://globalriskcommunity.com/members/JosephRobinson808<div><p>Formulating a <a href="https://flevy.com/browse/flevypro/capabilities-driven-strategy-cdr-3677">Capabilities-Driven Strategy (CDR)</a> is easy, but the execution is difficult, especially in turbulent times. This is not the time to <a href="http://flevy.com/blog/wp-content/uploads/2019/03/Capabilities-Driven-Strategy-300x200.jpeg" target="_blank"><img src="http://flevy.com/blog/wp-content/uploads/2019/03/Capabilities-Driven-Strategy-300x200.jpeg?profile=RESIZE_710x" width="300" class="align-right" alt="Capabilities-Driven-Strategy-300x200.jpeg?profile=RESIZE_710x" /></a> find a cave and hibernate until the economic storm passes. It is unlikely that the storm will pass anytime soon. Capabilities-Driven Strategy is the only way to remain equipped for perpetually stormy weather.</p><p>Companies need to take care of or build those capabilities that are genuinely needed and not those that do not serve our customers. Capabilities do not manifest themselves overnight. They take time to grow. 
But companies that have mastered the art of developing and implementing a Capabilities-Driven Strategy have grown to develop the world’s leading brands. Distinctive capabilities--i.e. <a href="https://flevy.com/business-toolkit/core-competencies">Core Competencies</a>--have been used to propel them to reach operational and business excellence.</p><h3><span style="font-size:12pt;"><strong>What is a Capabilities-Driven Strategy?</strong></span></h3><p>A capabilities-driven approach to strategy allows companies to become coherent. This leads companies to achieve scale by applying their distinctive capabilities throughout the entire company. Instituting a Capabilities-Driven Strategy requires articulation of capabilities that help companies succeed in the key market.<br /> The bulk of the company’s support should then focus on these capabilities. This can be achieved by taking on a <a href="https://flevy.com/browse/flevypro/capabilities-driven-strategy-cdr-3677">3-phase Approach to Capabilities-Driven Strategy</a>.</p><h3><span style="font-size:12pt;"><strong>The 3-phase Approach to Capabilities-Driven Strategy</strong></span></h3><p><a href="https://flevy.com/browse/flevypro/capabilities-driven-strategy-cdr-3677" target="_blank"><img src="http://flevy.com/blog/wp-content/uploads/2019/03/1st-slide-Capabilities-Driven-Strategy-1024x768.png?profile=RESIZE_710x" width="750" class="align-full" alt="1st-slide-Capabilities-Driven-Strategy-1024x768.png?profile=RESIZE_710x" /></a></p><ol><li><strong>Identify Capabilities</strong><br /> Phase 1 starts by identifying the drivers of demand in your market. It is essential to identify capabilities that could meet expectations and satisfy our customers.</li></ol><ol start="2"><li><strong>Build Capabilities</strong><br /> Building capabilities is the next critical phase underlying the Capabilities-Driven Strategy. 
Phase 2 looks into the building up of complementary, reinforcing capabilities vital to our capacity to execute and deliver.</li></ol><ol start="3"><li> <strong>Divest Business</strong><br /> Divesting business is the 3rd phase of Capabilities-Driven Strategy, and it requires a thorough analysis of our capabilities and actions. We can either streamline or sell our businesses. Our capabilities, what we have, play a vital role in this decision that we have to make.</li></ol><p>Whatever decision our company takes, what is essential is to have the foresight to anticipate future industry dynamics and customer needs.</p><h3><span style="font-size:12pt;"><strong>What Makes Starbucks Stand Out</strong></span></h3><p>Starbucks is the world’s most iconic brand and is known for the ambiance in its retail stores. Strategically, Starbucks used its distinctive capabilities to be the purveyor of the “third place” for conviviality. To achieve this means being the center for human activity after home and work.</p><p>Starbucks has to identify its distinctive capabilities before being able to use them strategically. Starbucks has stewardship over a globally available consumer experience. It can distinctively deliver its products and service, as well as design and develop a premium product line. Starbucks is known for recruiting and managing a cadre of dedicated employees.</p><p>Summing it all up allows Starbucks to develop the Capabilities-Driven Strategy that will establish itself as the purveyor of the “third place” for conviviality.</p><p>Distinctive capabilities are effective tools that companies can use to connect where they aim to go and what they can accomplish. Starbucks was able to effectively use these tools to lead them to where they want to go and be. The journey can be a challenge for each and every company. We can all be like Starbucks. We just need to have a good grasp of what we have and what we are capable of doing. 
This can make a big difference between becoming what we aim for and just being content with where we are now in the midst of uncertainty.</p><p>Interested in gaining more understanding of <a href="https://flevy.com/browse/flevypro/capabilities-driven-strategy-cdr-3677">Capabilities-Driven Strategy (CDR)</a>? You can learn more and download an <a href="https://flevy.com/browse/flevypro/capabilities-driven-strategy-cdr-3677">editable PowerPoint about <strong>Capabilities-Driven Strategy (CDR)</strong> here</a> on the <a href="https://flevy.com/browse">Flevy documents marketplace</a>.</p></div>India's Demonetisation of Rs1000 and Rs500 denominations; Incremental Cash Flow into the Banking Systemhttps://globalriskcommunity.com/profiles/blogs/india-s-demonetisation-of-rs1000-and-rs500-denominations2017-08-11T13:53:25.000Z2017-08-11T13:53:25.000ZKANNAN SUBRAMANIAN RAMAKRISHNANhttps://globalriskcommunity.com/members/KANNANSUBRAMANIANRAMAKRISHNAN<div><p></p><p><span>Dear Friends,</span></p><p><span>You may be aware that the Government of India demonetised the highest two denomination bills of INR1000/- and INR500/- on 8th November 2016. Whilst the usage of demonetisation as a tool to fight corruption and money laundering is debatable, in the Indian case study, a Reserve Bank of India memo released on 11th August 2017 mentions that an estimated INR2.8 to INR 4.3 Trillion flowed incrementally (money kept outside the banking system) into the banking system. 
Circa INR64 = 1 USD.</span></p><p><span><a href="https://www.rbi.org.in/Scripts/MSM_Demonetisation.aspx">https://www.rbi.org.in/Scripts/MSM_Demonetisation.aspx</a></span></p><p><span>There are costs associated with demonetisation, and these include loss of jobs in the unorganised sector. On 10th August 2017, media reported that the dividend paid by Reserve Bank of India dropped very significantly and one of the causes for the drop is demonetisation.</span></p><p><span><a href="http://economictimes.indiatimes.com/news/economy/finance/reserve-bank-of-india-dividend-to-government-halves-to-rs-30659-crore/articleshow/60006433.cms">http://economictimes.indiatimes.com/news/economy/finance/reserve-bank-of-india-dividend-to-government-halves-to-rs-30659-crore/articleshow/60006433.cms</a></span></p><p><span>There are also other costs, such as slowdown of economic activity and drop in productivity (disruptive), that need to be taken into consideration. The estimation of these costs is not easy.</span></p><p><span>On balance, bearing in mind FATF (<a href="http://www.fatf.org">www.fatf.org</a>) recommendations, Demonetisation is not a Risk based AML-CTF approach. It has been used a few times by countries fighting Very High Inflation, where the value of the domestic currency is severely eroded. India has managed to pull through the first 8 months of demonetisation pretty well. The core elements (risk based approach) in the war against Money Laundering & Financing of terrorism are (a) Transparency, Accountability and Audit of Political Funding and functioning of political parties (b) Trade based laundering & Organised Crime (c) Accountability of Gateway keepers i.e. 
Accountants & Auditors, Lawyers, Registrars (companies, charities, properties and others) (d) Accountability of Regulators - Insider Trading, Conflict of Interest (e) Minimising the use of Anonymous (including bearer instruments and cryptocurrencies) assets in the economy. (Demonetisation has helped in shifting the focus to digital payments).</span></p><p></p><p><span>Money Laundering and Financing of Terrorism are intertwined. Laundered funds flow through the weakest channel. The twin risks are a Real and Present danger for all of us.</span></p><p></p></div>Managing Regulatory Changes and Political Risk with Enterprise Risk Management (Part 2)https://globalriskcommunity.com/profiles/blogs/managing-regulatory-changes-and-political-risk-with-enterprise2017-06-02T18:00:00.000Z2017-06-02T18:00:00.000ZSteven Minskyhttps://globalriskcommunity.com/members/StevenMinsky<div><p><strong><span class="font-size-3">Here's Why Compliance Solutions Are Inadequate for Managing Regulatory Changes</span></strong></p><p></p><p><span style="text-decoration:underline;"><a href="http://www.logicmanager.com/grc-software/compliance-management/">Regulatory compliance</a></span> is mandatory, but it’s not the end goal; it’s the minimum operating standard. For strong companies, compliance is a mere byproduct of performing well and managing uncertainty. 
Compliance solutions can also cause difficulties in the face of <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/2017/03/21/manage-domestic-political-risk/">domestic political risk</a></span>, which includes significant fluctuations in the regulatory environment.</p><p>The biggest differences between regulatory compliance and risk management are:</p><ol><li>Regulatory compliance has a known, black-and-white outcome (meet a set number of specific requirements).</li><li>Regulators give companies a predefined amount of time to adjust their operations, meaning there is <em>no</em> uncertainty as to when (and what) actions must be taken.</li></ol><p>The ROI of a software solution can be represented by:</p><p></p><p><a href="{{#staticFileLink}}8028259657,original{{/staticFileLink}}"><img width="750" src="{{#staticFileLink}}8028259657,original{{/staticFileLink}}" class="align-center" alt="8028259657?profile=original" /></a></p><p></p><p>However, when using compliance-specific software, this formula for return falls apart in the face of uncertainty. Software specializing in regulations like Dodd Frank or SOX is only useful when you know the regulation will not change.</p><p>Now, with regulations being rescinded, altered, and drafted in an unpredictable environment, it simply doesn’t make sense to invest in compliance-specific solutions. 
In order to manage domestic political risk, organizations need to be able to do the following:</p><ol><li>Thrive in an atmosphere of uncertainty by identifying <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-identification/">root-cause risks</a></span> and <em>creating </em>certainty;</li><li>Stay abreast of regulatory changes, adapting as policies change;</li><li>Prioritize those risks so high-impact issues can be dealt with more quickly.</li></ol><p>A risk taxonomy helps corporations reorganize their processes, policies, and requirements while automatically preserving the links back to underlying risks, controls, and monitoring activities. Change management is built into enterprise risk management systems with robust taxonomy technology. Spreadsheets, Office products, and compliance solutions simply can’t do this. They’re not designed to manage change over time, which is within the inherent definition of effective risk management.</p><p></p><p><strong><span class="font-size-3">Why is ERM the Answer to Regulatory Changes and Political Risk?</span></strong></p><p></p><p>The cost of non-compliance is far greater than monetary fines or lawsuits; violations can substantially impact a company’s reputation for years. When it comes to protecting your company’s reputation, as stated by Ben Franklin, “an ounce of prevention is worth a pound of cure.” The cost of a proactive solution is minuscule compared to the cost of sustained reputation damage.</p><p>As is becoming more and more evident as time goes on, the straightforwardness of compliance – a concrete “what” and a concrete “when” – vanishes when regulations are altered. 
Even in an ideal world, where line items remain constant and unchanged, regulatory risk is but one source (among hundreds) of uncertainty.</p><p>Enterprise risk management makes it possible to thrive even when the environment surrounding your business is a cloud of uncertainty. It accomplishes this by helping you answer a simple question: what’s best for the business? Different processes, products, and assets have different value-adds, and ERM is the tool that provides senior management the means of identifying connections between activities to objectively prioritize and address emerging changes.</p><p>When the “when/what” is removed (or was never present, as is the case with all risk <em>except </em>regulatory risk), what’s the priority? Compliance solutions can’t help with this; they can only ensure you’re able to provide a report to a particular regulator. That report doesn’t even mean your business is managing uncertainty, it just means you won’t be slapped with a particular penalty.</p><p><u>Determining what will deliver a healthy ROI <em>and</em> ensure compliance is the key to operating amidst significant political risk.</u> As an example, consider a bank or other financial institution: meeting FFIEC requirements for third-party management should be a mere byproduct of robust contracts and vendor due diligence.</p><p>These activities allow for uninterrupted, safe operations, and must occur even in the absence of FFIEC requirements. Enterprise risk management, by helping organizations discover both vulnerabilities and opportunities, provides an ROI far greater than the direct cost of potential penalties.</p><p></p><p><strong><em>Learn more about the </em><span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/product/risk-based-process/"><em>risk-based process</em></a></span><em> and why it’s so effective at managing uncertainty. 
Also download our free eBook, </em><span style="text-decoration:underline;"><a href="http://www.logicmanager.com/download-ebook-risk-based-compliance/"><em>Implementing Risk-Based Compliance</em></a></span><em>, to learn more about adapting in the face of regulatory changes.</em></strong></p><p></p></div>
Cyberattack Prevention: Use ERM to Defend Against Ransomware and Data Breaches
https://globalriskcommunity.com/profiles/blogs/cyberattack-prevention-use-erm-to-defend-against-ransomware-and
2016-05-04T18:13:19.000Z
Steven Minsky
https://globalriskcommunity.com/members/StevenMinsky
<div><p><a href="{{#staticFileLink}}8028244268,original{{/staticFileLink}}"><img src="{{#staticFileLink}}8028244268,original{{/staticFileLink}}" width="300" class="align-left" alt="8028244268?profile=original" /></a>Cyberattack prevention measures will always be necessary. The constant threat of data breaches and other hacks is simply a fact of business. Priority targets are no longer limited to retailers and banks; insurers, hospitals, energy producers, and (most recently) a host of law firms are all at risk.</p><p>“Hackers broke into the computer networks at some of the country’s most prestigious law firms,” according to <span style="text-decoration:underline;"><a href="http://www.wsj.com/articles/hackers-breach-cravath-swaine-other-big-law-firms-1459293504"><em>The Wall Street Journal</em></a></span>. This doesn’t come as much of a surprise: What do organizations like banks, insurers, hospitals, and law firms all have in common? Repositories of sensitive data.</p><p>This data does include personally identifiable information (PII) such as credit card info and social security numbers, but that’s old news. The “bigger fish” is confidential corporate information – data about M&As that might be used for insider trading, for example.</p><p>Clients (and potential clients) have been understandably concerned about the security of their information. 
As a result, they are spending more time and resources doing their homework. How do the firms they’re considering patronizing handle cybersecurity? Are they keeping up with recent trends, like <span style="text-decoration:underline;"><a href="http://www.wsj.com/articles/hackers-breach-cravath-swaine-other-big-law-firms-1459293504">phishing attacks</a></span> and <span style="text-decoration:underline;"><a href="http://www.computerweekly.com/news/4500248823/Ransomware-costs-business-at-least-18m-says-FBI">ransomware</a></span>?</p><p>When it comes to such sensitive info, it’s clearly better to beef up cyberattack prevention measures instead of the ability to reduce fallout <em>after </em>an attack. And yet it often takes a headline event to galvanize organizations into action.</p><p></p><p><strong><span class="font-size-3">Take Action on Cyberattack Prevention</span></strong></p><p></p><p>The first order of business is to accept that addressing these risks is obligatory. <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/2016/04/13/risk-management-negligence/">As we discussed earlier this month</a></span>, <em>all </em>companies are now being held liable for their security procedures. Perhaps more importantly, this liability exists even if no breach ever occurs. Dwolla, for example, was hit with a major penalty for its negligent cyberattack prevention strategy.</p><p>Also <span style="text-decoration:underline;"><a href="http://www.wsj.com/articles/hackers-breach-cravath-swaine-other-big-law-firms-1459293504">consider</a></span> that “Hackers often steal large amounts of information indiscriminately and then analyze it later to see how it could be useful…”. In other words, even if you think all your data would be useless to a hacker, you’re still at risk of suffering all the consequences of a major cyberattack.</p><p>The only way to keep up with evolving attacks is with a holistic approach to security. 
All departments should be on the same page, informing everyone from managers to front-line employees about password and network policy (basic cyberattack prevention), slightly suspicious emails (signs of attempted phishing attacks), etc.</p><p></p><p><strong><span class="font-size-3">Protecting the "Front Door" Isn't Enough</span></strong></p><p></p><p>Traditional cybersecurity measures revolve around the protection of the so-called “front door.” We’re conditioned to look out, rather than in, for threats. After all, hackers and other criminals are external threats, so the best form of protection is logically a barricade in the form of advanced firewalls and malware scans.</p><p>These days, however, reinforcing the front door is not a sufficient cyberattack prevention plan. Wide-reaching attacks like phishing emails and ransomware make every single employee a risk. This is a holistic governance-function issue that won’t be solved by buying a new piece of hardware. Seemingly innocent emails may contain only subtle red flags, fooling victims into thinking they’re legitimate. It’s certainly an IT problem, but it also extends to vendor management (are your vendors’ standards up to yours?), incident management (if there is an attack or an attempted attack, how do you cascade it out to the rest of the organization?), and compliance.</p><p><a href="http://www.logicmanager.com/erm-software/product/">Enterprise risk management software</a> offers the only solution – the problem itself is an enterprise-wide problem. Everyone needs to be on the lookout for things like suspicious emails, and everyone needs to know how to react. 
ERM facilitates the whole cyberattack prevention process because it:</p><p></p><ol><li>Helps each department identify its vulnerabilities with industry-specific, root-cause <a href="http://www.logicmanager.com/erm-software/product/assess/">risk libraries</a>;</li><li>Ensures every department is performing this analysis with the same criteria, <a href="http://www.logicmanager.com/erm-software/product/risk-taxonomy/">framework</a>, and timeline, making collaboration easy;</li><li>Reveals how department-specific approaches leave certain vulnerabilities unanswered, as well as which risks are already being covered by another department’s mitigations;</li><li>Makes it straightforward to engage <a href="http://www.logicmanager.com/erm-software/product/assess/">risk assessments</a> and send <a href="http://www.logicmanager.com/erm-software/product/dashboard-reports/">reports</a> back and forth from senior management to front-line employees (and everyone in between);</li><li>Allows risk assessments, control documentation, and monitoring automation to evolve as new threats emerge.</li></ol><p></p><p><strong><em>Download LogicManager’s </em><span style="text-decoration:underline;"><a href="http://www.logicmanager.com/it-governance-security-datasheet/"><em>whitepaper on IT Governance and Security</em></a></span><em> to learn more about how a risk-based approach can help you strengthen your cyberattack prevention strategy.</em></strong></p><p></p></div>
Here’s Why Merely Implementing Internal Controls Procedures Isn’t Enough
https://globalriskcommunity.com/profiles/blogs/here-s-why-merely-implementing-internal-controls-procedures-isn-t
2016-04-06T14:27:17.000Z
Steven Minsky
https://globalriskcommunity.com/members/StevenMinsky
<div><p><strong><span class="font-size-3">Risk Management's 3 Basic Steps</span></strong></p><p></p><p>In order to be effective, risk management must involve three phases:</p><ol><li><span style="text-decoration:underline;"><a
href="http://www.logicmanager.com/erm-software/product/assess/">Risk identification & assessment</a></span></li><li><span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/product/mitigate/">Mitigation</a></span> design & implementation</li><li>Active <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/product/monitor/">monitoring</a></span> of mitigation activities</li></ol><p>If an organization misses any of these steps or does not directly link them to one another, it is not fully managing risk. Here’s what can happen if a step isn’t fully executed:</p><ol><li>Improper risk identification often results from identifying a risk’s symptom instead of its <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-identification/">root cause</a></span>. When this happens, controls don’t neutralize the root cause (even if they are designed well), leaving the organization vulnerable. If the management does not reach out to supervisors on the front lines, the individuals who can take effective action may not be apprised.</li><li>Mitigation activities can be ineffective either because they’re directed at a symptom (see #1) or simply because they’re not designed well. In either case, threats aren’t neutralized and the organization remains at risk. When risks are identified by one department but aren’t communicated to those who need this information, unnecessary collateral damage results.</li><li>If internal controls procedures exist but are not used or updated, the organization is vulnerable not just to existing risks, but to an increased chance of negligence charges. If mitigation activities are not linked to risk, how is it possible to monitor the control? When controls are not linked to a root cause, people responsible for the control, or the business policy, monitoring does not meet compliance requirements. 
This leaves the enterprise open to class action suits for negligence.</li></ol><p>Below, we’ll explore how Nordion Inc., a global health science company, missed phase three and paid the consequences:</p><p></p><p><a href="{{#staticFileLink}}8028244259,original{{/staticFileLink}}"><img src="{{#staticFileLink}}8028244259,original{{/staticFileLink}}" width="191" class="align-center" alt="8028244259?profile=original" /></a></p><p style="text-align:center;"><em>Even though Nordion self-reported to and cooperated fully </em><em>with the SEC, it was still forced to pay $375,000 in penalties.</em></p><p style="text-align:center;"><em>This would have been avoided if the organization had </em><em>adhered to its own internal controls procedures.</em></p><p style="text-align:center;"></p><p style="text-align:left;"><span class="font-size-3"><strong>Internal Controls Procedures Could Have Shielded Company from Embezzlement Scheme</strong></span></p><p style="text-align:left;"></p><p style="text-align:left;"></p><p><a href="{{#staticFileLink}}8028244082,original{{/staticFileLink}}"><img width="300" src="{{#staticFileLink}}8028244082,original{{/staticFileLink}}" class="align-left" alt="8028244082?profile=original" /></a>Between 2004 and 2011, one of Nordion’s employees reportedly “arranged improper payments” from the company to bribe Russian authorities, <span style="text-decoration:underline;"><a href="http://blogs.wsj.com/riskandcompliance/2016/03/04/sec-settles-bribery-case-with-engineer-employer/">according to</a></span> the <em>Risk & Compliance Journal</em>. Although Nordion was never complicit, the fact that it didn’t discover the scheme made it liable.</p><p>Here’s an important detail: The employee in question was very thorough in his deception. 
He kept the plan secret “by preparing multiple drafts of documents and by misrepresenting how the agent would use the funds received from Nordion, the SEC alleged.”</p><p>Even though Nordion didn’t know about the scheme, it could have better prepared itself for such scenarios. Specifically, the company could have trained its employees on its adapted operational procedures for branches in more corruption-prone regions. Additionally, the company “didn’t do any due diligence on the agent or follow its internal controls procedures in place at the time.”</p><p>On the bright side, the company earned no profit from the embezzlement scheme, and once the situation came to light, fired the employee and cooperated fully with the investigation. For this reason, the company avoided more severe penalties. Those good-faith actions, however, still didn’t save it from the initial $375,000 penalty.</p><p>An ERM solution would have prevented Nordion from making any headlines. Risk-based, enterprise-wide systems support all three phases of risk management. In this case, the company had performed phases one and two by merely having internal controls procedures in place. The slipup was letting the process go slack – not devoting a constant resource flow toward maintaining and monitoring those procedures.</p><p>LogicManager provides <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/erm-software/product/monitor/">robust risk monitoring capabilities</a></span> designed specifically to provide insights into how effective controls are (or, in this case, if they’re even being performed). Certain parties can also be made accountable for specific components of the controls. 
Customizable surveys, tasks, and emails can all be automated to recur at particular intervals, making internal controls easy to plan and prioritize.</p><p> </p><p><strong><em>For more specific information on ERM software’s proven return on investment, download our </em><span style="text-decoration:underline;"><a href="http://www.logicmanager.com/ebook-roi-of-erm-software/"><em>free eBook</em><em>: The ROI of ERM and ERM Software</em></a></span><em>.</em></strong></p><p></p><p></p></div>
Advice for Risk Managers: Treat Compliance Like a Risk, Not a Checklist
https://globalriskcommunity.com/profiles/blogs/advice-for-risk-managers-treat-compliance-like-a-risk-not-a
2016-01-19T20:30:00.000Z
Steven Minsky
https://globalriskcommunity.com/members/StevenMinsky
<div><p><a href="http://www.logicmanager.com/wp-content/uploads/2014/11/framework.jpg" target="_blank"><img src="http://www.logicmanager.com/wp-content/uploads/2014/11/framework.jpg" class="align-left" width="220" height="146" alt="framework.jpg" /></a>Many companies share some problematic habits when it comes to compliance. The worst of them is treating compliance like a checklist. In other words, thinking, “If we meet these specific compliance requirements, our company should run efficiently and securely.” While this is a simplified outlook, the point remains the same. Being compliant guarantees neither efficiency nor security, but failure to meet requirements can have long-lasting negative effects.</p><p>At LogicManager, we view compliance as the minimum operating standard, and focus more on aligning our priorities with a risk-based approach. This affects how our own governance structure functions, as well as how we advise our customers.</p><p>The shift in how compliance is viewed is gaining momentum. New COSO and ISO updates, like ISO 19600 and COSO’s upcoming ERM update, specifically emphasize a risk-based approach to compliance. 
Moreover, organizational understanding of the relationship between risk and compliance is changing.</p><p>For example, Fitch Ratings, one of only three nationally recognized ratings agencies, has created and assigned a new role: Chief Compliance Officer. This is part of the agency’s plan to “bulk up” its compliance efforts and “broaden” its approach to risk, according to the <a href="http://blogs.wsj.com/riskandcompliance/2015/11/02/fitch-names-compliance-head-as-it-widens-risk-focus/"><em>Risk & Compliance Journal</em></a>. Who is the new CCO reporting to? John Olert, Chief Risk Officer of Fitch’s parent company. This mirrors the new understanding of compliance, as a subset of risk:</p><p><a href="http://www.logicmanager.com/wp-content/uploads/2016/01/Compliance-Risk-Pie-Charts-500x248.png" target="_blank"><img src="http://www.logicmanager.com/wp-content/uploads/2016/01/Compliance-Risk-Pie-Charts-500x248.png?width=500" width="500" class="align-center" alt="Compliance-Risk-Pie-Charts-500x248.png?width=500" /></a></p><p>Olert contends the need for a Chief Compliance Officer became evident when he was responsible for handling both risk and compliance. Even though the former contains the latter, compliance’s scope and complexity warrants its own departmental governance (which can also often be said for IT and operational risk). The key is to manage compliance with a <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-identification/">risk-based approach</a>. Fitch Ratings is doing just this, widening its risk focus to include more than just market and credit risks.</p><p>Fitch identified a few other points of importance for its compliance program, all of which resonate with the LogicManager approach. For example, another point of emphasis is the development of communication between employees and departments. We strongly agree with this assessment. 
No matter how insightful data and other information are, they cannot be useful unless delivered to the proper party. Organizations with a “stovepipe” mentality often fail to share information cross-functionally, resulting in redundancy. A control used to mitigate risk may also be used to meet a regulatory requirement, and the utilization of ERM systems can help track and manage those complex relationships.</p><p><strong><em>For more information about presenting Enterprise Risk Management solutions to the board, take a look at our free eBook</em>, <span style="text-decoration:underline;"><a href="http://www.logicmanager.com/ebook-presenting-erm-to-the-board/">Presenting ERM to the Board</a></span>.</strong></p></div>
How Risk Management Technology Projects Succeed
https://globalriskcommunity.com/profiles/blogs/how-risk-management-technology-projects-succeed
2014-10-06T13:30:00.000Z
Steven Minsky
https://globalriskcommunity.com/members/StevenMinsky
<div><p style="font-family:Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;font-size:13px;line-height:19px;">The recent article by CMS Wire's Norman Marks, "<a href="http://www.cmswire.com/cms/information-management/why-risk-management-technology-projects-fail-026691.php">Why Risk Management Technology Projects Fail</a>," captures a common but limited viewpoint of Risk Management that restricts its ability to succeed in any environment, whether supported by software, spreadsheets, or pen & paper.</p><p style="font-family:Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;font-size:13px;line-height:19px;">"To be successful, a risk program has to be designed to enable managers to make intelligent, risk-informed decisions every day. The requirements have to include the perspectives of both the risk officer and of management... 
You need to enable managers to see both performance and risk status for each of their objectives and strategies."</p><p style="font-family:Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;font-size:13px;line-height:19px;">A risk based program can only be successful if it applies the iterative ERM Process Steps (Identify, Assess, Evaluate, Mitigate, Monitor) to not just risk, but also performance, compliance, and every other governance function throughout the organization.</p><h4 style="font-family:Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;font-size:13px;line-height:19px;"><strong>Risk Based Compliance</strong></h4><p style="font-family:Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;font-size:13px;line-height:19px;"><a href="http://www.logicmanager.com/grc-software/compliance-management/">Risk based compliance</a> has been interpreted many ways - with very few adding value to the compliance professionals. But if we examine Compliance in the framework of the ERM Process, it looks something like this.</p><p style="font-family:Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;font-size:13px;line-height:19px;">Identify requirements (legal, regulatory, internal, etc.). Assess the applicability of requirements (typically Yes, No, or Not Applicable). Evaluate whether further action is necessary. 
Mitigate with policies & procedures (how you meet the requirement). And finally, Monitor through audit's testing of controls and your adherence to internal policies.</p><h4 style="font-family:Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;font-size:13px;line-height:19px;"><strong>Risk Based Performance</strong></h4><p style="font-family:Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;font-size:13px;line-height:19px;">The process works equally well for performance. Objectives and goals are identified and assessed based on their positive impacts if achieved, the likelihood of achievement, and their general timeframes. They can then be supported with activities and projects (in effect, mitigating the chance they are not realized), and monitored with performance metrics and KRIs.</p><p style="font-family:Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;font-size:13px;line-height:19px;">The same exercise can be conducted with governance processes, but why does it help to apply the ERM process to all <a href="http://www.logicmanager.com/grc-software/">Governance, Risk, and Compliance (GRC)</a> functions?</p><h4 style="font-family:Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;font-size:13px;line-height:19px;"><strong>Value of Risk-Based Process</strong></h4><p style="font-family:Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;font-size:13px;line-height:19px;">By standardizing governance with a risk based process, you enable the re-use of information and relationship building that creates efficiencies throughout an enterprise. 
Controls used to mitigate risk might also be the same controls ensuring your organization stays compliant. Regulatory requirements have risks that should be associated with them. Metrics and testing that indicate the effectiveness of your control environment can also be used to drive audit scoping and resource allocation.</p><p style="font-family:Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif;font-size:13px;line-height:19px;">The possibilities with a Risk-Based approach are numerous, but cannot be realized without the support of an <a href="http://www.logicmanager.com/erm-software/product/risk-taxonomy/">ERM Taxonomy</a> and <a href="http://www.logicmanager.com/">Risk Management Software</a>. The reason Risk Management Technology projects fail is that they take a silo-specific view of risk management, rather than viewing risk as the common link between performance, compliance, and enterprise governance.</p></div>