Blog

Volkswagen has been side-stepping environmental compliance standards by “programming some diesel-fueled cars to turn on emission controls only when being tested.” In the days since this discovery, Volkswagen has been hit with over 30 federal lawsuits and 40%+ decline in stock value, all stemming from the same source—poor Enterprise Risk Management.

In this case, poor risk management regarding their investment in diesel, without developing a mitigation plan for if the technology didn’t meet emissi

Lack of transparency makes risk, performance and compliance information hard to discover, collect and maintain. Within every organization, governance areas are conducting activities, each based on different assumptions with different standards, all of which contain a risk component.

While these are typically not thought of as risk activities, when the responsibilities of each governance area are compared to a risk based process – identifying & assessing, mitigating, and monitoring – you find that

Governance functions are designed to manage risks that organizations face in operational and back office silos - financial misstatements, fraud, vendor management, disaster recovery, and other activities are all designed to address a subset of an organization’s risk profile. The concept of Enterprise Risk Management is not to create another function that exists in parallel to these areas, but rather creates a standardized methodology and language to objectively prioritize across functions and le

This week I faced the ultimate personal test of my risk management skills, where I had to soul search “do I practice what I preach as an ERM expert.”. Sunday, the night before the storm of the century Hurricane Sandy hit, I had tickets to fly to Texas as a speaker and expert on ERM. What would become of my home and family? Had I applied the same risk principles in my work as a CEO of the leading enterprise risk management software company in my personal life? Had I done put a personal business c

The first shoe to drop was government regulations holding the Board of Directors personally responsible for the effectiveness of enterprise risk management programs at their organizations. Boards are given a choice between proving their risk management programs are effective or disclosing their ineffectiveness in risk management to the public. If they do neither, it is considered fraud, as not knowing about a risk is no longer a defense.

What does enterprise risk management effectiveness mean? No

In November 2009 I contemplated  "Should Board Audit and Risk Committees be Separate?"  and today I question "Should a Board have a risk committee at all?"

In 2009 I concluded:

• Management's responsibility is to identify, manage and report on risk with a predefined risk appetite which has been established in consultation with the oversight body, most commonly a Board of Directors or an Advisory Board.

• The Board has an "assurer role" to provide stakeholders with assurance that management has done the

Risk Appetite Explained
In the face of the many recent failures of financial institutions, following market and asset crises and in the context of mounting regulatory demands from Basel 3, Solvency 2 and Dodd Frank, risk management is a topic high on the executive agenda. In particular, much emphasis has been placed on risk appetite and the role it has to play in an enterprise risk management approach, as part of an overall strategy execution process.

But what is Risk appetite?
First and foremos