erm (173)

In 2015, Amair Saleem was named the Global Risk Management Professional of the Year by the Institute of Risk Management. Saleem manages safety, risks, and regulations for Dubai’s Roads and Transport Authority (RTA), which serves many of the same functions the U.S.’s DOT does. So what has made Saleem such a preeminent risk management expert?

According to The Wall Street Journal’s “Risk & Compliance Journal,” the Dubai RTA sees more than a million passengers every day and manages 40 departments, wh

Read more…

Interview with Aretina Trepczyk, Vice President, Enterprise Risk Manager at Umpqua Bank

 

The increased regulatory pressures on third party vendor risk have increased focus on this key area of operational risk. And, despite institutions implementing changes to their third party risk strategies, many programs still need to be optimized and enhanced to ensure strong due diligence of vendors and minimize the risk exposure to the enterprise. Institutions need to incorporate their third party risk stra

Read more…

News last week broke that a CNA Financial Corp. unit is seeking a judicial ruling that would waive its obligation to pay a $4.1 million settlement to Cottage Health System, on the grounds that the health system failed to meet the “minimum required practices” for cybersecurity risk management.

Cottage Health System, a Santa Barbara-based non-profit organization, suffered a breach of over 30,000 medical records in the fall of 2013. The breach was caused by a third party vendor that housed personal

Read more…

Enterprise Risk Management (ERM) Software, unfortunately, is a poorly defined (and often poorly executed) concept, but by structuring your vendor selection around the core concepts of Enterprise Risk Management, Risk Managers can mitigate the inherent risks that accompany a software implementation.

Common Pitfalls of ERM Programs

The common maturity process of an ERM program looks something like this: define our purpose with an ERM charter, define our process, and then seek automation to support

Read more…

The Baker/baker complex, as illustrated in Joshua Foer’s Moonwalking with Einstein, states that if you ask one person to remember a baker and another to remember a man named Baker, the person asked to remember the proper noun will struggle far more than the person asked to recall the bread maker.

Same word, two very different outcomes because one provides your memory with context, while the other floats independently, devoid of the connections and methodology that improve our recall.

At LogicManag

Read more…


The RIMS Risk Maturity Model, co-developed by LogicManager CEO, Steven Minsky, and the RIMS Risk Management Society, has been adopted by yet another governance body in an attempt to formalize how organizations achieve risk management competency.

The NAIC specifically identifies the Risk Maturity Model (RMM) as an effective tool for evaluating the state of an organization's program, and indicates that Insurers should strive to meet a ‘Repeatable’ level of Enterprise Risk Management maturity in eac

Read more…

What to Present to Your Risk Committee

The RIMS Risk Management Society (LogicManager’s co-author for the RIMS Risk Maturity Model) promotes the adoption of Risk Committees for organizations looking to formalize their enterprise risk management processes.

With more organizations adopting risk committees or similar governance groups, the question remains: What should risk managers present to their risk committee; or conversely, what should risk committees ask that their managers present to them?

Forrester Research, in their report on me

Read more…

One of the most frequently cited differences between Software-as-a-Service (SaaS) and On-Premise installations is the degree of flexibility between each type of solution. With SaaS solutions on the rise for GRC and Risk Management Software, more and more organizations are realizing that everything they thought they understood about the differences between SaaS and On-Premise is wrong. So what can we learn from their mistakes?

A Conflict of Interest

On-Premise vendors make about 50% of their revenu

Read more…

ERM: 4 Predictions for 2015

The year 2014 has come and nearly gone, and it’s clear that enterprise risk management will not go quietly into the night. Following a 2013 that saw Edward Snowden NSA leaks, a Carnival Cruise line generator fire, and Target’s credit card heist (to name only a signature few), this year has proven to be no slouch: FINRA has disciplined thousands of companies with over $34 million in fines, Home Depot and Sony fell victim to IT security threats, and GM issued one of the largest recalls in automake

Read more…

Online media outlet TechTarget recently visited the 2014 Advanced Cyber Security Center (ACSC) conference right in our hometown of Boston, MA. Their findings? A successful cybersecurity risk management framework must be built around “Coordination. Cooperation. Collaboration.”

"You are not going to eliminate the risk of attacks, you are going to manage the risk," said Michael Chertoff, former secretary of the U.S. Department of Homeland Security. Chertoff directed organizations to focus on threat

Read more…

Writing an ORSA Report

Insurance regulators have made the Own Risk and Solvency Assessment (ORSA) into one of the global Insurance Core Principles that need to be adopted in all countries.

By Dave Ingram

Several countries have already adopted an ORSA requirement and in all cases, there is a need for a report to share with the regulator that documents the ORSA process.

The ORSA report itself is an example of risk management disclosure. A company that has no history of disclosure of risk management information may struggle

Read more…

CMS Wire's Norman Marks' recent article, "Why Risk Management Technology Projects Fail," captures a common but limited viewpoint of Risk Management that limits its ability to succeed in any environment, whether supported by software, spreadsheets, or pen & paper.

"To be successful, a risk program has to be designed to enable managers to make intelligent, risk-informed decisions every day. The requirements have to include the perspectives of both the risk officer and of management... You need to en

Read more…

#ERMvsGRC - Home Depot in Focus

ERM vs GRX

The goal of an ERM program is to put your organization in the best position to manage uncertainty, and to provide transparency into areas of vulnerability so businesses can make better decisions. Risk Management Software supports that process by providing insights and analytics that aren't obvious to the front

Read more…

In Malcolm Gladwell’s “Blink,” he examines a hospital whose team had learned that to diagnose heart attacks, it’s more beneficial to gather a few key indicators than to try and take every measure into account. I’ve found that to judge the health of ERM programs, there is also a subset of characteristics that seem to immediately indicate success.

  1. Does the ERM program engage the front lines?
  2. Can the program analyze information across silos?
  3. Has the program engaged, or integrated, with at least one o
Read more…

ERM Software vs. SharePoint

Once SharePoint has taken root in a company, there’s a tendency to try to use it for everything. The mega-popular platform can accomplish many use cases, from social networking to document management. It’s no wonder then that Risk Managers have been asked to build their programs on SharePoint - and live and die with the consequences. If your organization is considering SharePoint for ERM or other governance activity, or you’re considering moving your program off SharePoint altogether, consider

Read more…

ERM: Doing it, and doing it right

Jeffery Reynolds’ article in ABA Banking Journal, “ERM: Getting it, and getting it right”, equates the definition of Enterprise Risk Management with happiness.

"Before you start with ERM, you have to define it. If it were only that easy to nail down the definition of ERM—but it is not…Defining ERM is like defining happiness. Happiness is not the same for me as it is for you. Nor is it the same for me today as it was 20 years ago. And what drives happiness today will likely not be what defines hap

Read more…

The healthcare industry has grappled with HIPAA for nearly 20 years. The ever-changing, extensive piece of legislation mandates the protection and security of patients' private health information, and HIPAA compliance is a costly and time-consuming process for healthcare organizations.

With the amount of focus and effort directed towards HIPAA compliance, risk and compliance professionals at healthcare organizations can rest assured their patients' data is protected from hackers and data theft, r

Read more…

Over the weekend while traveling, I was reading Malcolm Gladwell’s Outliers and as coincidence would have it, I hit “Chapter Seven: The Ethnic Theory of Plane Crashes,” at a cruising altitude of 30,000 feet.

The challenge with Enterprise Risk Management is quantifying how many disasters have been prevented due to its efforts.  Because of this, there is still skepticism among senior management around exactly how ERM can help to prevent major operational, strategic, regulatory, and reputational di

Read more…

Colleges and Universities are some of the most at-risk institutions when it comes to high-profile failures in risk management. Reputational risk – and remaining off the homepage of CNN – requires an active approach to managing enterprise governance, and most universities are unsure where to start. An Association of Governing Boards of Universities and Colleges (AGB) report finds:

“After five years of change and upheaval, why is it that governing boards of colleges and universities continue to co

Read more…

Many business cases for Enterprise Risk Management programs begin with what senior management can expect in terms of return on investment (ROI). While ROI may not be the best indicator of ERM success (it’s tough to quantify the monetary value of risks you’ve mitigated), there are simple and direct steps you can take to demonstrate the efficiency your program will gain through the implementation of an ERM system.

On average, risk managers spend 62% of their time on tactical, rather than strategic,

Read more…
