Redefining the Role of ERM Standard Setters Reimagining COSO to create knowledge from beliefs and performance from knowledge and ending our fear of risk, addiction to controls and sedation by assurance The essence of professionalism is service to the public. Standard setters create a body of knowledge and provide metrics to demonstrate the practices they […]
Author Archives: Bruce McCuaig
Frightened by Risks, Addicted to Controls, Sedated by Assurance
Can belief-based practices survive in a data driven world? The paradigms, professional practices and regulatory standards guiding business risk and assurance professionals have been developed over many years, long before the digital world we live in today. Do the practices we have used as risk, control and audit practitioners actually “work”. We fear risks, we […]
Addicted to Controls. Sedated by Assurance.
Reliance on Control Activities is enabling bad risk decisions and corporate misconduct. . Is there a way forward? The fundamental paradigms of risk and control professionals are being tested. Extreme, reactionary advocates of Control Activities to mitigate risk have influenced standards and practices that do not work. In a recent blog I suggested that we […]
Addicted to Controls: How Radical Control Activists Have Hijacked Business Risk Management
Research by the US National Transportation Safety Board (NTSB) suggests that 80% of aviation incidents are caused by human error. Internal control professionals looking through the lens of internal control paradigms might conclude that this situation is “totally out of control”. Aviation experts rely on risk management paradigms. They measure these things. They focus on […]
The Serial Failure of Item 1A Risk Factor Reporting
Its time to replace Risk Factor reporting with comprehensive reporting on governance, risk and compliance (GRC). Call it ERM or whatever you please. Beginning in 2005, the SEC required filers to include qualitative disclosures of risk factors in item 1A of their annual 10-K forms. Item 1A Risk Status disclosures have consistently failed to predict […]
Pandemic! Who Knew? What Now?
We need far better public reporting of risk factors. The tools and technology are available. Practices must improve. Pandemic Like many of the posts on GRC and COVID 19 these days, this one is another case of closing the barn door after the horse has escaped. But its sometimes worth looking back, not to assign […]
Can Internal Audit Be Agile?
Should It Be? I’ve always been uncomfortable with the term “agile” when applied to GRC generally or Audit specifically. I guess I still have some internal auditor left in my DNA, but it sounded like the flavor of the month. “Agile” seemed a little too furtive and vague to be an attribute to aspire to. […]
Quick Reaction to” OnRisk 2020: A Guide to Understanding, Aligning and Optimizing Risk”
Refreshing and powerful new insights from the IIA This report, available here, is a must read for anyone interested in scaling and sustaining risk management to drive business value. Its not necessary to agree with the reports approach or conclusions. The question is can we build on and refine practices from this starting point? The […]
Internal Controls: Designed to Fail or Designed for Failure?
All controls will fail. They will fail at a predictable rate. Internal controls not designed for failure are designed to fail. The week of Oct 14 was “Risk Awareness Week” (RAW), a series of interactive workshop that began on Oct.14. The workshops were designed to raise awareness about risk management applications in planning, forecasting, budgeting, […]
Is Enterprise Risk “Accounting” (ERA) Blocking Enterprise Risk Management (ERM)?
In reflecting on the state of Enterprise Risk Management (ERM) recently, (I will use the term ERM generically for all its current variations) I have come to conclude ERM is far from reaching its potential and may be in a state of decline. As a profession we have developed what I will call Enterprise Risk […]
