Are You Ready for the ISO Standard on Compliance Management?

The new ISO standard 19600 should get your attention. It's the impetus, or motivating factor, that is as compelling to companies on the fence about whether to invest in a company-wide GRC initiative as Sarbanes-Oxley was for publicly traded companies (listed on US stock exchanges) in 2003. Yet this is an international standard. Why should we, as a small company, even care?

Group Decision-Making

We recently had a question about our suggested approach to group decision-making. We thought that our response might be of interest to our community.

The Reengineering of Risk Assessment

It's amazing how often we come across companies that are spending millions of dollars having their employees rate risks using ordinal or Likert scales within a commercially purchased tool or in a home-grown spreadsheet or Word document.

Requirements-driven Knowledge Management

We recently came across the International Atomic Energy Agency's definition of knowledge management (KM). We wanted to share this with you to get your take on it and to compare and contrast your own definition with it. We'd like to get your input. Following is our own take on how best to institutionalize the practice of KM.

Risk Assessment Bibliography

Doug Hubbard of Hubbard Decision Research recently published a list of interesting sources (on the Society of Information Risk Analysts listserv) that he has used in his work writing on various risk assessment methods and tools. I thought that you might find this list to be of interest. Doug's contact information can be found at the end of this blog. Here's what Doug has to say...

Is your Risk Assessment Approach Too Simplistic?

We just spotted this article in Corporate Risk & Insurance's risk magazine:

Merrill Lynch criticised by regulator for 'simplistic' risk management

What comes after executive education?

Many of us within our GRC community often brainstorm on the best steps to take when a firm is just starting to consider investing in a GRC program initiative or system of record. Our team has seen a lot of responses to this question that range from writing a program charter to investing in a Strategic Value Assessment (SVA) to applying for corporate funds to make the investment.

PCAOB and SEC are Keeping Watch

It's amazing that, after 12 years of collective experience with SOX-related audits of Internal Controls over Financial Reporting (ICFR), companies and external auditors are still struggling. Look at this factoid:


Contextual Data Will Become Vital

I just came across Brenda Boultwood's article for GARP, "How People, Data and Conduct Will Shape Risk Management in 2015".

Vendor / Product Assessment & Recommendations

We often assess GRC vendors and their "pure" enterprise-class GRC applications (including applications oriented towards Internal Audit and Security) using a proven process that has a number of mission-critical business objectives associated with the work. The top objectives are reducing the risk of technology insertion, reducing the risk associated with employee adoption of the technology (or, God forbid, technology rejection), building rapport between the acquiring firm and their chosen vendor, building employee motivat