
How to Influence Risk Management Standards, Frameworks and Guidelines

What do you want risk management standards, frameworks and guidelines to do for your success? Many people depend on these documents to provide needed guidance.


Yet, you have heard the reasons people give for not wanting to deal with risk management standards and frameworks. Perhaps you have even voiced these yourself, at one time or another:

  • Our organization is so unique, no one standard or framework could possibly apply.
  • Standards are the same as regulations—we don’t need more regulations.
  • We know what we are doing—we don’t need any guidance. Those things don’t apply to us anyway.

Whether we like it or not, standards are a part of life and our daily language. We refer to a gold standard as a measure of excellence. There are standard breeds of dogs, horses and even chickens. We have internet standards. And what would we do without standards of care, and food safety standards?

Standards have been around a long time, and actually have benefited society. When time was standardized along the prime meridian, commerce flourished. When the United States decided to build the transcontinental railroad using a standard gauge, deliveries of passengers and goods were made more efficiently. Anyone who has traveled internationally can attest to at least one outcome when there is a lack of standards: the proliferation of power adapters that are needed when representatives from different nations gather.

Standards and guidelines—which typically are voluntary—are not regulations. Standards are created through consensus, public comment and acceptance. Regulations, on the other hand, are mandated through legislation. A primary standard (or “recognized” standard) is an established norm or collection of “best practices” that evolve over time under the jurisdiction of an international, regional or national standards development body. Standards are published as a formal document that can establish criteria, methods, processes and practices. In contrast, a guidance document, company product, corporate standard, etc., that may be developed outside of a recognized standards setting body—but which becomes generally accepted—is often called a de facto standard.

Ultimately, standards provide value when they foster common understanding reflecting collective wisdom, while creating efficiencies and better results for the organizations using them. In benefiting organizations, risk management standards generally recommend, but do not require, risk management criteria, methods, processes and practices. Therefore, they boost risk management’s value—one of the reasons you should care about risk management standards, frameworks and guidelines. And shouldn’t you be involved in developing guidance about your daily work? Another reason to care.

The problem is not a shortage of risk management standards and frameworks, but the proliferation of standards and frameworks that, at times, seem to contradict each other. The result is confusion, even about how terms and concepts are used. Sorting through these contradictions is challenging, particularly when others in the organization may be advocating a different risk management approach. These differences lead respective proponents to argue about which one is “right” or “better,” rather than focusing on the value that risk management can deliver. Creating a new risk management standard does not necessarily help the situation, as it usually just becomes one more competing standard.

There is an unmistakable need for understanding how to apply various risk management standards.


Another reason for you to care: how complementary—or contradictory—risk management standards and frameworks may be can either help or hurt your efforts.

ACT NOW

We all have a unique opportunity right now to influence two of the major risk management guidance documents: ISO 31000:2009 developed by the International Organization for Standardization and the COSO ERM Framework 2004 under the auspices of the Committee of Sponsoring Organizations. Both are undergoing revision reviews at this time.

To influence the ISO 31000 revision: Seek to join the national mirror committee of your country. In the United States, the Technical Advisory Group for the American National Standards Institute (ANSI) is administered by the Association of Safety Engineers (ASSE) and chaired by Carol Fox, RIMS vice president of strategic initiatives. If you are interested in joining the US TAG, contact Ovidiu Munteanu for information and an application (omunteanu@asse.org).

To influence the COSO revision: The revision is open for public comment June 15 through September 30, 2016. COSO has expanded its website, www.COSO.org, with a section on the Framework update that includes the proposed Framework, survey and comment tools, and FAQs about the project, details of the most significant updates and how to respond to the survey. Written comments on the exposure draft will become part of the public record and will be available on the COSO website through Dec. 31, 2016.

Malware Threats from Unlicensed Software: The Critical First Step for Cyberrisk Management

Waking up to find your company on the front page news and at the center of a data breach is every CEO’s worst nightmare—and for a number of businesses, it has become reality. Today, the threats from cybercrime are real and frightening, and the risks are extraordinary. Cybersecurity is an incredibly complex issue and business leaders are grappling with how to best protect their businesses, understand the new business vulnerabilities, and identify what steps they can take to protect themselves and their customers from becoming a victim of cybercrime.

There is a strong case for organizations to put protection from malware at the top of their risk agenda. In the past year, 43% of companies experienced a data breach. The average organization experiences a malware event every three minutes, and the costs of dealing with that malware can be astronomical. The International Data Corporation (IDC) estimates that enterprises spent $491 billion in 2014 as a result of malware associated with counterfeit and unlicensed software.

A threshold step to mitigating risk is gaining an understanding of your own network and if the software you are using is genuine and fully licensed. Unfortunately, many businesses are failing to take this basic and critical first step to protect themselves.

It has long been suspected that there is a connection between unlicensed software and cybersecurity threats. A new study commissioned by BSA | The Software Alliance and conducted by IDC confirms this as fact.

The study compared rates of unlicensed software installed on PCs with a measure of malware incidents on PCs across 81 countries. Given that 43% of the software installed on PCs globally in 2014 was unlicensed, it’s clear that many businesses are at risk. The findings were sobering. The correlation between the use of unlicensed software and malware is even higher than the correlations between education and income, or that between smoking and lung cancer. The implication for governments, enterprises and consumers is clear: assessing what is in your network and eliminating unlicensed software could help reduce the risk of cybersecurity incidents.

Fortunately, there are proven best practices available to tackle the challenges around software licensing. The world-class standard for Software Asset Management is ISO/IEC 19770-1:2012. The importance of implementing internal controls for legal use of technology, including software, has become so critical that COSO now recommends it in its revised Internal Control – Integrated Framework.

While putting controls in place may sound simple, many businesses are missing this first step. Only 35% of companies have written policies requiring the use of properly licensed software. For CEOs, now is the time to start implementing best practices that will help mitigate security risks and avoid your business becoming tomorrow’s news headline. For more information on additional steps you can take, visit BSA’s website.

BSA Global Software Survey

How the RIMS Risk Maturity Model Works

Hack Wilson was an MLB star in the 1920s, but he had a drinking problem. Realizing his potential, Hack’s manager pulled him into the dugout and said, “If I drop a worm into a glass of water, it swims around fine. If I drop it into a glass of whiskey, it immediately dies. What does this prove?”

Hack responded, “If you drink whiskey, you’ll never get worms.”

Hack’s observation, while misguided, provides a lesson in the difficulty of training and educating employees. Over the next several weeks, I hope to provide a step-by-step walkthrough of the RIMS Risk Maturity Model (RMM) for enterprise risk management (ERM), and in doing so provide a framework that can be used to educate, implement and enhance the ERM program at your own organization.

Enterprise risk management maturity, as measured by the RIMS Risk Maturity Model, was recently the subject of a third-party study of ERM programs, which found that it adds 25% to a corporation’s bottom-line value. But how is that value achieved? What is it about ERM that makes these organizations more efficient, better operating and ultimately more successful?

The answer is that the RIMS RMM is a step-by-step guide on how to implement, improve and measure the adoption of the best practices of ERM defined by ISO, COSO and other ERM standards. The RMM is broken down into seven attributes, and the resulting culture, processes, tools and structure allow organizations to realize potential opportunities while managing adverse events and surprises. As outlined by the RMM, enterprise risk management is particularly effective in addressing cross-functional or silo-specific challenges and gaps by providing a common framework.

That’s a loaded response, and as shown above, educating process owners, risk managers and even executives about the value of ERM can be tricky.

That’s the value of the RMM—it breaks down ERM into practical requirements, allowing organizations to assess their current capabilities, while providing concrete guidance for a pathway forward.

The seven core attributes are:

  • ERM-based approach—Executive support within the corporate culture.
  • Risk appetite management—Accountability within leadership and policy to guide decision-making.
  • Root cause discipline—Binding events with their process sources.
  • Uncovering risks—Risk assessments to document risks and opportunities.
  • Performance management—Executing vision and strategy utilizing a balanced scorecard.
  • Business resiliency and sustainability—Integration into operational planning.

In a few upcoming posts, we’ll cover more fully what a mature ERM program looks like from the perspective of one of our seven attributes. The goal is to improve your organization’s ability to manage risk, while exploring the correlation between business value and ERM maturity.

For an introduction to the RIMS approach to ERM, click here to watch LogicManager’s video on Getting Started with ERM.