
By Occasional Contributors | 2 Minutes Read April 15, 2016

The crown jewels and risk management

Image: FreeDigitalPhotos.net | jscreationzs
When considering information security or cyber risk, you usually concentrate on risk to the ‘crown jewels’ – those information assets and services that are most vital to the enterprise.
I am going to suggest that we can extend the concept of a focus on crown jewels to broader risk management.
I think we all know that risk is created or modified with every decision.
We also know that those decisions are made by people, who we know are imperfect.
In my last post, Why do some take risks while others do not?, I talked about the fact that different people will make different decisions in the same circumstances. We need them to make the ‘right’ decisions, taking the desired level of risk. But policies and procedures, even risk appetite or criteria statements, may not be enough to ensure they will do so.
People are influenced not only by the perceived ‘culture’ of the organization, but also by a number of personal factors including their prior experience, whether they feel ‘at risk’ if they take too much or not enough risk, and even whether they have a sunny disposition that day.
So we are dependent on these individuals and their actions.
What can be done? How can we obtain reasonable assurance that risks will be managed, by them and through their decisions and actions, at desired levels?
I suggest that we consider which individuals are making the decisions and taking the actions that are most likely to have the greater impact on whether the more significant risks to organizational objectives are at desired levels. Which individuals, which actions, and which risks?
If we can identify these individuals, the decisions and actions that need to be made, and the affected risks and objectives, then we can focus on them as the crown jewels of risk management.

  • Do these individuals understand the potential for their decisions and actions to affect risk levels and the achievement of enterprise objectives?
  • Do they understand desired levels of risk, whether in risk appetite or criteria statements?
  • Do they have sufficient information to make intelligent decisions and take the desired level of risk?
  • What might affect their decision-making in an adverse way, and what can be done about it?
  • What is the likelihood that they will make a decision that takes the level of risk outside desired parameters?
  • How will senior management know when they stray from the desired path?
  • How will we know when the decision-makers change?

There’s probably more that can be said and more that can be done to provide assurance that individuals, whether on the board, in top management, or at other levels, will take the desired level of risk.
What do you think? What should be done?
Richard Anderson and I will be discussing this in our Risk Conversations coming up in April in London and Chicago. Details are at www.riskreimagined.com. Join us!
Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management

Occasional Contributors
In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.

Article by Occasional Contributors / Business, Finance and Accounting, Information Technology, Privacy / Corporate culture, crown jewels of risk management, decision-makers, desired level of risk, information security or cyber risk, policies and procedures, risk management, risk to the ‘crown jewels’
