TL;DR Organisations have no brains. And even humans, with brains, can barely imagine unexpected risks. Making sure we are adequately prepared for potential risks requires a thorough exercise of risk assessment. Each project or program requires such an effort. However, we often neglect that. Not so obvious When I mention the very simple idea that … Continue reading Failing to plan = planning to fail
This article is a rewrite of an article I originally wrote about six years ago on a now discontinued blog aptly titled “complexity risk management”. I am reviewing a paper on risk management and felt it relevant to update this post as an additional comment to one of my review points. Whenever I speak about … Continue reading Why I use a static and a dynamic phase in a risk management approach?
Mutual exclusivity? I'm hearing a lot of comments about the relevance and the redundancy of internal controls and especially internal controls development and internal controls training. A number of new management philosophies such as this one - pretty much unknown outside of the French speaking world, but mirrorred in philosophies such as the one of … Continue reading The real relevance of internal controls and their development
An interesting article on risk register obsolescence I recently read this article by Michael Werneburg which was subsequently updated here. The article deals with the evolution of risk management in organisations beyond the use of risk registers into a risk mature organisation. It restates and reiterates a number of points that have been made by … Continue reading Risk management maturity – moving beyond risk registers?
It has been quite a busy week, so I've not been able to write for the blog. I have, however, been reading a lot. While it was not primarily on my agenda, this article on risk management caught my eye. It makes a concise and very clear distinction between risks and risk sources. A recommended … Continue reading Risk versus risk sources
I wrote this article in 2012 for a foreign speaking engagement. It gives a short overview of risk management evolution in the Belgian federal government. When speaking about risk management, many people assume that the main drive started in 2004, after the publication of the long awaited COSO ERM. Quite often, public sector practices tend … Continue reading Looking back – Risk management in the Belgian federal public sector
What is a risk register? A risk register is an as complete as possible overview of all the risks that may potentially impact an activity, a process, a division or an entire organization within the scope of a risk assessment. What is the purpose of a risk register? A risk register is a tool to … Continue reading How to build a risk trigger list
We don't want to know what can go wrong When I'm looking at a risk management implementation from an audit point of view, I often worry about two fundamentally opposite problems. On the one hand, I note that quite often the risk identification exercise is not conducted to ensure completeness. Often heard excuses are: "we … Continue reading Too few risks are identified, too many are managed
The risk management context often lacks clear boundaries One of the challenges of risk management is that its context is for all practical purposes unlimited. Risk management is about dealing with all the potential risks an organization can be exposed to, covers the entire scope of activities of that organization and all activities deemed relevant … Continue reading Risk and contextual limitations
Introduction We 've established in the prior two parts of this series of posts that current EWRM practices may lead to situations in which the original and ultimately responsible parties, the process owners, become disenfranchised and no longer own the responsibility of managing risks to their objectives, although this is a key responsibility. Process owners … Continue reading The state of EWRM part III – Essential EWRM practices