What we’re reading this week from the world of risk management.
CFO.com: Making Cybersecurity a Business Function Poses Challenges
“In cyber-security circles, the idea of ‘aligning security with the business’ gets a lot of lip service, but alignment is not a one-way street. There are some very real challenges associated with implanting cyber-risk management as a business function — challenges that are not just ‘cyber’ problems, but business problems with roots in areas beyond the cybersecurity domain.”
Volkov: Convergence of Audit and Compliance Functions
“If you think about it, the convergence of these functions makes sense and is long overdue. Compliance is an important aspect of a company’s internal controls. An internal auditor is devoted to oversight and monitoring of a company’s internal controls. An effective compliance program requires periodic audits and assessments to ensure proper operation of the compliance program.”
Business Continuity Institute: Supply chain resilience – The case for understanding the ROI in resilience
“What is the appropriate way to analyse the current levels of resilience within your supply chain, for those you are in contractual relationships with? How will you migrate future procurement competitive bidding processes to include resilience assessed total cost of ownership?”
NACD: Six Principles for Improving Board Risk Reporting
Jim DeLoach writes: “Board risk reporting is a subject of debate within many organizations as directors often consider reports to be too detailed or not actionable. Simply stated, risk reporting should enable the board and its respective committees to understand and govern the organization’s risks.”
See also Norman Marks’s response: Risk reporting to the Board
Federal Times: Agencies need cyber risk strategies for modern adversaries
“A cyber risk strategy takes organizations to a far more mature, holistic level. It recognizes that data protection extends to every single facet of an agency: public affairs, finance, HR, legal, engineering, recruiting and, ultimately, its culture. It assesses a comprehensive breakdown of everything your agency does — how it operates, who “touches” sensitive data, what third-party vendors are “allowed in,” etc. — to gain a full view of your risk posture throughout all operational functions. In other words, a cyber risk strategy drives toward a single, invaluable quality: trust.”
Join our Risk Intelligence group on LinkedIn to get our weekly update every Tuesday.