GRC Resources


The emerging field of Governance, Risk and Compliance (“GRC”) is in its infancy. There is currently no generally accepted definition of the term, and wide diversity in how the term is used. Leech & Co GRC’s philosophy is to help organizations optimize and integrate their approach to governance, risk management and compliance to achieve better overall business results.

There are scores of sites that provide useful information for the three core GRC domains. Listed below are some resource sites that we believe are particularly important for GRC professionals, together with a short explanation of what is available.

Each entry gives the resource name, a short description of the resource, and the site address.

Blog: Leech Talks Risk

Tim Leech, Leech & Co GRC Managing Director, offers a range of commentary on GRC-related topics via his risk blog. The primary audience for this IIA-sponsored blog is internal auditors. Readers are encouraged to provide comments and feedback based on their personal risk and GRC-related experiences.

www.theiia.org

Best Short Risk Guidance

Australia/New Zealand played a key role in bringing structure to the risk management discipline with the release of risk management standard 4360 in the 1980s. Every risk professional should have a copy of this short and powerful risk management standard in their library.

www.riskmanagement.com.au

Best Terminology Guide

ISO has published a guide containing risk management terminology definitions. The intent of this document is to encourage standard setters in countries around the world to use standardized terms in regulatory guidance related to risk.

www.iso.org

Best Global Guidance

ISO is scheduled to release ISO 31000 – Risk Management Principles and Guidelines in June 2009. This represents years of effort to distil existing national standards and guidance.

www.iso.org

U.S. COSO ERM Guidance

COSO, the committee that was responsible for the 1992 COSO Integrated Framework, issued guidance on ERM in 2004. The authors of the ERM guidance elected to use the now very dated core COSO guidance on internal control as the foundation for this framework. The guidance was written by authors from a Big 4 public accounting firm with input from the committee members of the five accounting-centric organizations that comprise COSO. As ERM guidance, it has been criticised by risk specialists for its length, the absence of a process to update and improve it, the distortion created by bolting it on to the outdated 1992 control framework, its lack of appeal to senior executives, and other technical deficiencies. In spite of its many deficiencies, it is heavily promoted and referenced by the IIA, AICPA, IMA and academics, and has to be listed as a “must read/have” for any risk practitioner.

www.coso.org

OCEG

The Open Compliance and Ethics Group is a relatively new but highly influential resource in the GRC space. OCEG has produced an excellent resource in the form of the OCEG GRC Capability Model. This framework is, in our opinion, technically superior to the COSO ERM framework in a number of respects. The OCEG framework, currently version 2, has already undergone one full round of improvements, and future enhancements based on input from users and OCEG members are expected. Access to the full GRC Capability Model is restricted to full OCEG members.

www.oceg.org

Michael Rasmussen & Corporate Integrity

Michael Rasmussen has tracked and influenced the evolution of the GRC movement, with an emphasis on the emergence of GRC-related software offerings, since the term GRC was first coined. (Note: who was the first person to use the term “GRC” is a contentious issue.) His corporate website is a valuable resource that tracks many of the most notable GRC-related developments.

www.corp-integrity.com

RIMS

RIMS stands for the Risk and Insurance Management Society. The roots and primary focus of this organization have been insurable risks; however, there has also been some coverage of the evolution of the ERM movement. All GRC practitioners should be knowledgeable about the opportunities to share or transfer risk via insurance. RIMS provides a resource to learn about and track developments in the insurance area, with some very good ERM commentary. It is our experience that many internal auditors and ERM practitioners are not knowledgeable about, and do not take adequate steps to learn and consider, the impact of insurance coverage and self-insurance options on their findings and recommendations.

www.rims.org

RMA

For GRC practitioners in the financial services sector, the Risk Management Association provides coverage of relevant developments in the credit, market and operational risk arenas. Although RMA coverage tends to be U.S.-centric, many of the articles are relevant to financial sector entities anywhere in the world.

www.rmahq.org

ERM Education

As a result of the strong influence of the various “risk management silos”, including the influence of insurance, credit risk and market risk practitioners, and the distortions created by the accounting/auditor-centric COSO 2004 ERM framework, academia has been slow to offer broadly based training that covers the full range of GRC-related topics. While it still does not cover the full range of GRC-related topics, we offer a link to one Canadian master’s level program that shows promise in terms of broad coverage of the GRC discipline. We will be monitoring and reporting on emerging GRC education opportunities via the IIA blog, Leech Talks Risk.

seec.schulich.yorku.ca

Global Risk Regulator

For Leech & Co website visitors from the EU, or who work for international financial institutions, an excellent resource that tracks global developments in the risk and compliance field is a monthly newsletter out of the UK called Global Risk Regulator. A subscription is required for this resource.

www.globalriskregulator.com

Notable Book

There are scores of books available on the many facets of risk management, with more coming on stream each month. One book that we think deserves particular mention is a Wiley publication titled “Auditing the Risk Management Process” by K. H. Spencer Pickett. We have provided a link to the Wiley site, where more details are available.

ca.wiley.com