The interaction between audit committees and management can be frustrating. Audit presents identified risks, and leaders want context. Management doesn’t want to be seen as uncooperative, but even the slightest push back can be perceived that way. Poor internal control design may be the driving force behind this ongoing debate.

Risk and compliance self-assessments aren’t the truest indicators of actual risk exposure. So you could say there’s an inherent risk in performing a risk self-assessment. Not only is there no real science behind them, the outcome of an RCSA is entirely subject to one’s memory. A self-assessment can be a good jumping-off point, but it can’t be your sole method of understanding...

Think of simplicity as an organization's end goal. It's an ideal that can be strived for in product design, process, governance -- you name it. This was the mindset of Steve Jobs as he drove innovation at Apple, and clearly they're doing something right. The benefits of simplicity are far-reaching.

Asymmetric risks – risks for which the potential gains are far greater than the potential losses (or vice versa) – can be difficult to plan for, and the events associated with asymmetric risk tend to sneak up on us, regardless of how predictable they may seem. So what impact do these risks have on ERM? Perhaps a mental shift is in order.

The violence perpetrated on innocent civilians in Paris last week stunned the world. Unfortunately, these acts of terrorism have become far more frequent in recent years. Consequently, the conversation around risk management is shifting. How do we -- as professionals charged with minimizing risk -- respond when the unthinkable happens?

The CRO of the Future is almost here. James Bone posits that before long, risk management professionals may be replaced by various “risk intelligent systems knowledgeware,” or RISK, able to process volumes of data in an instant, detect threats and respond to them just as quickly. Technology advances at breakneck speed, and so does our dependence on it to manage enterprise risk.

Ethics and success aren't mutually exclusive terms. We know this, and yet firms still cut corners. We've become so accustomed to the misbehavior of financial services firms we're no longer shocked by it; their misconduct has become routine. Expected even. James Bone discusses the dilemma of mitigating conduct risk when it feels good to be bad.

Volkswagen, a long-trusted and highly respected brand, will be dealing with the fallout of its emission scandal for quite some time. It's clear to everyone that their massive deception is inexcusable, but we'd do well to remember that the hugest transgressions happen one failure in decision making at a time. Volkswagen's was likely born out of panic.

Managing risk effectively requires first an understanding of the risk that needs managing. It sounds so elementary, but there's often a great deal of uncertainty about what an organization's risks actually look like. It's no wonder why risk management programs fail. Fortunately, there are a host of ERM tools that can help to bridge this gap.

COSO's Enterprise Risk Management Integrated Framework has become something it was never intended to be; as a risk management standard, it fails for at once being too broad (robust risk management programs would be far more effective) and too narrow (in its focus on internal controls as the primary risk management tool). It's time to adopt a multidisciplinary approach.

The tulip was the source of what's widely believed to have been the first speculative bubble, and like all bubbles, it eventually burst. That crisis was not unlike the collapse of the dot-com bubble -- rational behavior was replaced by "irrational exuberance." Effective risk management means being wary of an overvalued market and accounting for human emotion in the pursuit of financial...

Overly complicated systems aren't necessarily superior to more simplistic ones. Take FIFA's matrix for determining team ranking, for example. It takes either a lifelong, die hard fan to understand it or an advanced degree in math. It could be argued, in fact, that unnecessarily complex systems simply serve to distract attention from what's really going on.