GRC Articles


Latest Articles

March 2, 2017 by: James Bone Categories: Risk Management Program RiskID from Sysenex – Sponsored Post


Organizations are striving to manage projects more efficiently, yet many fail each year at great cost. Over 50% of all projects exceed budgets or miss deadlines. Project risk plays a big role.  Sponsored Post



January 30, 2017 by: James Bone Categories: Risk Management Reintroducing TheGRCBlueBook: Business Brochure of Services


TheGRCBlueBook combines risk advisory services with cutting edge research, a knowledge of the GRC marketplace and a platform for GRC solutions providers to educate and showcase their products and services to a global market for risk, audit, compliance and IT professionals seeking cost effective solutions to manage a variety of risks.  Partner with TheGRCBlueBook to help educate corporate buyers about your GRC products and services.

January 10, 2017 by: James Bone Categories: Risk Management A Contextual Model of a Cognitive Risk Framework for Enterprise Risk Management


Behavioral economics has only recently begun to gain gradual acceptance among mainstream economists as a rigorous discipline that may serve as an alternative perspective on decision-making. However, the growing acceptance and adoption of behavioral economic theories and concepts, along with advances in computational firepower, present opportunities to put practical applications into practice for improving risk management. The goal of this article is to develop a contextual model of a cognitive risk framework for enterprise risk management that frames the limitations and possibilities for enhancing enterprise risk management by combining behavioral science with a more rigorous analytical approach to risk management. The thesis of this paper is that managers and staff are prone to natural limitations in Bayesian probability judgments, as well as to errors in judgment due in part to insufficient experience or data to draw reliably consistent conclusions with confidence. In this context, a cognitive risk framework helps to recognize these limitations in judgment. The Cognitive Risk Framework for Cybersecurity and its Five Pillars have been offered as guides for developing an advanced enterprise risk framework to deal with complex and asymmetric risks such as cyber risk.

“A major task in organizing is to determine, first, where the knowledge is located that can provide the various kinds of factual premises that decisions require.” – Herbert Simon


In a 1998 critique of Amos Tversky’s contributions to behavioral economics, Laibson and Zeckhauser discussed how Tversky systematically exposed the theoretical flaws in the assumption that individual actors behave rationally in pursuit of perfect optimality. Tversky and Kahneman’s Judgment under Uncertainty: Heuristics and Biases (1974) and Prospect Theory (1979) demonstrated that actual decisions involve systematic error. “The rational choice advocates assume that to predict these errors is difficult or, in the more orthodox conception of rationality, impossible. Tversky’s work rejects this view of decision-making. Tversky and his collaborators show that economic rationality is systematically violated, and that decision-making errors are both widespread and predictable. This now incontestable point was established by two central bodies of work: Tversky and Kahneman’s papers on heuristics and biases, and their papers on framing and prospect theory.”[1]

Many of Tversky and Kahneman’s contributions are less well known to the general public and are misread by some risk professionals as a purely theoretical treatment. As researchers, Tversky and Kahneman were well versed in mathematics, which helped them shine a light on systematic errors in complex probability judgments and on the use of heuristics in inappropriate contexts. As groundbreaking as behavioral science has been in challenging economic theory, Tversky and Kahneman’s work centers on a narrow set of heuristics, representativeness, availability and anchoring, as universal sources of error. The authors used these three foundational heuristics broadly to describe how decision-makers substitute mental shortcuts for probabilistic judgments, resulting in biased inferences and a lack of rigor in making decisions under uncertainty.[2]

Cognitive Risk Framework: Harnessing Advanced Technology for Decision Support

In the nearly four decades since Prospect Theory (1979), data analytics expertise and computational firepower have made significant progress in addressing the weaknesses in Bayesian probability judgment recognized by Tversky and Kahneman. Additionally, the automotive industry and Apple Inc., among others, have successfully incorporated behavioral science into product design to reduce risk, anticipate human error and improve the user experience, adding value to financial results. This paper assumes that these early examples of progress point to untapped potential if applied in constructive ways. There are detractors, and even Tversky and Kahneman admitted to inherent weaknesses that are not easy to solve: skeptics argue that laboratory results may not replicate in real-life situations, that arbitrary frames do not reflect reality, and that the theory lacks mathematical predictive accuracy.

Since Laibson and Zeckhauser’s (1998) critique of Tversky’s contributions to economics, a large body of research in cognition has evolved to include Big Data, Computational Neuroscience, Cognitive Informatics, Cognitive Security, Intelligent Informatics, and rapid early-stage advancements in machine learning and artificial intelligence. A Cognitive Risk Framework is proposed to leverage the rapid advancement of these technologies in risk management; however, technology alone is not a panacea. Many of these technologies are still evolving, and progress will continue in stages, so risk professionals must begin to consider how to formalize the steps for incorporating these tools into an enterprise risk management program in combination with the human elements.

The Cognitive Risk Framework anticipates that, as promising as these new technologies are, they represent one pillar of a robust and comprehensive framework for managing increasingly complex threats such as cyber and enterprise risks. The Five Pillars are Intentional Controls Design, Intelligence and Active Defense, Cognitive Risk Governance, Cognitive Security Informatics, and Legal “Best Efforts” Considerations. A cognitive risk framework does not supplant other risk frameworks such as COSO ERM, ISO 31000 or the NIST standards for managing a range of risks in the enterprise. It is presented to build on the progress made in risk management and to provide a pathway to demonstrably enhance enterprise risk management, using advanced analytics to inform decision-making in ways only now possible. At the core of the framework is an assumption about data.

One of the core tenets of Prospect Theory is the recognition of errors in decision-making that derive from small sample sizes or poor-quality data. Tversky and Kahneman noted several cases where even very skilled researchers routinely made errors of inference derived from poor sampling techniques. Many recognize the importance of data; however, organizations must anticipate that a cross-disciplinary team is needed to actualize a cognitive risk framework. Data will become either the engine of a cognitive risk framework or its Achilles’ heel, and may be the most underestimated investment in ramping up a cognition-driven risk program. A cognitive risk framework demands far more diverse skills than currently exist in risk management and IT security.
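The two quantitative claims in this article, that people misjudge Bayesian probabilities and that small samples mislead even skilled analysts, are easy to state and easy to underestimate. The following is an added example, not code from the article or from TheGRCBlueBook, that carries both arguments through with numbers in a security-alerting setting. The detection rate, false-positive rate, fleet base rate and sample sizes are assumed illustrative values, not figures from the page.

```python
import math


def posterior_given_alert(sensitivity: float, false_positive_rate: float, base_rate: float) -> float:
    """Bayes' rule: P(compromised | alert fired).

    sensitivity         = P(alert | host compromised)
    false_positive_rate = P(alert | host not compromised)
    base_rate           = P(host compromised), the prior across the fleet

    The representativeness heuristic reads the answer as roughly the
    sensitivity; the base rate is what actually dominates when compromise is rare.
    """
    true_alert = sensitivity * base_rate
    false_alert = false_positive_rate * (1.0 - base_rate)
    return true_alert / (true_alert + false_alert)


def binomial_pmf(n: int, k: int, p: float) -> float:
    """P(exactly k events in n trials), computed in log space so that large n
    does not overflow a float when the binomial coefficient is huge."""
    log_pmf = math.log(math.comb(n, k)) + k * math.log(p) + (n - k) * math.log1p(-p)
    return math.exp(log_pmf)


def prob_estimate_off_by(p: float, n: int, rel_error: float) -> float:
    """Exact probability that the rate observed in n samples, k/n, differs from
    the true rate p by more than rel_error * p (0.5 means 'off by at least half').

    This is the 'law of small numbers' error quantified without simulation: it
    is the chance a sample of size n leads an analyst to a badly wrong rate.
    """
    tolerance = rel_error * p
    return sum(binomial_pmf(n, k, p) for k in range(n + 1) if abs(k / n - p) > tolerance)


if __name__ == "__main__":
    # Constructed scenario (assumed values): a detector with a 99% detection rate and a
    # 1% false-positive rate, on a fleet where 1 host in 1,000 is actually compromised.
    print(f"P(compromised | alert) = {posterior_given_alert(0.99, 0.01, 0.001):.3f}")

    # Constructed scenario (assumed values): the true phishing-click rate is 5%.
    # How often does a sample of n users put the observed rate off by more than half?
    for n in (20, 200, 2000):
        print(f"n={n:5d}: P(observed rate off by >50%) = {prob_estimate_off_by(0.05, n, 0.5):.4f}")
```

With these assumed numbers the posterior is about 0.09, not the 0.99 that intuition suggests, so roughly nine out of ten alerts are false even from a good detector. The sampling function shows the second error: with 20 users the observed click rate is off by more than half about 62% of the time, and only a sample in the thousands makes that error negligible. Both are the kind of calculation the framework expects a cross-disciplinary team to put in front of decision-makers rather than leave to intuition.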

Data is but one of the considerations in developing a robust cognitive risk framework. Others include developing structures and processes that allow ease of adoption by practitioners across multiple industries and in organizations of different sizes. While it is anticipated that a cognitive risk framework can be implemented successfully in both large and small organizations, risk professionals may decide to adopt a modified version of the Five Pillars, or to develop solutions that address a specific risk such as cybersecurity as a standalone program. If cognitive risk frameworks are adopted more broadly, it is anticipated that technology firms and standards organizations would take an active role in developing complementary programs that leverage these frameworks to advance enterprise risk management with advanced analytics and cognitive elements.






[1] Laibson, D. and Zeckhauser, R. (1998). Amos Tversky and the Ascent of Behavioral Economics. Journal of Risk and Uncertainty, 16(1), Kluwer.


January 4, 2017 by: James Bone Categories: Risk Management Executive Perspectives on Top Risks for 2017 N.C. State Poole College of Management


Protiviti and North Carolina State University’s ERM Initiative are pleased to provide this report focusing on the top risks currently on the minds of global boards of directors and executives.  This report contains results from our fifth annual risk survey of directors and executives to obtain their views on the extent to which a broad collection of risks are likely to affect their organizations over the next year.

January 1, 2017 by: James Bone Categories: Risk Management Fear, Uncertainty, Confusion, Hope: Defining the “Risk” in Risk Management


“Never let the facts get in the way of a good argument”

Facts, or more precisely our understanding of facts and of the truth, seem to have become more transient in the information age. Or have they?  The Internet has radically changed how we access information in ways that few appear to challenge or even understand.  Today anyone can Google a fact, story or news event on any topic imaginable and “learn” about it instantly with a few keystrokes.  We are bombarded with opinion pieces, rumors, false news stories and innuendo, and few of us bother to check the validity of the stories.  In fact, depending on who is viewing the data, the facts are easily dismissed when the “information” disagrees with one’s views or beliefs about the topic.  So the question here is: has the information age inhibited critical thinking?  Risk managers are not immune to these same biases, and the implications may help explain why risk management is at risk of failing.

It turns out that the definition of “truth” does not answer the question of what a truth really is.  Here are a few examples. Merriam-Webster states that truth is “sincerity in action, character, and utterance”; or “the state of being the case: a fact”; or “the body of real things, events, and facts”; or “a transcendent fundamental or spiritual reality”; or “a judgment, proposition, or idea that is true or accepted as true”; or, my favorite, “the body of true statements and propositions.”  Another source has 10 different definitions, each in contrast with Merriam-Webster.  In other words, truth is what we believe it is.  You know you are in trouble when truth and transcendent or spiritual reality are used in the same definition.  Apparently we have no idea what a truth is, or we are simply more confused than ever as we are bombarded with different truths.

But why is this important for risk professionals?  If the truth changes with evolving norms, opinions, perceptions and biases, how does a risk professional manage emerging risks in an environment where the old truths conflict with the new ones?  Operating models change as new leadership imposes its own view on the old models, and risk professionals must ask how to assess these new risks.  What was once indisputable no longer applies, and old assumptions are treated as impediments to progress.  Or are they?

In the age of Big Data, corporations are in search of the truth about customer behavior and buying preferences, and of the risk in their strategic plans.  However, even with the assistance of advanced analytics we are more archaeologists than true scientists.  Archaeologists apply a body of knowledge and a great deal of conjecture in constructing their view of the past.  Each new discovery has the potential to disrupt or partially validate assumptions in our beliefs about what ancient civilizations or animals were really like.  We don’t have enough information to confirm these conjectures, but we believe them in the absence of data that contradicts them.  This is the crude method by which humans learn: through trial and error.  If something is proven to work reasonably well over time, it becomes the truth.  If it fails, miserably, it is considered not to be the truth.  But we know from scientific experiments that truth can be derived from failures, even massive failures like the space shuttle catastrophe or major battles in war.  We “learn” from mistakes and vow never to repeat them.

The truth is that we seldom, if ever, have perfect information.  Imperfect information is uncertainty, NOT risk.  Risk is a known quantity: it can be measured, and we know to avoid it or accept it, and that is why we call it a risk.  The failure in risk management is not knowing the difference.  Fear, confusion and hope are signs of uncertainty, and they are emotional signals that we have crossed the Rubicon of not knowing whether the outcomes will result in losses or gains.  This is when risk managers become archaeologists.  Archaeological risk managers try to develop stories from past experience and imperfect information to describe the new truths using old methods.  This happens in every industry, from insurance to financial services and beyond, and partly explains why we miss really big emerging risks until a “learning” experience teaches us what a risk really looks like.

Fear, confusion and hope are natural responses of the “fight or flight” survival mechanisms in our primitive brain.  These emotional responses are also signals that we must tread lightly, gather information gradually and take measured risks, without betting the farm on a new shiny thing that may turn out to be a train coming through the tunnel of darkness.

How can risk professionals avoid the freight train? Don’t be afraid to say you don’t know.  When worry, fear and confusion permeate communications, that is a signal that a freight train may be barreling down the tracks.  Instead, use this time to understand what you know and separate it from what you don’t know.  Understanding the difference is critical because it gives risk managers direction to gather information and perform advanced assessments, and it provides definable boundaries within which risks may be lurking.  It is also important to understand that huge potential is the other side of uncertainty.  Big rewards can be found when uncertainty is at its highest level; however, risk professionals must take a measured approach to understanding the upside of uncertainty.

This is not the time to follow the crowd.

The upside of uncertainty requires risk managers to seek opportunity where others are fleeing or cannot see how the change in the new rules may benefit organizations poised to leverage change.  What risk professionals must avoid during uncertainty is becoming archaeologists.  Old methods may help to tell a compelling story but the real risks and upside to uncertainty will be lost as the new rules obscure what the truth really is.

December 2, 2016 by: James Bone Categories: Risk Management Cognitive Hack: The New Battleground In Cybersecurity

Christopher P. Skroupa, contributor to Forbes, interviewed James Bone, Executive Director of TheGRCBlueBook, on his upcoming book, “Cognitive Hack: The New Battleground in Cybersecurity…the Human Mind”.  In the interview Chris explores the thesis of the book and the major trends impacting cyber risk professionals, including topics such as the “Internet of Things” or IoT.  Lastly, James covers why a Cognitive Risk Framework for Cybersecurity is needed and briefly describes the Five Pillars that stand up the Cognitive Risk Framework.  The book is scheduled to be published in the first quarter of 2017.


Chris Skroupa’s bio:


I work with institutional investors and fund managers in the U.S., Europe and Asia on issues involving asset allocation, risk management, corporate governance, active investing and socially responsible investments. I focus on the intersection of government, Wall Street and Main Street. It’s an active crossroad these days as companies and investors address how to bring stakeholders into the discussion of value creation, beyond share price, and through sustainability. I encourage a constructive, solutions-based approach to many hot buttons on the current market agenda.

The author is a Forbes contributor. The opinions expressed are those of the writer.

November 29, 2016 by: James Bone Categories: Risk Management KPMG: Harnessing the Power of Cognitive Technology to Transform Audit


Our [KPMG] work as audit professionals is fundamentally about “trust.” For the capital markets to operate effectively and to the benefit of investors and society more broadly, there must be integrity and confidence in the system. In serving the capital markets and the public interest, we work to help instill trust and confidence in the information used to make important decisions.
In the following pages, we begin to explore how we can continue to promote trust during a time of profound change across the business landscape. Given the explosion of data and the digitization of our lives, we want to promote a discussion about how the audit profession must evolve its tools and approach to keep up with the pace of change and remain relevant in a dynamic marketplace. Specifically, our profession must embrace the use of advanced technologies, including data and analytics (D&A), robotics, automation and cognitive intelligence, to manage processes, support planning and inform decision making. At KPMG we are constantly thinking about the development of innovative capabilities and technologies that will enhance quality and strengthen the relevance of our audit into the future.

November 27, 2016 by: James Bone Categories: Risk Management Commonsense Principles of Corporate Governance


Open Letter: Commonsense Principles of Corporate Governance

For more than two centuries, the American free enterprise system has led to enormous prosperity for our country: the creation of jobs, increases in wages and savings, and the emergence and growth of dynamic companies. Because well-managed and well-governed businesses are the engine of our economy, good corporate governance must be more than just a catch phrase or fad. It’s an imperative – especially when it comes to our publicly owned companies. Though they account for only 5,000 of our country’s 28 million businesses, our public companies are responsible for one-third of all private sector employment and one-half of all business capital spending, both of which ultimately drive the productivity and health of the country. To ensure their continued strength – to maintain our global competitiveness and to provide opportunities for all Americans – we think it essential that our public companies take a long-term approach to the management and governance of their business (the sort of approach you’d take if you owned 100% of a company).

While most everyone agrees that we need good corporate governance, there has been wide disagreement on what that actually means. So we gathered a small group of executives to see if we could reach some consensus on what we think works in the real world. This group included the CEO of several major asset managers, one activist investor and one public pension plan, as well as several publicly owned companies. We did not convene a group of this size to be exclusive but, rather, so we could sit around a room and have a mature conversation about this important topic – something that would have been very difficult to do in a much larger forum. Indeed, even among our small group, we don’t agree on absolutely everything. But we do agree that, taken as a whole, these principles are conducive to good corporate governance, healthy public companies and the continued strength of our public markets. Thus, we are steadfast in our determination not to let our minor differences imperil this important effort.
The principles set forth a number of commonsense recommendations and guidelines about the roles and responsibilities of boards, companies and shareholders. We firmly believe that empowered boards and shareholders, both providing meaningful oversight, are critical to the long-term success of public companies. But knowing that there is significant variability among the thousands of such companies and understanding that both context and circumstance matter, we have tried not to be overly prescriptive in how to achieve those goals. We also recognize that we live in a dynamic, fast-changing world – and that while many of these principles are and should be part of the corporate governance permanent landscape, some will inevitably change over time.
These principles are not intended to be for or against activists, proxy advisors or special interest groups. While we know that not everyone will agree with everything in them, we hope that, at the very least, these principles will serve as a catalyst for thoughtful discussion. More than 90 million Americans own our public companies through their investments in mutual funds, and millions more do so through their participation in corporate, public and union pension plans. These owners include veterans, retirees, teachers, nurses, firemen, and city, state and federal workers. We owe it to all of them – and to all our shareholders and investors who have entrusted us with their savings – to get this right.


November 21, 2016 by: James Bone Categories: Risk Management The Future of Audit by Arnold Schilder, IAASB Chairman

“In a rapidly changing world, audit does have a future.” That is how the report from Grant Thornton and ACCA sets the tone.

The title of this conference does not have a question mark at the end. Rightly so. I was attracted to this profession in 1971 by a Dutch report, called The auditor, Tomorrow? Yes, with a question mark—but one full of hope and perspectives. And earlier this year the Fédération des Experts Comptables Européens (Federation of European Accountants, or FEE) published a report with this promising quote: “The challenges that lie ahead for the profession go along with plenty of opportunities to further evolve and better serve new markets’ needs.”

To me, challenges and opportunities are two sides of the same future-of-audit coin. I would like to put four coins on the table today—each with its own sets of challenges and opportunities.

1. Understanding the business of the auditee, its corporate defense, and value preservation is a cornerstone of a robust audit.

The importance of the auditor’s understanding of the business was emphasized by many who commented on the IAASB’s Invitation to Comment (ITC), Enhancing Audit Quality in the Public Interest. It sounds like an open door. But it was mentioned so often with a twofold background. First, the rapidly changing world that all businesses are part of. Several panelists in the next discussion will elaborate on that. Second, a concern that audits have become a “check-the-box” exercise. Standards and rules can be good guides—but the real journey cannot be predicted. You have to find out yourselves. That is the essence of auditing—your professionalism and independence.

This understanding of the business includes how the auditee has organized its value preservation, and its corporate defense around that. I quote these concepts from a recent book by Sean Lyons that fascinated me. I don’t have the time to elaborate on this, but if I just mention the eight components of the “corporate defense umbrella,” the importance is clear: governance, risk, compliance, intelligence, security, resilience, controls, and assurance. Just one quote to illustrate: “Each organization is required to focus on bringing the dollar in through the front door (offense) while also focusing on preventing the dollar from leaving through the back door (defense).”

This certainly is a great challenge as well as an equal opportunity for assurance providers. This brings me to the next coin.

2. Professional skepticism and professional judgment are key inputs to audit quality. Professional skepticism, as a state of mind and attitude, should govern the performance of auditors (see ITC p. 12).

Professional skepticism is a fundamental concept and core to a high quality audit. The IAASB received many comments on this topic of the ITC (all comments are publicly available on the IAASB website). Let me quote a few from one of our agenda papers—they illustrate both challenges and opportunities:

  • Professional skepticism is about the appropriate mindset of the auditor. It is relevant throughout the entire audit.
  • A sufficient knowledge of the business enables the auditor to ask probing questions, more effectively challenge management, and identify when evidence is contradictory.
  • Professional skepticism is about behavior—how can auditors be encouraged to act as critical challengers? And how can quality control at the engagement level stimulate this, such as putting together a team with the right skills, expertise, and experience?
  • Training and education is important to infuse a professionally skeptical attitude into the DNA of auditors.
  • There is a strong link between professional skepticism and the role of the “tone at the top” and the “tone at the middle.”

Each of us can, and should, stimulate this professional behavior. It is difficult enough!

3. “Audits are not dying yet, but they do need to adapt to the digital age.”

And now the third coin. This quote from the Grant Thornton-ACCA report says it all. And let me add another one from a book by Rob Nixon: “Industries all over the world are being disrupted by technological advancements, social change and innovative thinking.” So the scene is set. The impact of new technologies including data analytics on both businesses and audits can only be underestimated. The IAASB recently published a paper, Exploring the Growing Use of Technology in the Audit, with a Focus on Data Analytics. The link between these new innovative technologies and understanding the business with all its ongoing changes is obvious. But equally important is the impact on new audit practices and methodologies. Obviously our standards were not, and could not be, written with tomorrow’s technological challenges and opportunities in mind. But the use of data analytics in the audit can lead to 1) better informed risk assessments, through understanding the business of the auditee and 2) more available evidence to support professionally skeptical behavior.

It is important that we pursue this area with great intensity and an open mind. A constructive dialogue between businesses, auditors, regulators, and standard setters is a must to make effective and efficient progress. So please send us your comments on this paper and advise us about the best way forward.

4. The new auditor reporting with key audit matters cannot be encouraged enough. It innovates the audit by clearly speaking out to users. And it provides a link to wider forms of assurance on emerging external reporting, including integrated reporting.

This brings us to the fourth and final coin and so let me conclude with my favorite topic: the innovation in auditor reporting. For many decades external users of financial statements and the attached independent auditor’s report received only one sentence from the auditor, the audit opinion. A binary pass or fail. That is now changing completely. Auditors will now provide a number of observations on key matters in the audit that are most relevant to users, in a very readable way. We know from surveys in early adoption countries, notably the United Kingdom, how much this is valued by these users. There are even investor awards for the most innovative and most insightful auditor’s reports. This new more informative and relevant reporting by the auditor helps clarify the public’s perception of what an audit is. It also stimulates professional dialogues between the company, its investors, auditors, and regulators.

It is vital that we continue to stimulate highly relevant auditor reporting. At the IAASB we have a special auditor reporting implementation support group. But all of us have a role to play here.

The new auditor’s report will also have an impact on other forms of assurance reporting. There are many interesting developments in external reporting and providing assurance thereon. Integrated reporting is a well-known example. The IAASB published a discussion paper in September 2016 on this subject, and we have recently extended the deadline for comments to February 3, 2017 so we invite you to please send us your feedback.

Nov 16, 2016
at ACCA-Grant Thornton Future of Audit Conference
Brussels, Belgium


November 19, 2016 by: James Bone Categories: Risk Management A New Model for SEC Enforcement: Producing Bold and Unrelenting Results

The U.S. Securities and Exchange Commission (SEC) seal is displayed outside headquarters in Washington, D.C., U.S., on Wednesday, Oct. 26, 2011. The SEC approved a rule requiring hedge funds and private-equity funds to reveal internal information to U.S. regulators. Photographer: Andrew Harrer/Bloomberg via Getty Images


Mary Jo White is resigning from the Securities and Exchange Commission as the new administration has made clear that SEC legislation is a target.  This speech by the head of the Commission appears to highlight Ms. White’s accomplishments and initiatives to fight white collar crime.