Tackling Risk at the Line – The Separation of Awareness and Control Effectiveness

IREC’s sister Council, Investor Relations Roundtable, reports an interesting new trend in thinking about business units’ overall business risk levels. To encourage risk vigilance without fostering risk aversion, a few leading organizations now separately evaluate risk awareness and risk control effectiveness as part of their risk audit processes. Separating risk scores into awareness and control effectiveness ensures that the line is not punished for identifying risk weaknesses, rather the line is rewarded through a higher awareness score.

Progressive CISOs measure business units’ residual information risk levels to keep managers in line and promote healthy competition to keep information risks at appropriate levels. It is worth considering breaking out measurements of information risk and control effectiveness to avoid incenting managers to under-report or otherwise hide their information risk levels.

Explore posts in the same categories: Risk Management

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: