Do practitioners practice what they preach?

0
106

As practitioners, we talk about understanding and incorporating risk (including opportunities) into management practices, both strategic and tactical.

But do we practice what we preach?

Let me take three different groups:

  1. Risk officers (which would include safety, InfoSec and cyber risk practitioners, and so on)
  2. Internal auditors
  3. Board members

Risk officers

Risk is our job, but do we practice it?

Do we identify, assess, evaluate, and respond to these sources of risk to our effectiveness?

  • We are risk-averse, focusing only on reducing or mitigating risk instead of knowing when it should be taken.
  • We fail to gain and maintain the respect (and time and attention) of management as their partners.
  • We don’t listen to management, but instead see ourselves as better at understanding the business and related risk than they are.
  • New or changed sources of risk are not identified.
  • Changes in risk are not assessed sufficiently promptly.
  • Risk assessments are not kept current and used by those who need them on a timely basis.
  • Risk assessments are inaccurate.
  • The wrong people assess and address sources of risk.
  • Risk assessments are not used, are not understood, or are not used properly by the right people.
  • Risk models have errors or omissions.
  • Risk management is not considered of value by management, who therefore invest…

Подробнее…