Channel: Regulatory Reality » Audit
Browsing latest articles
Browse All 11 View Live

Governance, risk and compliance – related but not the same.

I was sitting in a meeting this week listening to a group of very bright people talking about an initiative centered on installing a software solution and I realized something rather disturbing;...




GRC presents a broad spectrum; is it too broad?

In early 2004 I co-authored my first Sarbanes-Oxley (SOX) controls framework for a client.  Just about the entire thing required manual testing that, if everything worked as planned would require a...


Anyone remember the Heartland breach?

Two weeks ago news broke about a huge, massive leak of credit card information from a processor called Global Payments and I braced for a firestorm of media coverage that was sure to follow.  Two weeks...


Internal Audit: Whose side are they on anyway?

My first encounter with an auditor was back in the mid-90's while working as an application project manager for a Fortune 100 company.  The group responsible for change management was going through an...


Risk: The core issue behind regulatory requirements

There’s a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I’ll tell you that I’m a regulatory compliance expert who advises...



Metrics Reporting: Are pretty colors always pretty accurate?

I have an odd relationship with management reporting.  I know it’s a necessity and quite often see clear value in what’s packaged for senior management and board review.  But a significant piece of the...


Are self-assessments the right way to go?

About a decade ago a family member chastised me for having an auto repair shop do my oil changes for me.  She (yeah, you’re reading that right – “she”) pointed out how ridiculously easy it was to drain...


Are banks unfairly scrutinized?

A few years back when I first cut over to working somewhat exclusively with financial institutions I memorized an elevator speech that still somewhat defines who I am and what I do professionally....



Hurricane Sandy: An epic storm and the ultimate DR test

I’ve written similar posts in the past where I start off by apologizing for appearing opportunistic when leveraging a significant news event to generate site content.  However when considering roughly...



Security Standards: What’s in a name?

I had an interesting phone call recently with someone in a CISO-type position.  They were looking for a consultant to help them keep a seat warm working with information security risk assessments and...




