Fundamental Governance and Risk Management Questions

First, governance. I try to get my head around:

  1. Are we doing the right things?
  2. Are we doing them the right way?
  3. Are we getting them done well?
  4. Do we see expected benefits?

Second, I try to see where the organization stands in terms of security culture:

  1. Is it a Vulnerable kind of organization?
  2. Is it a Reactive kind of organization?
  3. Is it a Compliant kind of organization?
  4. Is it a Proactive kind of organization?
  5. Is it a Resilient kind of organization?

Then, going slightly deeper:

  1. Should we analyse Access Risks?
  2. Should we analyse Availability Risks?
  3. Should we analyse Cyber and Information Risks?
  4. Should we analyse Emerging Technology Risks?
  5. Should we analyse Infrastructure Risks?
  6. Should we analyse Integrity Risks?
  7. Should we analyse Third-Party Risks?

And then the hard questions:

  1. Have we identified any risks in those categories?
  2. Have we already analysed, evaluated and assessed those risks?
  3. Do we have response strategies for them?
  4. How do we control, monitor and report those risks?

Only then the real fun starts!
