Check Out Pete Müller's LinkedIn Stats (Last 30 Days)

When do you stop having imposter syndrome? I wasn't going to share the link to my speech. No matter how much great feedback There is always the nervousness When releasing a recording. But... Here it is https://lnkd.in/gpa8TBaR If you're interested in Strategic Risk And what to do to manage it, This might interest you. P.S. Has anyone else been called a Godfather of anything? Someone said I was the Godfather of Strategic Risk.... Not sure about it but will take the compliment.

Just got called the Godfather of Strategic Risk Analysis. Finished presenting the webinar at 1:00am. Started at midnight. Now, I would not call myself the Godfather. But if you want to read an article on Strategic Risks This one might do the trick https://lnkd.in/gdvjxNqP Learn how to manage strategic risks Learn some key tips often not considered Learn the difference of operational and strategic risks Help reveal tactics to prove strategic risk is not a dark art Ok, off to bed now. Like I said, it's 1:00am 😴 P.S. If you liked the article then subscribe for more like it and join 1000+ peers reading 𝗧𝗵𝗲 𝗥𝗶𝘀𝗸 𝗣𝗿𝗼𝗳𝗲𝘀𝘀𝗶𝗼𝗻𝗮𝗹𝘀 𝗪𝗲𝗲𝗸𝗹𝘆 𝗡𝗲𝘄𝘀𝗹𝗲𝘁𝘁𝗲𝗿 https://lnkd.in/gfKMEpXF

When I knew the GM Risk didn’t understand controls I knew the business was in trouble. They were working on key control definition And their definition was going to lead to gaps. Gaps in the risk and control environment. Wrong definition: Key controls are controls that support residually high rated risks. Only focus of control testing was key controls. Lesson: This means controls of residually low rated risks Are not on the radar for assessment. Which is a risk based view. Which is fine. Wrong. What if the low rated risk is inherently a critical risk? These controls (if working) are very important. They bring a risk from the extreme negative To (hopefully) within appetite. But you’re not testing them.  What if they fail? Hint: It’s bad. It leads to a risk event of a critical nature occurring. Risk isn’t hard. But somewhere along the path it has been made hard. If in doubt Reach out. Speak to an expert. Don't pretend and fake it. You will create risk sludge. You will create risk administration. You will create a poor risk environment. The amount of toing and froing over controls I’ve seen It will blow your mind. ↳ Is this a control.  ↳ Is this not a control. ↳ Well this should be a key control. ↳ Oh you don’t say this and you need to.  ↳ This control is worded slightly differently. I’ve seen people spend more time on the wording of controls than actually making sure they work. Don’t do risk administration.  Do risk management. If you don’t set solid foundations for controls → And you leave ambiguity → And you leave uncertainty → And you don't know what you're talking about ↳ You will create a whole bunch of risk administration. Ultimately hurting the business.  Taking the focus away from the customer. P.S. Have you seen toing and froing over what a control is? It doesn't need to be hard. 🔔 Follow Pete Müller for more on risk management 🇦🇺 Join 1000+ peers and subscribe to 𝗧𝗵𝗲 𝗥𝗶𝘀𝗸 𝗣𝗿𝗼𝗳𝗲𝘀𝘀𝗶𝗼𝗻𝗮𝗹𝘀 𝗪𝗲𝗲𝗸𝗹𝘆 𝗡𝗲𝘄𝘀𝗹𝗲𝘁𝘁𝗲𝗿 https://lnkd.in/gfKMEpXF

The worst thing you can do when managing cyber risk Is to manage it differently. Cyber risks should be managed as business risks. Cyber is just another risk type. I’ve seen organisations run cyber programs without any integration into their risk process. Risk assessments are performed differently ↳ So can’t be integrated into reporting ↳ Outputs cannot be stored in GRC systems Critical system assessments start from scratch ↳ No integration with Business Continuity teams ↳ No leveraging of existing data Controls for cyber risk are documented differently ↳ Cannot be loaded into the GRC system ↳ Cannot be viewed against overall control environment There’s lots of good cyber consultants out there But they need to know your existing risk process. Tell them. Don't let them start without that knowledge. When managing cyber risk: Do: → Leverage existing information → Integrate into the risk process → Ensure data is compatible with GRC systems → Collect and report in line with previous risk reporting Don’t: → Start from scratch → Output data in a new format → Create new controls in a vacuum → Ask for already available information Start treating cyber risk as a business risk. Leverage the existing risk ecosystem: → Policies → Systems → Controls → Reporting → Governance → Frameworks → Committees → Data capture Don't start from scratch ... unless you have to... 🔔 Follow Pete Müller on LinkedIn and hit the 🔔 🇦🇺 Join 1000+ peers and subscribe to 𝗧𝗵𝗲 𝗥𝗶𝘀𝗸 𝗣𝗿𝗼𝗳𝗲𝘀𝘀𝗶𝗼𝗻𝗮𝗹𝘀 𝗪𝗲𝗲𝗸𝗹𝘆 𝗡𝗲𝘄𝘀𝗹𝗲𝘁𝘁𝗲𝗿 https://lnkd.in/gfKMEpXF

The 1 critical mistake I see Chief Risk Officers make to mismanage compliance incidents. There is no such thing as a compliance incident. But everyone calls them compliance incidents for ease. They are technically an operational risk incident But with a compliance impact. But who wants to say that each time? Hence we call them a "Compliance Incident". The number 1 mistake I see organisations forget Is that every Compliance Incident has a breakdown in: → People → Process → Systems AKA an operational risk breakdown. I’ve seen in more than 1 organisation A tendency to treat ONLY the compliance impact. They might: → Report it → Remediate it → Close the incident Great. You closed it from a Compliance perspective. But what about other impacts? Have you considered any other risk types? And this is why Compliance and Op Risk need to 🤝. Compliance handles the “Compliance Incident”. We all know they need to: → Assess → Determine → Report → Remediate But who ensures the root cause is identified And the root cause is rectified? Is Compliance doing this? If not, then who? There needs to be a process established to handover Compliance Incidents to Op Risk teams. Don’t get me wrong. Compliance can manage the incident to ensure any breakdown in: → People → Process → Systems Is fixed. But do they? Does your Compliance team manage Compliance Incidents and that’s the last you see of them? Or do you have a process to ensure the op risk breakdown of a Compliance Incident is managed? P.S. Here is article I released today on Compliance Culture v Risk Culture https://lnkd.in/gvHz4TPi 🔔 Follow Pete Müller on LinkedIn and hit the 🔔 🇦🇺 Join 919+ peers subscribing to 𝗧𝗵𝗲 𝗥𝗶𝘀𝗸 𝗣𝗿𝗼𝗳𝗲𝘀𝘀𝗶𝗼𝗻𝗮𝗹𝘀 𝗪𝗲𝗲𝗸𝗹𝘆 𝗡𝗲𝘄𝘀𝗹𝗲𝘁𝘁𝗲𝗿 https://lnkd.in/gfKMEpXF

People yawning w/out covering their mouth make me 😡 They know it is wrong. We just went through COVID. But some people revert back to the easiest path. Even if it is not following the rules. Same with culture. Rules guide us when people are watching. Values guide us when no one is watching. It’s not about the rules that exist or don’t exist. And to be honest it is not about the values of the organisation. It is about the values of the individuals within that organisation. Create that culture. One where individuals value following the rules. Doing the right thing. And this is how you create a strong risk culture. P.S. Do people yawning without covering their mouths annoy you as well? 📌 You get it. You’re trying to drive the right risk culture. Here’s an article on risk culture you will find interesting https://lnkd.in/etDDNNxB