Risk Governance - Revision history

User at 11:06, 18 September 2024

2024-09-18T11:06:58Z

User at 12:34, 17 September 2024

2024-09-17T12:34:26Z

User at 00:39, 20 January 2023

2023-01-20T00:39:40Z

User at 00:15, 6 January 2023

2023-01-06T00:15:40Z

User at 18:46, 6 December 2022

2022-12-06T18:46:56Z

User: The LinkTitles extension automatically added links to existing pages (https://github.com/bovender/LinkTitles).

2021-02-06T18:05:41Z

The LinkTitles extension automatically added links to existing pages (https://github.com/bovender/LinkTitles).

User at 19:52, 25 September 2019

2019-09-25T19:52:18Z

User at 19:43, 25 September 2019

2019-09-25T19:43:53Z

User at 19:43, 25 September 2019

2019-09-25T19:43:02Z

User at 19:28, 25 September 2019

2019-09-25T19:28:34Z

@@ Line 2: / Line 2: @@
 Risk Governance refers to the institutions, rules conventions, processes and mechanisms by which decisions about risks are taken and implemented. It can be both normative and positive, because it analyses and formulates risk management strategies to avoid and/or reduce the human and economic costs caused by disasters. Risk governance goes beyond traditional risk analysis to include the involvement and participation of various stakeholders as well as considerations of the broader legal, political, economic and social contexts in which a risk is evaluated and managed. The scope of risk governance encompasses public health and safety, the environment, old and new technologies, security, finance, and many others.<ref>Defining Risk Governance [https://en.wikipedia.org/wiki/Risk_governance Wikipedia]</ref>
-Risk governance is the architecture within which risk management operates in an organisation. It will reflect, and seek to sustain and evolve, the organisation’s risk culture. Since risk management is fundamental to running any business, risk governance is a fundamental part of corporate governance. The British Standard BS13500 defines governance as: ‘system by which the whole organization is directed, controlled and held accountable to achieve its core purpose over the long term’. The UK Corporate Governance Code states that ‘good governance should facilitate efficient, effective and entrepreneurial management that can deliver the long-term success of the company’. Good risk governance should result in risk being accepted and managed within known and agreed risk appetites. Risk governance should put in place a structure of risk responsibility throughout the organisation. As a result, everybody in the organisation will be aware of their own risk responsibilities and accountabilities and those of others with whom they work. [[Governance]] delivers effective accountability, including the accountability of the governing body to its owners.Risk governance is an integral part of the day to day running of the business and is not about just complying with a set of rules. Since operational risk management involves everybody in the organisation, the risk governance framework should encompass everybody. That means that it can only operate successfully if there are clear and effective lines of communication both up and down the organisation and a culture in which good and bad news is allowed to travel freely.<ref>What is Risk Governance [https://www.ior-institute.org/sound-practice-guidance/operational-risk-governance IOR Institute]</ref>
+Risk governance is the architecture within which risk management operates in an organisation. It will reflect, and seek to sustain and evolve, the organisation’s risk culture. Since risk management is fundamental to running any business, risk governance is a fundamental part of corporate governance. The British Standard BS13500 defines governance as: ‘system by which the whole organization is directed, controlled and held accountable to achieve its core purpose over the long term’. The UK Corporate Governance Code states that ‘good governance should facilitate efficient, effective and entrepreneurial management that can deliver the long-term success of the company’. Good risk governance should result in risk being accepted and managed within known and agreed risk appetites. Risk governance should put in place a structure of risk responsibility throughout the organisation. As a result, everybody in the organisation will be aware of their own risk responsibilities and accountabilities and those of others with whom they work. Governance delivers effective accountability, including the accountability of the governing body to its owners.Risk governance is an integral part of the day to day running of the business and is not about just complying with a set of rules. Since operational risk management involves everybody in the organisation, the risk governance framework should encompass everybody. That means that it can only operate successfully if there are clear and effective lines of communication both up and down the organisation and a culture in which good and bad news is allowed to travel freely.<ref>What is Risk Governance [https://www.ior-institute.org/sound-practice-guidance/operational-risk-governance IOR Institute]</ref>
@@ Line 55: / Line 55: @@
 == See Also ==
 *[[Enterprise Risk Management (ERM)]]

← Older revision		Revision as of 12:34, 17 September 2024
Line 2:		Line 2:
	Risk Governance refers to the institutions, rules conventions, processes and mechanisms by which decisions about risks are taken and implemented. It can be both normative and positive, because it analyses and formulates risk management strategies to avoid and/or reduce the human and economic costs caused by disasters. Risk governance goes beyond traditional risk analysis to include the involvement and participation of various stakeholders as well as considerations of the broader legal, political, economic and social contexts in which a risk is evaluated and managed. The scope of risk governance encompasses public health and safety, the environment, old and new technologies, security, finance, and many others.<ref>Defining Risk Governance [https://en.wikipedia.org/wiki/Risk_governance Wikipedia]</ref>		Risk Governance refers to the institutions, rules conventions, processes and mechanisms by which decisions about risks are taken and implemented. It can be both normative and positive, because it analyses and formulates risk management strategies to avoid and/or reduce the human and economic costs caused by disasters. Risk governance goes beyond traditional risk analysis to include the involvement and participation of various stakeholders as well as considerations of the broader legal, political, economic and social contexts in which a risk is evaluated and managed. The scope of risk governance encompasses public health and safety, the environment, old and new technologies, security, finance, and many others.<ref>Defining Risk Governance [https://en.wikipedia.org/wiki/Risk_governance Wikipedia]</ref>

−	Risk governance is the architecture within which risk management operates in an organisation. It will reflect, and seek to sustain and evolve, the organisation’s risk culture. Since risk management is fundamental to running any business, risk governance is a fundamental part of corporate governance. The British Standard BS13500 defines governance as: ‘system by which the whole organization is directed, controlled and held accountable to achieve its core purpose over the long term’. The UK Corporate Governance Code states that ‘good governance should facilitate efficient, effective and entrepreneurial management that can deliver the long-term success of the company’. Good risk governance should result in risk being accepted and managed within known and agreed risk appetites. Risk governance should put in place a structure of risk responsibility throughout the organisation. As a result, everybody in the organisation will be aware of their own risk responsibilities and accountabilities and those of others with whom they work. Governance delivers effective accountability, including the accountability of the governing body to its owners.Risk governance is an integral part of the day to day running of the business and is not about just complying with a set of rules. Since operational risk management involves everybody in the organisation, the risk governance framework should encompass everybody. That means that it can only operate successfully if there are clear and effective lines of communication both up and down the organisation and a culture in which good and bad news is allowed to travel freely.<ref>What is Risk Governance [https://www.ior-institute.org/sound-practice-guidance/operational-risk-governance IOR Institute]</ref>	+	Risk governance is the architecture within which risk management operates in an organisation. It will reflect, and seek to sustain and evolve, the organisation’s risk culture. Since risk management is fundamental to running any business, risk governance is a fundamental part of corporate governance. The British Standard BS13500 defines governance as: ‘system by which the whole organization is directed, controlled and held accountable to achieve its core purpose over the long term’. The UK Corporate Governance Code states that ‘good governance should facilitate efficient, effective and entrepreneurial management that can deliver the long-term success of the company’. Good risk governance should result in risk being accepted and managed within known and agreed risk appetites. Risk governance should put in place a structure of risk responsibility throughout the organisation. As a result, everybody in the organisation will be aware of their own risk responsibilities and accountabilities and those of others with whom they work. [[Governance]] delivers effective accountability, including the accountability of the governing body to its owners.Risk governance is an integral part of the day to day running of the business and is not about just complying with a set of rules. Since operational risk management involves everybody in the organisation, the risk governance framework should encompass everybody. That means that it can only operate successfully if there are clear and effective lines of communication both up and down the organisation and a culture in which good and bad news is allowed to travel freely.<ref>What is Risk Governance [https://www.ior-institute.org/sound-practice-guidance/operational-risk-governance IOR Institute]</ref>

← Older revision		Revision as of 00:39, 20 January 2023
Line 55:		Line 55:

	== See Also ==		== See Also ==
−	~~[[Risk Analysis]]<br />~~	+	*[[Enterprise Risk Management (ERM)]]
−	~~[[Risk Assessment]]<br />~~
−	~~[[Risk Assessment Framework (RAF)]]<br />~~
−	~~[[Risk Management]]<br />~~
−	~~[[Risk Management Framework (RMF)]]<br />~~
−	~~[[Information Technology Risk (IT Risk)]]<br />~~
−	[[Enterprise Risk Management (ERM)]]~~<br />~~
−	~~[[Governance]]<br />~~
−	~~[[Governance, Risk And Compliance (GRC)]]<br />~~
−	~~[[IT Governance]]<br />~~
−	~~[[Information Technology (IT)]]<br />~~
−	~~[[IT Governance Framework]]<br />~~
−	~~[[Corporate Governance]]<br />~~
−	~~[[Enterprise Architecture Governance]]<br />~~
−	~~[[Compliance]]<br />~~

@@ Line 1: / Line 1: @@
 == Definition of Risk Governance ==
-[[Risk]] Governance refers to the institutions, rules conventions, processes and mechanisms by which decisions about risks are taken and implemented. It can be both normative and positive, because it analyses and formulates risk [[management]] strategies to avoid and/or reduce the human and economic costs caused by disasters. Risk governance goes beyond traditional risk analysis to include the involvement and participation of various stakeholders as well as considerations of the broader legal, political, economic and social contexts in which a risk is evaluated and managed. The scope of risk governance encompasses public health and safety, the environment, old and new technologies, security, finance, and many others.<ref>Defining Risk Governance [https://en.wikipedia.org/wiki/Risk_governance Wikipedia]</ref>
+Risk Governance refers to the institutions, rules conventions, processes and mechanisms by which decisions about risks are taken and implemented. It can be both normative and positive, because it analyses and formulates risk management strategies to avoid and/or reduce the human and economic costs caused by disasters. Risk governance goes beyond traditional risk analysis to include the involvement and participation of various stakeholders as well as considerations of the broader legal, political, economic and social contexts in which a risk is evaluated and managed. The scope of risk governance encompasses public health and safety, the environment, old and new technologies, security, finance, and many others.<ref>Defining Risk Governance [https://en.wikipedia.org/wiki/Risk_governance Wikipedia]</ref>
-Risk governance is the [[architecture]] within which risk management operates in an organisation. It will reflect, and seek to sustain and evolve, the organisation’s risk culture. Since risk management is fundamental to running any [[business]], risk governance is a fundamental part of corporate governance. The British [[Standard]] BS13500 defines governance as: ‘[[system]] by which the whole [[organization]] is directed, controlled and held accountable to achieve its core purpose over the long term’. The UK Corporate Governance Code states that ‘good governance should facilitate efficient, effective and entrepreneurial management that can deliver the long-term success of the company’. Good risk governance should result in risk being accepted and managed within known and agreed risk appetites. Risk governance should put in place a structure of risk responsibility throughout the organisation. As a result, everybody in the organisation will be aware of their own risk responsibilities and accountabilities and those of others with whom they work. Governance delivers effective accountability, including the accountability of the governing body to its owners.Risk governance is an integral part of the day to day running of the business and is not about just complying with a set of rules. Since operational risk management involves everybody in the organisation, the risk governance [[framework]] should encompass everybody. That means that it can only operate successfully if there are clear and effective lines of communication both up and down the organisation and a culture in which good and bad news is allowed to travel freely.<ref>What is Risk Governance [https://www.ior-institute.org/sound-practice-guidance/operational-risk-governance IOR Institute]</ref>
+Risk governance is the architecture within which risk management operates in an organisation. It will reflect, and seek to sustain and evolve, the organisation’s risk culture. Since risk management is fundamental to running any business, risk governance is a fundamental part of corporate governance. The British Standard BS13500 defines governance as: ‘system by which the whole organization is directed, controlled and held accountable to achieve its core purpose over the long term’. The UK Corporate Governance Code states that ‘good governance should facilitate efficient, effective and entrepreneurial management that can deliver the long-term success of the company’. Good risk governance should result in risk being accepted and managed within known and agreed risk appetites. Risk governance should put in place a structure of risk responsibility throughout the organisation. As a result, everybody in the organisation will be aware of their own risk responsibilities and accountabilities and those of others with whom they work. Governance delivers effective accountability, including the accountability of the governing body to its owners.Risk governance is an integral part of the day to day running of the business and is not about just complying with a set of rules. Since operational risk management involves everybody in the organisation, the risk governance framework should encompass everybody. That means that it can only operate successfully if there are clear and effective lines of communication both up and down the organisation and a culture in which good and bad news is allowed to travel freely.<ref>What is Risk Governance [https://www.ior-institute.org/sound-practice-guidance/operational-risk-governance IOR Institute]</ref>
@@ Line 17: / Line 17: @@
 *Provide the board, board committees and the SMT with regular, accurate and timely information regarding the organisation’s risk profile;
 *Measure, assess and report all material risks;
-*Provide robust (relevant, timely, complete and accurate) [[data]];
+*Provide robust (relevant, timely, complete and accurate) data;
 *Measure risk against pre-determined limits (tolerances) and promptly report and escalate when limit breaches occur;
 *Provide a sound basis for making risk-based decisions.
@@ Line 23: / Line 23: @@
 == Risk Governance Framework<ref>Risk Governance Framework [https://irgc.epfl.ch/risk-governance/page-139715-en-html/ IRGC]</ref> ==
-The International Risk Governance Council (IRGC) has developed a Risk Governance Framework whose purpose is to help [[policy]] makers, regulators and risk managers both understand the concept of risk governance and apply it to their handling of risks.
+The International Risk Governance Council (IRGC) has developed a Risk Governance Framework whose purpose is to help policy makers, regulators and risk managers both understand the concept of risk governance and apply it to their handling of risks.
 The IRGC Framework provides guidance for early identification and handling of risks, involving multiple stakeholders. It recommends an inclusive approach to frame, assess, evaluate, manage and communicate important risk issues, often marked by complexity, uncertainty and ambiguity. The Framework is generic and adaptable. It can be tailored to various risks and organisations. The Framework comprises interlinked elements, with three cross-cutting aspects:
-*Pre-assessment – Identification and [[framing]]; setting the boundaries of the risk or system.
+*Pre-assessment – Identification and framing; setting the boundaries of the risk or system.
 *Appraisal – Assessing the technical and perceived causes and consequences of the risk.
-*Characterisation and [[evaluation]] – Making a judgment about the risk and the need to manage it.
+*Characterisation and evaluation – Making a judgment about the risk and the need to manage it.
 *Management – Deciding on and implementing risk management options
 *Cross-cutting aspects – Communicating, engaging with stakeholders, considering the context.
@@ Line 43: / Line 43: @@
 Many corporations' boards and senior management do not believe that the CIO should be concerned with corporate governance. This is a grave blunder, and I pity the CIO and the shareholders of any corporation with this attitude.
-Many risk governance-related risks have now fallen directly into the CIO's sphere of [[control]]. While not every IT risk is a governance risk, almost every governance risk involves IT. The reasons are plain: IT is pervasive in corporations, touching on almost everything it does. Financial results depend on IT systems to produce them. A corporation's operations, products, and services likely depend on IT. The misuse or unavailability of IT can have serious legal, let alone financial, consequences for the corporation.
+Many risk governance-related risks have now fallen directly into the CIO's sphere of control. While not every IT risk is a governance risk, almost every governance risk involves IT. The reasons are plain: IT is pervasive in corporations, touching on almost everything it does. Financial results depend on IT systems to produce them. A corporation's operations, products, and services likely depend on IT. The misuse or unavailability of IT can have serious legal, let alone financial, consequences for the corporation.
-For example, to abide by the requirements of Sarbox, corporations must be able to demonstrate the transparency of their financial transactions and the decision-making processes underlying financial transactions. Ultimately, it's up to the CIO to ensure that this transparency is possible. This means that how every financial transaction was generated and why must be possible to reconstruct. Anyone (and any system) with potential access to a financial transaction also must be able to be identified across the whole of the [[value]] chain. Can your enterprise resource planning (ERP) system easily do that?
+For example, to abide by the requirements of Sarbox, corporations must be able to demonstrate the transparency of their financial transactions and the decision-making processes underlying financial transactions. Ultimately, it's up to the CIO to ensure that this transparency is possible. This means that how every financial transaction was generated and why must be possible to reconstruct. Anyone (and any system) with potential access to a financial transaction also must be able to be identified across the whole of the value chain. Can your enterprise resource planning (ERP) system easily do that?
-The reason for this level of scrutiny is that, in the US, when companies such as Enron and WorldCom went belly-up, it reflected the fact that everyone in the compliance chain executives, boards of directors, outside auditors, and regulators had failed to do their job. Each believed that others were performing the necessary checks. And because of this widespread breakdown, the US Congress imposed draconian criminal and civil penalties to ensure that now all parties do. In their pursuit of corporate malfeasance, regulators have also changed from being reactive to being proactive. US regulators and federal prosecutors have been open about their desire to make examples of corporations and executives who don't follow the rules. I don't envy CxOs caught in the crosshairs of an SEC or congressional investigation. If the SEC decides to investigate a corporation, or if a corporation must restate its financials, [[shareholder]] lawsuits are almost a given. It will be interesting to see what happens on 16 November 2004, which is the deadline for large corporations to comply fully with Sarbanes-Oxley; the deadline for everyone else is July 2005.
+The reason for this level of scrutiny is that, in the US, when companies such as Enron and WorldCom went belly-up, it reflected the fact that everyone in the compliance chain executives, boards of directors, outside auditors, and regulators had failed to do their job. Each believed that others were performing the necessary checks. And because of this widespread breakdown, the US Congress imposed draconian criminal and civil penalties to ensure that now all parties do. In their pursuit of corporate malfeasance, regulators have also changed from being reactive to being proactive. US regulators and federal prosecutors have been open about their desire to make examples of corporations and executives who don't follow the rules. I don't envy CxOs caught in the crosshairs of an SEC or congressional investigation. If the SEC decides to investigate a corporation, or if a corporation must restate its financials, shareholder lawsuits are almost a given. It will be interesting to see what happens on 16 November 2004, which is the deadline for large corporations to comply fully with Sarbanes-Oxley; the deadline for everyone else is July 2005.
 Further, Sarbox requires accurate and timely disclosure of events that materially affect the business. How quick and, more important, how accurate these disclosures are largely depends upon how well a corporation's IT systems can produce the information. In some cases, data on these transactions may need to be kept and remain searchable for a period of 10 years or more. E-mail messages must be searched, which means that e-mail must be saved as well. While corporate lawyers may be the ones who set data or e-mail retention policy, it is the CIO's responsibility to ensure that the policy is enforced to prevent unauthorized destruction of e-mail (or other data).

@@ Line 79: / Line 79: @@
 *Risk Governance: Contemporary and Future Challenges [https://www.researchgate.net/publication/227036448_Risk_Governance_Contemporary_and_Future_Challenges Andreas Klinke, Ortwin Renn]
 *Introduction to the IRGC Risk Governance Framework [https://irgc.epfl.ch/wp-content/uploads/2018/10/IRGC.-2017.-An-introduction-to-the-IRGC-Risk-Governance-Framework.-Revised-version..pdf EPFL International Risk Governance Center]
-*[[White Paper]] on Risk Governance: Toward an Integrative Framework [https://link.springer.com/chapter/10.1007/978-1-4020-6799-0_1 Ortwin Renn]
+*White Paper on Risk Governance: Toward an Integrative Framework [https://link.springer.com/chapter/10.1007/978-1-4020-6799-0_1 Ortwin Renn]

← Older revision		Revision as of 19:52, 25 September 2019
Line 77:		Line 77:

	== Further Reading ==		== Further Reading ==
		+	*Risk Governance: Contemporary and Future Challenges [https://www.researchgate.net/publication/227036448_Risk_Governance_Contemporary_and_Future_Challenges Andreas Klinke, Ortwin Renn]
		+	*Introduction to the IRGC Risk Governance Framework [https://irgc.epfl.ch/wp-content/uploads/2018/10/IRGC.-2017.-An-introduction-to-the-IRGC-Risk-Governance-Framework.-Revised-version..pdf EPFL International Risk Governance Center]
		+	*White Paper on Risk Governance: Toward an Integrative Framework [https://link.springer.com/chapter/10.1007/978-1-4020-6799-0_1 Ortwin Renn]

@@ Line 20: / Line 20: @@
 *Measure risk against pre-determined limits (tolerances) and promptly report and escalate when limit breaches occur;
 *Provide a sound basis for making risk-based decisions.
@@ Line 33: / Line 51: @@
 Further, Sarbox requires accurate and timely disclosure of events that materially affect the business. How quick and, more important, how accurate these disclosures are largely depends upon how well a corporation's IT systems can produce the information. In some cases, data on these transactions may need to be kept and remain searchable for a period of 10 years or more. E-mail messages must be searched, which means that e-mail must be saved as well. While corporate lawyers may be the ones who set data or e-mail retention policy, it is the CIO's responsibility to ensure that the policy is enforced to prevent unauthorized destruction of e-mail (or other data).
-The real change is that the CIO can no longer be satisfied with merely improving the capture and dissemination of information; now he or she must be concerned about the content of that information as well. Most CIOs probably disagree with this statement, asserting that CIOs should not be responsible for the information in their corporate IT systems [3]. However, CIOs must put themselves in the shoes of a CEO or CFO: would either sign off on the accuracy of the corporation's financial statements without assurance about the information in his or her system? If the answer is no, the CIO and the corporation have a risk governance issue to deal with.
+The real change is that the CIO can no longer be satisfied with merely improving the capture and dissemination of information; now he or she must be concerned about the content of that information as well. Most CIOs probably disagree with this statement, asserting that CIOs should not be responsible for the information in their corporate IT systems. However, CIOs must put themselves in the shoes of a CEO or CFO: would either sign off on the accuracy of the corporation's financial statements without assurance about the information in his or her system? If the answer is no, the CIO and the corporation have a risk governance issue to deal with.

← Older revision		Revision as of 19:28, 25 September 2019
Line 20:		Line 20:
	*Measure risk against pre-determined limits (tolerances) and promptly report and escalate when limit breaches occur;		*Measure risk against pre-determined limits (tolerances) and promptly report and escalate when limit breaches occur;
	*Provide a sound basis for making risk-based decisions.		*Provide a sound basis for making risk-based decisions.
		+
		+
		+	== Risk Governance and the CIO<ref>Risk Governance and the CIO [https://www.csoonline.com/article/2118508/risk-governance-understood.html CSO Online]</ref> ==
		+	Many corporations' boards and senior management do not believe that the CIO should be concerned with corporate governance. This is a grave blunder, and I pity the CIO and the shareholders of any corporation with this attitude.
		+
		+	Many risk governance-related risks have now fallen directly into the CIO's sphere of control. While not every IT risk is a governance risk, almost every governance risk involves IT. The reasons are plain: IT is pervasive in corporations, touching on almost everything it does. Financial results depend on IT systems to produce them. A corporation's operations, products, and services likely depend on IT. The misuse or unavailability of IT can have serious legal, let alone financial, consequences for the corporation.
		+
		+	For example, to abide by the requirements of Sarbox, corporations must be able to demonstrate the transparency of their financial transactions and the decision-making processes underlying financial transactions. Ultimately, it's up to the CIO to ensure that this transparency is possible. This means that how every financial transaction was generated and why must be possible to reconstruct. Anyone (and any system) with potential access to a financial transaction also must be able to be identified across the whole of the value chain. Can your enterprise resource planning (ERP) system easily do that?
		+
		+	The reason for this level of scrutiny is that, in the US, when companies such as Enron and WorldCom went belly-up, it reflected the fact that everyone in the compliance chain executives, boards of directors, outside auditors, and regulators had failed to do their job. Each believed that others were performing the necessary checks. And because of this widespread breakdown, the US Congress imposed draconian criminal and civil penalties to ensure that now all parties do. In their pursuit of corporate malfeasance, regulators have also changed from being reactive to being proactive. US regulators and federal prosecutors have been open about their desire to make examples of corporations and executives who don't follow the rules. I don't envy CxOs caught in the crosshairs of an SEC or congressional investigation. If the SEC decides to investigate a corporation, or if a corporation must restate its financials, shareholder lawsuits are almost a given. It will be interesting to see what happens on 16 November 2004, which is the deadline for large corporations to comply fully with Sarbanes-Oxley; the deadline for everyone else is July 2005.
		+
		+	Further, Sarbox requires accurate and timely disclosure of events that materially affect the business. How quick and, more important, how accurate these disclosures are largely depends upon how well a corporation's IT systems can produce the information. In some cases, data on these transactions may need to be kept and remain searchable for a period of 10 years or more. E-mail messages must be searched, which means that e-mail must be saved as well. While corporate lawyers may be the ones who set data or e-mail retention policy, it is the CIO's responsibility to ensure that the policy is enforced to prevent unauthorized destruction of e-mail (or other data).
		+
		+	The real change is that the CIO can no longer be satisfied with merely improving the capture and dissemination of information; now he or she must be concerned about the content of that information as well. Most CIOs probably disagree with this statement, asserting that CIOs should not be responsible for the information in their corporate IT systems [3]. However, CIOs must put themselves in the shoes of a CEO or CFO: would either sign off on the accuracy of the corporation's financial statements without assurance about the information in his or her system? If the answer is no, the CIO and the corporation have a risk governance issue to deal with.