Kindle Notes & Highlights
Risk management is the action of addressing known risks until they are at acceptable levels, identifying potential risks and associated impacts, and prioritizing both against our business goals.
Reducing risk is called mitigation, and the way we mitigate risks is by implementing one ...
Compliance is the act of measuring policies, procedures and controls to ensure they are being enacted and effective.
GRC pulls all three together – governance, risk management and compliance.
“What is our goal?” While the question is straightforward, getting to the answer is surprisingly difficult. Many companies assume the answer is obvious – we want to protect the organization’s information assets. The problem here is that we are assuming two things: 1) Information assets are known to any degree of precision; 2) We understand what ‘protect’ means.
The problem is that it is nigh impossible to prove that we have avoided a bad thing if the bad thing never happened because we took steps to avoid it. You just can’t prove a negative like “We avoided a car accident because we chose to drive down a different street.”