ABSTRACT
Risk managers tend to be concerned with big, non-recurring risk events and often have insurance or engineering backgrounds. While risk managers tend to be better at getting involved in the big business issues and talking with senior management about things that really concern them, the internal controls community is getting better and better at running a 'system'. It's ironic that internal controls thinking, despite being a movement led by the big audit firms, has paid almost no attention to quantifying risks or the benefits of controls in a credible, mathematically competent, and data-supported way. Again, operational risk management in banks may be the leading edge of a trend towards better data gathering and quantification. Very often something stated as a 'critical success factor' perhaps on the scorecard, has a similar item in the risk register that is just the potential failure to achieve what is stated in the critical success factor.
