I like a very recent publication, Deloitte on Disruption.
They use a definition of strategic risk that I have not seen before (I don’t know whether they created the definition):
“Strategic risks are the ones that threaten to disrupt the assumptions at the core of a company’s strategy.”
I like it!
I also like these comments:
“Risk Is Not a Game: Because of the complex world in which companies now operate, strategic risk has earned a rightful position at the top of the executive agenda. Boards want to know that the executive team is “on it,” and CEOs want to make sure they’re not missing it.”
“We live in a world the U.S. Army War College has dubbed VUCA: volatile, uncertain, complex, and ambiguous.”
“You can be on top of the world today and hanging on for dear life five years from now.”
“Of course, the story is far from over: technological advances will only continue, and the speed of innovation will only increase, creating more and more opportunities to disrupt industries. Maybe even yours. The challenge facing organizations today is how to anticipate, adapt, maneuver, make decisions, and change course as needed in a VUCA world. And really, the only way to respond is by changing your approach to risk. You’re not out for a leisurely drive, sticking to the straightaway and steering clear of danger. You’re a Formula 1 driver, using every hairpin turn and unexpected development as an opportunity to secure the lead.”
“The trouble with strategic risks is there’s often no historical precedent to draw from to assess their potential nature and impact. Sometimes they’re the product of a visible trend, but often they appear as a surprise. Subtle and difficult to quantify, strategic risks can’t be managed in the traditional ways with Enterprise Risk Management programs or software. And hard as they are to spot in time or manage, they are extremely difficult to recover from.”
“Spotted early and handled well, they can be the basis for game-changing moves that reorder the field. They can decimate what had looked like an indomitable leader, but they can also point the way to new options or the next market – the way BMW has launched its own car-sharing service DriveNow, or the way Avis is positioning its acquisition of ZipCar.”
Deloitte identifies 4 elements to the process for addressing these disruptive, strategic risks:
- Accelerate discovery. Make sure you have the ability to identify these risks early, so you can act quickly to embrace the opportunity or navigate the threat
- Confront your biases. As Deloitte points out, management and the board are composed of humans with all their frailties, such as bias from past experience, that can inhibit our ability to identify risks and act appropriately
- Scan ruthlessly (which I would have included in #1)
- Prepare for surprises
When I was leading risk management at Business Objects (prior to its acquisition by SAP), we were very much aware of disruptive risks. We identified competitor actions and the emergence of new technology, as well as regulatory changes and other shifts in our external business environment, as risks to monitor.
Part of our process for these risks was to assign to individual executives the responsibility for monitoring them – in addition to our teams specifically tasked with monitoring competitors and new entrants to the market.
One thing I would add to the Deloitte recommendations is this: ensure that your management and the organization are sufficiently agile to shift quickly when needed. Can you change strategy fast, accelerate or slow major projects, such as new product innovation? Or, are you so weighed down by short-termism, bureaucracy and legacy systems that it will be like trying to dance in the mud?
Is Deloitte correct in saying that traditional risk management is insufficient? My personal view is that if you follow guidance from ISO 31000:2009 and make risk management a dynamic activity that considers changes in the ‘external context’, you will have at least the skeleton of a process to follow that will work. But, if you have a periodic risk management process that is limited to a review of a limited number of risks, you are exposed and a candidate to be the next Blockbuster.
I welcome your comments.
Very few risk practitioners perform any kind of risk assessment regarding the possibility that the risk program at their organization might fail to deliver.
Yet we continue to read reports from consultants that executives and boards have less than full confidence in those risk management programs. For example, a 2013 Deloitte report found “only 13% of companies rate their risk management programs 5 out of 5 in terms of supporting the development and execution of strategy, and 40% consider them inadequate”.
We are also continually reading reports about organizations, many of whom probably feel that they have decent risk management in place, being badly surprised.
I am a strong believer that those responsible for risk management should understand, based on a regular assessment, the likelihood that their risk management processes might fail and how that might impact the organization.
With that in mind, here are a few questions to consider. I would appreciate your comments and also your suggestions of other questions to ask about risk management.
- How confident are you that new risks, or changes to existing risks, that might be significant to the organization’s success will be identified early enough to take necessary actions?
- Does the process for risk aggregation work in a reliable fashion, including the timeliness of aggregation?
- Will information about new risks or significant changes to known risks flow as quickly as necessary to the individuals able to take action?
- Will that information also flow as quickly as necessary to those responsible for risk oversight, especially when risks are now outside acceptable levels?
- Is there a possibility that management (at any level and for any reason) might intervene inappropriately and change the information flowing to decision-makers?
- What is the likelihood that the results of your processes for assessing risks (including changes to risks) will be in error to the extent that incorrect information is provided to decision-makers for action? Consider the reliability of models (including assumptions incorporated into the models); the level of attention given by those responsible for risk assessment; whether the best people are involved in risk assessment; and so on.
- Is there a possibility that risk criteria/appetite statements used to evaluate risks are out of date or otherwise ‘wrong’ for the business?
- What is the likelihood that, when decisions are made on whether the risk is acceptable or not (i.e., when the risk is evaluated), the wrong assessment is made?
- What is the possibility that sub-optimal actions are taken to treat the risk, when needed? Consider the reliability of the information used in the decision, including whether all available options are considered, whether the appropriate individuals are making the decision; and, whether the risks inherent in each option are understood and appropriately considered.
- What is the likelihood that those responsible for taking risks (including in daily decision-making) are unaware of the level of risk that is acceptable and how their decisions will affect overall acceptable levels?
- What is the level of confidence that those responsible for taking actions, which may include many people across the organization, are aware of their responsibilities?
- What is the likelihood that individuals relied upon to take action in response to risk take those actions as desired?
I welcome your thoughts and suggestions for additional questions. I would love to hear from those who have assessed the risk of risk management program failures.
I have been a fan of Tom Peters (author of “In Search of Excellence” and many more books) for more than 20 years.
While CAE at Tosco Corporation, I attended a presentation by him on something he called Wow! The concept, which I not only wrote about for the Internal Auditor magazine in 2001 but tried to incorporate into my internal audit practice, is to turn every project into something that you would tell your grandchildren about (Wow! indeed).
Tom is now 71 but hasn’t slowed down. He is amazingly active, presenting all over the world, writing books, and on Twitter (where we interact from time to time).
Recently, he was interviewed by McKinsey and I recommend reading the full piece. Here are some excerpts.
“My real bottom-line hypothesis is that nobody has a sweet clue what they’re doing. Therefore you better be trying stuff at an insanely rapid pace. You want to be screwing around with nearly everything. Relentless experimentation was probably important in the 1970s—now it’s do or die.”
“…the secret to success is daydreaming.”
“If you take a leadership job, you do people. Period. It’s what you do. It’s what you’re paid to do. People, period. Should you have a great strategy? Yes, you should. How do you get a great strategy? By finding the world’s greatest strategist, not by being the world’s greatest strategist. You do people.”
“We’re in the big-change business, aren’t we? Isn’t that the whole point? I mean, any idiot with a high IQ can invent a great strategy. What’s really hard is fighting against the unwashed masses and pulling it off—although there’s nothing stupider than saying change is about overcoming resistance. Change is about recruiting allies and working each other up to have the nerve to try the next experiment. You find allies. You encircle the buggers.”
“I’m more than willing to say that today’s two year old is going to deal with his or her fellow human beings differently than you or I do. But the reality is it’s 2014, not 2034, and I would argue that for the next 20 years, we’re still safe believing in the importance of face-to-face contact. I’m not arguing against virtual meetings, but I’m telling you that if I’m running IBM, I want to be on the road 200 days a year as much in 2014 as in 2004 or in 1974. It has nothing to do with the value of the tools, but I’ve got to see you face to face now and then; I don’t think I can do it all screen to screen.”
“At some deep level, people are people, and so I believe passionately that there is no difference between leading now and leading then. What I certainly believe is that anybody who is leading a sizable institution who doesn’t do what I did and take a year off and read or what have you, and who doesn’t embrace the new technology with youthful joy and glee, is out of business.”
This last is 100% consistent with the quote from another McKinsey Quarterly issue I used in Management for the Next 50 Years:
“Those who understand the depth, breadth, and radical nature of the change and opportunity that’s on the way will be best able to reset their intuitions accordingly, shape this new world, and thrive.”
Do you agree?
An article in the McKinsey Quarterly that I strongly recommend is on the topic of Management intuition for the next 50 years. My only quibble is that the title implies that there is time to act; I believe organizations that prepare now for the changes described in the article will thrive immediately and see their competitive advantage grow in the next decade, let alone 50 years.
I recommend a careful read of the entire piece. Here are some key excerpts to whet your appetite (emphasis added):
“We stand today on the precipice of much bigger shifts…., with extraordinary implications for global leaders. In the years ahead, acceleration in the scope, scale, and economic impact of technology will usher in a new age of artificial intelligence, consumer gadgetry, instant communication, and boundless information while shaking up business in unimaginable ways. At the same time, the shifting locus of economic activity and dynamism, to emerging markets and to cities within those markets, will give rise to a new class of global competitors. Growth in emerging markets will occur in tandem with the rapid aging of the world’s population—first in the West and later in the emerging markets themselves—that in turn will create a massive set of economic strains.”
“Any one of these shifts, on its own, would be among the largest economic forces the global economy has ever seen. As they collide, they will produce change so significant that much of the management intuition that has served us in the past will become irrelevant. The formative experiences for many of today’s senior executives came as these forces were starting to gain steam. The world ahead will be less benign, with more discontinuity and volatility and with long-term charts no longer looking like smooth upward curves, long-held assumptions giving way, and seemingly powerful business models becoming upended.”
The article discusses three key trends while acknowledging that there are many more:
- Dynamism in emerging markets
- Technology and connectivity
- Aging populations
This is what it says about technology and connectivity:
“As information flows continue to grow, and new waves of disruptive technology emerge, the old mind-set that technology is primarily a tool for cutting costs and boosting productivity will be replaced. Our new intuition must recognize that businesses can start and gain scale with stunning speed while using little capital, that value is shifting between sectors, that entrepreneurs and start-ups often have new advantages over large established businesses, that the life cycle of companies is shortening, and that decision making has never had to be so rapid fire.”
I think this is very well said! They go on to say:
“Emerging on the winning side in this increasingly volatile world will depend on how fully leaders recognize the magnitude—and the permanence—of the coming changes and how quickly they alter long-established intuitions.”
“It will be increasingly difficult for senior leaders to establish or implement effective strategies unless they remake themselves in the image of the technologically advanced, demographically complex, geographically diverse world in which we will all be operating.”
“Technology is no longer simply a budget line or operational issue—it is an enabler of virtually every strategy. Executives need to think about how specific technologies are likely to affect every part of the business and be completely fluent about how to use data and technology… Technological opportunities abound, but so do threats, including cybersecurity risks, which will become the concern of a broader group of executives as digitization touches every aspect of corporate life.”
“New priorities in this environment include ensuring that companies are using machine intelligence in innovative ways to change and reinvent work, building the next-generation skills they need to drive the future’s tech-led business models, and upskilling and retraining workers whose day-to-day activities are amenable to automation but whose institutional knowledge is valuable.”
McKinsey closes with a reiteration of the problem that is also an opportunity for those prepared to take the risk and embrace the need for change:
“Those who understand the depth, breadth, and radical nature of the change and opportunity that’s on the way will be best able to reset their intuitions accordingly, shape this new world, and thrive.”
I welcome your comments.
Regulators around the world are calling for organizations to establish a risk appetite framework. This is primarily for financial services organizations and especially their financial-related risks. But some are extending the idea to organizations in other sectors and for non-financial risks.
The regulators have not heard the risk experts who disparage the concept of risk appetite. While I agree that it is a flawed concept, we have to recognize that it is a required practice for many and should find a way to address related regulations.
What is risk appetite?
In 2013, The Financial Stability Board (FSB) published “Principles for an Effective Risk Appetite Framework” (intended to apply only to financial services organizations) in which it included a number of definitions:
Risk Appetite: The aggregate level and types of risk a firm is willing to assume within its risk capacity to achieve its strategic objectives and business plan.
Risk Appetite Statement: The articulation in written form of the aggregate level and types of risk that a firm is willing to accept in order to achieve its business objectives. It includes qualitative statements as well as quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It should also address more difficult to quantify risks such as reputation and money laundering and financing of terrorism risks, as well as business ethics and conduct.
Risk Appetite Framework (RAF): The overall approach, including policies, processes, controls, and systems through which risk appetite is established, communicated, and monitored. It includes a risk appetite statement, risk limits, and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the RAF. The RAF should consider material risks to the firm, as well as to the firm’s reputation vis-à-vis policyholders, depositors, investors and customers.
The FSB document includes some useful language (emphasis added):
“An effective RAF should provide a common framework and comparable measures across the firm for senior management and the board to communicate, understand, and assess the level of risk that they are willing to accept. It explicitly defines the boundaries within which management is expected to operate when pursuing the firm’s business strategy. Firms that implement a RAF most effectively are those that incorporate the framework into the decision making process and into the firm-wide risk management framework, and communicate and champion the framework throughout the organisation, starting from the top. However, it is important to check that the ‘top down’ risk appetite is consistent with the ‘bottom up’ perspective. The assessment of a firm’s consolidated risk profile against its risk appetite should be an ongoing and iterative process. Implementing an effective RAF requires an appropriate combination of policies, processes, controls, systems and procedures to accomplish a set of objectives. The RAF should enable risk capacity, risk appetite, risk limits, and risk profile to be considered at the legal entity level as well as within the group context. As such, an effective and efficient RAF should be closely linked to the development of information technology (IT) and management information systems (MIS) in financial institutions.”
The FSB recognized that while it is useful for management to propose and the board to approve “aggregate level[s] and types of risk a firm is willing to assume”, real value is not obtained unless every risk-taker (which amounts to every decision-maker) understands how these limits apply to their actions and responsibilities – and acts accordingly. The FSB guidance includes these among the requirements for “business line leaders and legal entity-level management” (emphasis added):
“a) ensure alignment between the approved risk appetite and planning, compensation, and decision-making processes of the business unit and legal entity;
“b) cascade the risk appetite statement and risk limits into their activities so as to embed prudent risk taking into the firm’s risk culture and day to day management of risk;
“c) establish and actively monitor adherence to approved risk limits;”
The most significant problem with this notion is that it is impossible to define every risk that decision-makers might take in the course of running the business, especially when risks are changing constantly and what the business should accept also changes as business conditions change.
Fortunately, the FSB looks to internal audit to ensure that the RAF meets the needs of the organization and is not a static document that is meaningful only to the board.
The FSB publication includes requirements for internal audit to assess the RAF. They say that “internal audit (or other independent assessor) should” (emphasis added):
“a) routinely include assessments of the RAF on a firm-wide basis as well as on an individual business line and legal entity basis;
“b) identify whether breaches in risk limits are being appropriately identified, escalated and reported, and report on the implementation of the RAF to the board and senior management as appropriate;
“c) independently assess at least annually the design and effectiveness of the RAF and its alignment with supervisory expectations;
“d) assess the effectiveness of the implementation of the RAF, including linkage to strategic and business planning, compensation, and decision-making processes;
“e) validate the design and effectiveness of risk measurement techniques and MIS used to monitor the firm’s risk profile in relation to its risk appetite;
“f) report any deficiencies in the RAF and on alignment (or otherwise) of risk appetite and risk profile with risk culture to the board and senior management in a timely manner; and
“g) evaluate the need to supplement its own independent assessment with expertise from third parties to provide a comprehensive independent view of the effectiveness of the RAF.”
This is useful for anybody who wants to audit risk management, even if for a non-financial institution.
I translate all of the above to answering these questions:
- Do those responsible for taking risks, whether in the executive suite or in the trenches of the organization, have the guidance they need to ensure that risks they are creating and/or managing are maintained at levels acceptable to the board? This should include both the mitigation of excessive adverse risk and addressing situations where insufficient risk is taken (e.g., where a manager is overly cautious to the detriment of the organization).
- Is that guidance updated and communicated as business conditions (internal and external) change?
- When management proposes and the board approves strategies, plans, objectives, and similar, is appropriate consideration given to risks to those strategies and objectives?
- Is necessary and appropriate risk information (including the results of risk monitoring) provided to the board, executives, and other managers so they can effectively direct and manage the organization?
- Are exceptions appropriately reported and addressed?
- Is performance management (especially reporting) adequately integrated with risk management, and are those responsible for driving performance against objectives also held responsible for addressing risks to those objectives?
That ‘guidance’ could be in the form of a risk appetite statement (or similar) as envisaged by the FSB and described in COSO’s ERM – Integrated Framework, or in the form of risk criteria as required by the global risk management standard, ISO 31000:2009.
What I especially like about the FSB list of requirements (and what is reflected in my questions) is that it recognizes that merely checking compliance with an RAF is an insufficient audit approach; it is critical to assess whether the RAF is current, timely, communicated broadly, and meets the needs of the business.
I welcome your comments.
If you think you are world-class, it is time for you to consider change.
Our organizations and the risks they face are changing constantly and the pace of change is increasing.
Jack Welch once said: “If the rate of change on the outside exceeds the rate of change on the inside, the end is in sight.”
We should never be satisfied with where we are today, as this represents a risk that we will not be sufficiently agile to deal with risks tomorrow.
Here are a couple of excerpts from my book, World-Class Internal Audit: Tales from my Journey. The first is on the need for change:
OK, you and your team have been recognized as adding huge value and being world-class.
Do you stop there, confident and happy in your success?
No. What is world-class for your organization today may be insufficient for tomorrow.
The CAE should have a thirst for change and growth. Learn not only from other internal audit leaders and what they do well. Learn from leaders of other organizations entirely, like Marketing and Sales.
I like to read magazines like Fast Company because they profile innovative and creative thinkers in all walks of life. Maybe what works for them could, with some tailoring, work for me. At least it might stimulate me to think about something I had never thought about before. It might stimulate me to challenge what had worked for me in the past.
Innovative leaders think outside the box. They create something that excels and they love it. They love it so much it becomes a box for them and limits their ability to discard it in favor of something new.
We should not only think out of the box, but stay out of the box, and kick it as soon as somebody builds one.
This is what I had to say about the future of internal audit:
Internal audit has made great strides since I first became a CAE in 1990.
We have moved the edge of the practice from controls auditing to assurance over governance, risk, and control processes.
The majority of CAEs now report functionally to the audit committee, with administrative reporting to at least the CFO if not the CEO.
But that leading edge is a thin one.
Far too few internal audit departments assess and provide assurance on the effectiveness of risk management.
Even fewer consider the risks of failures in governance programs and processes and include related engagements in their audit plan.
As I travel around the world, talking to internal auditors from Malaysia to Ottawa, I find a consistent pattern of growth. But, there remain pockets where the internal auditor is only there so that management can “check the box”. This seems especially true in government (from local to national), where internal audit departments are upgraded or disbanded based on politics – a concept I find abhorrent in what should be an independent and objective function.
Part of the problem is that audit committees don’t understand the potential of internal audit – and too many CAEs are not educating them. So, they don’t demand more and too many CAEs are satisfied doing what is expected without trying to change and upgrade those expectations.
Still, I expect that internal auditing practices will continue to improve. Organizations need them, as PwC says, to move to the “next platform” and provide assurance that is not just about what used to be the risks, but what they are now and will be in the near future.
Our business environment is becoming more complex, more dynamic, and changing at an accelerating speed. I expect that internal audit leaders will rise to the challenge.
Those that do will create a competitive advantage for their organizations.
Does your internal audit department need to change? Is it able to deliver world-class products and services that represent a competitive advantage for the organization? Do you help them increase the likelihood and scale of success?
Are you ready to adapt to tomorrow’s challenges?
I welcome your comments.
One of the new Core Principles for the Professional Practice of Internal Auditing proposed by the IIA’s Exposure Draft (if you haven’t seen it, read it, and responded, please do so) is:
- [Internal Audit is] insightful, proactive, and future-focused.
The last two adjectives, proactive and future-focused, translate to internal audit “auditing forward”.
This is an expression I only heard for the first time this year. It may have been one of the other members of the IIA Task Force that used it; but whoever said it, it resonated with me.
I have a chapter on “Auditing Forward” in my book on World-Class Internal Auditing and the best way for me to explain my thinking is through excerpts.
I assess my effectiveness as CAE by my ability to prevent internal control or risk issues when I can, rather than identify them (and find fault) when they already exist and represent an obstacle to organizational success.
If you are familiar with the CSI TV series, you can imagine a crime scene investigator entering a room and telling a detective “you have a dead body”. If I can, I prefer to be working with management to ensure there are reasonable controls that would prevent a dead body.
That means a couple of things: seeing the value of internal audit as helping improve risk management and controls, and “auditing forward”.
“Auditing forward” means being involved in new initiatives and projects [such as a pre-implementation controls review of a new IT system], providing consulting advice that helps management implement a reasonable level of controls and security.
It means seeing our success as linked to the success of management. If management implements a new system without sufficient controls or security, when we had an opportunity to warn them, it reflects as a failure on our part. Either we failed to identify the issue, to persuade management it was important, or to work with them on corrective actions that addressed the problem.
“Auditing forward” also means auditing the risks that impact today and tomorrow, not limiting your focus to what has happened in the past.
Is there value in somebody telling you that the road in front of the house you lived in last year is being repaired? You only want to know about road conditions where you are likely to drive now or in the future.
In the same way, internal audit needs to provide assurance and consulting advice on the risks of today and tomorrow. Telling management what has been a problem in the past has some limited value, but only to the extent that those conditions continue to exist and similar problems may continue into the future.
Wayne Gretzky’s father advised him to “skate where the puck’s going, not where it’s been”.
Internal auditors need to take this advice to heart and audit where the risk is going to be, not where it has been. That requires:
- Being sufficiently agile to change the internal audit plan as risks and business conditions change; and,
- Knowing that risks and business conditions are changing.
Business leaders and the board like it when internal auditors talk about the business using the language of the business; when we can demonstrate that we understand what the company is doing and where it wants to go; and, where we can show that our work is directed to helping them succeed – arriving safely where they want to go.
Do you “audit forward”?
I welcome your views and comments.