The firm of Arthur J. Gallagher & Co. has published an interesting and challenging paper, Collaborative Risk Management: “Risk Management” vs. “Managing Risk”. While it is targeted at organizations in higher education, its message is relevant for all.
The firm is an insurance broker that provides consulting services related to risk management. One of their principals, Dorothy Gjerdrum, was one of the individuals involved in the paper. She is their Executive Director for the Public Entity & Scholastic Division; the leader of the committee (the Technical Advisory Group of which I am a member) that represents the US standards agency (ANSI) in risk management related standards (especially the global risk management standard, ISO 31000:2004); and a friend.
I am putting that friendship and my respect for her as a risk management practitioner aside to review this paper.
Let’s get the main criticism out of the way: this whole idea of Collaborative Risk Management (CRM) is a repackaging of proven and long-established principles. The authors say that they are writing the paper because too many organizations are treating risk management as a project instead of a continuing management process. However, I don’t think they need to provide a new name for established best practices.
Yet, I agree with many of the statements in the paper and we should focus on those instead of the name the authors put to risk management. Here are some excerpts with my comments:
“There can be a tremendous difference between institutions that have risk managers and institutions that manage risks. One end of the spectrum is represented by the often-overworked individual with an overstuffed portfolio. At the other end…will be found… multiple integrative teams and a culture that rewards risk ownership and builds risk assessment into every initiative. These teams take into account an appropriate stratification of risk, assuring that board-level, administration-level, and operational-level risks all have proper owners and teams working on them. Support and a structure are established whether or not, and long before, exhaustive “risk registers” are created. Rather than slogging through a cumbersome catalog of many and unequal risks, a strategic, carefully selected few have coalesced and become the main focus. “Risk” has become a category incorporated in the planning process, like staffing and budget, for every enterprise of the institution—woven into the culture not by the efforts of one employee, but by many teams.”
The paper restates the argument more simply: “the key is an understanding of the difference between ‘risk management’—perhaps assigned to one harried Director of Risk Management (or Chief Risk Officer, or Audit, Compliance, Legal, or Finance)—and ‘managing risk,’ which top-flight institutions realize is a collaborative, distributed, networked assignment for everyone.”
Comment: It is indeed time to move to the management of risk, where the risk manager neither owns the fish nor gives them to executives and the board. Instead the CRO teaches the organization how to fish and assesses his own performance by the number who can fish without help. The CRO counts the fish harvested by others and provides the board with consolidated reporting.
The paper continues: “Much positive collaboration can take place when teams are utilized, and the team leader sees the job of the team as ‘managing risk’ for the institution as a whole. On such teams, the risk manager may be a frequent participant but may be the leader on only a select few, if any.”
I don’t know why, but the refrain I have been using the past few years seems to be becoming popular. I use it for both risk management and internal audit, saying that they “have to stop being the department of ‘no’, and become the department of ‘how’.” Gallagher says it well:
“Operational risk managers have long bemoaned the fact that, like a James Bond villain, we are occasionally nicknamed “Dr. ‘No!’” Internal clients sometimes feel they have exciting ideas for programs and opportunities with great institutional benefits, but when they run those ideas past risk management, all they hear is “No!” because operational risk management focuses on the negatives. Admittedly, part of this is defensive: someone needs to point out the risks and possible downfalls of ideas for which the proponents only see the positive. But this role may cast operational risk managers in an unpleasant light. No one wants to talk with risk management if it only means their ideas will be shot down.
The new landscape of risk management is bringing a simple, one-word change: risk management is now the process of trying to help others get to “Yes!”
The paper tackles the need to remember that risk management is not only about navigating the possible adverse effects of uncertainty; it is also about seizing opportunities:
“[Effective] risk management specifically aims to incorporate positive risks. That is, [it] means to consider opportunities and the cost of not being able to leap at them—such as letting other schools gain a competitive advantage, or missing out on a clear demographic shift. While operational risk management has historically weighed the cost of a course of action, [effective risk management] also considers the potential costs of not acting—the “carpe diem!” failures… ERM is about… achieving success as much as avoiding failure.”
The authors have suggestions for bringing the disciplines of risk management to the decisions and actions of the board and top executives:
“One significant challenge with integrating risk management throughout the institution is determining whose job it should be. Strategy is traditionally the province of the Board. A healthy Board asks strategic questions: “Where should the institution go next? What major initiatives should we undertake? What societal and demographic forces may threaten our success, or propel us to further greatness?” Few operational risk managers are asked to consider these high-level issues, or to report on them to the Board, much less to manage them. Since ERM incorporates consideration of strategic issues (along with any issues that keep the institution from reaching its objectives), there is a common disconnect between it and what institutional risk managers have traditionally done each day.”
They continue: “Certain types of risk should be managed directly by the Board, through the use of Board committees. On the other hand, the Board does not run many aspects of the ERM process—the Board is not in a position to drive ERM initiatives through the institution on a daily basis. The way forward is to delineate carefully the respective roles of the Board, senior administrators, and operational risk managers. Stratification is key—some risks, such as strategic questions, major initiatives, and general societal and demographic shifts, are the role of the Board. We might call this true “strategic risk.” Senior administrators, by contrast, are responsible for implementing the decisions of the Board as operations of the institution, and minding specific risks facing the institution as a whole (“institutional risk”). Likewise, operational risk management will likely be aware of, and in a position to address, risks that may be below the sight lines of the Board or senior administrators, but nevertheless might affect the eventual success of the institution in achieving its objectives (“unit risk”). These different risk types should be handled by different groups across the institution. Successful [risk management] must incorporate the perspectives of all of these participants, in their proper strata. Thus risks, besides having aspects such as frequency and severity, have an altitude, a level at which they are best managed. A Board thus manages risk via linkage between various levels of stratification: committees report up to certain senior-level administrators, who may report to Board committees and thus to the full Board.”
Comment: this idea of altitude is intriguing. It may work for some and not for others. The key is to understand who owns and is responsible for managing risk (typically the individuals who own and manage performance and achievement of the related objectives). This requires that top-level objectives and risks are cascaded down across the enterprise and that people take ownership of the slice of the objective and risk that is in their area of responsibility.
The authors spend a lot of time reviewing what causes risk management initiatives and programs to fail. I will let you read through these, just excerpting one point. This talks to a feature of many risk management programs where management (and the CRO) may feel, in error, that they have effective risk management.
“The biggest problem… was that once a board committee or senior administrator indicated an ERM program was wanted, the institution often plunged at once into a process of risk identification. Long lists of risks—risk registers—were created, some with hundreds of entries. Risk managers, and ERM teams, are getting stuck at this risk register phase and are having difficulty moving on to actual management of the risks. There seems to be an 80/20 problem: 80% of scarce ERM time is spent on identification and assessment (frequency, severity, velocity and the like), and only 20% is applied to strategic thinking.”
Comment: I frequently lament (such a good word) two things: 1. There is too much emphasis on identifying the risk and not enough on taking action to optimize outcomes, and 2. People are managing a relatively static list of risks instead of implementing a risk management program that is “dynamic, iterative, and responsive to change” and embedded into organizational processes (ISO and COSO both say this). As I said earlier, the CRO must teach managers and executives to fish.
The document also provides advice for getting risk management right. Again, I won’t go into detail: it repeats many of the suggestions others have made about support from the top, ensuring the right risk culture, selecting appropriate guidance (they prefer the ISO 31000:2009 risk management standard), and more.
There is one important point that they imply but don’t state directly.
Risk managers have used workshops as an effective technique for identifying, assessing, and treating risk. But we should ask whether it makes sense to have a team (for that is what this is) that is only responsible for the risk aspect of the decision-making process. There are probably teams (if not in name) that come together to address the performance side of the decision-making process, and it would be better to have them include the risk side rather than set up and run a separate risk workshop.
I welcome your thoughts on this and the other aspects of this interesting paper. It is worth downloading and reading.
Deloitte has given us food for thought in an article “The Four Faces of the CIO”.
Fortunately, they are not talking about a devious executive. Instead, they are talking about four different key roles that every CIO has to play.
The roles are:
- Catalyst: As a catalyst, the CIO acts as a credible, enterprisewide change agent, instigating innovations that lead to new products or services; delivering IT capabilities in radically new ways; or significantly improving operations in IT and beyond. Catalysts have significant political capital and are able to enlist and align executive stakeholders. Their relentless focus on disruptive innovation and cross-functional teaming allows them to lead transformational change in IT and the business at large.
- Strategist: “The CIO’s primary objective as strategist is to maximize the value delivered across all IT investments. The strategist has deep business knowledge and can engage as a credible partner, advising the business on how technology can enhance existing business capabilities or provide new ones. The strategist also keeps the business apprised [sic] of distinctive IT capabilities that can drive revenue, create new opportunities, or mitigate and navigate risks and adverse events.”
- Technologist: “As a technologist, the CIO is responsible for providing a technical architecture that increases business agility by managing complexity, supports highly efficient operations (to keep costs low), and is flexible and extendable enough to meet future business needs. Technologists also continually scan the horizon for new technologies, rigorously analyze and test those with promise, and then select the ones most apt to achieve enterprise architecture objectives (efficiency, agility, simplification, and innovation).”
- Operator: “As an operator, the CIO oversees the reliable day-to-day delivery of IT services, applications, and data. Operators manage the department, and hire, develop, and lead IT staff. They institute service level agreements with IT customers and ensure performance targets for IT services are achieved. They maintain transparent IT cost models and charge the business appropriately for IT services. Operators also source technology, services, and staff, and govern those third-party relationships. Among the biggest challenges for operators are protecting the organization against cyber attacks and ensuring regulatory compliance.”
In this world of dynamic and business model-shattering technological change, it is essential that the CIO take her rightful place as a business leader. The Strategist and Catalyst roles are of massive importance if an organization is to succeed.
This is recognized in a survey by Deloitte of where CIOs actually spend their time vs. where they want to spend their time:
- 36% as an operator, compared to a desired level of 14%
- 43% as either strategist or catalyst, compared to a desired level of 71%
I believe that boards should be asking the CIO, and whoever she reports to, where she spends her time. If the dominant portion is not as Strategist and Catalyst, they should ask why not.
Risk officers should consider whether there is a risk to the business if the CIO is predominantly a passive Operator, and the CAE should consider how the situation can be improved.
I welcome your views.
If I was asked to join a board and serve as the chair of the audit committee (which I am qualified to do), I would apply the lessons from what seems like a lifetime of working with audit committees. In most cases, the chair was excellent and I would hope to be as effective as they were.
After what I would assume would be a thorough and detailed orientation to the organization and its challenges by such key people as the CEO, CFO and her direct reports, General Counsel, Chief Operating Officer, Chief Accounting Officer, Chief Strategy Officer, Chief Information Officer, Chief Audit Executive, Chief Risk Officer, head of Investor Relations, Chief Information Security Officer, Chief Compliance Officer, Chairman of the Board or Lead Independent Director, lead external audit partner, and outside counsel (and others, depending on the organization), I would turn my attention to the following:
- Do I now have a fair understanding of how the organization creates value, its strategies, and the risks to those strategies?
- Do I have a sufficient understanding of the organization’s business model, including its primary products, organization and key executives, business operations, partners, customers and suppliers, etc.?
- How strong is the management team? Are there any individuals whose performance I need to pay attention to, perhaps asking more detailed questions when they provide information?
- Who else is on the audit committee and do we collectively have the insight, experience, and understanding necessary to be effective? Where are the gaps and how will they be addressed?
- What are the primary financial reporting risks and how well are they addressed? What areas, if any, merit special attention by the audit committee? Who should I look to for assurance they are being managed satisfactorily? Who owns the compliance program (if any) on controls over financial reporting, and how strong is the assessment team?
- What are the other significant financial and other risks (for which risk management oversight has been delegated by the full board) that merit special attention? Who should I look to for assurance they are being managed satisfactorily?
- How strong is the external audit team and how well do they work with management and the internal audit team? What are their primary concerns? Is their fee structure sufficient or excessive? Is their independence jeopardized by the services they provide beyond the financial statement audit (even if permitted by their standards)?
- How strong is the internal audit team and does the CAE have the respect of the management team and the external auditor? Are they sufficiently resourced? Are they free from undue management influence (for example, is the CAE hoping for promotion to a position in management, does he have free access to the audit committee, and is his compensation set by management or the audit committee)? What are their primary concerns? Do they provide a formal periodic opinion on the adequacy of the organization’s processes for governance and management of risk, as well as the related controls? How do they determine what to audit?
- Who owns and sets the agenda for the audit committee? Is there sufficient time and are there enough meetings to satisfy our oversight obligations?
- Do the right people attend the audit committee meetings, such as the general counsel, CFO, CAE, CRO, CCO, chief accounting officer, and the external audit partner?
- How does the approval process work for the periodic and annual filings with the regulator (e.g., the SEC)?
- How are allegations of inappropriate conduct managed? Who owns the compliance hotline, who decides what will be investigated and how, and at what point is the audit committee involved? Is there assurance that allegations will be objectively investigated without retaliation?
- What concerns do the other members of the audit committee have? Does the former chair of the committee have any advice?
I have probably missed a few items. What would you add?
Please share your comments and views.
While the ‘rest of the world’ thinks of “GRC” as governance, risk management, and compliance, the Institute of Internal Auditors (IIA) uses the term to refer to governance, risk management, and [internal] control.
This is confusing. I can imagine a conversation between two people about “GRC” that continues for 20-30 minutes before they realize they are not talking about the same thing.
Taking the IIA usage first, it has meaning and relevance. While the term GRC is not used per se, the IIA’s definition of internal auditing says that internal audit provides assurance by assessing the organization’s processes for governance, risk management, and the related internal controls. So it has meaning, although (my opinion, not shared by IIA leadership) I wish they would come up with another acronym and stop confusing the greater number who think the C in GRC stands for compliance and not control.
In my experience most internal auditors, influenced presumably by consultants, software vendors, and thought leaders from OCEG, think of the C as standing for compliance and not [internal] control.
So let’s turn to the more common usage of GRC – governance, risk management, and compliance.
Earlier this year, in April, I wrote companion pieces on GRC:
Seven months on, I am starting to think that the term is becoming even more meaningless in practice.
Maybe we can ask the person who invented the term GRC. Although there is competition from PwC and others (including the founder of OCEG), it is generally recognized that Michael Rasmussen (a friend) made it popular while he was with Forrester Research. He needed a term to describe the bucket of software functionalities he was assessing and decided to use the term GRC.
The stimulus for this post and reflection on GRC is recent writing by Michael on his web site. Referring to himself as the GRC Pundit (others call him the King of GRC and he certainly has no peers), he lambasted Gartner for their ‘Magic Quadrant’ assessment of GRC solutions (I did the same, for different reasons, in an earlier post).
But it is worth noting that Paul Proctor of Gartner (not the individual responsible for their ‘Magic Quadrant’) said he hates the term GRC. He said:
“GRC is the most worthless term in the vendor lexicon. Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have.”
I love and agree with this sentiment.
To add to the confusion around GRC, Gartner has its own definition. However, the most common and most widely-recognized definition is the one from OCEG:
“GRC is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].”
We could leave it there, in a confused and confusing world.
But enough is not enough.
Gartner also has definitions and an assessment for IT GRC – whatever that is – and Michael, on his web site, now refers to (and sometimes gives awards to):
- Identity and Access GRC
- Legal GRC
- 3rd Party GRC
- Enterprise GRC
- GRC gamification
Now I am not being fair to Michael, because I know what he is really doing. GRC is so broad, extending from processes for setting strategy and monitoring performance, through risk management, to legal case management, internal audit management, information security, data governance, and more. So, he has diced up the software landscape into categories and awarded different vendors for their excellence in individual categories.
Is there any point to continuing to talk about GRC (except within the IIA with respect to their usage) when there are so many reasons there really is none?
I am privileged to be a Fellow of OCEG. They champion the concept of Principled Performance, referring to GRC (under their definition) as a capability that enables Principled Performance. Principled Performance is defined as:
“The reliable achievement of objectives while addressing uncertainty and acting with integrity”
Perhaps we can stop (except for the IIA) talking about GRC and start talking about how we can optimize outcomes and performance, addressing uncertainty (risk management) and acting with integrity (regulatory compliance and organizational values).
What do you think?
Or should we step back and just talk separately about organizational governance, performance management, risk management, ethics and compliance, information security, and so on?
I welcome your views.
How many organizations, small or large, expect to succeed if they have a large number of “average” people – and by that I mean truly average, neither poor nor exceptional?
None. Yet, do we always do everything we can and should to hire, retain, reward, and develop exceptional people?
Does our human resources function help us find and hire exceptional people, or does it limit us to people who are paid average or, if we are lucky, just above average salary, benefits, and other compensation?
Do you really expect to hire exceptional people with just-above-average compensation?
Are we encouraged to recognize our people – all our people – as exceptional, or are we required to grade their performance on a curve?
At one of the companies where I was head of internal audit (CAE), I inherited an existing team. I would rate only two of the staff (one in the US and one in Singapore) as stars; a few had the potential of being very good; a couple were struggling; and the rest were “average”. They were competent, but had little potential for growth and were tolerated rather than welcomed by our customers.
I demanded more, in part because I was changing the style of the audit department so that instead of working in large teams, people were working in pairs or individually. This required more initiative, leadership, and exercise of common sense and business judgment.
The couple that were struggling recognized they were not going to be able to meet the new standard and left of their own volition. A few others saw the opportunity to grow and seized it. But the rest of the “average” performers remained average.
I was able, over time, to find positions for a couple of these people but the rest seemed to have glue on their feet. They enjoyed the new work and challenges, but were setting nobody on fire.
Our human resources function (HR) was no help. Since their work performance was “adequate”, I had no ethical way to move their sticky feet.
I wished I could have rolled back the clock and persuaded my predecessor to hire better people, people with greater intellect, curiosity, and imagination.
I have made a habit, now, of fighting hard to create an environment that lets me hire exceptional people. For that I need pay ranges agreed with HR that let me pay attractive salaries and offer excellent benefits, bonuses, etc. I need job titles that give the people pride in their position and responsibilities. Finally, I need the ability to rate all my people where they truly deserve to be rated – as exceptional performers.
Does your HR function let you hire the best possible person – and that is not the best you can find at the permitted rate, but the best you can find for the job you need done? Or are they a drag on performance?
How many of your sales team are “average”?
How many of your engineers are “average”?
What are you doing about it?
I welcome your comments and stories.
The other day, I was on a call with other members of an oversight committee. We were talking about the high level project plan for our new products and I asked to see a version that showed key deliverable dates. The chair of our small committee agreed, suggesting that the project manager add a diamond to the dates or otherwise indicate when the various deliverables would be completed.
But the project manager replied that the deliverable dates were in the detail of each “sprint” (the project was being managed using agile management techniques). We were looking at a higher level and he would be happy to show us the plans for each individual sprint.
I told him that I understood that the deliverables were in the sprint-level detail, but needed to see the deliverable dates on the higher-level project plan. Without that, I would not be able to see whether the plan was acceptable and the products would hit the market at the right time. For example, I could not see whether it made sense to work on deliverables serially or in parallel, or when oversight activities needed to occur.
His response was that he couldn’t run the project using two different project management techniques. Implying that my requirement was old-fashioned (I admit here that I have been managing or overseeing major projects since he was in grade school), he reiterated that he was using agile project management.
I tried to tell him that agile is how you run the project day-to-day, but for oversight purposes I needed to see the big picture – especially when the deliverables were to be completed.
Noting my rising tone, the chairman intervened and suggested that the project manager take the chart he was showing us and simply overlay the deliverable dates. He needed them as well.
The lesson here is that I, as an oversight and big picture person (at least in this role on this project), was talking a different language than the project manager.
I respect the project manager for his expertise and experience in running projects to successful completion. But, he was unable to put himself in my shoes, understand my needs, and then express himself in a way that communicated what I needed to know.
The same issue applies when technical experts, whether in finance, information security, risk management, internal audit, or another area, need to communicate with people in a more senior management or board position. They tend to think and talk in technical detail, while senior management and board members think and talk in terms of the bigger picture. Here is what I suggest:
- Understand the questions that senior management and the board need answers to.
- Answer those questions directly.
- Only provide additional detail when necessary to answer the questions – to their satisfaction, not yours – or when asked for more detail.
- Get to the point quickly.
For example, when a risk, security, or audit practitioner is talking to an executive officer, recognize that they want to know (a) is there anything I need to worry about, (b) is there anything I need to do, and (c) is there a need for me to continue to monitor the situation. They don’t need to know details when there is nothing for them to spend time on.
I welcome your views. If you can share experiences and stories, that would be appreciated.
Hopefully, you are familiar with the global risk management standard, ISO 31000:2009.
ISO has now developed and just published ISO 31004. This is a “Technical Report” titled “Risk management – guidance for the implementation of ISO 31000”.
Because it is a global document, you can download it from your national standards board’s site. In the US, you can find it on the ANSI site as well as on the ISO Swiss site. It is not free, but it is not expensive either.
The Technical Report “provides: a structured approach for organizations to transition their risk management arrangements in order to be consistent with ISO 31000, in a manner tailored to the characteristics of the organization; an explanation of the underlying concepts of ISO 31000; [and,] guidance on aspects of the principles and risk management framework that are described in ISO 31000”.
In addition to advice on upgrading risk management using ISO 31000, the Technical Report has useful appendices including a discussion of underlying concepts and principles. This latter starts by explaining that “Organizations of all kinds face internal and external factors and influences that make it uncertain whether, when and the extent to which, they will achieve or exceed their objectives. The effect that this uncertainty has on the organization’s objectives is risk”.
Another useful section says “Controls are measures implemented by organizations to modify risk that enable the achievement of objectives. Controls can modify risk by changing any source of uncertainty (e.g. by making it more or less likely that something will occur) or by changing the range of possible consequences and where they may occur.”
It concludes this appendix with “Risk management is an integral component of management, as it involves coordinated activities concerned with the effect of uncertainty on those objectives. That is why, in order to be effective, it is important that risk management is fully integrated into the organization’s management system and processes.”
Perhaps of most use is the discussion and explanation of risk management principles. I am not going to list or discuss them here, as you should really read and consider them for yourself.
I recommend purchase of ISO 31000:2009 (if you don’t already own it) and the new 31004:2013.
I welcome your comments.
The effect that a CEO can have on corporate culture is, in my experience, not as great as CEOs like to think. However, when their actions stand out and startle, as they do in the two stories I am going to share, they can have a significant impact and shape how employees feel about their leaders and company.
Both companies in these stories failed a few years later, for very different reasons. One failed because of inept management (my opinion); the other in spite of good management, because the company had failed five or ten years earlier to address structural problems leading to high cost and slowing innovation.
In 2003, I was working for a large global company that was experiencing significant pressure from customers to cut costs. As revenue dropped, profits slipped to losses and the company’s position in the market started its slip from #1 to #4.
The new CEO decided that across-the-board cuts in headcount were needed, and perhaps a thousand people lost their jobs. At the same time, he was rebuilding his executive team. He wanted them to be compensated for the turnaround he believed he was going to deliver, so he gave each of them hundreds of thousands of options to purchase shares in the company (then trading around $12) at one tenth of a penny per share. But this was not the action that startled.
At the same time that the company was letting many people go, he invested a million dollars to rebuild the executive floor. Each top executive got a fancy new office, replacing the cubicles previously mandated for every employee, and the floor gained a new coffee lounge. I mention the coffee lounge because the newly hired COO insisted that if he was going to join the company he needed a high-priced espresso machine. The lounge, with its precious coffee maker, was off-limits to all but the executive suite and their assistants.
I heard talk about the “princes” of the company, the “CEO and his cronies”, and other unflattering references. Any pride that employees might have had in their leadership dissipated, and management at all levels reflected the apparent executive focus on personal reward.
It is perhaps not surprising that my audit team found a lot of financial statement fraud during this period, as managers tampered with results to make their performance look better.
I left the company. In 2005, my new company also started losing revenue and market share. The board recognized that they faced two problems: (a) the pace of innovation was slowing, due at least in part to (in their opinion) poor leadership by the head of engineering; and (b) the cost of a key component was higher than the cost experienced by competitors. While our main competitors had invested years earlier in plants to manufacture close to 100% of their needs for this component, my company had built a small facility – in a high-cost area – that could only supply 35% or so of their needs. This component was at the heart of the company’s products and one of the most expensive components.
As a result, existing products carried a higher cost to manufacture than our competitors’ products. We either had to sell them for little profit, or sell very few; we did a bit of both. In addition, our engineering team was unable to design new products that would be cost-effective – a result of a combination of the slowing innovation and the high component cost.
The board acted. They directed the CEO to fire the head of engineering. When the CEO refused, they fired him as well, and the chairman of the board (an experienced CEO in this industry) took over.
The new CEO made a number of excellent decisions, including hiring a first-class head of engineering and best-in-class CFO.
However, the problems were too great to prevent the company’s revenue and profit slide.
The CEO reluctantly decided that the company had to cut cost, and a few hundred people were laid off.
That was not startling.
What did startle was that the CEO held a global all-employee meeting, where he and his executive team did a number of things. First, the CEO apologized to the employees for the company’s prior failures that had led to the need to cut headcount. He explained with honesty and humility the unfortunate need to let valued employees go. Then, he said that he and his #2 were both going to cut their salaries by (if I recall correctly) 15% for at least the next two years, and would forego any bonuses or stock awards.
While the CEO of the first company gave the impression that his priority was his and his team’s personal rewards, the CEO of the second gave the strong impression that his priority was the company and its employees.
People of all generations, creeds, and nationalities respond when others show they matter, when they are listened to, and when they are given respect. They respond with loyalty, dedication, and performance.
When they experience the opposite, that their leaders are only interested in ‘feathering their own nests’, employee loyalty, dedication, and performance are blown away like feathers in the wind.
I welcome your views and comments.
Deloitte continues to provide interesting information on risk management, the latest being Exploring Strategic Risk (the link is to a summary, which in turn includes links to an infographic with key results and the full report).
Before exploring their report, I find it interesting that people focus on so-called strategic risk – defined by Deloitte as “those that either affect or are created by business strategy decisions”. Both COSO and ISO refer to risk as the potential effect of uncertainty on objectives, so all risk – if it matters – is strategic!
My conclusion is that (a) people are not going through the necessary exercise of taking each of their strategies and objectives and identifying all risks that might affect their achievement, and (b) they are focusing instead on what might go wrong in their operations (including IT), or might create a loss in their financial portfolio.
This is supported by the principal Deloitte finding: “[only] 81% of surveyed companies now explicitly managing strategic risk – rather than limiting their focus to traditional risk areas such as operational, financial and compliance risk”.
I added “only” because, while some may see it as encouraging that 81% have upped their game, a large number, 19%, have not.
Another important finding is that only 67% say that “the CEO, board or board risk committee has oversight when it comes to managing strategic risk”. Either the rest are blind to risk that might derail the organization, or they have delegated it to somebody (such as a CRO) at a subordinate level.
This is a recipe for failure.
The third key finding is that only 13% believe their risk management processes support, at a high level, the ability to develop and execute business strategies. Another 48% believe their processes are adequate.
If this were my company, I would be very concerned!
I am encouraged that 43% are improving their ability to continuously monitor risks. I will close with this excerpt:
“It used to be that if certain risks were to happen, a company could have up to a news cycle to respond,” says Phil Maxwell, Director Enterprise Risk Management, The Coca-Cola Company. “The speed of risks is so much greater now, and as a result you have to be more prepared – faster to respond than you were in the past. That’s one of the biggest differences today versus even three or four years ago.”
I welcome your views and comments.
If you are, I am worried that you might be relying on so-called research by the analyst firm, Gartner. Each year, they publish a Magic Quadrant (MQ) that is presented as addressing organizations’ needs for GRC software. Their 2011 Magic Quadrant for ‘Enterprise Governance, Risk and Compliance Platforms’ (EGRC) is available from Gartner or one of the included software vendors. (I haven’t seen the 2013 MQ).
The purpose of the MQ is to present their “assessment of the main software vendors that should be considered by organizations seeking a technology solution to support the oversight and operation of enterprisewide risk management and compliance programs, with the overall objective being improvements in corporate governance and the ability to achieve business objectives”.
It is good to see my former employer, SAP, in the top quadrant. This means that Gartner considers them visionaries with a high ability to execute.
Also included are players with whose products I have some familiarity: Archer, BWise, IBM, Thomson Reuters, MetricStream, and Oracle.
But does this mean anything? Does it actually have value and relevance for organizations seeking to improve their governance, risk management, and compliance programs?
I have so many criticisms, it is difficult to know where to start:
- Gartner assesses software solutions against a defined set of required functionality. That set of functionalities is highly unlikely to be the same as your prioritized needs and requirements! While they talk most prominently about risk management and compliance programs, and these are typically the areas with the greatest need and potential ROI, they include requirements for internal audit, policy management, and more. How many companies would give significant weight, when considering solutions for risk management, to the needs of the (typically small) internal audit function? At the same time, they exclude critical functionality (in my opinion) around the capabilities to link strategy and risk, perform risk monitoring, and support risk workshops. How can you run an effective risk management program without the ability to continuously monitor risks in this turbulent business environment? When you are assessing the effect of uncertainty on objectives (i.e., risk), how do you do that when you have no way to identify the risks to each objective?
- They talk about governance, but their assessment includes next to nothing that supports governance. Even their definition of governance is limited and, in my opinion, wrong. It doesn’t include board communications, for example.
- Gartner assumes that you need a single platform for risk management and compliance. I believe that compliance-related risks should be included in the risk management program, and that a risk-based approach to compliance is generally wise. However, I find it difficult to believe that all the requirements for a compliance program (e.g., ethics certification and training, investigation case management, legal case management, whistleblower services, anti-money laundering and FCPA compliance, and more) can be found in a single solution – let alone one that supports risk management as well.
- Gartner assumes value in the integration of these various functionalities. However, that integration has much less value in practice than they consider. I would prefer to see integration between strategy and risk management than risk management and internal audit!
- They don’t consider the need to integrate risk and performance (and strategy) reporting. If we are to integrate risk management into the fabric of the organization, we need combined reporting on both performance and risk indicators.
- Few organizations have a ‘GRC’ organization, one that combines (as Gartner sees it) risk management, compliance management, policy management, internal audit, and some limited aspects of governance. So why should we think about a GRC solution?
I will stop there. My conclusion is that looking for a ‘GRC solution’ is (IMHO) short-sighted and likely to lead to selecting the wrong software for your organization.
I might use the MQ to make sure I am considering all the vendors that might have solutions to meet my needs.
But, I would define my requirements based on my needs, my requirements, my potential ROI, and not the needs of the fictional organization considered by Gartner.
I would also be concerned if a vendor presented their solution as addressing the requirements of an EGRC platform, as they may be designing a solution to get better grades from Gartner instead of satisfying their real customers.
What are your needs? If your priority is risk management, look for a risk management solution that has the functionality to meet your current and anticipated needs. If you are looking for compliance solutions, pick the solutions (probably more than one) that will work effectively as a combination.
If you need to address needs in multiple areas, where is the value from integration? Is it better to get separate solutions that are optimal for each area than one that perhaps is good in one or two but less so in others?
As I look back at my former companies where I was chief risk officer, ethics and compliance officer, and led internal audit, I would not have acquired one of these EGRC solutions. I would have acquired separate solutions for risk management, legal case management, SOX compliance, ethics management, and so on. The integration I would have prioritized would have been between risk management and strategy/performance management, and I would also have given significant weight to risk monitoring (using the sophisticated analytics tools now available from SAP, IBM, and Oracle).
I welcome your views.
The regulators and others around the world are asking organizations, especially those in financial services, to establish a risk appetite. This is typically in the form of a risk appetite statement or framework.
Let’s look at a couple of definitions of risk appetite.
“Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value” (Understanding and Communicating Risk Appetite)
“To fully embed ERM in an organization, decision makers must know how much risk is acceptable as they consider ways of accomplishing objectives, both for their organization and for their individual operations (division, department, etc.)”
[You may have seen my review of the COSO publication, which includes links to other thoughts on risk appetite.]
A similar view is expressed by a global financial services authority:
“Risk appetite is the amount and type of risk that a company is able and willing to accept in pursuit of its business objectives” - Institute of International Finance (http://www.iif.com/regulatory/article+968.php)
But, there are a number of people who believe that risk appetite is a flawed concept. I recommend a read of a paper by Grant Purdy, Demystifying Risk Appetite. When risk practitioners from around the world convened to develop a global risk management standard, ISO 31000:2009, they preferred to discuss risk criteria – a preference I share.
Is risk appetite a useful concept?
Let’s approach this by asking, as individuals, “What is your risk appetite?”
Perhaps you are saying that you are not a business, agency, or enterprise. But you still have objectives you want to achieve and you are more likely to succeed in achieving or surpassing them if you understand and treat/manage/address the risks and opportunities in your path towards those objectives.
Your personal objectives may include long-term ones like saving sufficient money to retire at a certain age, maintaining a certain level of health, or getting to vice president before you turn 35; short-term objectives might include being able to get to work on time today, or finishing a certain number of tasks at work so you can both make your manager happy and have dinner with a happy spouse at 7pm.
You will take risks in accomplishing these objectives. There is no “may” about it; you will take risks. With respect to your drive to work, your arrival time might be affected by weather (both good and bad), the volume of traffic (less traffic meaning you will surpass your objective), dangerous drivers, the possibility that you will fail to see another car when you change lanes, a request from your spouse to take the kids to school on your way, and so on. As you decide to leave, these are all uncertain events or situations that might or might not happen.
What is your risk appetite when you are deciding whether to change lanes because the traffic in front of you is too slow?
What is your risk appetite when you are deciding whether to agree to take the kids to school or ask your spouse to do it?
You have to decide whether to take these risks. You will certainly have a number of criteria that will help you decide, such as the potential for reward (arriving earlier or avoiding a delay in arrival) and the potential for loss (an angry spouse or manager, or physical injury if a car hits you). You will consider the magnitude of the potential loss or reward, the likelihood of each happening, and your ability or capacity to sustain any loss.
Can you put a number, a monetary value, on it? Is it a percentage of your net wealth?
When you decide whether to take a risk, you will be influenced by the likelihood and size of reward against the likelihood and size of loss. Will you decide to change lanes when there is an 80% chance of arriving on time if you do vs. 15 minutes late if you don’t, when you assess the risk of a car hitting you at less than 1%? How about if the chances of a crash are 5%, because there’s a lot of traffic, or 15% because visibility is low?
You will try to make an informed management decision. You will use your judgment, and you will not even think about anything like risk appetite. “Criteria” is a concept that makes sense, but not “appetite”.
Isn’t running a business similar to driving a car, in that you want to make informed management decisions using your best judgment?
Will you decide whether to expand operations into a new country using your judgment about the likelihood of success (at various levels) and the likelihood of failure (also at various levels)? Failure could mean loss of funds as you abandon new offices, lay off newly-hired staff, and write off assets; it could also mean loss of customer confidence, reputation damage, and even loss of life (depending on where you expand).
Can you put a risk appetite value on this and say, as COSO says “how much risk is acceptable”?
I can understand that it may be important to know that management is not putting the survival of the company at risk, or that the company has not put on the casino table of business more than it can afford to lose.
But is that how you make decisions? Is that how you decide whether or not to take a risk?
What is most important is that:
- Managers and executives recognize that when they make decisions they have to consider what might happen, and the effect of that is what we call risk
- If a manager is to be successful, he has to recognize risk, assess it (upside and downside), and if it is at an unacceptable level act to modify it – because that increases his chances of being successful and the level of success he will achieve
- Decision-makers should use their best and informed judgment to take risks. When the potential effect is outside their authority level, they should escalate the decision to more senior management – in the same way they make purchasing decisions
- The consideration of risk is an integral and essential element of decision-making and management in general. It is not a separate discipline
What is your appetite for risk appetite? Should we limit the concept to situations where it makes sense, like how much money to put at risk in the financial market? Mind you, we used to call those trading or position limits rather than risk appetite.
I welcome your comments.
An article by a former CEO and board veteran (William George), published in McKinsey Quarterly earlier this year, makes interesting reading.
I agree with the author’s perspective that improvements in organizational governance should focus on the performance of the board rather than “ministerial details”. In other words, make sure the board’s discussions are informed, timely, constructive, and fruitful.
One of the first points that George makes is an obvious one: that members of the board have less insight and experience with the business and its environment, and less time to spend considering it, than the executive leadership. He calls this “information asymmetry”. The lack of timely information is a frequent complaint and I wish the author had included suggestions for how it could be improved. My view is that the board should recognize this as a problem and set expectations with management on what they will receive, when it will be provided, and the level of detail that will be included. Management should be held to that expectation. In addition, board members should meet at different business locations and receive regular educational updates from leaders of the various business areas.
The author makes an interesting point, without calling it out as such: independent board members who are not afraid of “information asymmetry” have an ability to challenge established thinking and the views held by those with far more experience in the business. Fresh perspectives can bring fresh thinking and the breaking down of long-held bias. However, this means that the know-it-all executive has to change and be prepared to at least listen to new ideas.
I am encouraged by George’s observation that board performance has improved, “with a new generation of CEOs sharing with boards more openly, listening to them more closely, and working to achieve a healthier balance of power with independent directors”.
The article mentions the need for “good chemistry”, but doesn’t call an acid an acid (or a spade a spade). George recalls how an independent director challenged the CEO in the board meeting while the other directors sat silent. But when they moved to executive session, they suddenly were able to speak and voice their agreement. This is poor performance, whatever your views are on chemistry. A board member who is silent in front of the CEO and only able to speak when he is not present is a poor performer. It is essential that every director be prepared and willing to speak out, even when alone in his views. Directors who don’t are only qualified to carry the CEO’s rubber stamp.
The author does call a spade a spade when he talks about the need for real succession planning. The board simply cannot afford to defer to a CEO that does not support or even obstructs such a process. I suspect that when a CEO is unwilling to consider succession planning he is probably a poor developer of executive talent; I would worry about what would happen if he were to leave.
George shares his views on whether combining the role of CEO and board chair is a good or a bad thing. He seems to come down on the side of combining and I will let you decide whether he is convincing.
In his concluding Reflections section, George makes some useful suggestions. I like this, from the middle of the second bullet.
[Everybody that works with or on the board should demonstrate] “high-level listening skills, the ability to see situations from the other person’s perspective, and the wisdom to understand the basis for the different points of view”.
I welcome your views and perspectives.
The information security software firm, Tripwire, released the interesting results of a “state of risk-based security management” study performed in conjunction with the Ponemon Institute. (The link above is to the press release and summary. The complete study is downloadable in parts – not a good idea, Tripwire – from this location.)
The study has some disturbing comments:
- According to the study, not only do two thirds of IT professionals fail to communicate security risks, but 59% filter negative facts before they are disclosed!
- About half said that communication between security risk management and business personnel is “poor, nonexistent, or adversarial”.
Tripwire’s CTO is quoted as saying:
“Risk provides the common language that enables a broader business conversation about cybersecurity risks, particularly when dealing with non-technical executives. However, it’s clear from this report that most organizations are missing the majority of opportunities to integrate security risks into day-to-day business decisions. Changing this paradigm will require security professionals to develop new communication skills so they can talk about security risks in terms that are clearly relevant to the top-level business goals.”
In my opinion, Dwayne (the CTO) has this backwards.
These IT professionals need to communicate business risks – the potential effect on the business and its objectives from a potential information security exposure.
Talking about security risks is using a language that the business executives don’t speak naturally, one that does not communicate how their and the organization’s success might be affected.
As my good friend Jay Taylor says, and ISACA in its guidance reiterates, there is no such thing as IT risk – only the business risk created from an IT-related issue. For example, the loss of a server farm is not the risk; the risk is the effect of that loss on the business, such as the inability to support normal business operations (accounting, sales, etc.), which leads to loss of revenue.
Yes, IT professionals need to (as Dwayne says) “develop new communication skills”. They need to learn how to communicate in the language of the business. They need to talk about IT-related business risk, and cut out the techno-babble of “information security risk”.
Let’s not put all the blame for poor communications on IT. The business and especially any risk management personnel need to translate any techno-babble into business risk. They must not accept talk of “IT risk”. In the process, they can help the IT staff learn to speak the language of the business.
Just my opinion. What is yours?
A new report from Deloitte looks at companies with annual revenues between $100 million and $1 billion. They share the fact that the use of new technology to grow the business is not limited to larger companies. Deloitte indicates that:
“New solutions tied to the cloud and mobile are allowing middle market businesses to boost back-office productivity, reach new customers, and reinforce their culture”.
Their full report has three conclusions:
1. Technology is seen as a catalyst for growth.
“Once predominantly seen as an expense, technology is now viewed by more business leaders as a worthwhile investment and a source of strategic advantage. Additionally, the advent of cloud-based technology offers more affordable alternatives for mid-market companies as they work to drive growth in their organizations.”
2. New technology forays are focused on the customer.
This is consistent with other surveys and reports I have shared, such as the IBM survey of CEOs. As you go deeper into the report, you will see that about 2/3 of mid-market companies have or are in the process of developing their own mobile apps, as they look to mobile as an opportunity to engage customers more directly. In fact, “more than half of the executives — 55 percent — agree that mobile computing will be a differentiator for their company”.
A slight disappointment is that mid-market companies have not yet deployed analytics to full advantage. As Deloitte says:
“Only one in five reveals that their company is focused on leveraging analytics to facilitate predictive decision-making.
“When it comes to strategic decision making, leading businesses are beginning to see the value of applying advanced analytics to areas such as risk management, product development, reputation management and supply chain operations in a bid to remove the “unknowns” and detect early signals of change. To stay competitive, midmarket companies should continue to evolve in their use of analytics by turning to customer data not just to support their marketing decisions, but to manage processes and deliver new insights between and across functional areas throughout their organization.”
3. Security concerns are hampering IT adoption.
While it is clearly prudent to consider the need to protect information and comply with privacy and other laws and regulations, this should not unnecessarily hamper adoption of new technology that will transform a business. Deloitte makes two excellent points, which I not only endorse but have been making myself:
- “As emerging technologies begin to take firmer root in the middle market, forward-thinking leaders should work to proactively mitigate potential business risks by building the requisite due diligence and security strategies into their technology plans. Adopting a different mindset, one in which security and technology are incorporated into the business planning cycle, can empower mid-market companies to stay ahead of the adoption curve.”
- “It’s a good bet that if your company isn’t marshaling these technologies, your competitors are.”
Is your company taking the right risk when it comes to new technology? Which is greater: the risk of investing, or the risk that your competitor is ahead of you?
I welcome your thoughts.
Note: my work is partially supported by SAP, whose BusinessObjects solutions lead the business analytics market.
Oversight by the board of this critical area is an essential element of effective governance. With this in mind, many organizations have provided guidance – but while some of it is good, other guidance is likely to lead boards astray; it may even lead to errors in the implementation of risk management, such as a failure to recognize that risk management is a dynamic process that needs to be integrated across the organization and made part of strategy-setting, performance management, and daily decision-making. It is not a periodic exercise.
Just as the management of risk is a dynamic, iterative process, the board needs continued assurance that management has an effective process in place.
Let’s take some of the guidance and see what is good and not so good.
COSO, in its Enterprise Risk Management – Integrated Framework, says that “through the risk oversight process, the board should:
- Understand the entity’s risk philosophy and concur with the entity’s risk appetite
- Know the extent to which management has established effective risk management of the organization
- Review the entity’s portfolio of risk and consider it against the entity’s risk appetite
- Be apprised of the most significant risks and whether management is responding appropriately”
This tells some but not all the story:
- The board should have an active role in understanding and approving the entity’s taking of risk. Yes
- It should know whether management has established an effective risk management framework and process. Yes – a critical point
- But it should also know what actions are being taken to upgrade the management of risk where it is not sufficient, and understand the level of risk that deficient risk management represents to the success of the organization
- It should understand the more significant risks to the organization as a whole, and whether management has taken appropriate steps in response
- But, it is unrealistic to expect the board to “review the entity’s portfolio of risk”. Risk is dynamic and is present in every decision, every day. The board needs to be aware of the more significant risks, be involved where it can add value, and then be able to rely on the ongoing and continuous management of risk by executives and managers across the organization. If the organization feels it is able to provide a report that shows the entire “portfolio of risk”, I have to question whether they are addressing every risk that matters.
[A 2010 COSO report, Board Risk Oversight: A Progress Report from Protiviti, makes interesting reading, together with a 2009 report: Effective Enterprise Risk Oversight, The Role of the Board of Directors].
The problem with many guides from so-called thought leaders and experts on risk oversight is that they talk about the board reviewing a list of top risks from management, seeing if they agree that they are the top risks, validating management’s assessment of each risk, and discussing the actions management is taking in response.
This constitutes a periodic review of a list of risks. It may provide some level of comfort but it is limited to that list of risks and is only at that point in time.
One influential internal audit thought leader believes that internal audit should provide assurance that the board receives an accurate report of [residual] risk levels. I don’t believe that is sufficient because (a) it remains a point in time activity while risk is managed continuously, and (b) it involves internal audit second-guessing management’s assessment of risk levels. Internal audit should ensure management has effective processes for managing risk every day, which includes but is certainly not limited to periodic reporting to executives and the board.
The Canadian Institute of Chartered Accountants produced a thoughtful guide: A Framework for Board Oversight of Enterprise Risk. In the Introduction, you will find this excellent section:
“What is the appropriate role of the board in corporate risk management? Traditional governance models support the notion that boards cannot and should not be involved in day-to-day risk management. Rather, through their risk oversight role, directors should be able to satisfy themselves that effective risk management processes are in place and functioning effectively. The risk management system should allow management to bring to the board’s attention the company’s material risks and assist the board to understand and evaluate how these risks interrelate, how they may affect the company, and how these risks are being managed. To meaningfully assess those risks, directors require experience, training and knowledge of the business.”
I recommend a read of this interesting document.
I also recommend listening to my friend Jim DeLoach talk about risk oversight in this video. Note how he discusses the need for the board to satisfy itself that management has an effective risk management program in place.
The board relies on the system of internal control, with assurance from external and internal audit on its effectiveness, to produce periodic financial reports. It then reviews and asks appropriate questions of the financial statements before they are filed.
In the same way, it should seek to rely on an effective set of processes for managing risks to the achievement of objectives and creation of value. Board members should similarly review periodic risk reports and ask appropriate questions of management.
When the board knows that it can rely on management’s processes for managing risk, will be informed on a timely basis on changes in risk that merit its attention, and reviews and questions reports produced by the risk management process (not only at scheduled meetings but when the board is notified of significant changes), it is providing full-time oversight.
This is my advice for directors in discharging their responsibilities for oversight of risk management (see my prior blog):
1. The responsibility of the board is to ensure that management has appropriate processes for risk management. It is not the directors who identify and assess risk (with the exception of the point below), but management.
2. Some risks should be the remit of directors, such as:
- CEO performance
- Executive succession planning
- The effectiveness of the board and its committees
- The adequate performance of those that report to the board, such as the internal and external audit functions and, in some organizations, the chief risk and chief compliance officers
3. Directors should understand that risk management is not just about protecting value but creating it. When risk information is provided to decision-makers and considered in the making of business decisions, better decisions are likely and this will drive better performance. When we are talking about risk, we are talking about uncertainties (potential events or situations) that lie in the path to the organization’s objectives. The effect of those uncertainties can be positive, creating value (often referred to as opportunities), as well as negative, impeding progress. Risk management is, at its core, about understanding those uncertainties (both those with positive and negative effects on objectives) and taking actions to optimize outcomes.
4. Directors should also understand that it is essential that the risk management process be dynamic, iterative, and responsive to change because (a) business conditions, including risks, are changing at an accelerating pace, (b) the volatility of risk seems to be increasing, (c) the time to respond to those changes is diminishing, and (d) business decisions have to be made at speed. Assessing and responding to risk at periodic intervals is unlikely to be sufficient; the understanding and consideration of risk has to be embedded into how the business is run – every day.
5. Risk management should not be a separate activity; it should be embedded in the processes for establishing objectives and setting strategies; managing major projects; monitoring and optimizing performance; reporting of results, both financial and operational; reviewing executive compensation; and daily decision-making.
6. As business conditions change, not only external to the business but also internal – such as organization changes – management should consider updating its risk framework (including approved risk appetite or criteria) and processes.
7. Reviewing the effectiveness of risk management and internal control is an essential part of the board’s responsibilities and should be performed at least annually. The board will need to form its own view on effectiveness based on the information and assurances provided to it (see #10, below), and in doing so it must exercise the standard of care generally applicable to directors in carrying out their duties. Management is accountable to the board for implementing and monitoring the system of risk management and internal control and for providing assurance to the board that it has done so.
8. Neither risk management nor internal control processes provide perfect assurance. Rather, the board should assess whether management’s processes provide reasonable assurance that the more significant risks to the company’s objectives and strategies are within levels appropriate to the company’s business and approved by the board.
9. When assessing the adequacy of risk management, the board should consider:
- The processes for establishing the company’s longer and shorter-term objectives and strategies, and whether they give appropriate consideration to risk;
- The processes for determining the company’s risk appetite or criteria, and communicating them to managers and other employees as appropriate. While it can be valuable (and is required by law or regulation in some cases) to establish the organization’s overall risk appetite (the level of risk the organization is willing to accept), unless that appetite is translated into practical guidance that each manager can apply in decision-making to take the right risks, an appetite statement will be form without substance;
- The adequacy of the company’s risk policies and standards;
- The adequacy of management’s processes for identifying, analyzing, evaluating, and treating new or modified risks;
- Whether there is sufficient effective communication of risk and control information across the business;
- The processes for monitoring and optimizing performance, and whether they give sufficient consideration to risk levels;
- Whether management’s processes for monitoring the adequacy of internal control and risk management processes provide reasonable assurance that they continue to operate as intended and are modified as business conditions or risks change; and
- Management’s reporting of risk and whether it provides both senior management and the board sufficient timely visibility of risk levels across the organization and whether they are at acceptable levels.
10. The board should solicit a formal opinion on the adequacy of risk management and internal control from the head of the internal audit function at least annually, which should be considered in the board’s own assessment. The board should also solicit the observations of the independent auditor, recognizing that such observations will generally be limited to risks and controls related to the preparation of the external financial statements. If the organization has a chief risk officer, their opinion should be obtained on the adequacy of risk management processes and practices, including the organization’s risk culture, the adequacy of resources for the management of risk, and the integration of risk into strategy-setting, major project management, performance management, etc.
11. The board should ensure that its members have sufficient collective understanding of risk management practices and techniques to effectively question and assess management’s risk management framework and processes.
12. The board should ensure it receives sufficient useful, reliable, complete, timely, and current information to provide effective oversight of the organization’s performance, including risk management.
Earlier this year, I suggested 5 questions board members should ask management:
- Are you, board and management separately and together, satisfied that the organization has an effective process for identifying, assessing, and responding to risks to the achievement of the organization’s objectives? If so, please explain why you believe it is effective now and how you know it will continue to be effective as we go through the year.
- Does that process provide sufficient timely information so that you are not surprised by changes in risk conditions, including changes in risk levels as well as by emerging risks?
- Is the consideration of risk sufficiently integrated into management processes and operations, so that it impacts strategy-setting and decision-making across the organization, or is risk management performed in a silo that is separate from performance reporting and management and how the organization is run every day?
- What are the plans for improving the maturity and effectiveness of risk management in the next 12 months?
- Where is the risk management program weakest (such as incomplete, unreliable, or untimely information) and what does this mean to the management of the organization? How are you compensating for the risk that this represents?
I welcome your comments.
I use the word ‘technology’, but McKinsey prefers ‘digital’. No matter, the consulting firm’s Global Survey indicates that not only can new technology enable increased revenue, customer satisfaction, and improved processes, but CEOs are stepping up to lead such efforts.
Why? McKinsey found that 65 percent of the C-level executives they surveyed expect new technology to increase their companies’ operating income over the next three years, and rank it among their top ten priorities.
Here are some key points:
- Companies are using digital technology more and more to engage with customers and reach them through new channels. What’s more, growing shares [i.e., a growing number of respondents – ndm] report that their companies are making digital marketing and customer engagement a high strategic priority. Nevertheless, there is more work to do: most executives estimate that at best, their companies are one-quarter of the way toward realizing the end-state vision for their digital programs.
- Executives say each of the five digital trends we asked about [big data and advanced analytics, digital engagement of customers, digital engagement of employees and external partners, automation, and digital innovation - ndm] is a strategic priority for their companies. Of these, the trend that ranks highest is customer engagement: 56 percent say digital engagement of customers is at least a top-ten company priority, and on the whole respondents report notable progress since 2012 in deploying practices related to this trend. Companies have made particularly big gains in their use of digital to position material consistently across channels and to make personalized or targeted offers available online.
- By comparison, companies have been slower to adopt digital approaches to engaging their own employees, suppliers, and external partners. Here, executives say their companies most often use online tools for employee evaluations and feedback or knowledge management; smaller shares report more advanced uses, such as collaborative product design or knowledge sharing across the supply chain.
- Responses also indicate growth in the company-wide use of big data and advanced analytics, matching our experience with companies of all stripes, where we are seeing executives consider analytics a critical priority and dedicate increasing attention to the deployment of new analytic tools. Notably, respondents report increased use of data to improve decision making, R&D processes, and budgeting and forecasting. What’s more, executives say their companies are using analytics to grow: the largest shares report focusing their analytics efforts on either increasing revenue or improving process quality; reducing costs tends to rank as a lower-level priority.
- When asked about the next wave of business-process automation, respondents say their companies are automating a wide range of functions to improve the overall quality of processes.
- When asked about innovation practices, more than 40 percent of respondents say their companies are either incorporating digital technology into existing products or improving their technology operating models (for instance, using cloud computing). Just 23 percent say they are creating digital-only products.
- Across most of the C-suite, larger shares of respondents report that their companies’ senior executives are now supporting and getting involved in digital initiatives. This year, 31 percent say their CEOs personally sponsor these initiatives, up from 23 percent who said so in 2012. This growth illustrates the importance of these new digital programs to corporate performance, as well as the conundrum that many organizations face: often, the CEO is the only executive who has the mandate and ability to drive such a cross-cutting program.
- Despite the host of technical challenges in implementing digital, respondents say the success (or failure) of these programs ultimately relies on organization and leadership, rather than technology considerations.
McKinsey identifies three key factors in an organization’s success in using technology effectively:
- Finding the right digital leaders. They point to C-level involvement and the appointment of a chief digital officer
- Managing expectations
- Prioritizing talent
I would add to that:
- A willingness to take intelligent risks with technology. While it can be dangerous to be on the bleeding edge, it can be equally dangerous to be left behind by the competition
- Agility. There is no point trying to layer new technology on the top of a legacy infrastructure that is old and immobile, or on an organization that has equally stale and stubborn attitudes towards change
- Reliable processes for identifying and adopting new technologies
I welcome your views.
This is going to be an unusual post.
I want to start a debate about what internal auditors should know and understand about risk and the management of risk within an organization – but don’t.
Please contribute by sharing your views and debating with those I express and others post.
My list is fairly short:
- Too few internal auditors understand that the purpose of risk management, as expressed in both the COSO risk management framework and the global ISO 31000:2009 standard, is to help executives, managers, and decision-makers make better quality decisions – and thereby increase the likelihood that the organization will achieve its objectives and create value
- In fact, too few are truly familiar with both COSO ERM and ISO 31000:2009. The latter is easier to understand and use, which is why I prefer it
- Too few internal auditors understand that controls only require improvement if the level of risk is outside desired levels. Some risk is essential for efficiency and success
- Too many CAEs believe they cannot assess risk management because there is no formal risk management program. That in and of itself may be a serious risk that should be discussed with the audit committee and top management. But, what needs to be assessed is not the program per se but whether the organization is able to manage risks to the achievement of objectives
I will leave it there.
My ask is that all comments be constructive and point to solutions rather than using this as an opportunity to slam either the IIA or those that write about internal audit and risk management.
Do we care what the term “reasonable assurance” means? We should, because it should guide assessments of internal control by management, internal audit, and external audit (and the latter use it when they express an opinion on the financial statements). It also comes into play as internal auditors and management assess the adequacy of governance and risk management processes.
Is it, as the SEC and PCAOB once told me, “a term of science”? Not really. It all comes down to professional judgment by a reasonable or prudent person: judgment as to the level of risk that the assessment is incorrect.
There are regulations that guide the external audit firms and define what reasonable assurance should mean when they use the term.
Auditing Standard Number 5 (AS5) says:
“Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes… The auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance about whether material weaknesses exist as of the date specified in management’s assessment… When evaluating the severity of a deficiency, or combination of deficiencies, the auditor also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that a deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles, then the auditor should treat the deficiency, or combination of deficiencies, as an indicator of a material weakness.”
AS5 points to AU sec. 230, Due Professional Care in the Performance of Work, for a definition of reasonable assurance. However, that document doesn’t provide a great deal more clarification:
“While exercising due professional care, the auditor must plan and perform the audit to obtain sufficient appropriate audit evidence so that audit risk will be limited to a low level that is, in his or her professional judgment, appropriate for expressing an opinion on the financial statements. The high, but not absolute, level of assurance that is intended to be obtained by the auditor is expressed in the auditor’s report as obtaining reasonable assurance about whether the financial statements are free of material misstatement (whether caused by error or fraud). Absolute assurance is not attainable because of the nature of audit evidence and the characteristics of fraud. Therefore, an audit conducted in accordance with generally accepted auditing standards may not detect a material misstatement.”
The guidance continues:
“The independent auditor’s objective is to obtain sufficient appropriate audit evidence to provide him or her with a reasonable basis for forming an opinion. The nature of most evidence derives, in part, from the concept of selective testing of the data being audited, which involves judgment regarding both the areas to be tested and the nature, timing, and extent of the tests to be performed. In addition, judgment is required in interpreting the results of audit testing and evaluating audit evidence. Even with good faith and integrity, mistakes and errors in judgment can be made. Furthermore, accounting presentations contain accounting estimates, the measurement of which is inherently uncertain and depends on the outcome of future events. The auditor exercises professional judgment in evaluating the reasonableness of accounting estimates based on information that could reasonably be expected to be available prior to the completion of field work. As a result of these factors, in the great majority of cases, the auditor has to rely on evidence that is persuasive rather than convincing.”
OK, what does this all mean? There are some key phrases:
- “the level of detail and degree of assurance that would satisfy prudent officials that they have reasonable assurance”
- “audit risk will be limited to a low level that is, in his or her professional judgment, appropriate”
It all comes down to the judgment of a prudent person or official.
AS5 and AU sec.230 both point to the fact that absolute or perfect assurance is impossible. They are concerned about assurance over financial reporting and their opinion on the system of internal control and the financial statements.
What does the COSO Internal Control – Integrated Framework (2013) say? It also refers to reasonable assurance:
“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
It goes on to say that internal control is “able to provide only reasonable assurance, not absolute assurance”.
“The term ‘reasonable assurance’ rather than ‘absolute assurance’ acknowledges that limitations exist in all systems of internal control, and that uncertainties and risks may exist, which no one can confidently predict with precision. Absolute assurance is not possible. Reasonable assurance does not imply that an entity will always achieve its objectives. Effective internal control increases the likelihood of an entity achieving its objectives. However, the likelihood of achievement is affected by limitations inherent in all internal control systems, such as human error and the uncertainty inherent in judgment. Additionally, a system of internal control can be circumvented if people collude. Further, if management is able to override controls, the entire system may fail. In other words, even an effective system of internal control can experience a failure.”
So, let’s see if we can come up with something that makes practical sense.
Let’s start by saying that a system of internal control is designed to ensure risks to the achievement of objectives are within desired levels. But, there are limitations inherent in any system of internal control, as described by COSO in the excerpt above.
How much risk should we take that the system of internal control will fail, with significant implications for the achievement of objectives? How much should we spend on controls to limit the risk? That is a matter of judgment: management and the board, as appropriate, should decide. In some cases, regulation and law may guide the definition of an acceptable level of risk that the system of internal control will fail. In all cases, whether a reasonable person (or official) would agree should be a consideration.
If the level of risk that the system of internal control will fail is acceptable, we can call the system of internal control effective.
But the problem is not quite that simple. We also have to consider the use of the term in an auditor’s opinion. External and internal audit seek reasonable assurance that the system of internal control is effective. Said another way, the auditors seek reasonable assurance that the system of internal control provides reasonable assurance that risks to the achievement of objectives are at acceptable levels.
Here, we are talking about the level of risk that the assessment by the auditor is incorrect. Again, the judgment of a prudent person or official comes into play. For the reasons expressed in AU sec.230, an auditor cannot be certain that his assessment is correct.
OK, so what does this all mean?
As I said earlier, this is not a matter of science. It is a matter of judgment and common sense. Professional auditors are presumed to have both and should be required to exercise both when making assessments.
Where am I going with this?
I believe that external auditors, management, and internal auditors should be prepared to form and express opinions on the adequacy of internal control, management of risk, governance processes, and more. They should rely on, without qualms, their common sense and judgment in that process. Perfect assurance that the system of internal control is perfect is doubly impossible. Reasonable assurance based on professional judgment is possible.
I welcome your comments and perspectives.
PS. I will write a post shortly about the form an internal auditor’s opinion might take on the adequacy of an organization’s overall processes for governance, management of risk, and internal controls.