<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Norman Marks on Governance, Risk Management, and Audit</title>
	<atom:link href="http://normanmarks.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://normanmarks.wordpress.com</link>
	<description>Personal views, comments, and occasional rants from a long-time practitioner</description>
	<lastBuildDate>Wed, 22 May 2013 06:37:15 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='normanmarks.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://1.gravatar.com/blavatar/b25f75f7b9f26be618a30c75645325f3?s=96&#038;d=http%3A%2F%2Fs2.wp.com%2Fi%2Fbuttonw-com.png</url>
		<title>Norman Marks on Governance, Risk Management, and Audit</title>
		<link>http://normanmarks.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://normanmarks.wordpress.com/osd.xml" title="Norman Marks on Governance, Risk Management, and Audit" />
	<atom:link rel='hub' href='http://normanmarks.wordpress.com/?pushpress=hub'/>
		<item>
		<title>Reflections on the updated COSO Internal Control Framework</title>
		<link>http://normanmarks.wordpress.com/2013/05/17/reflections-on-the-updated-coso-internal-control-framework/</link>
		<comments>http://normanmarks.wordpress.com/2013/05/17/reflections-on-the-updated-coso-internal-control-framework/#comments</comments>
		<pubDate>Fri, 17 May 2013 09:59:16 +0000</pubDate>
		<dc:creator>Norman Marks</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[boards]]></category>
		<category><![CDATA[business intelligence]]></category>
		<category><![CDATA[CFO]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[control environment]]></category>
		<category><![CDATA[corporate governance]]></category>
		<category><![CDATA[COSO]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[finance]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[IIA]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[ISACA]]></category>
		<category><![CDATA[PwC]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk appetite]]></category>
		<category><![CDATA[risk tolerance]]></category>
		<category><![CDATA[Sarbanes-Oxley]]></category>
		<category><![CDATA[SOX]]></category>
		<category><![CDATA[strategy]]></category>

		<guid isPermaLink="false">http://normanmarks.wordpress.com/?p=1223</guid>
		<description><![CDATA[I am still in the process of my detailed review of the update. However, I have already formed two opinions: The assertion that “an effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives” is [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>I am still in the process of my detailed review of the update. However, I have already formed two opinions:</p>
<ol>
<li>The assertion that “an effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives” is excellent and I am pleased that it comes before any discussion of principles</li>
<li>The assertion that follows, that this (reducing risk to an acceptable level) requires that “each of the five components and relevant principles is present and functioning” creates a serious problem</li>
</ol>
<p>Let’s examine the problem created by COSO saying that effective internal control requires that all relevant principles are present and functioning. I say ‘principles’ because the Framework asserts that no component can be assessed as present and functioning if there are major issues with any of the related principles.</p>
<p>Rather than taking an approach that requires that risks to the achievement of objectives be identified, and then an assessment made as to whether the combination of controls across all components of the Internal Control Framework reduces the level of risk to acceptable levels (i.e., a top-down, risk-based approach like those recommended in PCAOB, SEC, and IIA guidance), the assessor is directed to assess the principles. This creates a high risk, highlighted by many commentators on the drafts submitted earlier for review, that the assessment will be based on a checklist: a checklist formed by the principles.</p>
<p>Now an argument can be made, requiring some contortions of logic, that the same result as a top-down and risk-based approach is achieved because the principles include the required steps of a risk-based approach (principle 7 refers to the identification of risks, principle 10 identifies control activities that “contribute to the mitigation of risks to the achievement of objectives to acceptable levels”, and principle 11 talks about IT general controls – though they should be included in principle 10). Then, so the logic goes, the assessment is made as to whether there are any major deficiencies (i.e., one that “severely reduces the likelihood that the entity can achieve its objectives”). Does this, in fact, result in the same assessment?</p>
<p>Possible, but unlikely.</p>
<ol>
<li>As we know from PCAOB and SEC guidance and our experience on SOX assessments, indirect entity-level controls do not necessarily result in a higher risk of failure to achieve objectives (in the case of SOX, the objective is a set of financial statements free from material misstatement). Indirect entity-level controls only create a higher risk that direct controls will fail. Then it is up to the assessor to determine whether, especially considering the quality of monitoring controls, the risk to objectives is greater than acceptable levels</li>
<li>The determination of a major deficiency (see above) is not whether the risk to achievement of objectives is greater than acceptable levels. That assessment, requiring judgment, still has to be made but is not referred to as far as I can tell in the updated Framework</li>
<li>I believe it is likely that an assessment based on the principles rather than risks to the achievement of objectives will result in (a) assessment of principles that are not relevant to the assessment of risk to achievement of objectives, and (b) a failure to consider all the key controls (using SOX language) relied upon to reduce the level of risk to objectives to acceptable levels</li>
</ol>
<p>Why do I believe this? Just look at the COSO (or PwC) suggested templates for assessing internal control. Do they take a top-down, risk-based approach, or do they instead ask for an assessment of the principles, with yes or no answers and no reference to acceptable levels of risk?</p>
<p>I suspect that over time we will learn how to use the updated Framework while remaining true to the top-down and risk-based approach. But, in the meantime I fear that many will lose their way.</p>
<p>Until now, the choice has been rules-based or principles-based. I always thought that in the case of internal control, principles-based referred to the principle that internal control is not perfect and only provides reasonable assurance that risks to the achievement of objectives are at acceptable levels. PwC and COSO have blurred, in my opinion, the distinction between rules-based and principles-based. I just wished they had gone for “risk-based”.</p>
<p>I welcome your comments.</p>
]]></content:encoded>
			<wfw:commentRss>http://normanmarks.wordpress.com/2013/05/17/reflections-on-the-updated-coso-internal-control-framework/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/58805329671ea59e63750c479dd33494?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">nmarks</media:title>
		</media:content>
	</item>
		<item>
		<title>SAP’s Secret Recipe for GRC</title>
		<link>http://normanmarks.wordpress.com/2013/05/02/saps-secret-recipe-for-grc/</link>
		<comments>http://normanmarks.wordpress.com/2013/05/02/saps-secret-recipe-for-grc/#comments</comments>
		<pubDate>Thu, 02 May 2013 22:38:22 +0000</pubDate>
		<dc:creator>Norman Marks</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[analytics]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[automated controls]]></category>
		<category><![CDATA[BI]]></category>
		<category><![CDATA[boards]]></category>
		<category><![CDATA[business intelligence]]></category>
		<category><![CDATA[CCM]]></category>
		<category><![CDATA[CFO]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[continuous auditing]]></category>
		<category><![CDATA[continuous monitoring]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[control environment]]></category>
		<category><![CDATA[corporate governance]]></category>
		<category><![CDATA[COSO]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[finance]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[IIA]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[ISACA]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[IT general controls]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[PwC]]></category>
		<category><![CDATA[reputation risk]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk appetite]]></category>
		<category><![CDATA[risk tolerance]]></category>
		<category><![CDATA[Sarbanes-Oxley]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://normanmarks.wordpress.com/?p=1220</guid>
		<description><![CDATA[It is true that SAP has been selling a number of what it calls GRC solutions. (Now that I have retired from SAP I can tell you that I wish they didn&#8217;t call them that – which I will explain later.) It is also true that the so-called Big 4 accounting firms have been explaining how organizations [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>It is true that SAP has been selling a number of what it calls GRC solutions. (Now that I have retired from SAP I can tell you that I wish they didn&#8217;t call them that – which I will explain later.)</p>
<p>It is also true that the so-called Big 4 accounting firms have been explaining how organizations can address their SAP enterprise application access issues using SAP GRC.</p>
<p>So, the first secret, known only to a few, is that what the Big 4 are talking about is SAP’s Access Control suite. (Yes, it is actually a suite of several modules. Some customers make the severe mistake of only implementing a few, easy ones, instead of all of them – but that’s a topic for another post.)</p>
<p>SAP actually has several applications included in its GRC solution set: for enterprise application access, enterprise risk management, continuous monitoring and auditing (including risk monitoring), and global trade management. The middle two (Risk Management and Process Control) are quite nicely integrated, so that risk managers can link risks to controls and obtain assurance that the risks are being addressed by effective controls. The last one, Global Trade Solutions, is probably the market leader in its category but I would argue it doesn&#8217;t really fit into the typical “GRC” bucket. It enables management to comply rather than provide capabilities for monitoring compliance. Personally, I love it and would have been a very strong advocate for acquiring it at several of the companies where I was an executive. But, I wouldn&#8217;t call it a GRC solution.</p>
<p>The second and bigger secret is that SAP offers far more to those looking to improve their GRC processes than what is included in their GRC solution set. For example, if I were to take (as I have before) an executive position in risk management, compliance, or internal audit at an SAP customer, I would consider the following:</p>
<ul>
<li>The core of my risk management program would be provided by SAP’s Risk Management solution. (Clearly, there are competitive products that would have to be considered, but let’s assume that the value of a consistent technology across my IT infrastructure, the availability of technical support, the continuing investment by SAP, and the potential for integration – discussed in a moment – means that SAP wins.)</li>
<li>In addition to the automated risk monitoring capability offered by that solution, I would use SAP’s analytics solutions (in all their forms) to monitor risk levels and warn me when they are outside my risk criteria. That would include using mobile analytics solutions to put risk management information in the hands of the executives and managers running the business.</li>
<li>I would use Process Control (or a competitor) for multiple purposes: (a) to manage my SOX program, (b) to automate the testing of configurable and other automated controls, and (c) to implement monitoring (i.e., detective) controls that might replace or, at least, augment my preventive controls.</li>
<li>SAP has a number of other solutions that I would consider for risk and transaction monitoring, including within their Treasury and Cash Management, Hedge Management, Trade and Commodity Management, and other solutions. Sybase (an SAP company) has an interesting product called Event Stream Processor that can be used in real time to test activities against defined rules.</li>
</ul>
<p>If I were, as I said, an executive responsible for improving my organization’s GRC processes, I would not simply go out and get a so-called GRC solution or GRC platform. No. I would understand and define my particular business needs. As a strong proponent of managing risk at the speed of business and providing assurance that risks are managed at that speed, I need a core repository kind of program that is nicely integrated with continuous monitoring and analytics capabilities.</p>
<p>Maybe there’s a better set of solutions for an SAP environment than those offered by SAP. Maybe. But I have yet to see it. It is going to be difficult to persuade me that the advantage SAP has (with (a) its risk management and analytics applications built on the same technology as each other and the enterprise applications, (b) being the largest enterprise application software company in the world, and (c) also being, I believe, the largest GRC software company in the world) doesn&#8217;t overwhelm the advantages niche vendors may have with individual points of functionality.</p>
<p>Oh, I said I would explain why I don’t like SAP calling their solutions “GRC”.</p>
<ol>
<li>What is GRC?</li>
<li>Perhaps because SAP only (or mainly) talks about its GRC solutions, people don’t know SAP has a pretty good risk management solution</li>
<li>Organizations should be looking to address their specific needs instead of acquiring a GRC platform whose functionality is designed to meet an analyst’s needs, not necessarily theirs.</li>
</ol>
<p>I welcome your views and commentary.</p>
<p>PS – Some of my semi-retirement activities are sponsored and supported by SAP, but all the opinions I share are mine and mine alone – without influence from SAP.</p>
]]></content:encoded>
			<wfw:commentRss>http://normanmarks.wordpress.com/2013/05/02/saps-secret-recipe-for-grc/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/58805329671ea59e63750c479dd33494?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">nmarks</media:title>
		</media:content>
	</item>
		<item>
		<title>Why it makes sense to consider GRC</title>
		<link>http://normanmarks.wordpress.com/2013/04/29/why-it-makes-sense-to-consider-grc/</link>
		<comments>http://normanmarks.wordpress.com/2013/04/29/why-it-makes-sense-to-consider-grc/#comments</comments>
		<pubDate>Mon, 29 Apr 2013 15:04:10 +0000</pubDate>
		<dc:creator>Norman Marks</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[analytics]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[BI]]></category>
		<category><![CDATA[boards]]></category>
		<category><![CDATA[CCM]]></category>
		<category><![CDATA[CFO]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[continuous auditing]]></category>
		<category><![CDATA[continuous monitoring]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[control environment]]></category>
		<category><![CDATA[corporate governance]]></category>
		<category><![CDATA[COSO]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[finance]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[IIA]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[ISACA]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[IT general controls]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[ITGC]]></category>
		<category><![CDATA[reputation risk]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk appetite]]></category>
		<category><![CDATA[risk tolerance]]></category>
		<category><![CDATA[strategy]]></category>

		<guid isPermaLink="false">http://normanmarks.wordpress.com/?p=1218</guid>
		<description><![CDATA[I recently criticized organizations’ focus on GRC, suggesting instead that they ensure the individual building blocks of risk management, compliance, strategy, and performance management are brought up to at least a moderate level of maturity. But, there is true value in considering GRC within your organization – without taking away from the points I made [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.theiia.org/blogs/Marks/index.cfm/post/Does%20It%20Make%20Sense%20to%20Discuss%20GRC?">I recently criticized organizations’ focus on GRC</a>, suggesting instead that they ensure the individual building blocks of risk management, compliance, strategy, and performance management are brought up to at least a moderate level of maturity.</p>
<p>But, there is true value in considering GRC within your organization – without taking away from the points I made in that earlier post.</p>
<p>GRC refers to “a capability to reliably achieve objectives (governance &amp; performance) while addressing uncertainty (risk management) and acting with integrity (compliance)”.</p>
<p>The message behind GRC is that all of the different pieces described and included in that definition of GRC need to work together, in harmony and an orchestrated fashion, if the organization is to optimize performance and reliably achieve objectives. For example:</p>
<ul>
<li>If strategy is developed and only then is risk considered (instead of formulating strategy after understanding risks and opportunities both within the organization and in its business environment), you may set the wrong strategies and objectives.</li>
<li>If performance is evaluated, monitored, and managed without an integrated understanding of risks or compliance considerations, you are unlikely to optimize results.</li>
<li>If politics and other factors cause the organization to fail to share information and resources, have redundant and siloed operations, you are unlikely to perform.</li>
<li>If the compliance function is always chasing after initiatives and plans so it can add compliance band-aids, instead of being on the bus from the beginning, failure is likely.</li>
</ul>
<p>I think organizations need to build out the maturity of the individual pieces of GRC while ensuring that they don’t result in silos, and with a vision of orchestration and harmony across the organization.</p>
<p>Since the failure to harmonize is most often the result of the sickness we call internal politics, this needs to be monitored, diagnosed, and treated aggressively.</p>
<p>I welcome your views and comments.</p>
]]></content:encoded>
			<wfw:commentRss>http://normanmarks.wordpress.com/2013/04/29/why-it-makes-sense-to-consider-grc/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/58805329671ea59e63750c479dd33494?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">nmarks</media:title>
		</media:content>
	</item>
		<item>
		<title>John Fraser talks sense about risk management</title>
		<link>http://normanmarks.wordpress.com/2013/04/24/john-fraser-talks-sense-about-risk-management/</link>
		<comments>http://normanmarks.wordpress.com/2013/04/24/john-fraser-talks-sense-about-risk-management/#comments</comments>
		<pubDate>Wed, 24 Apr 2013 16:14:34 +0000</pubDate>
		<dc:creator>Norman Marks</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[analytics]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[boards]]></category>
		<category><![CDATA[business intelligence]]></category>
		<category><![CDATA[CFO]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[control environment]]></category>
		<category><![CDATA[corporate governance]]></category>
		<category><![CDATA[COSO]]></category>
		<category><![CDATA[crisis management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[finance]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[IIA]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[ISACA]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[reputation risk]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk appetite]]></category>
		<category><![CDATA[risk tolerance]]></category>
		<category><![CDATA[Sarbanes-Oxley]]></category>
		<category><![CDATA[SOX]]></category>
		<category><![CDATA[strategy]]></category>

		<guid isPermaLink="false">http://normanmarks.wordpress.com/?p=1216</guid>
		<description><![CDATA[John Fraser is a highly-respected Canadian risk and audit practitioner. He introduced and then for 13 years led the risk management program at Hydro One. John shares his wisdom on effective risk management with both common sense and humor. I like his book on ERM, which you can find on Amazon. In a new piece, [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>John Fraser is a highly-respected Canadian risk and audit practitioner. He introduced and then for 13 years led the risk management program at Hydro One. John shares his wisdom on effective risk management with both common sense and humor. I like his book on ERM, which you can <a href="http://www.amazon.com/Enterprise-Risk-Management-Practices-Executives/dp/0470499087/ref=sr_1_1?s=books&amp;ie=UTF8&amp;qid=1366817188&amp;sr=1-1&amp;keywords=john+fraser+risk+management">find on Amazon</a>.</p>
<p><a href="http://www.palgrave-journals.com/jdg/journal/vaop/ncurrent/pdf/jdg201312a.pdf">In a new piece</a>, John uses the scenario of a board chairman addressing the board to explain enterprise risk management. It is an easy read, useful for directors, executives, and practitioners.</p>
<p>I particularly like and agree with these comments:</p>
<ul>
<li>[The Chief Risk Officer (CRO)] will report directly to the chief executive ofﬁcer (CEO) and will champion and coordinate our approach to ERM. Accountabilities for managing risks will remain with line managers as before. The CRO role will provide ways to help us view risks from across our company and to better allocate our resources. The CRO will be a support function helping the management team with reporting to the board, and in coordinating risk activities across the organization</li>
<li>[Risk criteria] will help decision makers across the company understand how much risk is tolerable, what is intolerable and where further action is required. These criteria (often referred to as risk appetite, risk attitude or risk tolerance by some) will be updated by management and reviewed by the board at least annually</li>
<li>ERM will also involve better and more explicit integration of risk considerations into the strategy development, business planning and execution processes. Everything we do as a company should be done to treat and optimize the risks and uncertainties to achieving our long-term strategic plan</li>
<li>We expect that the use of ERM will make everyone’s job easier by leading to greater transparency and foresight into how we manage risks across the organization and this in turn will lead to us achieving our goals with even greater success in the future</li>
</ul>
<p>John is a big believer in risk workshops, which he used at all levels of the organization including with the board. I agree that they are essential and very valuable, but also believe that some decisions need to be made at speed – when there is little time to convene a workshop. My philosophy is that risk workshops should supplement but not replace a management that is trained and equipped to manage risk as part of everyday decision-making.</p>
<p>One interesting aspect of the risk management program at Hydro One was the edict by the CEO that capital would be allocated based on risk prioritization. Every request for capital had to identify the risk(s) being addressed. This worked well for them in their environment. I am not sure it would work as well in other business environments, but it remains a thought-provoking idea well worth careful consideration.</p>
<p>I welcome your consideration of John’s piece and my comments.</p>
]]></content:encoded>
			<wfw:commentRss>http://normanmarks.wordpress.com/2013/04/24/john-fraser-talks-sense-about-risk-management/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/58805329671ea59e63750c479dd33494?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">nmarks</media:title>
		</media:content>
	</item>
		<item>
		<title>Is serving on an audit committee a job to love or fear?</title>
		<link>http://normanmarks.wordpress.com/2013/04/18/is-serving-on-an-audit-committee-a-job-to-love-or-fear/</link>
		<comments>http://normanmarks.wordpress.com/2013/04/18/is-serving-on-an-audit-committee-a-job-to-love-or-fear/#comments</comments>
		<pubDate>Thu, 18 Apr 2013 21:36:53 +0000</pubDate>
		<dc:creator>Norman Marks</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[boards]]></category>
		<category><![CDATA[CFO]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[control environment]]></category>
		<category><![CDATA[corporate governance]]></category>
		<category><![CDATA[COSO]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[finance]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[IIA]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[ISACA]]></category>
		<category><![CDATA[IT general controls]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[ITGC]]></category>
		<category><![CDATA[key controls]]></category>
		<category><![CDATA[reputation risk]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk appetite]]></category>
		<category><![CDATA[risk tolerance]]></category>
		<category><![CDATA[Sarbanes-Oxley]]></category>
		<category><![CDATA[SOX]]></category>
		<category><![CDATA[strategy]]></category>

		<guid isPermaLink="false">http://normanmarks.wordpress.com/?p=1214</guid>
		<description><![CDATA[Lucy Marcus is recognized as a governance expert and has served as chair of audit committees for many years. In a piece for Reuters, she called serving on an audit committee “the toughest job you’ll ever love”. I recommend reading her post and listening to the video that shows her answering questions about the HP [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><a href="http://marcusventures.com/about">Lucy Marcus</a> is recognized as a governance expert and has served as chair of audit committees for many years. <a href="http://blogs.reuters.com/lucy-marcus/2012/11/28/audit-committee-member-the-toughest-job-youll-ever-love/">In a piece for Reuters</a>, she called serving on an audit committee “the toughest job you’ll ever love”. I recommend reading her post and listening to the video that shows her answering questions about the HP and Autonomy affair.</p>
<p>I have worked with audit committees for over 20 years, with many directors for whom I have admiration and great respect, and a few who contributed less than they should.</p>
<p>It is a tough job, and I have some pieces of advice for those willing to take it on:</p>
<ol>
<li>Ensure you make the time the job requires. Unfortunately, some fail to read their briefing packages until (at best) the day of the meeting or (at worst) during the meeting. If you cannot afford the time, it is time to leave.</li>
<li>Don’t treat it as something you do only when there are board meetings. Stay on top of issues and talk to members of management as often as it takes.</li>
<li>Don’t be afraid of asking questions and demanding answers. If management says “we will get back to you”, make sure they do.</li>
<li>Make sure you, as members, own the committee agenda. It is your committee and you should not permit management to dictate either the time, duration, or content of meetings.</li>
<li>Make sure management understands what you need and expect in terms of information: what, when, how, and in what manner it will be delivered – and also ensure you have sufficient detail to understand the issues and ask the right questions.</li>
<li>Make the time to get to know the key players, including not only top management such as the CEO and CFO, but also other critical sources of information such as the Corporate Controller, Treasurer, Head of Taxes, Chief Risk Officer, and the Chief Audit Executive. Spend time with them and their staff as necessary – and listen, listen, listen.</li>
<li>While it is important to build a relationship with the external audit partners and make sure you have confidence in their abilities, recognize that their level of insight into daily operations and risk-taking is limited. I had a CFO who told the board that “If you want to know what is really going on, ask the internal auditor”.</li>
<li>Ensure you understand the business, its strategies, financial information, risks, key personnel, etc. How can you govern effectively if you don’t?</li>
<li>Get to know the other directors and talk, without management present, about the issues and challenges.</li>
<li>While it is easy to bond with management, the job of the board and especially of the members of the audit committee is to provide oversight. Clothe yourself with an appropriate level of professional skepticism and ask questions until you are satisfied with the answers.</li>
</ol>
<p>I welcome your views, especially additional advice for audit committee members.</p>
]]></content:encoded>
			<wfw:commentRss>http://normanmarks.wordpress.com/2013/04/18/is-serving-on-an-audit-committee-a-job-to-love-or-fear/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/58805329671ea59e63750c479dd33494?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">nmarks</media:title>
		</media:content>
	</item>
		<item>
		<title>EY gets a “B-” for their IT audit guidance</title>
		<link>http://normanmarks.wordpress.com/2013/04/14/ey-gets-a-b-for-their-it-audit-guidance/</link>
		<comments>http://normanmarks.wordpress.com/2013/04/14/ey-gets-a-b-for-their-it-audit-guidance/#comments</comments>
		<pubDate>Mon, 15 Apr 2013 00:37:36 +0000</pubDate>
		<dc:creator>Norman Marks</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[analytics]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[automated controls]]></category>
		<category><![CDATA[BI]]></category>
		<category><![CDATA[boards]]></category>
		<category><![CDATA[business intelligence]]></category>
		<category><![CDATA[business resumption]]></category>
		<category><![CDATA[CFO]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[control environment]]></category>
		<category><![CDATA[corporate governance]]></category>
		<category><![CDATA[COSO]]></category>
		<category><![CDATA[crisis management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[ernst & young]]></category>
		<category><![CDATA[EY]]></category>
		<category><![CDATA[finance]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[IIA]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[ISACA]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[IT general controls]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[ITGC]]></category>
		<category><![CDATA[key controls]]></category>
		<category><![CDATA[reputation risk]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk appetite]]></category>
		<category><![CDATA[risk tolerance]]></category>
		<category><![CDATA[Sarbanes-Oxley]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[SOX]]></category>
		<category><![CDATA[strategy]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://normanmarks.wordpress.com/?p=1212</guid>
		<description><![CDATA[Recently, Ernst &#38; Young published advice for internal audit functions regarding their IT audit work. Ten key IT considerations for internal audit starts out in brilliant fashion by pointing to the need to: Identify and understand the “risks that matter” (an expression I have been using and advocating for some time) Invest in the risks [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>Recently, Ernst &amp; Young published advice for internal audit functions regarding their IT audit work. <a href="http://www.ey.com/GL/en/Services/Advisory/Ten-IT-considerations-for-internal-audit">Ten key IT considerations for internal audit</a> starts out in brilliant fashion by pointing to the need to:</p>
<ul>
<li>Identify and understand the “risks that matter” (an expression I have been using and advocating for some time)</li>
<li>Invest in the risks that are “mission critical” to the organization, and</li>
<li>Effectively assess risks across the business</li>
</ul>
<p>Three positive and excellent points towards a high review score!</p>
<p>But, then they falter:</p>
<ul>
<li>They focus on the weeds of IT audit, instead of making sure that internal audit as a whole is focused on the risks that matter, including those relating to technology. Guidance should not be aimed at the senior IT auditor, but at the chief audit executive (CAE) and the board</li>
<li>They talk about traditional so-called “IT risks”, such as information security, cloud, social media, and privacy, instead of upgrading their (and our) thinking by reflecting on risks to the business as a whole – the risks that matter and are mission critical to the organization – and how they are affected by failures to use and manage technology well</li>
<li>They suggest a separate IT risk assessment, rather than a fully integrated business risk assessment</li>
</ul>
<p>These days, as InformationWeek (March 18 issue) proclaims on its cover, it’s “Goodbye IT, Hello Digital Business”. When CEOs are looking to technology as the #1 way to reach customers, deliver new products and services, and grow the organization, internal auditors and the boards they serve should be thinking large: what are the mission critical organizational objectives and how might they be affected (positively or adversely) by the use or misuse of technology. Instead of, as EY suggests, talking about ‘availability’, talk about the potential that new mobile payment applications might be unavailable, resulting in customers moving to competitors.</p>
<p>EY missed some major issues as well:</p>
<ul>
<li>With technology being the #1 enabler for growth and strategy, the CIO needs to step up. He needs to change from being the janitor, responsible for maintaining the IT infrastructure, to the strategic visionary that helps guide the organization to new heights built on some of the latest technology. The CAE and the IT audit team need to be concerned with whether the full potential value is being obtained from technology – a major aspect of IT governance</li>
<li>With more code being written for mobile than any other platform, and more and more mission-critical functionality being delivered on (not just through) mobile devices, mobile app change management moves to be one of the greatest technology process risks</li>
</ul>
<p>This week, I will be speaking at the ISACA North America CACS Conference. My main message is that when 80% of business risks relate to technology (a situation which is not far away), the IT audit function will have to be mainstream – and resourced to address 80% of the audit plan.</p>
<p>It is time to rethink the whole idea of IT audit as a specialization. Maybe it should be mainstream and finance becomes the specialization!</p>
<p>I welcome your thoughts and comments.</p>
]]></content:encoded>
			<wfw:commentRss>http://normanmarks.wordpress.com/2013/04/14/ey-gets-a-b-for-their-it-audit-guidance/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/58805329671ea59e63750c479dd33494?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">nmarks</media:title>
		</media:content>
	</item>
		<item>
		<title>Boards should be concerned about their CEOs</title>
		<link>http://normanmarks.wordpress.com/2013/04/06/boards-should-be-concerned-about-their-ceos/</link>
		<comments>http://normanmarks.wordpress.com/2013/04/06/boards-should-be-concerned-about-their-ceos/#comments</comments>
		<pubDate>Sat, 06 Apr 2013 17:26:34 +0000</pubDate>
		<dc:creator>Norman Marks</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[boards]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[control environment]]></category>
		<category><![CDATA[corporate governance]]></category>
		<category><![CDATA[COSO]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[finance]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[IIA]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[ISACA]]></category>
		<category><![CDATA[reputation risk]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk appetite]]></category>
		<category><![CDATA[risk tolerance]]></category>
		<category><![CDATA[Sarbanes-Oxley]]></category>
		<category><![CDATA[SOX]]></category>
		<category><![CDATA[strategy]]></category>

		<guid isPermaLink="false">http://normanmarks.wordpress.com/?p=1210</guid>
		<description><![CDATA[A recent post on the Harvard Business Review site, What CEOs Really Think of Their Boards, makes interesting reading. While the author’s early message is that boards need to tone down their oversight and “not adopt an adversarial, ‘show me’ posture toward management and its plans”, I think the real lesson to be learned from [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>A recent post on the Harvard Business Review site, <a href="http://hbr.org/2013/04/what-ceos-really-think-of-their-boards/ar/5">What CEOs Really Think of Their Boards</a>, makes interesting reading.</p>
<p>While the author’s early message is that boards need to tone down their oversight and “not adopt an adversarial, ‘show me’ posture toward management and its plans”, I think the real lesson to be learned from hearing what CEOs have to say is that careful, skeptical oversight by the board is an absolute necessity more often than not!</p>
<p>But, before going further I should pay homage to some of the fine CEOs I have worked with, including Tom O’Malley (Tosco), C.S. Park (Maxtor), and John Schwarz (Business Objects). Each was a fine balance of vision, leadership, entrepreneurship, and integrity.</p>
<p>Boards should tune their skepticism to each situation. When an executive has built and earned their trust, they will dial it down. Yet, when a proven executive floats an ambitious idea, they should exercise their oversight responsibilities with care and diligence.</p>
<p>What was it that rang some alarm bells for me? First, let’s consider that the great majority of board members are former or active CEOs themselves, followed by CFOs and others highly experienced in executive leadership. Any criticism of these people for being overly cautious, when their backgrounds and experiences are similar to the CEOs delivering the criticism, does not ring true. In fact, when natural risk-takers become cautious, I have to believe they have good reason.</p>
<p>Some quotes:</p>
<ul>
<li>In theory, a board should serve as a check on a “cowboy CEO,” as one executive puts it. In reality, it can rein in boldness too tightly.</li>
<li>CEOs complain that boards often lack the intestinal fortitude for the level of risk taking that healthy growth requires. “Board members are supposed to bring long-term prudence to a company,” as one CEO says, but this often translates to protecting the status quo and suppressing the bold thinking about reinvention that enterprises need when strategic contexts shift.</li>
<li>CEOs are especially frustrated when directors’ risk aversion is driven by fears of bad press. They note that the rise in stakeholder and proxy-analyst pressures has made directors sensitive to any decision that might provoke a negative reaction from the media, proxy-advisory firms, institutional analysts, or activist investors.</li>
</ul>
<p>Later in the paper, the author covers some important, but well-known, points about feeding the board with relevant and timely information, diversity, constructive and open dialogue, and the need for mutual respect. On balance, this is an interesting and useful read.</p>
<p>I welcome your views and comments.</p>
]]></content:encoded>
			<wfw:commentRss>http://normanmarks.wordpress.com/2013/04/06/boards-should-be-concerned-about-their-ceos/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/58805329671ea59e63750c479dd33494?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">nmarks</media:title>
		</media:content>
	</item>
		<item>
		<title>The Barriers to Effective Risk Management</title>
		<link>http://normanmarks.wordpress.com/2013/03/31/the-barriers-to-effective-risk-management/</link>
		<comments>http://normanmarks.wordpress.com/2013/03/31/the-barriers-to-effective-risk-management/#comments</comments>
		<pubDate>Sun, 31 Mar 2013 22:02:33 +0000</pubDate>
		<dc:creator>Norman Marks</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[analytics]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[boards]]></category>
		<category><![CDATA[business intelligence]]></category>
		<category><![CDATA[CCM]]></category>
		<category><![CDATA[CFO]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[contingency planning]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[control environment]]></category>
		<category><![CDATA[corporate governance]]></category>
		<category><![CDATA[COSO]]></category>
		<category><![CDATA[crisis management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[finance]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[IIA]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[ISACA]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[reputation risk]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk appetite]]></category>
		<category><![CDATA[risk tolerance]]></category>
		<category><![CDATA[Sarbanes-Oxley]]></category>
		<category><![CDATA[SOX]]></category>
		<category><![CDATA[strategy]]></category>

		<guid isPermaLink="false">http://normanmarks.wordpress.com/?p=1208</guid>
		<description><![CDATA[Earlier this year, an interesting article on CFO.com considered the risk management practices at 10 major global banks. While they found that each of the banks considered risk management (or, ERM in the words of the author) a strategic priority and recognized that “risks of all kinds — not just credit, market, and liquidity risks — can threaten their [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>Earlier this year, <a href="http://www3.cfo.com/article/2013/1/risk-management_erm-cfo-cro-risk-management-rob-sloan">an interesting article on CFO.com</a> considered the risk management practices at 10 major global banks. While they found that each of the banks considered risk management (or, ERM in the words of the author) a strategic priority and recognized that “risks of all kinds — not just credit, market, and liquidity risks — <a href="http://www3.cfo.com/article/2013/1/risk-management_erm-rpm-mandel-bierc-risk-management-rims" target="_blank">can threaten their performance</a> and even their viability”, translating the intent into practice ran into several significant barriers:</p>
<ul>
<li><b>Operating in default mode</b>. By this, the author refers to the board deferring to the CEO, who in turn defers to the CRO (chief risk officer). While the author seems more concerned that the board is not actively involved, I am more concerned that risk management is left to the CRO rather than being seen as the responsibility of every manager at every level of the organization. The responsibility for managing performance should not be separated from the responsibility for managing risk, and this is exactly what is likely to happen when the CRO is seen as responsible for risk management</li>
<li><b>Ambiguous mandates and limited resources</b>. Budgets are allocated for operational activities, with no time left for holistic risk management. Again, my point is that operational activities must <b><span style="text-decoration:underline;">include</span></b> risk management</li>
<li><b>Risk is siloed in functional and business verticals</b>. The article expresses this well: “Below the level of CRO, risk officers oversee tightly defined areas of an organization’s risk — and lack the authority and credibility to influence the wider organization. In fact, the risk function itself is often a silo, largely devoted to setting and monitoring quantitative risk parameters and leaving holistic risks, such as reputational risk, to others”</li>
<li><b>There is no mechanism for addressing risk holistically</b>. This is a continuation of the prior point: nobody is considering the interrelationship and potential aggregation of risk across the organization</li>
</ul>
<p>As a result, says the author, risk management “remains fragmented and provides poor visibility of risks”.</p>
<p>I like the point that appointing a CRO is just consolidating the risk silo into one organization, still separated from operating management’s responsibility.</p>
<p>Although I differ from the author’s opinion that risk management should be driven from a board perspective down, I wholeheartedly support the article’s ideal:</p>
<blockquote><p>“Everyone comes to own enterprise risk individually. Over time, the institution creates — and continually refreshes — a culture in which it becomes second nature to strive for the ultimate goal of ERM: an enhanced capacity to increase stakeholder value by more effectively dealing with the risks and opportunities offered by uncertainty”</p></blockquote>
<p>My opinion is that while the article has detailed some important obstacles, the most important is that those who direct and manage the organization, including the risk officers, have not fully appreciated the true value of risk management. It lies in these two statements:</p>
<ol>
<li>Risk management informs and enables better decisions, not only at the board and executive levels but every day by operating management</li>
<li>Risk management helps you take the right risks</li>
</ol>
<p>I welcome your views.</p>
]]></content:encoded>
			<wfw:commentRss>http://normanmarks.wordpress.com/2013/03/31/the-barriers-to-effective-risk-management/feed/</wfw:commentRss>
		<slash:comments>17</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/58805329671ea59e63750c479dd33494?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">nmarks</media:title>
		</media:content>
	</item>
		<item>
		<title>Financial services firms confused about risk management</title>
		<link>http://normanmarks.wordpress.com/2013/03/27/financial-services-firms-confused-about-risk-management/</link>
		<comments>http://normanmarks.wordpress.com/2013/03/27/financial-services-firms-confused-about-risk-management/#comments</comments>
		<pubDate>Wed, 27 Mar 2013 17:48:56 +0000</pubDate>
		<dc:creator>Norman Marks</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[analytics]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[boards]]></category>
		<category><![CDATA[business intelligence]]></category>
		<category><![CDATA[CCM]]></category>
		<category><![CDATA[CFO]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[control environment]]></category>
		<category><![CDATA[corporate governance]]></category>
		<category><![CDATA[COSO]]></category>
		<category><![CDATA[crisis management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[finance]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[IIA]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[ISACA]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[reputation risk]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk appetite]]></category>
		<category><![CDATA[risk tolerance]]></category>
		<category><![CDATA[Sarbanes-Oxley]]></category>
		<category><![CDATA[SOX]]></category>
		<category><![CDATA[strategy]]></category>

		<guid isPermaLink="false">http://normanmarks.wordpress.com/?p=1205</guid>
		<description><![CDATA[Last year, I heard a senior consultant from one of the large firms explain their approach to risk management. It focused on ‘risk and reward’ and why it is important to understand risk so you can balance it against the potential for reward. Her presentation was entirely about the positions her financial services clients might [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>Last year, I heard a senior consultant from one of the large firms explain their approach to risk management. It focused on ‘risk and reward’ and why it is important to understand risk so you can balance it against the potential for reward. Her presentation was entirely about the positions her financial services clients might take in the financial marketplace, and how to determine which ones were desirable and within the firm’s ‘risk appetite’ and which were not.</p>
<p>Today, I was sent a link to the Law and Public Policy blog at Wharton and a piece <a href="http://knowledge.wharton.upenn.edu/article.cfm?articleid=2205">Re-thinking Risk Management: Why the Mindset Matters More Than the Model</a>. The authors try to extend the thinking about risk management in financial services organizations and make a few good points, including:</p>
<ul>
<li>Experts at Wharton and elsewhere argue that too much blame is being placed on the risk management model and other tools of the trade, in banking and beyond. The models are not necessarily broken, but instead are only as good as the decisions that get made based on them, they say. As a result, the current crisis may represent an opportunity for companies to re-visit and re-think historical approaches to risk management. When it comes to planning for the future, the new thinking goes, it is not just the model that matters, it is the mindset.</li>
<li>Risk taking remains what managing is all about, and not just in financial services but in every industry. Indeed, from an economic perspective, all firms fundamentally are in the business of taking risks based on their core capabilities.</li>
<li>Whatever industry you consider, it is always the same pattern. Things are getting faster, and therefore we need to make decisions faster, but based on information that we often don&#8217;t have.</li>
<li>The definition of &#8220;business intelligence&#8221; is expanding from a focus on operating performance to increasingly include monitoring risks, both inside and outside the organization.</li>
<li>&#8220;Strategy is making choices under conditions of uncertainty. And you cannot make the right strategic choices without understanding your industry and how much risk you need to take on.&#8221;</li>
<li>Risk management promises to become an even more central part of managing any business. In Danone&#8217;s case, for instance, risk considerations are now embedded at multiple stages during the course of business &#8212; at the strategic planning stage, the budgeting stage, etc. &#8212; and should be discussed more often during quarterly reviews and whenever there are major changes or new projects.</li>
</ul>
<p>The authors are on the right track, in my opinion, but still have a long way to go. They have recognized two major issues with ‘traditional’ risk management at financial institutions: (a) an over-reliance on models without adding a layer of common sense, and (b) risk management is about far more than just the potential for loss on financial instruments and positions. It’s about all the uncertainties in the path of the organization, both internal and external, and their potential effect on the ability of the organization to achieve its objectives.</p>
<p>Think of a driver traveling along the freeway. While navigating heavy traffic, he is on his iPad: reading the news, monitoring the market, and trading puts and calls. He is the ‘traditional’ risk manager, managing risk to his portfolio but blind to the risks around and inside his vehicle.</p>
<p>Where the Wharton piece fails, in my opinion, is implying that it is adequate to manage the non-financial risks once or twice a year. Consider this quote from an executive at Danone: &#8220;Top managers are convinced of the necessity to use enterprise risk management. We now have an effective working session with part of the executive committee twice a year. And we continue to rely on yearly updates of the risk maps of all major business units worldwide.&#8221;</p>
<p>Executives and boards of financial institutions should, in my opinion, understand that risk management is about making more intelligent decisions every day – not only with respect to the trades the driver should make on his iPad, but to avoid braking cars and navigate icy conditions on the freeway of business.</p>
]]></content:encoded>
			<wfw:commentRss>http://normanmarks.wordpress.com/2013/03/27/financial-services-firms-confused-about-risk-management/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/58805329671ea59e63750c479dd33494?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">nmarks</media:title>
		</media:content>
	</item>
		<item>
		<title>Deloitte Provides Advice on Risk Assessment</title>
		<link>http://normanmarks.wordpress.com/2013/03/20/deloitte-provides-advice-on-risk-assessment/</link>
		<comments>http://normanmarks.wordpress.com/2013/03/20/deloitte-provides-advice-on-risk-assessment/#comments</comments>
		<pubDate>Wed, 20 Mar 2013 15:48:11 +0000</pubDate>
		<dc:creator>Norman Marks</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[strategy]]></category>
		<category><![CDATA[finance]]></category>
		<category><![CDATA[COSO]]></category>
		<category><![CDATA[IIA]]></category>
		<category><![CDATA[continuous monitoring]]></category>
		<category><![CDATA[crisis management]]></category>
		<category><![CDATA[reputation risk]]></category>
		<category><![CDATA[ISACA]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[analytics]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[risk appetite]]></category>
		<category><![CDATA[risk tolerance]]></category>
		<category><![CDATA[control environment]]></category>
		<category><![CDATA[corporate governance]]></category>
		<category><![CDATA[boards]]></category>
		<category><![CDATA[Deloitte]]></category>

		<guid isPermaLink="false">http://normanmarks.wordpress.com/?p=1203</guid>
		<description><![CDATA[A new Risk Angles issue from Deloitte, Five questions on risk assessment, takes a few commonly asked questions about risk assessment and provides short answers to each. The two page document is an easy read and I recommend it for boards and executives, as well as practitioners. I particularly like these quotes: “Your risk assessment [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>A new <i>Risk Angles</i> issue from Deloitte, <a href="http://www.deloitte.com/view/en_US/us/Services/additional-services/governance-risk-compliance/risk-angles/e754010d6a26c310VgnVCM3000003456f70aRCRD.htm?id=us_email_grc_012413">Five questions on risk assessment</a>, takes a few commonly asked questions about risk assessment and provides short answers to each. The two page document is an easy read and I recommend it for boards and executives, as well as practitioners.</p>
<p>I particularly like these quotes:</p>
<ul>
<li>“Your risk assessment process should incorporate monitoring activities as dynamic as your business and the threats and opportunities it faces”</li>
<li>“Some organizations are developing near real-time monitoring capabilities for internal and external conditions using big data mining, text analytics, and data visualization techniques. These mission control centers can feed actionable information to decision makers and form the basis for a dynamic risk assessment process”</li>
<li>“An effective risk assessment may equip leaders with the information they need to take advantage of value-creating risks”</li>
<li>“Technology can make it easier to micro-target particular audiences and risk challenges, analyze large amounts of data from different parts of the business, and develop actionable intelligence. But technology is only as good as the underlying processes you have in place, and the people running them”</li>
<li>“Trying to define a single risk appetite for an organization is usually not practical. In reality, different organizations have different appetites for achieving certain types of objectives — or not achieving them at all”</li>
</ul>
<p>The piece is fine as far as it goes. I only wish it would ask and answer questions that would help ensure the risk assessment process is capable of addressing <span style="text-decoration:underline;">all</span> significant risks to the achievement of objectives. For example, few consider the uncertainty inherent in operating assumptions and the actions necessary to optimize potential outcomes. This is discussed in an earlier post of mine, <a href="https://normanmarks.wordpress.com/2013/02/26/why-i-worry-first-about-uncertainty-and-then-about-risk/">Why I worry first about Uncertainty and then about Risk</a>.</p>
<p>I welcome your comments.</p>
]]></content:encoded>
			<wfw:commentRss>http://normanmarks.wordpress.com/2013/03/20/deloitte-provides-advice-on-risk-assessment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://2.gravatar.com/avatar/58805329671ea59e63750c479dd33494?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">nmarks</media:title>
		</media:content>
	</item>
	</channel>
</rss>
