Scratching the surface on Facebook and its problems

June 14, 2019 1 comment

Richard Chambers, President and CEO of the IIA, has shared a short piece that scratches the surface (IMHO) when it comes to the issues faced by Facebook and similar organizations. I am talking about organizations that want either to use or sell data.

Facebook Data Exposure Offers Critical Lesson for Internal Auditors makes some good points, including:

  • From an internal audit perspective, Facebook’s woes offer a clear and compelling lesson: Data, once viewed solely as an asset to be leveraged, now must be viewed as a potential liability or risk, as well.
  • Mining and analyzing data is a fundamental step in strategic business decisions. It helps businesses and organizations build models based on historical information to predict future behavior. But poor data management and a failure to understand what it tells us is a risk.
  • Internal auditors must cultivate and maintain a keen understanding of how their organizations collect, manage, protect, use, and share data. They also must have a handle on past and current practices on data usage and storage.
  • CAEs should speak candidly to boards and executive management on the value of assurance.

It is tempting to focus exclusively on the down (or dark) side of the story. But as Richard says, the use and even commercialization of data is a huge opportunity as well.

I suggest that organizations and their internal audit teams seek assurance regarding:

  • Compliance with applicable laws and regulations in every location. Initiatives and resources should be allocated based on an understanding of relative risk to the organization and its objectives.
  • Compliance with the expectations of the community, governments, and (especially) customers. Again, prioritization of effort should be risk-based.
  • The safety of information, not only within the organization’s internal systems but also when it is in the “cloud” or with a vendor/customer/partner.
  • Whether optimal benefit is being obtained from the data. Consider the internal use of available data to inform and drive business decisions as well as the opportunity to market information. With respect to the marketing of the information, consider the whole sales cycle and the need for assurance that buyers will comply not only with the terms of the contract but with applicable laws, regulations, and societal expectations.
  • The integrity of the data: completeness, accuracy, currency, and timeliness.
  • The validity of the strategic model for using and leveraging the data.

While the focus right now is on the dark side, many organizations can leverage their data far more than they do today.

Internal audit can point out opportunities as well as potential problems.

I welcome your thoughts.


CEOs are not idiots when it comes to risk management

June 11, 2019 12 comments

CEOs got to the pinnacle of their organization because they are anything but idiots.

Yet, if you consider the small number of organizations where risk management is considered as providing a strategic advantage (according to the latest study by the ERM Initiative that number is 20% of all organizations), one of these alternatives must be true:

  1. Even mature risk management doesn’t provide a strategic advantage. In fact, it is doubtful (as indicated in the report as the sentiment of most organizations) that the value of risk management exceeds its cost.
  2. People don’t know how to design a risk management program that delivers value in excess of its cost, to the point that it provides strategic advantage.
  3. CEOs are idiots.

I pick the prize behind door number two.

Here’s the problem.

If all you do is manage the downside, you are not helping manage the upside.

I have been saying for at least a decade that management needs to take risks to survive and thrive, and that means balancing the potential harms that may occur against the potential rewards.

Yet, time and again I keep seeing risk management portrayed as understanding, assessing, evaluating, and addressing potential harms.

That is not how you or anybody else who enjoys a modicum of success makes decisions.

The ERM Initiative talks about risk management being an effort to build a risk profile or list of “risk exposures”. Even this limited approach to risk management seems to have been achieved by a small percentage of organizations. Just 6% of the largest organizations report robust risk management processes and 28% say they are mature.

There’s a big difference between maintaining a list of potential exposures and an environment where everything of significance is considered when making decisions.

In other words, if organizations are to optimize results, they need to set aside managing risk (downside) and instead do what it takes to make informed and intelligent decisions.

For ten years, the ERM Initiative has been working with IBM to assess whether organizations have mature processes that deliver risk profiles.

Isn’t it time for them to assess how many organizations are able to make, with confidence, intelligent and informed decisions?


I welcome your thoughts.

Understanding the challenges in risk management

June 1, 2019 9 comments

My good friend, Michael Rasmussen, has written what I consider a special blog post on the topic of Challenges in Risk Management.

I congratulate him for this thoughtful piece and highly recommend that you read it carefully, challenging both your and his thinking.

I agree with much of what he says, but differ a little. Here are a few points I like:

  • The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.
  • Applying chaos theory to business is like the ‘butterfly effect’, in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue.
  • Organizations take risks all the time but fail to monitor and manage these risks effectively in an environment that demands agility. Too often risk management is seen as a compliance exercise and not truly integrated with the organization’s strategy, decision-making, and objectives.
  • Organizations need to understand how to monitor risk-taking, measure that the associated risks being taken are the right risks, and review whether the risks are managed effectively.
  • Risk management is often misunderstood, misapplied, and misinterpreted.
  • Risk management is about the risk of not achieving objectives, therefore making the ability to link and measure risk to strategic objectives critical; as is monitoring performance against those objectives. The outcome of this is improved decision-making, better return on investment across the business, improved profitability, and a better customer experience.
  • When an organization approaches risk in scattered silos that do not collaborate, there is little opportunity to be intelligent about risk.
  • Organizations are best served to take a federated approach to risk management that allows different projects, processes, and departments to have their own view of risk. This can then roll into enterprise and operational risk management and reporting that supports business objectives while being integrated with decision-making processes.

Here is where I differ, although the difference is perhaps subtle:

  • I prefer to talk about what might happen instead of the 4-letter word, risk. The 4-letter word has a negative connotation among executives, and it also (mis)leads people to a blinkered focus on potential harms.
  • Not only do events and situations have a cascading and domino effect, like a butterfly’s wings, but they have to be considered together with other possible events and situations (a.k.a. sources of risk) when making decisions. Don’t consider individual sources of risk in isolation (to paraphrase Michael’s quote) but consider the possibility of both a butterfly and a bat disturbing the air; the total displacement may move a flower while neither does it by itself. For example, this morning I met with a software vendor that is planning to add a sales representative in Texas. The executive needs to consider, as part of his hiring decision, multiple things that might happen. He has to consider the possibility that the new hire has a poor (or excellent) reputation with potential customers; an ability to deliver (or fail to deliver) on commitments, both to management and the customer; an inclination to stay with the company for an acceptable number of years (or leave after only a year, taking client relationships with him or her); the ability to make (or fail to make) sound decisions; and so on. Assessing each source of risk in isolation will not help the executive make a quality decision.

Quality decisions need to consider the big picture: all the things (within reason) that might happen and have a significant effect on the achievement of success. BTW, as I explain in Making Business Sense of Technology Risk (which is not only about technology risk), aggregating multiple sources of risk is not as simple as many assume.

  • Risk management is not limited to the possibility of failure. It is (in a world-class environment) about ensuring an acceptable likelihood of success (achievement or surpassing of objectives).
  • Rather than talking about effective risk management, we should be talking about effective management. How can you be an effective manager if you do not consider and take appropriate action with regard to what might happen?

I welcome your thoughts and comments.


Time (again and still) for the IIA Standards to be corrected

May 26, 2019 7 comments

This might get me in trouble with IIA leadership (again), but it is important if internal audit is to be promoted from the children’s table (providing assurance on mundane issues that don’t really matter to leaders of the organization) to the head table alongside those leaders.

The first part of this piece is on fraud, but it then considers the larger picture.


A read of the latest Position Paper from the Institute of Internal Auditors highlighted a set of problems for me. Fraud and Internal Audit: Assurance over Fraud Controls Fundamental to Success (2019) correctly quotes a couple of IIA Standards (1210.A2 and 2120.A2) but, in my opinion, provides faulty advice.

The paper gets this right:

  • Organizations should have robust internal control procedures to limit the risk of fraud, and internal audit’s role is to assess these controls. [Note: I will come back to the last part of the sentence.]
  • The organization should have a suitable fraud prevention and response plan in place allowing effective limitation and swift response to the identification of fraud and management of the situation. This should include digital data.
  • Internal auditors should not investigate fraud unless they have the specific experience and expertise required to do so.

But it is wrong, as I will explain in a moment, when it says:

  • The risk of fraud should be included in the audit plan and each audit assignment to evaluate the adequacy of anti-fraud controls.
  • The chief audit executive should consider how the risk of fraud is managed across the organization and assess the fraud risk exposure periodically.

There is much more content along these lines.

The IIA is currently a strong supporter of the so-called three lines of defense. In the paper, it (correctly) says that:

It is not internal audit’s direct responsibility to prevent fraud happening within the business. This is the responsibility of management as the first line of defense.

Not only is it management’s responsibility to have appropriate controls to deter, prevent, and detect fraud but it should also be responsible for assessing the risk of fraud.

In other words, internal audit should NOT be automatically held responsible for assessing the risk of fraud – just as it is not responsible for assessing the risks of credit default, an economic downturn, the failure of a new product, or the loss of key employees.

Risk assessment when it comes to fraud should, as it is for all sources of risk to the objectives of the enterprise, be the responsibility of management.

Internal audit can assist management by facilitating a fraud risk assessment. Management should make the decision both on the level of risk and whether it is acceptable. Internal audit can provide their opinion and advice on both.

In an ideal world, management (perhaps through its risk function) will assess the risk of fraud. In that case, the CAE and team should obtain assurance that management’s risk assessment is adequate.

  • If it is adequate, and contrary to this guidance from the IIA, the CAE should place reliance on management’s assessment rather than duplicating it unnecessarily.
  • If it is not adequate, the CAE reports that to top management and the board and provides advice and insight to help management upgrade its risk assessment processes. Internal audit can then (as it does for all enterprise risks) perform its own assessment for the purpose of developing the audit plan.

I have yet to live in an ideal world. Except for when I was both CRO and CAE, there was no risk function and no enterprise risk assessment other than that my team performed. We completed a fraud risk assessment, but it was on behalf of management – consistent with the three lines of defense.

Once the fraud risk assessment has been completed, internal audit has to determine how to consider the risk of fraud in its audit planning.

Contrary to the IIA guidance, attention to fraud risk should not be automatic. Fraud does not have to be included in the audit plan or included in the scope of one or more audits. It should only be addressed when the level of risk justifies it.

If you prioritized all enterprise risks and fraud came in at #20 but you could only perform 15 audits, I would not expect you to include the risk of fraud in an audit. The exception would be when the board requests that you perform such an audit despite the relatively low level of risk (relative to other sources of risk).

I would also not expect you (except when directed by the audit committee) to automatically evaluate the anti-fraud controls in every business unit, as dictated by the IIA guidance. That leads you to auditing what might be a risk to the business unit but is not a risk to the enterprise as a whole.

Audit what happens at a business unit that is a source of risk to the enterprise as a whole.


That brings us to the continuing failure of the IIA Standards to promote an enterprise-level risk-based audit plan.

The Standards are right here, the Interpretation of Standard 2010 – Planning:

To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

But wrong here (note the repeated focus on the activity rather than the organization), in Standard 2201 – Planning Considerations:

In planning the engagement, internal auditors must consider:

  • The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance.
  • The significant risks to the activity’s objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
  • The adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model.
  • The opportunities for making significant improvements to the activity’s governance, risk management, and control processes.

This is also wrong, in Standard 2210 – Engagement Objectives:

2210.A1 – Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

Internal audit’s job is to provide the board and top management with assurance, advice, and insight on the achievement of enterprise objectives through the provision of controls over the more significant risks to those objectives.

Have a second look at Standard 2010. It talks, as it should, about the organization, not individual activities (i.e., business units and such) within the organization.

Standards 2201 and 2210 need to be changed.

Otherwise, auditors will continue to follow the traditional processes of:

  • Risk-prioritize the audit universe, a list of auditable entities and processes.
  • Build the audit plan to include activities within the entities that rise to the top.
  • Assess the risks to each activity as you define the scope of each audit of an entity.

This leads to providing assurance on what matters to middle management, the people running each individual entity.

It does not provide assurance on enterprise-level risks, what matters to the board and top management.

The better approach is to:

  • Prioritize a risk universe (and discard the audit universe as obsolete).
  • Identify which activities at which entities and in which processes are sources of enterprise-level risks. (For example, if the theft of intellectual property is an enterprise risk of significance, where are the activities and related controls that need to be audited to provide assurance on the enterprise risk?)
  • Build the audit plan with an appropriate combination of entity-level (e.g., corporate) and business unit/process level to provide the assurance, advice, and insight management needs.

I talk about this extensively in Auditing that matters, my seminal book on internal auditing. For example, I discuss the enterprise-level risks of significance to each of my former companies and how they were different from the traditional areas of internal audit attention – but led to internal audit being even more than the trusted advisor suggested by Richard Chambers. I also talk about how to staff the internal audit function to provide advice and insight that matters and how to communicate what matters when it matters to leaders.

I welcome your comments.

Decision-making and the practitioner

May 15, 2019 12 comments

McKinsey has shared three articles with insights into effective decision-making.

It is not surprising that McKinsey’s surveys of executives found widespread dissatisfaction with both the quality and speed of decision-making. Yet, in today’s world it is essential to make informed and intelligent decisions without unnecessary delay.

The articles are:

What may surprise you is that McKinsey doesn’t talk about either risk or the quality of information!

There’s a great opportunity for risk and audit practitioners.

If the success of your organization hinges on the quality of decision-making (and it does), then what are you doing to ensure it is as good as it can be?

Surely, effective decisions at the speed of the business (and of risk) require:

  • Insight that is reliable and timely on what might happen and how it might affect the achievement of objectives
  • Quality information on the current state
  • An understanding of the enterprise goals and objectives
  • Guidance on which risks should be taken and by whom (for example, desired rate of return; delegation of authorities; risk criteria; how to assess the net effect of what might happen, considering both the upside and downside; processes to include everybody who needs to be involved in the decision; and, how to overcome cognitive and other bias)

The risk practitioner should:

  • Help provide quality and timely information on what might happen, addressing all significant potential effects on objectives (both good and bad)
  • Make sure decision-makers know when there are issues with the quality of the information
  • Use their tools to help decision-makers evaluate and select from available options

The audit practitioner should:

  • Provide assurance on all of the above
  • Share their advice and insight on how to improve decision-making, both its quality and speed

What do you think?

New reports on the cost and incidence of cyber breaches

May 12, 2019 6 comments

We have two new reports to review and discuss today:

Here are a few highlights from the Verizon report:

  • 69% of the breaches were perpetrated by outsiders. To that you need to add 2% by partners and 5% by multiple partners. 34% involved internal actors.
  • 43% of the breaches involved small business victims, while 16% were of public sector entities, 15% in Healthcare, and 10% of financial industry organizations.
  • 23% involved nation-state or affiliated actors.
  • Only 71% were financially motivated while 25% were espionage.
  • 56% took months to discover.

Ponemon told us:

  • Information theft is the most expensive and fastest rising consequence of cybercrime—but data is not the only target. Core systems, such as industrial control systems, are being hacked in a powerful move to disrupt and destroy.
  • Cybercriminals are adapting their attack methods. They are using the human layer—the weakest link—as a path to attacks, through increased phishing and malicious insiders. Other techniques, such as those employed by nation-state attacks to target commercial businesses, are changing the nature of recovery, with insurance companies trying to classify cyberattacks as an “act of war” issue.
  • Cyberattackers have slowly shifted their attack patterns to exploit third- and fourth-party supply chain partner environments to gain entry to target systems—including industries with mature cybersecurity standards, frameworks, and regulations.
  • Almost 80 percent of organizations are introducing digitally fueled innovation faster than their ability to secure it against cyberattackers.
  • Organizations are seeing a steady rise in the number of security breaches—from 130 in 2017 to 145 this year.
  • The total cost of cybercrime for each company increased from US$11.7 million in 2017 to a new high of US$13.0 million—a rise of 12 percent. In the US, the average cost was $27.4 million.
  • Banking and Utilities industries continue to have the highest cost of cybercrime across our sample with an increase of 11 percent and 16 percent respectively. The Energy sector remained fairly flat over the year with a small increase of four percent, but the Health industry experienced a slight drop in cybercrime costs of eight percent.
  • Our clients tell us that one of the most difficult questions when assessing their investments in cybersecurity is: How much is enough?

But what does this mean for your business? How does it affect either strategic or tactical decisions?

Let’s consider that last point. How much is enough?

Unfortunately, neither report tells us how much organizations are currently spending on the cyber and information security budget, nor how they assess the likelihood of a significant breach that threatens the achievement of their objectives. So we cannot (even if we wanted to) rely on a benchmark of what others are doing.

I can’t find it now, but I recall a survey that said that the average cyber budget was around $12 million. That seems a little low to me, and Forbes reports that Bank of America and Chase each spend about $500 million.

But if organizations are experiencing damages from breaches of $13 million, on average, are they spending enough, the right amount, or too much?

How much would they suffer if they had not spent the $12 million (assuming that is correct)? How much could they reduce the level of risk should they spend another $12 million?

Again, how much is enough?

That is a business decision that needs to take into account the risk posed by cyber to business objectives, as well as the fact that any funds invested in cyber cannot be invested in other initiatives.

In Making Business Sense of Technology Risk, I point out that assessing cyber risk based on the potential out-of-pocket cost is hardly the best measure. Most organizations can accept the risk if the potential for out-of-pocket cost is $10 million or less.

But, as the surveys tell us, very often the hackers are trying to disrupt or even destroy the organization and the services or products it provides. If a cyber breach prevents an organization from achieving its goals, the damage is generally seen by leaders as greater than pure out-of-pocket costs. They would be willing to spend substantial sums to prevent such a result.

Certainly, saying that the risk is “high” is meaningless. How does that inform the decision of how much to spend?

Leaders need to know how much of their scarce resources to invest in cyber. Should they spend more, what is the return on any additional investment, and even if there is a positive return, is it better than they would obtain on other investments?

They need to know whether to invest $5 million in cyber or that same amount into new product development, a marketing initiative, the deployment of new technology, etc. They rarely have the funds to spend on every source of risk – so they have to make intelligent and informed decisions.

A breach can affect the organization in many ways, from trivial to devastating. There is a range of potential effects, each with its own likelihood.

I prefer to assess cyber-related risk based on how the likelihood of achieving enterprise objectives is affected. Cost is one factor and not necessarily the most significant one.

Answering the question of how much to invest requires considering the likelihood of achieving objectives given all sources of risk, not just cyber. For example, if a cyber breach might affect customer satisfaction and thereby revenue goals, so might product quality issues and other factors. Assessing cyber risk to objectives in isolation is missing the big picture.

Aggregating disparate sources of risk to a single objective is a challenge, as is comparing the risk from cyber to the risk from changes in the economy, or deciding whether it makes more business sense to invest in cyber than in marketing. That’s why I wrote the book – it’s too much to cover in a blog.

Other matters to consider include:

  • The range of possible adverse effects of a breach and their likelihoods (based on how it might affect the likelihood of achieving enterprise objectives not just the cost).
  • Is the level of risk, given the above, acceptable? Is there an acceptable likelihood of achieving objectives? Consider both the potential effects of cyber and how other sources of risk might affect the same objectives.
  • How will an investment in cyber change the level of risk (the range)?
  • What would it take to reduce the level of risk to acceptable levels? Is an investment in cyber the best way to reduce the overall level of risk?
  • Is the reduction in risk worth spending the money?
  • Are there better ways to spend the money?

This is not a technical issue. It’s a business one. Those responsible for IT and cyber need to work collaboratively with operating management to assess the potential harm to the business (not to information assets) and how the likelihood of achieving enterprise objectives might be affected.

Those making both strategic and tactical decisions regarding cyber need useful, actionable information. They need help figuring out how much to spend. I hope my book helps.

I welcome your comments.

How often should you assess risk?

May 3, 2019 25 comments

I recently listened to a new video by my friend, Alex Sidorenko. In How often [should] the risk assessments be performed, he makes some solid points, including:

  • Our environment is volatile and performing risk workshops that take days and result in a risk assessment on an annual basis is not very useful.
  • Even risk assessments that are more frequent, from quarterly to monthly or weekly, can also be out of date when risk is changing every day.
  • The consideration of risk should be integrated into every business process, and performed at the speed of those processes.
  • The consideration of risk should be part of every decision made every day across (my words) the extended enterprise.
  • The risk practitioner needs the tools to help decision-makers consider risk at speed, within minutes if possible.

The comment I left on his related LinkedIn post was that risk should be assessed at the combined speed of risk and of the business. Let me explain:

  • If your organization operates in a very stable environment, then changes may be few and slow to appear. Therefore, the need for considering and assessing what might happen (a far better term than the 4-letter ‘r’ word, risk) arises less frequently.
  • But if either the external or internal environment (context, in ISO language) changes frequently, or if significant decisions are made pretty much daily, then that look forward needs to happen at least as often and as fast as the decisions are being made.

Consider this.

You are running a booth, showcasing your products and services, at a trade show. If the traffic is slow, you can relax to a degree and watch for potential visitors or trade show staff as you drink your coffee. But, if there is a lot of traffic, you have to be on high alert, both for potential customers that you can engage and for trade show staff who might want to curtail your operations because your signage is not in compliance with their rules.

If there is a lot of traffic, you need not only to be watching continuously but you might need to bring in additional resources so you can either seize opportunities or respond to threats.


Unfortunately, Alex’s video doesn’t tell the entire story. (Sorry, Alex).

I encourage everybody to subscribe to and watch his videos because he has an aptitude for challenging traditional practices and making you think. This time, he has good points but there is much more to say on this topic.

  1. His video only focuses on potential harms. If a decision is to be informed and intelligent, it needs to be based on reliable information on both the opportunities and threats. Decision-makers need to be able to balance the ‘risk and reward’ scenarios under each option.
  2. There is value in a periodic assessment of all the potential events and situations that may happen and their potential effect on the achievement of objectives. Changes in one source of risk may mean that the total picture has changed. The change has moved the potential threat (or opportunity) past a tipping point such that the overall situation has become unacceptable.

Let me clarify the second point.

In Making Business Sense of Technology Risk (which I recommend for all practitioners, not just those involved with technology-related risk), I have extended my discussions in earlier books to address the point that you can’t afford to assess individual sources of risk separately.

Here’s an excerpt:

Malcolm Gladwell made the term ‘tipping point’ famous with his 2000 book, The Tipping Point: How Little Things Can Make a Big Difference, although the term has been in use for much longer.

The Merriam-Webster dictionary defines it as:

The critical point in a situation, process, or system beyond which a significant and often unstoppable effect or change takes place

It has a significant meaning, although rarely discussed, when it comes to risk management, specifically when there are multiple sources of risk. Adding one more source of risk, even if it is considered low and acceptable, can change a decision.


Imagine the board is considering the acquisition of CZY Inc. The discussion with the CEO and her team is drawing to a close.

They have reviewed the projected benefits of the acquisition, including the likelihood of each.

They have also reviewed all the risks identified by the executive management team, assisted by the CRO.

The lead independent director comments:

“It looks like a close call. There is a good chance that this will be a success and help us achieve our long-term strategies. But, there is no certainty.

“What have we not considered?

“I don’t see anything in here about information security. Would the acquisition increase the risk to our intellectual property or our customer information?”

The CEO turns to the CRO, who replies:

“We looked at cyber risk and how well information security is managed by CZY. While I don’t think it’s up to our standards, they are doing an acceptable job. We should be able to upgrade the combined network’s security to our standards within six months.”

The lead independent director is not pleased.

“I can appreciate that CZY’s cyber security risk may be low and generally acceptable; but when you consider our own cyber situation (which we decided earlier needs improvement), this may be ‘one risk too far’.”

The CEO looks around the table at the directors and summarizes what he sees them thinking.

“Before we considered the additional cyber risk from the acquisition, I was inclined to move forward with it. It was a close call. But, even though the additional risk is small, I am starting to think we should wait. Hopefully, we can address the risks and have another look at the acquisition in six months.”

The cyber risk has taken the total level of risk to and over the tipping point.


Now let’s consider an example in a more dynamic environment.

A customer has just called to say that they would like to delay their $500,000 order for your products by three months. The executive in charge of Sales is considering whether to try to hold the customer to their contract or allow the delay. He determines that if he allows the delay, then the results for the quarter will be affected, but that will be made up in the next quarter and the full year’s revenue and profits will remain as forecast. But, if he holds the customer to the contract, that might impact customer retention and the possibility of further large sales next year. An option is to offer a discount to the customer for proceeding on schedule, but he knows that senior management will be unwilling to accept the reduction in profits.

He decides to allow the customer to delay, but gains their agreement that they will open negotiations for a second major purchase next year.

The trouble is that the executive is not seeing the big picture.

The delay in executing the contract will also impact cash flow. The company has a major construction project that is consuming a large amount of funds. The $500,000 delay could create a major problem when considered together with other issues, such as an unexpected increase in payments for vital materials.

The Sales executive doesn’t know that cash flow is tight and a major source of risk to the completion of the construction project – and that project is essential to the achievement of the company’s longer-range plan.

If decision-makers like the Sales executive were able to ‘add’ changes in specific sources of risk to the big picture (one that takes each objective and assesses, after considering what might happen, the likelihood of their success), a different decision might have been made. Even if the same decision was made, additional actions would have been taken to address the increased cash flow risk.


What I am saying is that a change in one source of risk can take the aggregate so-called ‘level of risk’ over the tipping point.


A periodic review that provides leadership with a perspective on whether objectives are likely to be achieved has great value.

  • It can identify the need for strategic and, often, tactical decisions to address the situation – including changing strategies and plans.
  • It enables tactical decisions to be made with an understanding of the big picture and how a change in a single source of risk can affect the aggregate acceptability of the situation.


I welcome your views and comments.