Talking about inherent and residual risk

July 13, 2018 1 comment

Dan Roberts recently shared some interesting thoughts on the topic of inherent and residual risk and their relationship with risk appetite.

Please click on the link above and come back here for a discussion.

Dan writes the piece for the internal auditor, but his comments are relevant for all of us.

I am going to quibble with his definitions of inherent and residual risk. I prefer to consider inherent risk as the level of risk should controls fail, and residual risk as the level of risk assuming that controls are working consistently as designed.

In practice, I prefer to talk about the latter as simply the level of risk. (Of course, I prefer not to use the “r” word at all!)

One useful byproduct of assessing both levels of risk is that the delta between the two represents the effect of internal controls. Hopefully, this is more than their cost!

I am not going to argue here about risk appetite and whether it is a practical and useful concept.

Instead, I suggest that we look at Dan’s underlying point.

We should be striving to take the right level of the right risks by making informed and intelligent decisions.

It’s less about the absolute level of risk and more about whether we are taking the level of risk that is right for the business, for the achievement of objectives. Dan refers to this as the “target” risk position[1].

We should not only be asking whether we are taking risk above desired levels, but also whether we are taking enough risk to succeed.

Are we unnecessarily risk averse? That can cripple an organization in many ways, including slowing agility and decision-making as well as failing to take advantage of opportunities.

In an ideal world (to borrow that phrase from Dan), every decision-maker knows:

  • The objectives of the enterprise
  • How his or her decisions and taking of risk will affect the achievement of those objectives
  • Whether he or she can make risk decisions themselves or needs to involve others
  • How to take the desired level of risk to achieve enterprise objectives

I agree with Dan that internal audit should provide assurance that management has the processes and capabilities in place to take the right level of risk – and that simply affirming the assessment of risk is insufficient.

I welcome your thoughts

[1] By the way, internal audit should question whether the target risk position and/or risk appetite statements are right for the business and the achievement of its objectives.


New information about cyber risk is alarming

July 5, 2018 4 comments

As a member of the Institute of Risk Management, I receive a copy of the excellent Enterprise Risk magazine. The Summer 2018 issue includes a summary of the results of the 2018 Sentinel One Global Ransomware Report. Here are some key excerpts:

  • Six in ten (56%) report that their organisation has suffered a ransomware attack in the last 12 months, compared to under half (48%) who said the same in 2016. Of those whose organisation has suffered a ransomware attack in the last 12 months, they have had to defend against five ransomware attacks during this period, on average.
  • Of those whose organisation has suffered a ransomware attack in the last 12 months, 69% say that the ransomware attacker was able to gain access to their organisation’s network by phishing via email or social media network. Around two in five report that access was gained by a drive-by-download caused by clicking on a compromised website (44%) and/or an infection via a computer that was part of a botnet (42%). The type of devices/systems most likely to be impacted by the ransomware attack(s) are desktop PCs (80%), servers (57%) and mobile devices (38%), while the types of data that are most likely to have been affected in the past 12 months were employee (45%), customer (38%) and product (37%) information.
  • According to around half of respondents whose organisation has suffered a ransomware attack in the last 12 months, the ransomware attack was successful because an employee was careless (51%) and/or anti-virus was in place but it did not stop the ransomware attack (45%). Almost all (94%) cite that there has been some impact on their organisation because of ransomware attacks in the past 12 months, with the greatest impacts being an increased spending on IT security (67%) and a change of IT security strategy, to focus on mitigation (44%). Furthermore, more than one in ten report that their organisation has received negative press/bad publicity (14%) and/or seen senior IT staff lose their jobs (14%).
  • Of those whose organisation has suffered a ransomware attack in the last 12 months, the average estimated business cost as a result of the ransomware attack(s) is £591,238. Furthermore, only around a third (34%) of respondents report that their organisation’s third party suppliers or partners were not affected by the attack, while 40% suffered downtime as a result.
  • When considering all the ransomware attacks that their organisation has experienced in the last 12 months, less than half (46%) of respondents say that their organisation did not pay a ransom because they decrypted the data themselves/had backups. In contrast, around one in five (19%) admit that their organisation paid the ransom demanded by the attacker every time.
  • According to respondents whose organisation/the organisation’s insurer has paid some or all of the ransom(s) demanded by ransomware attackers for an attack in the last 12 months, the total value of the ransoms paid in this period is £34,845, on average and the largest value that their organisation has ever paid is £34,514, on average.
  • Nearly six in ten (58%) report that even though their organisation paid the ransom, the extortionist tried to extort a second ransom after receiving the first payment and around four in ten (42%) say that the extortionist did not decrypt the affected files despite receiving the payment.
  • Over three in four (76%) respondents whose organisation has suffered a ransomware attack in the last 12 months have been able to determine the identity of the attacker(s) involved, with the most likely attacker being organised cyber-criminals (53%).

I find the frequency of attacks to be surprisingly high and the extent of damage surprisingly low. Since the attackers are encrypting the organization’s files and demanding a ransom for decryption, having a reliable back-up is critical: one that is kept isolated from the network the ransomware can reach, and whose restoration has actually been tested. But, even so, the cost to recover and restore is expensive and the process is disruptive.

Every organization should plan for a ransom attack and assess whether it is adequately prepared.


The second useful piece of information comes from Black Hat. In their 2018 report, Where Cybersecurity Stands, they say:

  • Now more than ever cybersecurity professionals are questioning the future of privacy and the safety of personal identity as a result of the recent Facebook investigation, development of GDPR and various data breach reports. Influenced by these factors, only 26% of respondents said they believe it will be possible for individuals to protect their online identity and privacy in the future – a frightening opinion as it comes from experts in the field, who in many cases are professionally tasked with protecting such data. They’ve also reconsidered their Facebook usage – with 55% advising internal users and customers to rethink the data they are sharing on the platform, and 75% confessing they are limiting their own use or avoiding it entirely.
  • IT security professionals have very little confidence in the federal government’s ability to understand and respond to critical cybersecurity issues. Only 13% of respondents said they believe that Congress and the White House understand cyber threats and will take steps for future defenses. Respondents also cite foreign affairs as an issue – 71% said that recent activity emanating from Russia, China, and North Korea has made U.S. enterprise data less secure.
  • 60% of security professionals expected a successful attack on U.S. critical infrastructure – that data point has risen almost 10% in 2018. Who do they think will likely be behind such an attack? More than 40% of those surveyed believe that the greatest threat is by a large nation-state such as Russia or China. The thought that such an attack will be successful, again, stems from the industry’s lack of confidence in the current administration – only 15% of respondents said they believe that U.S. government and private industry are adequately prepared to respond to a major breach of critical infrastructure.
  • Staying consistent over the past five years and across the U.S., Europe and Asia – nearly 60% believe they will have to respond to a major security breach in their own organization in the coming year; most still do not believe they have the staffing or budget to defend adequately against current and emerging threats.


I keep coming back to the same points in my writing and speaking:

  • Do you understand how a cyber breach would affect the achievement of your enterprise objectives? Assessing the ‘risk’ to an information asset simply is not enough IMHO to help those holding the budget strings know how much to invest in cyber security.
  • Is it realistic to expect your in-house staff to provide sufficient prevention and detection?
  • How long would it take you to detect a breach and know what damage is being done?

I welcome your thoughts.


The most important question is WHY

June 30, 2018 7 comments

My parents took my brother and me to a resort on the Adriatic Coast of Italy for our summer vacations several years in a row.

The young son of the hotel owner followed us around all the time.

While my father spoke Italian at an acceptable level, young Mario knew only a few words in English.

But he knew a very important one: “Why?”

If my mother said to go inside to change our clothes, he would ask “Why?”

If my father told us to get ready to leave in 15 minutes, Mario would ask why.

If I said I had played enough table tennis and wanted to go for a swim…….
All of us should use that word much more often than we do, and then pay close attention to the answer.


The board member should ask, “Why is this the best strategy?” The director should listen carefully to the answer and not accept “Because that was my judgment” or “It was recommended by the consultants”.

The director should also ask, “Why have you set performance targets here?” Sometimes, it’s not the answer itself that is the questioner’s goal: it’s assurance that the individual has a rational reason that reflects careful study, stands up to examination, and can be explained clearly.

Questions like these, when answered well, provide the board with confidence in management.

The board should ask several people, including the CEO (first), CRO (next), and the CAE, “Why do you believe management is addressing the risks that matter to our success, the things that might happen to affect the achievement of objectives?”

If the CEO or CFO presents a forecast for the next quarter and year, they should be asked “Why are these the numbers?” and “What confidence do you have in them?”


Similarly, the CRO should ask the executive “Why have you assessed this risk at this level?”


The CAE should ask “Why are you performing this control?” and “Why did you select this vendor?”


Too often, people do things without asking themselves why they are doing them. It may be because that is what they have always done, what somebody told them to do, or because they read about it in a book or standard.

If they don’t understand the “why”:

  • It may be the wrong thing to do
  • It may be unnecessary
  • They may be doing it wrong (including too often or not often enough)
  • They may be missing an opportunity to improve their practices


Just as we should ask others “Why”, we should ask ourselves “Why are we doing this?”

For example:

  • Why am I giving this report to the board?
  • Why am I including this in my report to management?
  • Why am I reviewing this work?
  • Why am I spending so much time documenting the work I am doing?
  • Why am I attending this meeting? Why is the meeting necessary at all?
  • Why am I accepting management’s proposal?
  • Why am I here?
  • Why am I doing this?


Do you ask this question often enough?

I welcome your comments.




Is there an ROI for investing in cyber or information security?

June 23, 2018 3 comments

Let’s start with a definition of ROI from Investopedia:

Return on Investment (ROI) is a performance measure, used to evaluate the efficiency of an investment or compare the efficiency of a number of different investments. ROI measures the amount of return on an investment, relative to the investment’s cost. To calculate ROI, the benefit (or return) of an investment is divided by the cost of the investment. The result is expressed as a percentage or a ratio.

The return on investment formula:

ROI = (Gain from Investment – Cost of Investment) / Cost of Investment

In the above formula, “Gain from Investment” refers to the proceeds obtained from the sale of the investment of interest. Because ROI is measured as a percentage, it can be easily compared with returns from other investments, allowing one to measure a variety of types of investments against one another.

Why should this apply to investments in cyber? (I will use ‘cyber’ to refer to all information security risks and measures.)

Any organization has limited resources (money, people, and executive/board time). One way to allocate those scarce resources is by calculating the ROI for each option. There are limitations, which I will discuss later.

How do we calculate the ROI of an investment in cyber (including risk assessment and the measures taken to address the risk)?

We could (and probably should) look at the investment in cyber overall, but for purposes of this post I prefer to discuss the cost of additional tools, services, and personnel to address a recently identified risk. (I’m going to use common language rather than get hung up on semantic discussions about which words to use per ISO.)

The cyber risk created by the acquisition of robots in the organization’s warehouse has been identified and assessed by the experts (CISO and CRO with the concurrence of the CIO) as high, more than they believe the organization should take. (I prefer “take risk” rather than “accept risk” as it is more true to real life and the decisions that we have to make.)

Because you have influenced how they assess risk, they have worked with business managers and based the risk assessment on how a breach would affect enterprise objectives. The business managers value the negative consequences of a breach at $10 million and the CISO says that the likelihood of that significant a breach due to vulnerabilities in the robot automation is currently 5%.

They have requested an investment of $250,000 per annum, saying that amount is necessary to bring the risk to acceptable levels. The CISO believes that would bring the likelihood of a significant breach ($10 million) down to 2%.

We would modify the ROI calculation so that it is based on the reduction in risk rather than the gain from the investment.

If we accept that the current risk should be valued at $10 million * 5% = $500,000 and the risk after the investment is in place at $10 million * 2% = $200,000, then the reduction is $10 million * 3%, or $300,000.

Against an annual cost of $250,000, that calculates as an ROI of ($300,000 – $250,000) / $250,000 = 20%.

That sounds like a great investment.

But, would spending an additional quarter of a million dollars be a good business decision?

A couple of questions:

  1. While the CRO and CISO say that the risk is outside acceptable levels, is it really?
  2. Would the likelihood of a significant breach really fall by 3 percentage points, from 5% to 2%? Or, is that simply the reduction in the risk from this particular vulnerability?

Taking each in turn, $10 million is a lot and would look bad in the newspapers. But if the organization has annual revenue of $4 billion and net earnings of $350 million, is a $10 million loss really significant to the business? I suggest that the enterprise could shrug off such a loss fairly easily. On the other hand, there might be serious follow-on consequences to an incident.

Top management and the board should have serious conversations that focus not only on acceptable losses, but also on what investors and regulators might consider a reasonable level of cyber defense, detection, and response. Any definition of ‘risk appetite’ should probably be based on the likelihood of a serious breach, rather than on the amount of loss.

Let me start the discussion of the second question with a story.

Some years ago, a partner and manager from PwC visited me. They suggested that my company acquire software from them that would address an information security exposure we had. I pointed out to them that the software would indeed be of value. It would close a small open window in our infrastructure. But, I informed them that it was not a good investment because not only did we have other windows open, but the lock on the front door was broken.

When you have multiple vulnerabilities, the possibility of a breach remains high until all (or close to all) of them have been closed down.

Recently, I was a speaker at TBI’s Big Event in Chicago. Bob Bigman, former CISO for the CIA, spoke and had an interesting spin on cyber.

He said:

  • Computers are not secure
  • IoT is even less secure
  • We should call it the internet of unsecure devices

Bob alarmed us all, explaining how easy it is to hack almost any organization. (The best counter-measure is to isolate your systems – but that is not always practical.)

So, would the $250,000 investment really reduce the risk of a breach with a significant effect on the achievement of enterprise objectives?

Is it just closing a small window?

I think we should stand back and consider the likelihood of a breach as a result of an incident taking advantage of any of our vulnerabilities with an impact valued at, say, $10 million (if that is the most you could sustain).

Is that likelihood acceptable? If not, what likelihood is acceptable? How much risk are you willing to take?

Given that, how can you get to an acceptable level?

How many windows would you have to close? Which ones, and at what cost?

Is there a better solution? In fact, what are all your options – including actions that have nothing to do with cyber such as removing your IP and putting it under your bed, or changing business strategies?
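To make the arithmetic above concrete, here is an added example (not code from the original post) that computes the post’s ROI figure, then re-runs it with the “broken front door” in the picture: the likelihood of a significant breach is taken as the aggregate over every known path in, not just the robots. The $10 million impact, the 5% to 2% likelihoods and the $250,000 annual cost are the post’s numbers; the other attack paths and their probabilities are constructed for illustration, and the assumption that paths are independent (and that “closing” a window takes its probability to zero) is mine.

```python
# Added example, not from the original post. The single-path figures are the
# post's; PATHS_BEFORE is a constructed attack-path picture used to show why
# closing one window may not move the aggregate likelihood much.

IMPACT = 10_000_000        # business value of a significant breach (post)
ANNUAL_COST = 250_000      # requested investment per annum (post)


def expected_loss(impact: float, likelihood: float) -> float:
    """Annualised expected loss: impact x probability of that impact."""
    return impact * likelihood


def risk_reduction_roi(impact, p_before, p_after, annual_cost):
    """ROI recast as the post does it: the 'gain' is the reduction in
    expected loss. Returns (reduction, roi)."""
    reduction = expected_loss(impact, p_before) - expected_loss(impact, p_after)
    return reduction, (reduction - annual_cost) / annual_cost


def breach_probability(path_probs):
    """P(at least one path is exploited) = 1 - P(none is), assuming the paths
    are independent (assumption). Correlated paths, e.g. one flat network or
    shared credentials, only make the true figure higher."""
    p_none = 1.0
    for p in path_probs.values():
        p_none *= 1.0 - p
    return 1.0 - p_none


def portfolio_roi(impact, paths_before, paths_after, annual_cost):
    """Same ROI, but likelihood is the aggregate over all known paths."""
    return risk_reduction_roi(impact,
                              breach_probability(paths_before),
                              breach_probability(paths_after),
                              annual_cost)


def windows_to_close(paths, target):
    """Greedy answer to 'how many windows would you have to close?': remove the
    riskiest remaining path (assumed to go to zero once closed) until the
    aggregate likelihood is at or below target. Returns the paths closed."""
    remaining = dict(paths)
    closed = []
    while remaining and breach_probability(remaining) > target:
        worst = max(remaining, key=remaining.get)
        closed.append(worst)
        del remaining[worst]
    return closed


# Constructed picture: the robots are one window; the perimeter is the front door.
PATHS_BEFORE = {"robot automation": 0.05,
                "unpatched perimeter": 0.30,
                "phishing": 0.10}
PATHS_AFTER = {**PATHS_BEFORE, "robot automation": 0.02}

if __name__ == "__main__":
    red, roi = risk_reduction_roi(IMPACT, 0.05, 0.02, ANNUAL_COST)
    print(f"single-path view: reduction ${red:,.0f}, ROI {roi:.0%}")
    red, roi = portfolio_roi(IMPACT, PATHS_BEFORE, PATHS_AFTER, ANNUAL_COST)
    print(f"all-paths view:   reduction ${red:,.0f}, ROI {roi:.0%}")
    print("to reach a 10% aggregate likelihood, close:",
          windows_to_close(PATHS_BEFORE, 0.10))
```

Run on the post’s own numbers the single-path view gives the $300,000 reduction and 20% ROI. With the constructed perimeter and phishing paths left open, the same $250,000 buys a reduction in aggregate likelihood of under two percentage points, the ROI turns negative, and the greedy search shows that reaching a 10% aggregate likelihood requires closing the perimeter and phishing paths; fixing the robots alone does not get there. That is the “small window versus broken front door” point in numbers.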

I remain unconvinced that the ROI on cyber is really as high as it may seem at first glance.

I am starting to think that at some point it is better to consider cyber risk as a “cost of doing business”.

If you can’t actually reduce the likelihood of a breach, can you at least increase the likelihood of prompt detection and response?

Can you get to where a prudent individual would say you have a reasonable level of investment in cyber?

What do you think?

The role of internal audit in risk management

June 16, 2018 3 comments

The IIA has a paper on this subject that is important for all of us. While they have considered updating it from time to time, I think it’s still pretty good. I especially like the guidance on what is acceptable and what is not. For example, it stresses that IA can facilitate a risk assessment, but it is management’s responsibility to identify, assess, evaluate, and respond to risk.

There’s another paper that merits our attention.

Written by thought leaders in risk management (friends of mine), The Future Role of Internal Audit in (Enterprise) Risk Management is a few years old now (published in 2012). But that doesn’t mean that much, if not most, of what it says is no longer valid.

But, thought leadership has moved on and it’s a good idea to revisit the thinking of even the best.

Here are their ten conclusions, with my comments on each:

1. Risk management concerns reducing the magnitude and likelihood of detrimental consequences while enhancing and making more likely the beneficial consequences that might arise from decisions.

Comment: I think risk management thought leadership has progressed further. It is now considered as enabling informed and intelligent decisions that help the organization to set and then execute on strategies. In other words, it enables decisions that lead to the achievement of enterprise objectives. It’s less about managing the risks (the consequences) and more about achieving objectives.

2. The focus of internal audit and other monitoring and review functions should be to provide assurance on the effectiveness of risk management and not just on the effectiveness of controls.

Comment: This is an important distinction. It is insufficient simply to say that internal controls are inadequate (or adequate), or even to say that there are high risk deficiencies. Internal audit needs to communicate their assessment of whether management is appropriately addressing the more significant risks to the achievement of (specific) objectives. But, see additional comments later.

3. Processes for the management of risk must be integrated into an organisation’s system of management to be effective.

Comment: Consideration of ‘what might happen’ should be integral to decision-making. See additional comments.

4. Internal Audit should no longer assess risks on behalf of the organisation. Their role is to assist decision-makers in arriving at the most appropriate treatment of risks and then the monitoring and review of risks and controls.

Comment: I have never believed that internal audit should be relied on to assess enterprise risks. I cannot understand why some say that internal audit should be expected to identify emerging risks. NO!! Those are management responsibilities. Internal audit’s role is assessing how management does them. Internal audit can assess whether management is ‘treating’ risks with adequate and effective controls.

5. Internal audit will obtain planning information for an audit (and for their annual audit plans) from the risk management process done by decision-makers who own and are accountable for the risks.

Comment: That should be both the current and future state. Management should have effective processes for identifying, assessing, and evaluating what might happen as an integral part of decision-making. Once internal audit has assessed those processes as reasonably effective, it should use them as input to its continuously updated (they should not be annual) audit planning activity.

6. ERM and the ISO 31000 risk management standard have evolved cooperatively and will be the basis for risk management in organizations.

Comment: ISO 31000:2018 is useful but not complete (in my opinion) as it barely touches decision-making. ERM needs to evolve into effective decision-making, aka effective management.

7. Effective risk management requires clear expressions of intent and mandate by the Board and top management.

Comment: Risk management is not a siloed activity. The board and top management should insist on informed and intelligent decision-making. That will drive everybody to quality consideration of ‘what might happen’.

8. Evolutionary modifications to the role and practice of internal audit will occur as part of continuous improvement of the framework for the management of risk.

Comment: Both need to continuously improve. Certainly, as risk management is transformed into informed and intelligent decision-making, internal audit needs to rethink its approach. See additional comments.

9. The maturity of risk management should be evaluated and reported on at least an annual basis.

Comment: Internal audit needs to provide its assessment to the board and top management of whether practices meet the needs of the organization, enabling informed and intelligent decisions. I cover this and the use of a maturity model in World-Class Risk Management. But, top management should first provide their formal assessment to the board.

10. Internal Audit has to update its roles and responsibilities to support continuous improvement of and implementation of more effective risk management.

Comment: Internal audit should provide assurance, advice, and insight to improve decision-making. It should remember not to penalize those working diligently to upgrade management’s processes, but instead encourage and be an evangelist for world-class practices.


Now for some additional comments.

Think about this.

If we are stressing that risk management is really all about effective, informed and intelligent decision-making, shouldn’t internal audit start focusing on the quality of decision-making processes?

I am not saying that internal audit should second-guess management’s decisions. I am saying that decisions are what lead to success or failure. So, shouldn’t internal audit assess whether management has reasonable processes to inform those decisions?

Internal audit can identify significant decisions, such as the setting of strategy, the pricing of products, or the hiring of key personnel. Understand how those decisions are made and by whom before assessing whether there is reasonable assurance that they will be informed and intelligent.

Controls come into this as we need them over the information used in decisions, and so on.

Risks come in as we should consider what might happen to prevent a successful decision, as well as what might happen under each option considered.

But the conclusion, what is being assessed, is at the heart of effective management and what provides reasonable assurance of the success of the enterprise: is there reasonable assurance that these critical decisions will be informed and intelligent?


Another thought: should internal audit address whether the board and top management have reasonable insights into what might happen in the next year or so (what risk frameworks refer to as changes in the internal and external contexts)? It is only by understanding what might happen that you can start to consider how it might affect the organization (what some refer to as risk identification).


So what is the future for internal audit and risk management – or effective management, for that matter?

I think IA should be thinking about how they can provide the board and top management with the assurance, advice, and insight necessary for success.

That goes beyond the static processes for risk management and controls.

It includes the dynamic activity of management, and the core of management is decision-making.


What do you think?

So what if the risk is high?

June 15, 2018 8 comments

Imagine you are the senior executive of a major organization.

You hold a meeting that includes the Chief Risk Officer (CRO), Chief Audit Executive (CAE), head of information security (CISO), CFO, Senior Vice President of Marketing (CMO), COO, CIO, and others.

You start the meeting with a question: “What should our priorities be in the coming year?”

Everybody starts talking at once. In fact, the decibels increase as they try to shout over each other. Eventually, you restore order and ask them to speak one at a time.

You point to each of them, in turn. This is how they answer.

The CISO is literally bouncing in his seat. Perhaps it’s because he doesn’t get to be heard by you very often.

CISO: “We need to put cyber risk at the top of our priority list. Our security is porous because we haven’t had the budget to hire the people I need to patch our vulnerabilities; we don’t have the tools to detect breaches; and, I can’t get the executive team to participate in our breach response planning and drills.”

You point to the CIO. He should understand what the CISO is saying. Will he agree?

CIO: “Well, cyber risk is a concern. That’s true. But I would not put it in the top ten when we have to replace our financial systems and upgrade our servers. The business is really suffering from very slow response time and our inability to deploy the latest data analytics. We need those analytics to keep up with our competitors.”

The COO chimes in. “I agree that we need to do something urgently about our IT systems. They won’t support the initiatives approved by the board, such as investments in the latest technology to support growth of our business and expansion into new markets.”

CMO: “Absolutely right. Our competitors have the tools and we don’t have the market insights they do. We need to catch up and quickly if we are not going to lose market share.”

COO: “Don’t forget we also need to allocate a major portion of our capital budget and operating expense for a new factory in Vietnam. We need to move manufacturing there quickly so we can remain price competitive. I understand the concern about cyber, but that is a possibility – and I think we can survive it – while failing to invest in the business is certain to cause us to fail.”

CFO: “Well, we can’t do everything. I am sensitive to the concerns raised by the board and some investor groups about cyber. But that may be a risk we have to take. We can’t spend as much as the CISO has asked for and still fund Vietnam, upgrade our business systems, and so on.”

You look to the CAE and CRO.

The CRO supports the CISO, distributing his latest risk heat map. Cyber is in the Red quadrant, marked as a High risk. “Cyber is a high risk, well above the risk appetite for IT assets that the board approved. But then so are other risks, such as customer satisfaction and market share.”

The CAE informs you that his team has audited the risk management activity and the heat map fairly presents the assessment of the management group of the more significant risks.


What would you do?

Can you afford to spend your entire capital budget and any increase in operating expenses on cyber? In fact, can you afford to treat all the “high” risks so that they drop below acceptable levels? How do you weigh addressing the defined risks against the opportunities from the Vietnam and analytics investments?

As you are considering the problem, the CFO speaks up again.

“Let’s analyze this to see whether there are any ‘stay-in-business’ needs. Then the rest can be judged based on ROI. As I see it, we need the Vietnam factory; without it, we will lose market share and that’s the end of our story. We can probably increase spending on IT infrastructure and analytics more slowly, but I want to see options from Marketing, IT, and the COO’s office first. As for cyber and the other so-called high risks, I want answers to these questions:

  1. If we do nothing, what is the worst that might happen? How likely is that?
  2. Is it likely (and how likely) that we will have problems that are less severe?
  3. How will those problems affect our key metrics of EPS, market share, customer satisfaction, and gross margin?
  4. What can be done about each of the high risks? How much will we need to spend and how much will that reduce the likelihood and magnitude of the risk?
  5. In fact, will we still face the same potential impact on our key metrics? What I mean is that will we be able to keep the risk down when threats continue to increase?
  6. Are there options for spending less?”


Protiviti just published a new piece on cyber.

As with almost every piece of guidance on risks and risk management, it tells us what we already know. Cyber is a risk that we need to understand and do something about.

But does it help us know what makes business sense to do?

Why does nobody (with few exceptions) tell you to assess risks in a way that helps leaders not only make decisions about risks but also decide whether it makes sense to take the risks because money is needed elsewhere?

In fact, most organizations cannot afford to reduce every single risk to what some practitioners would deem acceptable.

So how do we make the right business decisions?

I think it starts with providing actionable information about all the things that might happen, not in terms like High, Medium, or Low, but in business terms like ‘must do to survive’, ‘this will prevent our achieving our EPS targets’, and so on.


I welcome your thoughts.

New COSO ERM Guidance for ESG

June 9, 2018 2 comments

In February, COSO released a draft for comments: Applying enterprise risk management to environmental, social and governance-related risks (ESG). This time, PwC was not involved. Rather, COSO partnered with the World Business Council for Sustainable Development (WBCSD).

Here are the high-level comments I provided. The initial response to them was positive and constructive.

I would like to share a few generalized comments. But first let me commend you on tackling this topic. There is a lot of good material for consideration.

Please consider these points and questions:

  1. Risk management is not and should not be perceived as an annual activity. It’s an integral part of effective management, a continuous activity.
  2. It should be about enabling leaders and others across the organization to make informed and intelligent decisions, considering what might happen (aka risk).
  3. ESG is a group of various sources of risk to the organization. They should be evaluated, not in a silo based on a risk appetite for each source of risk, but together with other sources of risk to an enterprise objective. In other words, leaders should consider the aggregate level of risk, taking ESG and other sources of risk that could affect the achievement of an objective, when making decisions.
  4. Risk management is not about managing a list of risks (inventory, profile, or other term). Risks are changing all the time and you shouldn’t be limited to managing a list of risks.
  5. People need guidance on daily decision-making. Anybody can make a decision that has a potential ESG effect of significance. Do you think this guide helps with that?
  6. The potential effect or consequences of an event or situation are not a likelihood:effect point. They are a range of potential effects, each with a different likelihood.
  7. The board and top management need to know how ESG-related issues might affect the targets and metrics with which they measure success and the achievement of their objectives. Is this addressed, or are they asked to manage ESG risks separate from other governance activities?
  8. How does a board or top management decide how much scarce resource to allocate to address potential ESG issues rather than cyber or other issues, or profit opportunities? If this is not addressed in guidance, will it lead to appropriate actions by leaders?

I am open to discussing these points and any other questions you may have.

As I said at the beginning of my comments, there is good content in the draft. For example, I am encouraged that they talk about bias (specifically confirmation bias and a bias against allocating resources for ESG).

So I encourage everybody to read the draft and submit your own comments.


Moving on for a moment: I am concerned at the tendency of specialist groups to publish guidance that is focused on their area of interest and ends with an assessment of the risk as “high” or $250,000.

While each may say that their guidance can be part of an integrated, enterprise risk management approach, I am not sure that is true.

For example, when potential harms are assessed against “risk criteria” or “risk appetite” for harm to that specific area or asset, how do you determine where management and the board should allocate scarce capital and other resources?


I am in the process of writing a new book on technology-related risk. It involves reviewing guidance from NIST (SP 800-37) and ISO (27005). Both suggest that you identify “information assets”, value them based on several criteria, and then assess and evaluate risks to each asset based on their established risk acceptance criteria.

As you can imagine, I believe any and all ‘risks’ should be assessed based on how they (perhaps in conjunction with other ‘risks’) might affect the likelihood and extent of achieving enterprise objectives.


In my draft, I am including this hypothetical story:

The CEO and CFO are meeting with other business leaders to discuss the capital budget for the next year. They have decided that they can afford $50 million but the requests for capital amount to $100 million. They include:

  • The acquisition of a small company that will expand their product offerings, an expansion eagerly sought by their customers. It is expected to cost $20 million with projected annual increases (existing and acquired products) of $40 million in revenue and $8 million in profits. The ROI is attractive and confidence in the success of the venture is high. It is expected to be welcomed by analysts and lead to a healthy boost of the company’s stock price.
  • An investment in new technology that will reduce operating costs significantly and improve management’s ability to respond swiftly to market changes. The cost is estimated at $10 million with annual savings of $5 million.
  • The replacement of critical manufacturing equipment that is near the end of its useful life. Continuing without replacement increases not only maintenance costs but the likelihood of equipment failures that will disrupt manufacturing and delivery of products to customers. The cost of the equipment is $20 million. The cost of delaying the investment (including revenue and customer satisfaction risk) is estimated at $5-8 million per annum, increasing by 10% each year.
  • Continuing investments in new products. The next generation of products is eagerly anticipated by customers and stock analysts. While the investment will require $20 million in the next year, the overall return on the investment is very high (projected to be about 30%) and any delay could allow competitors to seize market share.
  • Information security technology that the CISO and CIO both assert is needed to reduce cyber risk from its current high to acceptable levels. However, the cost is significant (about $15 million) and all the CISO says is that the risk to critical information assets will be reduced by at least $10 million per annum. The CISO is unable to offer any assurance that the investment will prevent a breach of the company’s systems that results in a major loss to the organization.
  • Various smaller capital requests amounting to $15 million with an average projected ROI of 15%.

The CEO and CFO feel obliged to at least consider the cyber risk reduction investment, but the benefit is unclear and uncertain compared to the much more certain and significant benefit obtained from the other options.

They decide to make a modest, more of a token, investment in cyber. At the same time, they ask the CISO and CIO to find a way to help them weigh the benefit of investment in addressing technology-related risk (including cyber) against other opportunities.


The above illustrates why it is essential to provide leaders with actionable information. They need to be able to make decisions between addressing one risk vs another, going forward with a project given all the uncertainties related to its success, and so on.

Rating a ‘risk’ as High or valuing it at $250,000 is meaningless as far as I am concerned.

Explaining how it affects the achievement of objectives, in a way that the potential effect of multiple sources of risk can be considered together and compared to potential rewards, is starting to help.
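As an added illustration (not part of the original post), here is one way the CISO in the story could present the cyber request in the terms argued for above: a range of outcomes with likelihoods (point 6 of the COSO comments) translated into the effect on an EPS target, rather than a single “High” rating or a single dollar figure. All scenario probabilities, loss amounts and enterprise figures are constructed for illustration; only the $15 million cost of the investment comes from the story.

```python
"""Added example, not from the original post: express cyber risk as a range of
outcomes, then state it as the probability of missing an EPS target, with and
without the proposed $15M investment, so it can be weighed against other uses
of capital."""

# Constructed enterprise figures (hypothetical, not from the post).
BASELINE_PROFIT_M = 120.0   # expected profit before any cyber loss, $M
SHARES_M = 100.0            # shares outstanding, millions
EPS_TARGET = 1.10           # EPS target the board measures success against
INVESTMENT_COST_M = 15.0    # cost of the cyber investment, from the story

# Each scenario is (probability, annual loss in $M). Constructed for illustration:
# a range of effects, each with its own likelihood, instead of one point estimate.
WITHOUT_INVESTMENT = [(0.60, 0.0), (0.25, 5.0), (0.10, 30.0), (0.05, 80.0)]
WITH_INVESTMENT = [(0.80, 0.0), (0.15, 3.0), (0.04, 15.0), (0.01, 60.0)]


def _check(scenarios):
    """Reject a scenario set whose probabilities do not form a distribution."""
    if abs(sum(p for p, _ in scenarios) - 1.0) > 1e-9:
        raise ValueError("scenario probabilities must sum to 1")


def expected_loss(scenarios):
    """Probability-weighted annual loss, $M (the single number usually reported)."""
    _check(scenarios)
    return sum(p * loss for p, loss in scenarios)


def prob_missing_target(scenarios):
    """Probability that, after the cyber loss, EPS falls below the target.
    This is the 'effect on objectives' view the post asks for."""
    _check(scenarios)
    return sum(p for p, loss in scenarios
               if (BASELINE_PROFIT_M - loss) / SHARES_M < EPS_TARGET)


def compare():
    """Figures a CEO/CFO could weigh against the $15M cost and other requests."""
    return {
        "expected_loss_without_m": expected_loss(WITHOUT_INVESTMENT),
        "expected_loss_with_m": expected_loss(WITH_INVESTMENT),
        "expected_loss_reduction_m": expected_loss(WITHOUT_INVESTMENT)
                                     - expected_loss(WITH_INVESTMENT),
        "p_miss_eps_without": prob_missing_target(WITHOUT_INVESTMENT),
        "p_miss_eps_with": prob_missing_target(WITH_INVESTMENT),
        "investment_cost_m": INVESTMENT_COST_M,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.2f}")
```

Note that the expected-loss reduction alone (the CISO's “$10 million per annum” style of answer) hides the second line of the comparison: the change in the chance of missing the EPS target, which is what lets the board compare this request with the equipment replacement or the new-product investment on the same terms.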


I welcome your comments.