The 2021 State of Enterprise Risk Management – a state of madness

May 7, 2021

The ERM Initiative at North Carolina State University’s Poole College of Management has published its 12th annual report on the state of ERM practices. Each year, I have reviewed their report.

I bring it to your attention because it is an important topic and their report usually has some useful data on the level of maturity and effectiveness of risk management practices.

It has consistently confirmed, each year, that traditional risk management practices are not seen as adding value to an organization’s success. It may possibly help them avoid some degree of harm, but it will not add much to the chances of success.

As you will see later, more than half of the larger companies, those with revenues of $1bn or more, believe they have ‘complete’ risk management processes. But only 3% of the CFO respondents say that ERM is giving them much strategic value.


Let’s stop the madness. Continuing what hasn’t worked in the past, traditional risk management based on a periodic review of a list of risks, is not the way to succeed.

Stop the Madness


Change to enabling informed and intelligent decision-making and reaching an acceptable level of certainty that you will achieve enterprise objectives. This requires considering all the things that might happen, both good and bad. Focusing only on avoiding failure will result in failure.

Change to a continuous activity, not one that pops its head up every so often. After all, running the business is a continuous activity!


This year’s report has more detail than I recall in prior years, so I am going to excerpt more than in the past.

However, please note that:

  1. The professors who lead the ERM Initiative and conduct this annual survey are COSO ERM adherents. That is neither necessarily good nor bad, just a fact.
  2. They are academics without, as far as I can tell, practitioner experience. That is, again, neither good nor bad as academics are perfectly capable of conducting a survey – if they can ask the right questions. More on that later.
  3. The survey is of CFOs and similar executives. That will bias the results to a certain degree. There is no assurance that CFOs understand what effective ERM is all about, and they obviously tend to be far more risk averse than operational management and CEOs. However, a survey of CFOs is probably better than a survey of practitioners who will usually not have a clear understanding of how their activity is valued by operating management.


The authors start well (emphasis added by me):

We have recently encountered a new wave of challenging economic, political, social, and technological issues that triggered an unimaginable range of risks that have impacted virtually all organizations. Business leaders and other key stakeholders are realizing the benefits of increased investment in how they proactively manage potentially emerging risks. This is done by strengthening their organizations’ processes surrounding the identification, assessment, management, and monitoring of those risks most likely to impact – both positively and negatively – the entity’s strategic success. They are recognizing the increasing complexities and real-time challenges of navigating emerging risks as they seek to achieve key strategic goals and objectives.

Many organizations have embraced the concept of enterprise risk management (ERM), which is designed to provide an organization’s board and senior leaders a top-down, strategic perspective of risks on the horizon so that those risks can be managed proactively to increase the likelihood the organization will achieve its core objectives.

Unfortunately, they follow the COSO ERM practice of recognizing that risk can be good, bad, or both (the latter is rarely understood) at the beginning of their paper and then focus exclusively on avoiding harm when it comes to detail and practical guidance. There is nothing in COSO ERM nor here about how to see the big picture and weigh all the things that might happen, both good and bad, to make an informed and intelligent decision.

While they recognize (I think for the first time it is said explicitly in their report) that the intent is to “increase the likelihood the organization will achieve its core objectives” (a principle I have been pushing for several years in my books and this blog), they have nothing more to say.


Their survey (please take note, Mark, Bonnie, and Bruce) does not ask these important questions:

  • Does your ERM program effectively identify, assess, and evaluate together all the things that might happen and affect the business, both good and bad?
  • Does your ERM program help leaders make informed and intelligent decisions?
  • Do you measure the likelihood of achieving core objectives, given all the things that might happen, and act when that likelihood is not acceptable?
  • Is your program continuous, helping decision-makers understand and respond to changing business conditions?

I wonder if anybody will ask these questions in a broad survey of business leaders.


The authors do a decent job of identifying that there are problems when it comes to understanding what might happen before establishing core objectives and related strategies (something missing from COSO ERM):

Organizations continue to struggle to integrate their risk management and strategic planning efforts.

Except for financial services organizations, most organizations are not emphasizing the consideration of risk exposures when management evaluates different possible strategic initiatives or when making capital allocations.

Most organizations do not formally articulate tolerances for risk taking as part of their strategic planning activities.


They also recognize that too many organizations manage risks for their own sake, rather than with respect to how they might affect (positively or negatively) the achievement of objectives.

There are opportunities to reposition an entity’s risk management process to ensure risk insights generated are focused on the most important strategic issues.


In prior years, I have used the ERM Initiative report to highlight the fact that traditional risk management practices are not seen as effective. That continues to be the case:

Overwhelmingly, most organizations do not perceive their risk management processes as providing important risk insights that management can use to create or enhance strategic value.

This question was asked of the CFOs: “To what extent do you believe the organization’s risk management process is a proprietary strategic tool that provides unique competitive advantage?” The answers were:

  • Extensively – 3%
  • Mostly – 9%
  • Somewhat – 22%
  • Minimally – 31%
  • Not at all – 35%

Yet, many CFOs claim to have complete ERM process and practices, even “mature or robust”:

In 2009, only 9% of organizations claimed to have complete ERM processes in place; however, in 2020 the percentage has increased to 35% for the full sample. [56% of companies with revenues greater than $1bn claim to have a “complete formal enterprise-wide risk management process in place. 35% of the full sample and 38% of larger companies claim a partial process is in place.] So, greater adoption of ERM has occurred.

While we observe an increasing percentage of entities that describe their risk oversight processes as “complete ERM processes,” that does not mean those ERM processes are mature. Interestingly, only 28% of full sample respondents describe their organizations’ approach to risk management as “mature” or “robust.”

This year, the report includes more detail that gives us a clue about what the authors believe makes a program “mature” or “robust”.

Percentage of respondents

| Description of the Current Stage of ERM Implementation | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Our process is systematic, robust, and repeatable with regular reporting of top risk exposures to the board. | 42% | 65% | 75% | 62% | 33% |
| Our process is mostly informal and unstructured, with ad hoc reporting of aggregate risk exposures to the board. | 26% | 21% | 17% | 16% | 26% |
| We mostly track risks by individual silos of risks, with minimal reporting of top risk exposures to the board. | 19% | 10% | 6% | 17% | 27% |
| There is no structured process for identifying and reporting top risk exposures to the board. | 13% | 4% | 1% | 5% | 14% |

As you can see, the survey is focused on whether a list of risks is periodically reviewed.

Let me stress this: the periodic review of a list of risks may be traditionally seen as effective risk management, but it most definitely is insufficient. Effective risk management helps an organization have an acceptable likelihood of achieving its core objectives by making informed and intelligent decisions! (Marks, 2021 and earlier)

Why is risk management in so many cases less than “complete and robust”?

It’s clearly because those holding the purse strings don’t see the value! The authors say:

The most common barrier in the full sample to advancing an organization’s risk management processes is a perception that there are other more important priorities for the organization, with 41% identifying this as a “barrier” or “significant barrier” to the organization’s implementation of ERM processes. Not-for-profits especially perceive that to be a significant barrier to ERM progress.

It’s a “barrier” because management does not see the value and wants to spend its time and money elsewhere. If only risk management focused on helping those same people make informed and intelligent decisions so they can maximize their bonuses!


The report also discusses the frequency of updating a risk inventory (about half only do it annually!), how many organizations have a CRO or equivalent, and the extent of management and board risk committees, and more.


I congratulate the ERM Initiative for their 12 years of running similar surveys. I plead with them to ask better questions to help everybody stop the madness and start a journey to effective risk management.


I welcome your thoughts.

Doing the same thing


An agile audit function needs an agile leader

May 4, 2021

My post on agile/Agile internal auditing has attracted a lot of attention, most in support but some have differing opinions.

I want to point you to the thoughts of three individuals.


The first is James Patterson. He is the author of Lean Auditing: Driving Added Value and Efficiency in Internal Audit (I was honored to write the foreword).

James was asked by one of the readers of my post to share his thoughts, which he did at Lean and Agile Auditing. I recommend reading the entire article, but I will excerpt his closing:

In summary, as I see it, lean & agile internal auditing (small a) is about professional auditing that:

I) Understands how internal audit adds value (e.g. via the kano[1] framework);

II) Is clear who internal audit is adding value to (and it should not just be the person who is being audited);

III) Delivers assignments with less waste (e.g. muda[2], rura[3] and muri[4]), on a timely basis,

IV) Delivers insights (e.g. through root cause analysis and benchmarking good practices)

V) Communicates with impact (e.g. killer facts)

.. All of which is set out clearly in an assignment methodology that will pass an IIA EQA[5]..

And above everything all techniques – lean, agile, continuous auditing, data analytics etc., etc. should be seen as simply tools and frameworks that support progressive internal auditing, and not be seen as an end in themselves. 


The second individual is Mark Williams. While he has not been an internal auditor himself, he coaches internal auditors on agility. He says:

Being agile is a means to an end. The end goal being a better auditor. As a coach and trainer I love helping people be the best they can, and I’ve seen that being agile-minded will help you be a better auditor (or leader in IA).

Mark leads a class on being an agile auditor (which he says is sold out for the next several months) and I like the diagram he uses to describe it:

Mark Williams Agile Auditor


He shared with me an article (one of several he is writing for Wolters Kluwer), Leading for agility: Key behaviors of an agile-minded internal audit leader. Here are a few excerpts:

  • Being more agile-minded will help you capitalize on the collective skill and capabilities of your department – and help you become a better leader.
  • To deal with unknowns and complexity, we need to be responsive to change and course correct. Agile-minded leaders make this real by building and incorporating rapid feedback loops. It’s more than regular engagement and collaboration; think of it as a repeatable loop.
  • Undertake rapid feedback loops with stakeholders (audit committee, senior management, risk function, etc.) on the department’s audit plan on a real-time or continuous basis (away from a monthly, quarterly, or annual frequency). Note: The frequency of these feedback loops is a healthy debate as we are in such a dynamic and volatile environment with many uncertainties and new risks emerging. Is what you’ve always done rapid enough for an ever-changing environment? Is a monthly or quarterly feedback loop responsive and rapid enough to highlight changes and challenges so they can be fed into your plans and audit delivery?
  • Conduct a rapid feedback loop with first and second-line management on a continuous or rolling monthly frequency (not on an ad hoc, quarterly, or annual basis).
  • Agile-minded leaders actively practice and promote servant and intent-based leadership:
    • Encouragement, support and development of your people
    • Enable, remove blockers, resolves conflict
    • Intellectual authority, foresight
    • Collaborates, shares, coaches
    • Listens, trusting, humble and self-aware
    • Sets intent rather than micro-manages
  • Being more agile-minded requires new behaviors and for people to think differently about what they work on and how they work on it.


While I prefer small, focused, and agile audits to those that are so long you need to sprint from one stage to another, I have a great deal of common ground with Mark.

I would add some additional points:

  • Understand what you want to accomplish before you start. For example, are you intending to do sufficient work to form and then express an opinion? What is the opinion on and how do you intend to share it?
  • What options do you have for accomplishing your goal? Which is the best? For example, is there technology that would help you do it faster and better? Who would be the best person to do the work?
  • Where is the value in the project? Is it in assurance, advice and insight, or both?
  • Can you do the work in a way that will challenge and excite the staff performing it? See this post from 2019: The Wonder and Joy of Internal Auditing.
  • How can you limit your own time on the project, so you are there when needed and not there when you are not?
  • How can you work with management so that they will want the project done and look forward to its results? How will you communicate with them and discuss (not simply report) what you are seeing so management can take prompt action?
  • What steps can be eliminated without harming the result? (In other words, eliminate any wasted motions or muda.)
  • How will you work with the management team and the audit committee so that they anticipate and welcome your agility?
  • Do you have the right people on your team, the best people, to perform agile auditing? Can they think? If not, what are you going to do about it?


The third person I want to refer you to is Hal Garyn, recognized by Richard Chambers as one of the top ten internal audit thought leaders of 2020. In Managing Internal Audit – It’s a Brave New World, he comments on how a CAE has had to adapt to a world shaped by COVID and working from home. But that is not the only driver of change he discusses. He says:

  • Some have gone so far as to hypothesize that the way we work has changed for good and how we deal with managing, motivating, evaluating, and interacting with the people we are responsible to lead altered permanently as a result. And that new way of working may not even be because of fully embracing a WFA (work from anywhere) practice, but certainly a more modified remote working reality into the foreseeable future.
  • If anyone is waiting around for a return to normal, or a new normal, they might have a long wait. What is certain seems to be that the prior state of how we approach our work and how we interact with each other in the workplace has changed forever. And, what we used to consider normal is no longer what will be the case either. Regardless, it will be new, and it will not feel normal. We, as a profession of internal auditors, have adapted to the current state and we will adapt to the new state of things. It will require a level of use of technology, nimbleness, flexibility, and interpersonal interaction that we have never deployed at any time in our careers. But all these changes were always on the horizon. It is just that factors conspired to accelerate those changes. We are ready, willing, and able.


We must not only be willing to change as our environment changes, but our leaders have to be flexible and agile as well.

Unfortunately, many who have been to my presentations tell me that the greatest obstacle to progress in the internal audit function is the CAE.


I welcome your thoughts.

[1] Kano is a prioritization framework.

[2] Anything the customer wouldn’t gladly pay for, including the waste of time (such as auditing areas that are not critical to the enterprise), excessive communication (such as sharing information they don’t need to know), or the waste of an opportunity (such as not demanding every auditor think for themselves).

[3] I think this is a typo and James meant Mura, which is a lack of uniformity or consistency. It relates to uneven supply of materials to a workstation, so I am not sure how it applies to internal auditing.

[4] Overburden, or asking somebody to do more than they can. One example I have seen is a CAE having her staff perform all the SOX testing in Q4, leading them to work 10–12 hour days, 6–7 days a week. None stayed with the firm.

[5] External quality assessment

Is agile auditing the latest fad or a really great practice?

April 30, 2021

I started talking about an agile internal audit practice many years ago. In fact, I still have the deck from a presentation I gave to my local IIA (San Jose) chapter in 2002 entitled “The New Age of Internal Audit”.

I said, for example:

  • The greatest risk is typically at the edge
    • …where things are happening
    • …where there is change
    • …where management’s tolerance for risk is highest
  • Put IA resources where the risk is
    • Provide Assurance
    • Add Value by helping Manage the Risk
  • Audit at the speed of the business (and at the speed of risk)
  • Risk is constantly changing
    • Continuous risk assessment
  • Confront the risk
    • …the core of the risk
    • …the politically risky risk
    • head on


The idea was that internal auditors need to be prepared to rise to the challenge of turbulent change (driven primarily by technology) and modify our traditional practices. Risk is greatest where there is change and we must be responsive to those changes, providing assurance on what matters most (where the risk to objectives is greatest) when it matters (not taking weeks to complete a full audit and not then taking additional weeks or longer to report the results). Continuous risk assessment and the agility to change our plans at speed are essential.


In 2014, I presented to IIA Malaysia on “The Agile Audit Department”. I quoted Richard Chambers:

“..executives face extraordinary headwinds spawned by a turbulent environment in which risks materialize virtually overnight. Just this year, global financial and business markets have been rocked by spectacular cybersecurity breaches, geopolitical instability in the Middle East and Eastern Europe, refugee crises, and more.”

Then I shared what Jack Welch, former CEO of GE, said:

“If the rate of change on the outside exceeds the rate of change on the inside, the end is in sight.”

My point was that if we are not prepared to change when everything around us is changing, we are doomed. Just because we have been successful in the past doesn’t mean that the same practices will make us successful today and tomorrow.

I shared a quote from “Creating an Agile Organization” by Peter Cheese, Yaarit Silverstone, and David Y. Smith:

“The new business environment will favor those companies able to execute strategy faster, with more flexibility and adaptability, and move their companies ahead briskly.”

Then I asked if we, internal auditors and CAEs especially, are agile.

  • Are we able to execute faster, with more flexibility and adaptability, and help move our companies ahead briskly?
  • Are we constantly adapting so we can audit what is important now and will be tomorrow, or are we continuing to audit what was the risk when we put the annual audit plan together?
  • Are we helping leaders manage the business at the speed of risk? Are we auditing at the speed of the business – and of risk?

I explained that the agile internal audit department has these attributes:

  1. Focuses on providing assurance that matters, on what matters, when it matters.
  2. Has moved from hindsight to foresight + insight.
  3. Performs nimble, focused audits.


Let’s fast forward to 2021.

AuditBoard reports:

Adopting agile principles into one’s audit practice is a trend sweeping across the internal audit world, yet many auditors are unsure where to get started. A recent AuditBoard poll of over 1,000 internal auditors found that 82% say agile auditing has the potential to add more value to their work compared to the traditional project approach — although 45% reported a lack of knowledge or resources as the most significant obstacle to adopting agile.

They also say, in a different article:

When we talk about how to improve the internal audit function as a value-add function rather than just a cost center in the business, we frequently hear “agile” and “relevant” tossed around as vague cure-all concepts. When you hear these words in connection with audit, what comes to mind?

Did you think of the word “relevant” as being “pertinent, applicable, appropriate, suited, fitting, important”? A relevant audit team is one that audits activities that align with business objectives and is an important department within the business. All valuable things!

Today, “agile” is a buzzword that too often just signifies “fast,” and our present use doesn’t encompass what the word truly means or the potential for improving audit. Agile actually means an action that is “nimble, limber, spirited, sharp, active, clever, acute.” Clearly, an internal audit department that encompasses these qualities will be better able to anticipate and respond effectively to changing business risk profiles than one that is simply “fast.”

This begs the question: Can audit be relevant without being agile? Probably not, and an audit department should try to be both. CAEs need to break out of their historical frame of reference to embrace agility in pursuit of relevance. If the internal audit department functions without both agility and relevance, audit may follow a prescribed routine, potentially missing emerging risks and delivering a suboptimal customer experience.

While those two excerpts are valid, I would not recommend following any of the actions the company goes on to recommend. For example, they have “internal audit as a rotation” as their #1 action – and I would not place that in my top twenty. The closest recommendation I would make is the inverse of theirs: hire people who have line operations experience, whether in finance, marketing, IT, engineering, or other function. The intent is not to make them better auditors when they return to their line position, but to ensure auditors understand and have a business perspective when they perform their work.


PwC UK tells us that agile auditing (their version) can lead to “a 20% time saving on regulatory audits” and “a 10% time saving on less standard audits”.

However, they are talking about audits that require, on average, 5 people. Planning alone, which requires the involvement of everybody on the team, is two weeks.

Many of the audits my team performed were just two or three weeks, from planning to reporting! I bet I could save more than 50% of the time spent on every audit compared to the PwC approach!


I prefer the way that my friend Sandy Pundmann of Deloitte describes agile internal audit in an article published by the Wall Street Journal.

Agile IA is a flexible methodology for adapting Agile to the specific needs of an internal audit function and its stakeholders. Originally a software-development methodology, Agile aims to reduce costs and time to delivery while improving quality. Specific characteristics of the Agile methodology include delivering tested products in short iterations and involving internal customers during each iteration to refine requirements.

Agile IA has many potential benefits, but implementing it calls for shifts in the function’s approach, such as that from rigidly planned activities to fast, iterative activities, and from following a preset plan to responding to emerging needs.


However, the urge to adhere to principles and practices that have proven to work in software development is a distraction.

Discard the idea of scrums, etc. (techniques in Agile) and focus on the goal:

Provide assurance on what matters, when it matters, and help the organization succeed.

I agree with AuditBoard that this requires an internal audit function that is “nimble, limber, spirited, sharp, active, clever, acute.”


How do you get there?

Here are my suggestions, proven in a couple of decades of world-class practice (and described more fully in my highly rated Auditing that Matters):

  1. Make sure that you are auditing the issues (both risks and opportunities) that matter to the success of the organization. What has to happen, or not happen, for enterprise objectives to be achieved? Can you add value by auditing the controls that ensure those things happen or not happen, or by providing related advice and insight?
  2. Leverage the organization’s ERM program (after auditing it for reliance purposes) but don’t be limited by it.
  3. Make sure you are not auditing issues that don’t matter! Eliminate from the scope of each audit any area where, should there be breakdowns, there would be minimal or no real impact on the achievement of the objectives of the enterprise. In other words, make sure you are auditing what matters to the enterprise rather than to local management.
  4. In fact, eliminate from the audit plan projects that don’t meet the criteria in #2.
  5. Only perform sufficient work to reach an opinion. Work doesn’t have to ‘expand to fill the time available’ (contrary to Parkinson’s law – a fine book, by the way). Once you have formed a professional opinion, STOP auditing and move to close!
  6. But if you run across an issue that would be significant but wasn’t in scope, consider adding it to the scope of the audit. Don’t get trapped by the belief that you are limited to what was initially planned.
  7. Similarly, if you find you need more time to address an important area, consider adding time to the audit or scaling back another, lesser issue. This is called ‘Stop and Go’ auditing.
  8. Make sure your team has the experience, imagination, flexibility, and confidence to retain focus on what’s important, even when the target might be moving. Hire the best people to do the right work, rather than doing the work your people are capable of.
  9. Don’t be an obstacle to an agile, nimble, focused audit. For example, allow your team to adjust without always having to go to you for permission.
  10. Ensure documentation, working papers and so on, are no more than necessary. We are not judged by the quality of our working papers, but by the assurance, advice, and insight we provide. Challenge yourself to find the value of every hour of documentation and stop documenting where there is no real value. How many times do you ever refer to the working papers from a prior audit?
  11. Target no more than 100 hours for any audit, with exceptions justified carefully. That will keep you focused. Don’t fall into the trap that awaits Agile users of scope creep, where local management and the audit team find other ‘stuff’ that is interesting and even valuable to local management. (Obviously, if you truly have multiple areas of great significance in a single location, and you can only visit once – and I question that – then you will need more than 100 hours. But make sure that you really need all that time to reach an opinion on each area of significance to the enterprise.)
  12. Encourage fast and nimble audits that are completed as soon as possible, as every hour that is saved is one that can be used on another audit. There are always more issues that merit our attention!
  13. Communicate, communicate, and then communicate again. Discuss issues with management as soon as they surface and work with them to effect valuable change, identifying agreed action items rather than trying to look good by writing reports with recommendations. Listen, listen, and then listen again as management has (or at least should have – if not, that’s another issue) a better understanding of the business, risks, and opportunities.
  14. Incent your team to use their professional judgment, always thinking about what they see and what it means. Encourage them to feel empowered. Hire people who can and are able to think.
  15. Remember at all times that our job is not to write reports or identify findings: it is to help the organization succeed at speed.
  16. It is not about us: it is about the company we work for. Enjoy and savor its success, as we are contributing to it.
  17. Be sufficiently agile to change and do so quickly and with no regrets.


By the way, if your audit projects need scrums and sprints, they are giant mammoths rather than agile beings.


Capital A Agile internal auditing is a fad and should be ignored.

But small A agile internal auditing is not just a great practice, it is essential.


I welcome your thoughts.

Should we abandon risk assessment, risk management, and risk appetite?

April 25, 2021

Many perform a periodic risk assessment and come up with what they consider to be the ‘level’ of a risk.

The traditional approach is to share that in a list of risks with management and perhaps the board to see whether it is acceptable (within some limit, threshold, or so-called risk appetite) and determine what to do about the risk: accept, manage, or mitigate.

Carol Williams describes this approach in an older article on her website, 4 risk response strategies you will have to consider after assessing risks. (I thank her for referencing one of my books in it.) Perhaps Carol will share with us whether she continues to believe these four risk responses, which are traditional and recommended in most frameworks and guides, remain appropriate. I suspect she has moved on.

The four traditional responses are:

  1. Avoid
  2. Reduce
  3. Transfer
  4. Accept

Her article recognizes the need for continuing monitoring to ensure that responses change should the risks and business conditions change.


More and more people are recognizing that managing or mitigating a list of risks is not effective, nor of much value beyond compliance: doing what is required by the regulators rather than what is needed by the business.


Let’s imagine that I am the new Minister of Defense and Q, the risk manager in the weapons development function, rushes into my office.

He tells me that we have a serious problem!

“We just updated our risk assessment and I found out that Troop A is going to deploy one of our latest night vision devices in the field for an operation 105 miles into hostile territory. We can’t afford the risk that our new technology falls into enemy hands! The risk appetite statement approved by the Defense Risk Committee prohibits it.”

Even though I am new in the position, I am very aware that the device is leading edge and could be used against us by terrorists if it fell into their hands.

I also know that the plan is to attach a gizmo so that the device can be destroyed remotely should it be lost or captured.

Q tells me that Troop A isn’t waiting for the gizmo, still in final trials, to be attached.

They are recklessly taking it out without that precaution!

I give him a cough drop and get him to calm down, then call in the head of Operations, M.


M tells me that she is very aware of Q’s concerns.

They were considered as part of their robust decision-making process.

Her team used scenario planning (see this article for a discussion of its value) to think through all the things that might happen under every reasonable option.

My response to Q’s risk assessment is to:

  1. Understand the context. I am not interested in ‘managing risk’ for its own sake. I am interested in making the right decision for our national security, considering both short and longer-term interests and goals.
  2. Understand what M is trying to achieve. After all, it is ‘risks to objectives’ that should be taken or managed.

She tells me that there is an opportunity, if a quick strike is made, to capture the top leader of a terrorist organization that has been responsible for the deaths of many of our people. The terrorists are also making it very difficult for the local government, a strategic ally, to function.

The strike would in addition capture important information about the terrorists’ plans, network, and capabilities.

This is in line with our overall strategic goals in fighting terrorism overseas and limiting their capability to attack us at home.

  3. Confirm that all the risks and opportunities were considered and assessed using a reliable process, enabling the decision-makers to see the big picture and weigh all the pros and cons.
  4. Have M explain what options were considered and why the team believed that the benefits of using the device outweigh the risks.
  5. Challenge her.
    • See if we should wait for the gizmo to be attached; what would we give up, in terms of value to our objectives, by waiting? How would the likelihood of capturing the terrorist be changed?
    • What would happen if we do not use the device? Would it increase other risks, such as the risk of loss of our personnel? Would it reduce the level of opportunity and the likelihood of mission success?
    • Ask whether the value could be further increased to justify taking the risk of losing the device, if it is a close decision. How could the mission be changed to increase the likelihood of capturing the leader without killing him, so we can interrogate him?
    • See if using more devices (!) and deploying a larger team would improve the equation. Perhaps it would increase some risks, such as loss of the device and/or personnel, but reduce others and perhaps increase the likelihood of achieving the mission goals.
    • Confirm that the decision was made using reliable, current information.
    • Verify that the right people were involved and that they were neither overly risk-averse nor overly risk-embracing. (Was 007 involved?)
    • Question whether the decision was unanimous; if not, who objected and why?
  6. Given that the risk seems to be high, decide whether I need to personally get involved to confirm M’s decisions – or even escalate it to the President, herself.


The potential responses to this or any other risk assessment are not the four traditional ones. To start with, you usually cannot transfer a risk, you can only share it.

Before deciding on ‘risk treatment’:

  1. Understand the context: the nature of the problem and what we are trying to achieve.
  2. Determine how long we have to make the decision – considering the prima facie level of the risk and/or opportunity.
  3. Involve others as needed, perhaps escalating to more senior management, to make the best decision.
  4. Obtain all necessary information (given time constraints).
  5. Determine whether, looking at the big picture, the situation and plans are acceptable.
  6. Understand the options, which may include modifying one or more risks, one or more opportunities.

Then, and only then, decide what to do. That may involve, for each individual or combination of risks and opportunities:

  1. Avoiding one or more risks – but with full knowledge of what you are giving up
  2. Taking one or more risks – with full awareness of the risk
  3. Reducing the range of impacts of one or more risks and/or their likelihoods
  4. Increasing the level of risk being taken!
  5. Increasing the level of opportunity.
  6. Sharing one or more risks, such as with insurance.
  7. Changing the objective(s)!!
  8. Changing the strategy!
  9. Deferring the decision and monitoring for change.

Rather than ‘assessing’ and ‘managing’ one risk at a time, you are managing for success.

Both risks and opportunities need to be ‘assessed’ in a way that lets the decision-maker see the big picture, weighing all the things that might happen.

Rather than making a decision based on the notion of a risk appetite, make it based on the likelihood of success. Is the likelihood of success acceptable, given both risks and opportunities?


This is what I consider ‘effective risk management’.

I can understand why people like Grant Purdy believe we should stop talking about risk management because the focus should be on decision-making. (That is my understanding of his position, although he and others talk about the fact that there is no common understanding of what risk and risk management actually mean.)

I believe we should focus on success management – which is possible only if we can make informed and intelligent decisions.

But the regulators insist that we have risk management, so I am not discarding the term.

Instead, we should make risk management work for us – as discussed here and in Risk Management for Success.


How would you tackle the situation with Q, M, and the rest?

How can and should we change risk management?

I welcome your thoughts.


PS: the way for internal audit to assess risk management is to determine whether it meets the current and future needs of the organization. Does it help leaders and those running the organization every day make the informed and intelligent decisions necessary for success? My book includes a maturity model that may help.

Cyber and SOX

April 19, 2021 7 comments

In addition to the training I lead on SOX, I also mentor a few individuals and their organizations. One called to tell me that their external auditor had insisted that they upgrade their SOX scope to include far more on cybersecurity.

He had previously attended my class and knew to push back, requiring the auditor to explain why this was necessary since the company’s assessment (agreed by the auditor in prior years) was that the risk of a material error or omission from a breach was less than reasonably possible.

The auditor said that it was a requirement from the PCAOB!

Now I was 99% certain this was incorrect, so I had the caller tell the auditor to show him where the PCAOB had made this requirement.

The auditor gave him a link to an announcement by the PCAOB that they were going to host a roundtable on cyber!

The company was able to persuade the auditor that nothing had changed. The risk assessment they had performed was adequate and no change in scope was required.


That is the key: you only need to include controls in scope to address the risk of a material error or omission in the filed financial statements.

While cyber is a serious risk to the business, it is unusual for it to be a significant risk to the integrity of the filed financial statements.

In the SOX context, ‘significant’ means that there is at least a reasonable possibility of a material misstatement.

In almost every case, business controls would detect such a misstatement – and hackers don’t usually try to change your financials!


But there is more to the issue of cyber and SOX.

That more is not well understood by a lot of people.

Take an article by Will Cryer of AuditBoard. Will may be a former IT auditor with EY, but his piece, What is SOX Cybersecurity Compliance, reflects an imperfect appreciation of the regulations.

Let’s start with his opening paragraph:

When most people think of the Sarbanes-Oxley (SOX) Act, they think of protecting investors from fraudulent financial reporting with accounting and finance controls. With the increasing role of technology today, the risks to financial reporting posed by cybersecurity threats are greater than ever. According to the latest FBI Internet Crime Report for 2020, $4.2B in losses were reported in 2020 (up from $1.4B in 2017). The latest Gartner Hot Spots report lists cyber vulnerabilities as one of the most critical risk areas for auditors to address.

  1. SOX §404 (the section of the Act dealing with the system of internal control over the integrity of the filed financial statements) is about more than fraud. If it was only about fraud, we could cut back the scope of the SOX program significantly. No, it is about filing financial statements free from material error of any kind.
  2. Even if there has been a massive loss, the financial statements are typically correct. They reflect that loss. Therefore, there is no SOX §404 issue.
  3. Where there is a significant risk of loss, that is an operational business rather than a §404 issue and certainly merits attention – but first you need to perform an objective risk assessment in coordination with business leaders to determine the level of risk and what actions are necessary to reduce it to acceptable levels.

The main point that merits our attention is when the article says:

SOX cybersecurity compliance generally refers to a public company implementing strong internal control processes over the IT infrastructure and applications that house the financial information that flows into its financial reports in order to enable them to make timely disclosures to the public if a breach were to occur.

The “timely disclosures to the public if a breach were to occur” are an issue under a separate section of SOX: §302.

The AuditBoard piece excerpts from an excellent publication by the staff of the SEC (notably, not the PCAOB) that they describe as “interpretive guidance”.

I strongly recommend reading their Commission Statement and Guidance on Public Company Cybersecurity Disclosures and leaving the rest of the AuditBoard piece behind us.

The SEC and its staff are concerned with the timeliness and quality of information provided to investors and others that rely on the reports filed with them. They say:

Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.

In this case, ‘material’ means that the information might influence the decisions of the reasonable investor. As the SEC says:

The Commission considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.

Note that this refers not only to the timely disclosure of breaches and their effects, but also of the presence of the risk of material incidents. The SEC guidance continues, later, with a section on Risk Factors. (By the way, at some point the SEC should explicitly require companies not only to disclose the presence of a risk, but to provide some indication of the potential magnitudes and likelihoods of incidents. This is generally not revealed in the Risk Factors section of a company’s filings.)

The SEC refers to the requirements of §302 of the Sarbanes-Oxley Act when it says:

Crucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.

Section 302 requires that the organization’s CEO and CFO certify, as part of the quarterly and annual reports, that they have adequate disclosure controls: the controls relied upon to ensure that all the required disclosures are made. Disclosure controls include but are not limited to the system of internal control over financial reporting (those required by §404).


Notably, the SEC also explains that they are concerned about directors and officers (and others, as explained in the guidance) trading in the company’s securities with knowledge of material breaches that have not been disclosed:

Additionally, directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company. Public companies should have policies and procedures in place to (1) guard against directors, officers, and other corporate insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident, and (2) help ensure that the company makes timely disclosure of any related material nonpublic information. In addition, we believe that companies are well served by considering the ramifications of directors, officers, and other corporate insiders trading in advance of disclosures regarding cyber incidents that prove to be material.


Cybersecurity is top-of-mind for many, but it needs to be understood before racing to fund it:

  1. The pressing issue is the potential business impact. There should be an objective risk assessment of how a breach could affect the business and the likelihood that it could be significant.
  2. The risk assessment should be made by the business and CIO/CISO in partnership, not just by the CISO.
  3. The level of risk should be evaluated and communicated in terms of the business impact, not in terms of the so-called ‘risk to information assets’.
  4. The level of risk is a range and not a point: a range of potential impacts, each with its own likelihood.
  5. There should be controls that provide reasonable assurance that breaches that have, singly or in combination, a material impact on operations are brought to the attention of top management and the board promptly, and then quickly disclosed to investors and other interested parties.
  6. There should also be controls that ensure that when there is at least a reasonable possibility of a material breach, that risk is communicated (in business terms) to top management and the board and then to investors, et al.
  7. Controls are required to ensure that trades are not made by insiders with material non-public information about material breaches or the potential for material breaches.
  8. When it comes to SOX and internal control over financial reporting, include in scope those controls that are relied upon to prevent or detect a material error or omission in the filed financial statements due to a breach or combination of breaches.


I am hopeful that this obsession with cyber by individuals and organizations (consultants and vendors, for the most part) that don’t understand it will fade in time.

What do you think?

Do not fire the risk manager!

April 15, 2021 3 comments

I recently read an interesting piece by Andrew Isbester. While he is currently the editor-at-large of Finews, he has about six years’ experience as a risk manager with Coutts and HSBC.

The underlying story is amazing; as Bloomberg tells us, Bill Hwang Had $20 Billion, Then Lost It All in Two Days:

Before he lost it all—all $20 billion—Bill Hwang was the greatest trader you’d never heard of.

Starting in 2013, he parlayed more than $200 million left over from his shuttered hedge fund into a mind-boggling fortune by betting on stocks. Had he folded his hand in early March and cashed in, Hwang, 57, would have stood out among the world’s billionaires. There are richer men and women, of course, but their money is mostly tied up in businesses, real estate, complex investments, sports teams, and artwork. Hwang’s $20 billion net worth was almost as liquid as a government stimulus check. And then, in two short days, it was gone.

The sudden implosion of Hwang’s Archegos Capital Management in late March is one of the most spectacular failures in modern financial history: No individual has lost so much money so quickly. At its peak, Hwang’s wealth briefly eclipsed $30 billion. It’s also a peculiar one. Unlike the Wall Street stars and Nobel laureates who ran Long-Term Capital Management, which famously blew up in 1998, Hwang was largely unknown outside a small circle: fellow churchgoers and former hedge fund colleagues, as well as a handful of bankers.

He became the biggest of whales—financial slang for someone with a dominant presence in the market—without ever breaking the surface. By design or by accident, Archegos never showed up in the regulatory filings that disclose major shareholders of public stocks. Hwang used swaps, a type of derivative that gives an investor exposure to the gains or losses in an underlying asset without owning it directly. This concealed both his identity and the size of his positions. Even the firms that financed his investments couldn’t see the big picture.

That’s why on Friday, March 26, when investors around the world learned that a company called Archegos had defaulted on loans used to build a staggering $100 billion portfolio, the first question was, “Who on earth is Bill Hwang?” Because he was using borrowed money and levering up his bets fivefold, Hwang’s collapse left a trail of destruction. Banks dumped his holdings, savaging stock prices. Credit Suisse Group AG, one of Hwang’s lenders, lost $4.7 billion; several top executives, including the head of investment banking, have been forced out. Nomura Holdings Inc. faces a loss of about $2 billion.

The Bloomberg article is an excellent read. Hwang’s operation apparently did nothing illegal. He just made huge, highly leveraged bets on stocks that went south.


Andrew’s latest article has a challenging title: What if Credit Suisse’s Problem Isn’t Risk Management?

But first, read his earlier post, Credit Suisse’s Massive Conflict of Interest. Here are some excerpts:

I am going to go out on a limb here – Credit Suisse’s mess for this week, Archegos Capital Management, does not look much like a failure in risk management at all. At least on the surface.

Although the losses are likely to be borne by the investment bank, I cannot imagine for a minute that its wealth management business did not have some form of individual banking relationship with Bill Hwang. And if it did not, you can be pretty certain that private bankers from that area of the bank were constantly trying to ingratiate themselves to him, his relatives, and others at Archegos – given it was essentially a family office.

You can have the tightest risk management governance and best control systems in the world, but that will not change the massive conflicts of interest inherent when you bank billionaires while performing complex capital market transactions for them.

Look at Credit Suisse’s risk management disclosure in its 2020 annual report. It has all the usual stuff that all the other large international banks have about three lines of defense, oversight and culture, including a neat organizational chart showing the main management bodies and committees.

There is nothing here that separates them from any other bank at first glance. There is one committee that does sound rather unique, however, and that is the Position and Client Risk (PCR) committee, which sits under the Capital Allocation and Risk Management Committee, or CARMC.

And say that the matter of Archegos was discussed at that committee, or another one of the risk committees, over the past few months. Can you imagine what it would be like for your average risk management specialist to be in attendance?

So there sits this rather hapless person, no matter how senior he or she is. Probably fully cognizant of the risks being taken and well-briefed but hesitant to say anything because, typically, under the three lines they are the second. That means they do not own the risk but are just responsible for policies and frameworks. I cannot tell you how many times I have heard risk management people say in the last decade or so that they do not own the risk – the business does. It gets really tiring for everyone, even the people saying it.

So, the meeting starts. You have one person facing up against the business, never more than one, as you want to emphasize how tightly your area manages costs. You always sit opposite more than one banker, at best three, ranging from senior to junior, probably one from the investment bank and another from wealth management or maybe a special function that combines both.

On their side, in their corner, invariably, is senior management, either as a chair or a member of the committee. And if the client is a billionaire, they are likely to have met him or her quite a few times before as well, probably over lunch or drinks. If they have, they usually let some comment slip about that.

Anything a risk management person says is effortlessly batted back by business and management. If you are on a tough committee, they usually do their utmost to make you feel foolish for even being there. And if the quorum is a simple majority, you are guaranteed to be outvoted anyway.

The only thing you can do is make sure that some well-formed comment or question is captured in the minutes accurately afterward, to make sure you can at least talk to the regulator with a shred of dignity at some point down the line.

Now, this is a management risk committee and not a committee of the board. I can certainly understand management ‘outvoting’ the CRO because they are focused on the opportunity and the CRO is seen as someone with a different agenda.

Andrew picks up the argument in his latest post. Here are more excerpts (with important sections highlighted):

After going out on a limb for risk management in the Archegos debacle last week, I am going to split hairs. I know it beggars belief and conventional wisdom, but I do not think the main problem is risk management.

Risk managers can set limits for counterparty credit exposure, the framework, approve the exposures, even comfort the trades, and send out the margin calls. Ultimately though it is up to the business to figure out what to do as they own the risk, and should bear the brunt of the responsibility.

Why was Credit Suisse slower than Goldman Sachs, Morgan Stanley, and Nomura in getting rid of the positions and exposures? That could not have been due to the risk managers as they are not usually shouting prices into phones or sitting on the backs of traders helping them to slam down the return key to execute trades.

Credit Suisse’s risk and compliance framework looks pretty much like all the other banks out there: three lines, the section on culture and governance, and even a position and client risk (PCR) committee that seems made for these situations. The Swiss bank has a framework that defines risk capacity, appetite, and profile, as everyone else does and which is usually agreed with the local regulator.

So why didn’t it protect Credit Suisse from the Archegos hit, and could it happen again? Most observers leapt to the conclusion that this responsibility should lie with risk management. But I would argue instead, after just throwing the business under the bus, that I might go ahead and throw them under the bus again.

Risk management, whether you are in financial crime, counterparty risk or the plainest vanilla credit risk job, depends on the business for regular, periodic detailed risk assessment of their activities. If these are not completed correctly or fully, boundlessly tiresome though they are, nothing will change because – in defense of that downtrodden and overwrought risk manager – they are not, as far as I know, telepathic.

I do not know what the risk assessment for the prime services or hedge fund business looked like, but I think we can safely assume it did not mention the possibility of a full fire-sale of the client’s positions in distressed markets that were also held by the bank on inventory for irrationally low prices, hours and even days after everyone else had sold. They would be too rational for that.

The main point in Andrew’s pieces is here, when he refers to the firing of the CRO:

Credit Suisse’s management changes seem to mean, at the highest executive level, it is more or less directly blaming the risk chief and the head of its investment bank. A cascade of changes at lower levels, including the head of equities trading, of prime service risk, and of credit risk at the investment bank demonstrates Credit Suisse puts the onus on risk management.

The tally of all the departures announced thus far is six in risk versus two in the business, while management – which owns the risk more than anyone else – only miss out on their bonuses (meaning they get out of this with their hair tousled). Anyone in the client relationship teams simply needs to keep their heads down and let it all pass.


Andrew is asserting that the bank was quick to fire the CRO and others on her team, and slow to fire the people who actually took the risk.

There is a great deal of merit to his argument.


First, I should state that neither Andrew (to my knowledge) nor I know what happened at Credit Suisse beyond what has been in the news (as excerpted above).


From what I can tell, the CRO was a high-flyer and the only reported connection is that she approved at least one sizeable loan to Hwang.

But that would have been in response to a request for her approval from operating management – the people taking the risk; the people closest to Hwang; the people who would have had a far better understanding of the level of risk.


I would agree with firing or at least disciplining the risk officers if:

  • They failed to perform or enable (using appropriate methods and tools) a reasonable assessment of the level of risk based on the available information when required by company policy. They should be trained if they didn’t recognize that the level of risk is a range, not a point.
  • They failed to properly inform the appropriate levels of operating management of the level of risk, especially if it was beyond defined acceptable levels.
  • They failed to escalate to more senior management, even the board, after operating management decided to take a risk beyond what was approved.
  • They were responsible for the firm’s inability to move quickly once the positions started going south.

In other words, I would fire or discipline them if a reasonable person would find them responsible for the losses.


But, even if they were inept, the major culprits remain the operating management team that took the risk of funding Hwang and then failed to see how the situation was changing so they could take prompt action.


The question then is whether all or any of this was a ‘failure of risk management’.

There is a huge difference between a failure of the risk management function to perform and a failure of the management of risk by the bank.


Once we know whether and how the CRO and her team failed, we can know the answer to one of those.


When the bank decided to fund Hwang, they knew there was a risk as well as an opportunity.

If everybody involved had done their job, they would have recognized that the level of risk was a range, including the low likelihood that they would lose the entire value of the loan.

The fact that Hwang cratered does not mean that the risk assessment was wrong – unless that possibility was entirely overlooked or was assessed as a far lower likelihood than it truly was.


There was a loss. But was there a failure to reasonably manage the risk? We don’t know.

The fact of a loss does not mean that there was a failure of risk management.

It certainly doesn’t mean that the risk function was at fault – in fact, nobody might have been at fault.

Losses happen when you take risks.


Who failed to perform? We don’t know.

But I would blame operating management before the risk function!

As Andrew says, operating management has better insights into the facts and the possibilities. The CRO relies on the information they share with her. If that information is incomplete, out-of-date, or otherwise unreliable, blame should first be placed at the feet of management. Only blame the CRO if she should have known.


Should the CRO of Credit Suisse have been fired? Maybe, and maybe not. But I join Andrew in questioning why she and five others on her team were fired and only two fired from management.


Your thoughts?

How long is an audit report?

April 11, 2021 10 comments

For many consumers of audit reports in the executive suite and boardroom, the answer is probably “too long!”

Audit reports may run to extraordinary lengths; recently, I talked to one organization where they could easily be over a hundred pages.

A hundred pages is clearly too long; nobody can rationally expect our stakeholders in top management and on the board to want to read that much.

When does an audit report ever contain 100 pages of valuable, actionable information?

So, is the answer ten or twenty pages? Is it two or three?

Let’s tackle the question a different way.


Audit reports are a communication vehicle.

The IIA Standards do not require that we write an audit report. Instead, they require that we communicate the results of our work to our stakeholders.


What should we communicate?


When you visit the dentist because you have a toothache, do you want even a three-page report?

You want to know:

(a) can he or she stop the pain?

(b) when will that be done?

(c) is there a serious problem? and

(d) what is this going to cost me?

You don’t want to be asked to read:

  • a recap of your dental history
  • the status of recommendations from your last visit
  • a report on the depth of your gums
  • and so on.


If you take your car for a routine service, you want to know:

(a) is everything all right?

(b) is there something that needs to be done today? and

(c) what is this going to cost me?

You don’t want to know the car’s history or the dates of the last service.


In both cases, you want to receive the information you need, concisely and clearly written, without wasting a minute of your time.


What about your executives and board members?

What information do they want to get from you?

They want to know:

  • Is there a problem that is serious enough to potentially affect the organization and the achievement of its objectives in a material way? Is there a problem I need to worry about at my level?
  • Are the right actions being taken?
  • Is there anything I need to do personally?
  • Is there anything I need to make sure others are doing?


So why do we include more?

Is it because we feel a need to justify our existence? I know of CAEs who insist that every audit report has at least one finding and recommendation.

Why oh why? If you have this need, this irrational compulsion, stop!

Is it because the report is a form of documentation, or because it is really being written for a regulator rather than the executive readers?

That is equally wrong.


Imagine this.

You enter the elevator at your company’s head office and are greeted by your CEO. She asks you about the audit your team recently performed of the Treasury function, saying that she is interested in the results.

Do you tell her about the background to the audit?

How about your scope and objectives?

Do you list all the medium and low issues?

Or do you just tell her whether there were major issues that merit her attention, whether management is taking the right corrective actions, and any other insights that would be of value to her?


So why do we put more than these essentials in a written audit report?

Why hide valuable, actionable information in a haystack of unnecessary detail?


The length of the audit report, if one is even needed (see my other posts and books), should be just enough to tell the consumers of the report what they need to know – and no more.


Ah, I can hear you saying that the report has to include all the findings so you can make sure management owns the issues and will take necessary corrective actions.

But do the executives and board members need to see that level of detail in the report?

Weren’t these all discussed and agreed upon at your closing meeting (and if not, why not)?

Send a note to those present at the meeting, confirming the discussion and the corrective action details (who will do what by when, etc.).


Keep what you send to the executives and the board limited to what they need to read and no more.

Make it easy for them to pick up your reports promptly, digest the actionable information, and take whatever actions are needed – now, when they are needed.


Make it easy and not hard for them to read, understand, and take any necessary actions.


If you don’t waste their time with trivia, when you have something to say they are far more likely to listen.


What say you?

Can we cut most audit reports back to half a page?

What is the state of ERM today?

April 6, 2021 5 comments

Is enterprise risk management effective and is it adding the value to the organization that it can and should?

I wish more people were working to address these questions.

Several organizations survey practitioners and share the results in an effort to inform us of the ‘state of enterprise risk management’. Some, like the people at the ERM Initiative at North Carolina State (see their 2020 report) are independent organizations (although they are linked to the AICPA and COSO). Others, such as software company AuditBoard, have an interest in promoting their products and this may affect how they ask questions and consider the results.

The AuditBoard report (available at has a bit of a bias, evident in its title: The State of Risk Management: A Tipping Point for Digitization.

This is how they start Part I of their report:

Today’s risk leaders are confronted with obstacles ranging from a volatile risk environment to the operational and technical challenges found in their own risk functions and organizations.

My view is different. I would say this:

Today’s risk leaders are confronted with a disconnect between what they are doing and what business leaders need to make the intelligent decisions, both strategic and tactical, necessary for success. These ‘risk leaders’ are given what they perceive as a lack of support and budget – because executives fail to see how risk functions are helping them achieve the objectives of the organization.

AuditBoard asked risk practitioners what they considered the greatest challenge in 2021. 67.48% said there was a “lack of awareness of the relationship between ERM program maturity and business success”. Now, I am sure that they see ERM program maturity differently than I (as described in my books, especially the maturity model in Risk Management for Success), but even so this illustrates my point: ERM as practiced at most organizations is not considered by leaders as helping them run the company for success. Therefore, they don’t give it all the support practitioners feel is necessary.

The authors continue with:

Though the risk landscape is constantly evolving, organizations are facing an exceptionally volatile risk environment this decade. Risks are more interconnected than ever due to concurrent global developments, including the pandemic, the rapid speed of disruptive innovation, cybersecurity threats, and the energy/climate crisis. Protiviti and NC State’s Top Risks for 2021 and 2030 Report, which included interviews with over 1,000 board members and executives across various industries, found an increase in risk leaders’ overall impression of the magnitude and severity of risks for 2021, relative to 2020 and 2019.

Clearly, they believe that effective organizations need to build and maintain a list of risks, which they then strive to manage or mitigate.

They fail to see the need to take the right risks.

They fail to see that leaders need to weigh both risks and opportunities and make the best business decision given both.

They fail to see that focusing on your feet and making sure you don’t trip on an open manhole will not get you to your destination on time. In fact, you will likely be rooted in place so that you don’t fall on your face or worse.

They fail to see that a focus on avoiding risk comes at the expense of seizing opportunities with full appreciation of the risks you are taking; in other words, making sensible business decisions.


AuditBoard sees a lack of investment in technology for risk management as a serious issue. While I understand their perspective, technology won’t help if you are doing the wrong thing. You might be able to do it more efficiently, but where’s the value in that?


Having said that, I don’t find great value in these surveys, except to confirm that ERM programs are not seen as helping organizations succeed. I want to suggest to academics, consultants, and software vendors that they ask about the state of risk management – and whether it is really adding value – in a different way:

First, as I pointed out in my last post, on internal audit, you need to ask the customer if you want to know the value of anything. Instead of asking the seller about quality, ask the buyer.

Board members, business managers, and executives should be asked these questions, with answers ranging from ‘a great deal’ to ‘not at all’:

  1. Is the risk management activity helping you with the information and insight you need to make the best business decisions?
  2. Are they helping you weigh the upsides and downsides so you can see the big picture and make informed and intelligent decisions, both tactical and strategic?
  3. Are they helping you set the best objectives and strategies for the organization?
  4. Are they helping you achieve your objectives and those of the enterprise?
  5. Are they delivering the value they can and should?
  6. Are they helping the organization stay in compliance with laws and regulations with minimal cost and disruption of the business?


A survey of the customers of risk management that gave us insight into these questions would be of far more value than any survey of practitioners assessing their own condition.

What do you think?

How do you measure the value of internal audit?

April 3, 2021 12 comments

This is the title of a recent article in the IIA’s Internal Auditor (Ia) magazine. (Membership is required to unlock the article.)

The authors are two lauded members of the profession that I have known for many years: Patricia Miller and Larry Rittenberg. Patti was a partner with Deloitte in my part of California and is a former chair of the IIA. Larry, a professor of accounting at the University of Wisconsin, has also been very active with the IIA; he is a former chair of COSO and chairs the audit committee of Woodward, Inc.

Any article by these individuals merits our attention, and they have a number of things to say with which I totally agree:

Internal audit is not the only profession that struggles with the value question. For example, in the medical field, value — or quality of care rendered — is certainly a goal. But quality of care is hard to objectively measure, so doctors often are evaluated by process measures, such as the number of patients treated in a day. Unfortunately, this may reduce the ability to achieve the value goal, as doctors motivated to see more patients may spend less time with each one, resulting in less ability to understand and deliver the quality of care required.

Similarly, CAEs who focus on process metrics such as completion of the approved audit plan may undermine their value delivery goal by focusing on finishing audits, rather than considering extending an audit to deliver better assurance or more focused recommendations. Or consider the risk of perfectly executing the wrong plan that delivers zero value, but results in a high metric. Clearly, completion of the audit plan does not measure value delivered.

They then ask, “what metric does or could [measure value delivered]?”

Patti and Larry are on the right track when they say (with my emphasis added):

  • Internal auditors must first understand what their stakeholders want and how they view value, and then measure against those wants and expectations. But the reality is that some stakeholders may not understand the breadth of capabilities a modern internal audit function has, or may even want a less aggressive function that doesn’t challenge the status quo. In such a situation, stakeholder expectations may be significantly lower than the role described in the Mission and Definition of internal auditing. The opposite is also possible, with stakeholder expectations far exceeding a reasonable performance level. And to make it even more challenging, expectations might vary for the board versus senior management. Audit research has shown that boards focus more on assurance while management primarily seeks new insights from internal audit.
  • Value is often in the eye of the beholder and not easily quantified.
  • Many CAEs presume they can measure value by asking clients if they have received value from audit work performed. The challenge is that client responses may be skewed by their emotional reaction to a recent audit. Or they may not have a reasonable or best-in-class expectation so their feedback may be based on flawed criteria. Finally, surveys may be asking the wrong questions by inquiring about audit processes rather than value received.
  • Organizations are changing at warp speed. To keep up, internal audit needs to be agile, responsive, and focused on value delivery — and the right metrics can reinforce the desired value-based behaviors. 


However, having said all of this they don’t (IMHO) provide the answers that will work well in practice.


They start the article with:

Today, value can only be delivered when internal audit innovates in who it hires, what it assesses, and how it executes and communicates; understands and aligns with organizational strategies; and has a laser focus on critical and emerging risk areas.

Innovation is not required to deliver value – unless you are talking about upgrading an ineffective and inefficient activity.

However, they are correct when they imply that internal audit needs to:

The key is in the second bullet item above (removing the qualifier, ‘often’): value is in the eye of the beholder and not easily quantified.


While there are ways to measure your capability to deliver value (such as some of the metrics discussed in the article – and I prefer the maturity model in my book), our customers are the ‘beholders’ we have to satisfy.

They assume (and we know what that word means) that it is vital to measure the value of internal audit. They talk about quantifying it.

But why is that necessary?


I prefer a business-oriented perspective: does the value provided by internal audit exceed its cost and is it the greatest value that can and should be delivered?


Ehab Saif has an interesting background: CAE, board member, and former external auditor (with Grant Thornton, EY, and Deloitte). He recently shared an interesting article on Internal Audit 360 (whose editor is Joe McCafferty). Ehab’s article is To Move Ahead, Internal Audit Should Get Back to Basics.

I like what he says (emphasis added):

  • With the increased focus on adding value and using more technology in internal audits, the lines have been blurred somewhat on the role internal audit should play in the organization.
  • …we can all agree that the primary responsibility of internal audit is to provide assurance on the effectiveness of the internal control system to the board of directors, audit committee, and executive management. It must also evaluate and suggest improvements to the risk management and governance systems in the organization. Furthermore, internal audit should provide advisory services that are targeted to enhance value creating activities.
  • There is a big gap between what internal auditors believe they are achieving and what they are actually achieving or how the governing body perceives that work.
  • According to the results of a Deloitte survey of audit committee chairs and members conducted last year, more than one-third of respondents said internal audit is not as impactful as it could be. 
  • providing comprehensive assurance requires telling a complete story to the stakeholders and not only one side. It is not acceptable or reasonable to communicate the exceptions or the negative side and ignore the internal control environment’s healthy or positive aspects. The same should happen in internal audit reports, where internal auditors need to tell a full story that describes the internal control environment, highlights the positive side in the implemented controls, and highlights the gaps or improvement areas in the internal control system. Internal auditors tend to highlight the negative side only and usually avoid any comments on the internal controls system using unacceptable justifications, such as we are not qualified to evaluate the positive side. In my opinion, the person who is tasked to highlight the negative side should be qualified by default to highlight the positive side as well.
  • Internal auditors should listen more often to their clients and understand their concerns. There is no harm in giving credit to the best performers and the process owners who consistently implement strong internal control measures and comply with them. Furthermore, internal audit reports should always focus on the key organizational objectives and provide explicit positive assurance on the internal control system’s effectiveness under review. 
  • …we can start talking about the role of the internal audit function in providing a “macro opinion” on the overall adequacy of governance, risk management, and control within the organization on an annual basis which is being increasingly required by the board, management, and other stakeholders.

I prefer what Ehab is saying to Patti and Larry’s comments.


Returning to my earlier point: does the value provided by internal audit exceed its cost and is it the greatest value that can and should be delivered?

How do we find out?

Value is in the eyes of the beholder, so what do they behold?

Ask questions like these:

  • Does internal audit provide you with the assurance, advice, and insight that you need?
  • Do you trust internal audit’s assessments?
  • Is internal audit focusing on what matters to you and to the success of the organization?
  • Has internal audit done work you didn’t think was valuable? What was that?
  • Has internal audit done work you wouldn’t pay for?
  • When internal audit makes suggestions, are they constructive, practical, and of value? Do they help you and the organization succeed?
  • Is it easy to understand internal audit’s communications? Do they work constructively with you, listening effectively, to achieve your shared goals for the organization?
  • Does internal audit have the people they need to deliver the greatest value to you and the organization that is possible?
  • Do you trust the leader and staff of internal audit?
  • Would you consider hiring them?
  • Would you prefer to cut, increase, or maintain internal audit’s budget at current levels?
  • How can internal audit help you and the organization more?


Is it necessary to quantify the value delivered by internal audit? I don’t think so. I think these questions are far more revealing (and trusted) than any number.


I welcome your thoughts.

Internal audit and discrimination or harassment risk

March 29, 2021 3 comments

An article in the New York State Society of CPA’s CPA Journal raises a very important and tough topic for internal auditors.

ICYMI | The Effect of Sexual Harassment on Internal Audit Risk Assessments: Are You Part of the Solution or Part of the Problem? is written by a couple of academics, one of whom has worked as an internal auditor. (BTW, ICYMI stands for ‘in case you missed it’.)

Sexual and other forms of harassment are a serious problem, especially when the great majority of cases go unreported and those that are reported often do not end well for the person reporting the harassment.

There can also be huge penalties for corporations. Just this week, NPR reported that:

The University of Southern California has agreed to pay more than $850 million to hundreds of women who were treated by a former campus gynecologist accused of sexual abuse.

The article covers only part of the ground, but it is still valuable reading. For example, it says:

  • According to a 2016 U.S. Equal Employment Opportunity Commission (EEOC) report… surveys of those who experienced sex-based harassment in the workplace tend to respond by avoiding the harasser (survey findings ranged from 33% to 75%); denying or downplaying the gravity of the situation (54%–73%); or attempting to ignore, forget, or endure the behavior (44%–70%). It appears that filing a formal complaint is a last resort.
  • Harassment can take the form of: sexual, gender identity–based, race or ethnicity, disability, age or national origin or religion, and intersectional. Examples of sexual harassment could include offensive jokes, slurs, name calling, physical assaults or threats, intimidation, ridicule or mockery, insults, offensive objects or pictures, and interference with work performance. According to the EEOC, prevention is the best tool to eliminate harassment in the workplace; this includes establishing an effective complaint or grievance system, providing anti-harassment training to managers and employees, and taking immediate and appropriate action when an employee complains.
  • …the nature of internal auditing typically brings an auditor into contact with staff throughout the company (at all levels, both management and nonmanagement). Therefore, the internal auditor is a familiar face who can provide a trusted independent objective voice in the review and evaluation of company governance, including compliance with laws and regulations.
  • Ideally, internal auditors should be prepared to identify and report suspicious behavior while working on every assignment. The nature of internal auditing brings an auditor into contact with a wide range of employees and their role places them in a unique position to spot the potential for sexual harassment and raise a red flag for human resources and the general counsel to follow up.

Unfortunately, the authors do not provide the advice (beyond that above) I believe is appropriate. The identification of the risks, how to identify and assess them, and the work internal auditors should perform is (IMHO) off target.

Before I share my advice, let me tell you about some of the experiences I had as a CAE.


Perhaps the first was when one of my auditors informed me that the office used by some of the factory staff had walls covered by calendars and pin-ups of scantily dressed ladies. She was not offended herself, she told me, and none of the female workers had complained: it was something they accepted in a male-dominated workplace. However, the auditor knew that it was a violation of company policy.

I advised her to have a quiet word with Human Resources and then the supervisor, make sure he realized that this was a violation, and ask him to have everything taken down. The (male) supervisor consented after a brief argument and he explained the company policy to the workers. I had my auditor return a few weeks later to check, and since everything was now ok we considered the issue closed. It was not mentioned in the audit report.

I didn’t see any need to escalate the issue to senior management since the response was prompt, appropriate, and lasting. There was no indication that this was a more pervasive situation.


A far more troubling incident happened a few years later. The company’s contingency planning coordinator, LeRoy, reported up to me (at the request of top management and with the approval of the audit committee) and we had a scheduled one-on-one.

LeRoy was late to the meeting. He explained that he had been listening to a complaint from a friend he had made at the refinery. She worked in operations and had come to him for a friendly ear. I was able to extract from him what his friend was complaining about: sexual harassment by her manager.

LeRoy listened sympathetically but did nothing more.

I told LeRoy that he needed to speak to his friend and ask her to contact Human Resources. He said she was reluctant to do so, fearing retaliation. But I insisted that he not only advise her to make an official complaint, but also tell her that he was also going to have to report the discussion to Human Resources himself. He was very reluctant indeed! He felt that the lady had come to him as a friend, in confidence, and had no idea that he would be obliged to report it. I explained that he was part of management and, especially as he was within the internal audit department, there was a clear obligation to report this formally to Human Resources.

LeRoy advised me later that day that he had told his friend to report the matter, which she said she would do, and had also met with Human Resources.

Some time later, I was in a meeting with the vice president for Human Resources. I asked him about the alleged harassment, and he got quite angry. He said that it was a fiction, cooked up by the employee because she was about to be counseled for poor performance. That counseling had now occurred, and he expected that she would be dismissed shortly.

I asked about the investigation into her complaint and who had performed it, given that he had himself been working with her manager on the performance review and counseling.

He replied that there would be no investigation; it was clear that this was retaliation by the employee.

I expressed my concern and that I believed every complaint should be objectively investigated. He repeated his position.

I decided that the best action was to discuss all of this with the head of the legal department. He got involved to make sure appropriate action was taken, including meeting with the employee himself and determining whether her complaint was justified.

The employee ended up resigning, but I believe she received a measure of compensation rather than a termination notice.


Obviously, as CAE I have had to determine which were the more significant risks to the organization that merited the attention of my team. Fortunately, there was only one time where I identified a signal that indicated a potential problem, the possibility of a serious level of risk related to discrimination or harassment.

That occurred at one of my companies that had offices in Singapore and China.

I was working to fill open positions in the team, with one in Penang, Malaysia and the other in Singapore. The Human Resources recruiter came to the office I was using and told me that I had too many female candidates on the interview schedule. Couldn’t I find any suitable males?

I was shocked and told her that I would hire the best candidate, regardless of gender. I had mostly females on the schedule because those were the qualified (based solely on experience) candidates that had been found by the recruiters. She huffed and left.

My next stop was to talk to the vice president of Human Resources for Asia. When I relayed to him what his employee had said, he told me that she had said that at his direction! He was very much opposed to filling key positions with ladies who would at some point have children and leave the company. I told him that his position was contrary to the policies and values of the (US-based) corporation; while it may be, as he said, totally legal and common practice in Singapore and other parts of Asia, it was not acceptable for an American corporation. He held to his position and I told him I would ask the corporate senior vice president for human resources to get involved.

The corporate officer would not direct the Singapore guy to change his position and practices. He said that he didn’t want to hold Singapore to American values, especially as preferring male employees was perfectly acceptable in ‘that part of the world’.

I was disappointed and later discussed it with the audit committee, but no action was taken. Fortunately for the company, this never leaked to the US press. Of course, I continued to hire the best individuals, regardless of gender, race, religion, and so on.


As I said, in all my years as CAE I rarely saw indicators of either widespread discrimination or harassment. Of course, there were several instances where allegations were made, investigated, and appropriate actions taken.

But I was only that one time “on notice” of a pervasive cultural issue. It never, in my assessment, rose to the level of a high ‘risk’ that merited an audit.

But if it had, I would definitely have taken a different approach than is suggested in the academics’ article.


For a start, it is important to recognize that this is a dangerous minefield. Harassment can occur at any level, but discrimination is quite likely to involve more senior management. In my experience, even senior officers often don’t realize where the line is between acceptable and unacceptable behavior.

I strongly believe that any audit activity relating to either discrimination or harassment should be guided by the organization’s legal function. This is because the results of any audit work could create a legal risk for the organization – if the results were made public or obtained by attorneys seeking to sue the business. Just imagine the reaction if it came to light that an audit had identified poor controls or even actual violation of societal norms and laws in these areas. Even if there is no written audit report, notes and working papers may be discoverable.

The legal function can provide instructions on how to perform the work in a way that will provide some measure of protection. In general, performing audit work at the direction of counsel such that it becomes attorney work product may be protected from ‘discovery’ (where the organization is required to disclose the report and even the working papers – and oblige the auditor to answer related questions). However, that protection is not 100% guaranteed and the CAE should listen carefully to the legal expert.

There are going to be some that will say that any investigation or audit should be performed by an independent third party, possibly a law firm. However, strong consideration should be given to using internal auditors who understand the company and its people and, hopefully, are both trusted and respected. The auditors can either perform the work or partner with an outside firm.


The next issue is what the end product should look like.

The General Counsel will probably direct the CAE to address any report, whether written or oral, to him or her. Then, as legal counsel to the organization, the GC will share the results with his or her client: senior management and the board.

When it comes to any form of compliance audit, I always prefer to assess the adequacy of the controls and whether they provide a reasonable level of assurance that the risk of a violation is at an acceptable (very low) level. That requires judgment, for sure, but enables the identification of areas that need work.

There is danger in performing work that expresses any form of opinion as to whether there have been violations. Not only is there a risk of that opinion becoming public, but the determination of whether there has been a violation is a legal one that should be left to the attorneys.

The end product should be discussed carefully with the GC and he or she should, with input from the CAE, make the determination.


There are many ways to conduct the work, including working with Human Resources to survey all or a select group of employees. The potential outcomes of each approach should be considered very carefully indeed. For example, before sending a survey, can you assure respondents that their responses will be 100% confidential and protected? If not, you will get fewer responses and they will be suspect due to fear of retaliation for telling the truth. You also need to be prepared to act if the survey identifies problems – and you have to decide, early and not after the fact – whether you will inform the employee population of the results and how the organization is responding: what actions are being taken and why.

I think I would start by interviewing the members of the legal function. After all, they should be involved in every employee complaint and investigation. (If not, there may be a problem immediately.) Those interviews should tell me whether this is perceived by them as a problem, its scale and frequency, the level of allegation against senior management, and even whether there is a bias among the legal team.

That might, in itself, set the direction of additional work. It’s possible, although unlikely, that it might be sufficient to reach a conclusion and discuss it with the GC.

My next step would be to interview the various members of the Human Resources team. Interviewing the head of HR is clearly insufficient – unless that discloses a problem and suggests enough work has been done. But, interviewing every member of HR that has contact with employees, not just those receiving complaints, can be eye-opening.

HR may themselves be the problem, as in my Singapore case.

You may be asking why I didn’t start by assessing the organization’s policies, such as the Ethics Policy and annual certification and testing. My answer is that as an employee myself I am already familiar with them. I know from personal experience whether they are sufficient. I would have already talked to management if they were not, at least prima facie, sufficient.


My interviews with HR would be similar to those with Legal. I want to see if they are biased, whether they are part of any discrimination, and whether they at least appear to be objective when receiving, analyzing, and investigating any complaints. They should know how often and how significant the complaints are, whether they are concentrated in any one area (or under any one manager), and how many are found to be supported by evidence and how many are dismissed.

How any allegations are investigated is important, so my audit would move on to that activity, considering:

  • Who performs the investigations?
  • Are they properly trained and experienced?
  • Are they objective?
  • Are their objective assessments overruled by more senior management?
  • How are the results reviewed and acted upon?


I could go on, but so much will depend on what I am finding out in these early interviews. I would want to stop as soon as I have sufficient information to form an opinion and report to the GC. I also want to focus on those, hopefully limited, areas where there appears to be the greatest risk.


The bottom line is:

  • This is an important area that should at least be considered for action by the CAE.
  • The CAE and his or her team need to act should they become aware of a possible violation.
  • The CAE should consider an audit if there are red flags indicating a more pervasive problem.
  • But the focus has to be on getting management to do the right thing. Inform them as soon as you can so they can act.
  • Beware of audits that result in an opinion that could create or exacerbate a legal problem for the organization.
  • Work carefully with the GC and make sure your audit committee knows what you are doing.
  • Don’t turn a blind eye and be part of the problem.


I welcome your thoughts.

Hype and top risks

March 23, 2021 13 comments

My good friend, Alexei Sidorenko, challenged me on my last post. He said:

Norman Marks, too much cyber lately, too much jumping on the hype train, cyber is not even top 10 important risk in today’s business. Write about something that is important and was important 10 years ago and still is.

Now, just as it is wrong to jump on the hype train and believe that cyber is always a top risk, it is also wrong to believe that it is not. What is needed is a disciplined assessment of the likelihood of a breach that would have a material adverse effect on the likelihood of achieving enterprise objectives at your organization. In other words, is it a “top risk” for you?

But if (as Alex says – and as borne out by many studies of the effect of breaches) cyber is not a top risk, what is?

There are quite a few surveys. For example, Protiviti says these are the top risks for 2021[1]:

  1. Pandemic-related policies and regulation impact business performance
  2. Economic conditions constrain growth opportunities
  3. Pandemic-related market conditions reduce customer demand
  4. Adoption of digital technologies may require new skills or significant efforts to upskill/reskill existing employees
  5. Privacy/identity management and information security
  6. Cyber threats
  7. Impact of regulatory change and scrutiny on operational resilience, products, and services
  8. Succession challenges, ability to attract and retain top talent
  9. Resistance to change operations and business model
  10. Ability to compete with “born digital” and other competitors

The World Economic Forum sees things a little differently. Note that they don’t indicate the likelihood of the more serious impacts in their report, excerpted below.

WEF top risks 2021 has a list as well:

  1. IT disruption
  2. Data compromise
  3. Resilience risk
  4. Theft and fraud
  5. Third party risk
  6. Conduct risk
  7. Regulatory risk
  8. Organizational change
  9. Geopolitical risk
  10. Employee wellbeing


All of these may be risks worth considering – if you want to develop a list of risks.

But are they the top things that could go wrong and cause your organization to fail, or at least suffer such significant harm that it would not achieve its objectives?


Why not take each of the organization’s objectives (including any not formalized, such as being in compliance with applicable laws and regulations) and identify:

  • What could go wrong such that the objective is not achieved? What is the likelihood of that happening?
  • What needs to go right if the objective is to be achieved? What is the likelihood of that not happening?
  • What could happen that would allow the objective to be exceeded? What is that likelihood?
  • Overall, is the likelihood of achieving the objective acceptable?


In Auditing that Matters, I opened with a discussion of the more significant risks facing each of my various companies. They ranged from cash flow to cost control, to obsolete technology, to a poor executive management team and culture.

The point is that each organization is likely to have a unique set of things that could go wrong, as well as what could go well.


In this time of COVID and geopolitical uncertainty, there are a number of risks that typically don’t make it into the disclosures to the SEC but should be top-of-mind to the board. For example:

  • The company must be able to adapt to the new environment, including changes to the economy, customer needs, working conditions – and the need to continue to adapt as things continue to change. While decisions may be made requiring change, can the organization (including its processes and systems) make that change with agility?
  • Quality decisions that may have a lasting impact have to be made at speed. Are they made by the right people and are they based on reliable, complete, and timely information? Are all who should be involved part of the decision? Are decisions made at an appropriate speed – neither too fast nor too slow?
  • When the environment and business conditions change, the organization needs to be willing to change its objectives. What was a solid and practical goal in 2020 (let alone 2019) may be impractical in 2021. In addition, as the world changes new opportunities are opening up; is the organization able to recognize them and change direction, change its goals and strategies?


‘Effective risk management[2]’ is essential if an organization is going to see not only where it is but what lies ahead and then make the decisions necessary for success.

That requires considering all the things that are at least reasonably likely to happen, both good and bad, for your specific organization.

Set aside consultants’ and regulators’ hype (not only about cyber but also about issues such as third-party risk management[3]) and make that determination for your organization’s specific and unique circumstances.


I welcome your thoughts.

[1] The North Carolina State University’s ERM Initiative has the same list.

[2] Explained in Risk Management for Success

[3] Third party risks are even more specific and different for each organization

Don’t leave cyber security to the CISO

March 19, 2021 2 comments

In the last month, I have shared four posts about cyber security, with special attention to the board:


I was planning to move to a different topic, but then two more pieces hit my screen (and came close to damaging it):

These are both pieces that rely on and share the perspective of practitioners. They also demonstrate an unhealthy failure to understand what directors need: actionable, business-focused information (recognizing that most directors don’t know what they need, being poorly advised by consultants and others).


Sadly, I find little of value to quote from the first piece. While it seems to recognize that cyber should not be left to the CISO to handle by him or herself, it doesn’t reflect any understanding that, as I explained in my earlier posts, money and time spent on cyber come at the cost of spending those limited resources on something else: another source of risk or an opportunity.

Executives and the board need to be able to decide where to spend time and money based on risk and reward and how to best achieve objectives.


The second piece has at least one useful sentence:

As fiduciaries of all their company’s assets, Board members must increasingly look to their business judgements in making tactical and longer-term decisions regarding cybersecurity.

However, the author goes astray when he resorts to the ‘best practices’ idea for determining what the right level of cyber security is for the organization.


No, the level of investment in cyber security should be a business decision, based on:

  • How a breach might affect the organization, its potential effect on the achievement of enterprise objectives
  • Whether that is acceptable or not, for example whether the cost is more than the reduction in risk
  • Where else the resources could be deployed
  • What is best for the organization as a whole


Fortunately, there are practitioners and thought leaders that have the right idea.

One of those is Hans Læssøe. I recommend his books and his latest post, Effective Risk Reporting. He says:

An important element of risk management is related to risk reporting i.e., how do you convey the results of the risk management process to management.

Starting with the end of the sentence “to management” means the reporting must be defined in such a way and with such content that management finds this relevant and valuable. Now here is the first hurdle. Management is working with business performance rather than managing risks. As such, management does not, and should not be specially concerned about risks.

Executives know very well that there are risks and opportunities involved in whatever you do, and that every choice or decision they make becomes a choice between sets of risks and opportunities. This however does make them take their eyes off the ball – performance.

To be relevant and valuable to management, we – the risk profession, have to adjust our management reporting to be performance centric rather than risk centric.

Hans is very much aligned with me and my risk management books on this.

He covers, for example, the need to recognize that the level of ‘risk’ is not a point but a range. He also suggests a graphic for reporting the likelihood of achieving enterprise objectives (which he refers to as targets).
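The objective-by-objective questions in “Hype and top risks”, the business-decision list above, and Hans’s point that the level of risk is a range rather than a point can all be carried through in one small simulation. This is an added example, not code from the post or from Hans Læssøe, and every figure in it (the profit target, the three events, the two spending options and what each changes) is a constructed assumption.

```python
# Added example (not from the post): Monte Carlo view of one objective, reporting
# the likelihood of achieving it as a range and comparing spending options on it.
# Every figure below is a constructed assumption for illustration.
import random
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Event:
    """Something that might happen, good or bad, and its effect on the objective."""
    name: str
    probability: float   # likelihood of occurring within the planning period
    low: float           # smallest effect on the objective (negative = harm)
    high: float          # largest effect (positive = upside)

@dataclass(frozen=True)
class Objective:
    name: str
    target: float        # what the organization has set out to achieve
    baseline_low: float  # result if no event occurs, itself a range
    baseline_high: float
    events: tuple        # tuple of Event

@dataclass(frozen=True)
class Option:
    """One use of limited resources: it costs money and changes one event's likelihood."""
    name: str
    cost: float = 0.0
    event_name: str = ""
    new_probability: float = 0.0

def apply_option(objective, option):
    """Return the objective as it would look if this option were taken."""
    events = tuple(
        replace(ev, probability=option.new_probability)
        if option.event_name and ev.name == option.event_name else ev
        for ev in objective.events)
    # The spend comes straight off the result, whichever option it funds.
    return replace(objective, events=events,
                   baseline_low=objective.baseline_low - option.cost,
                   baseline_high=objective.baseline_high - option.cost)

def simulate(objective, trials=20000, seed=7):
    """Draw one possible period per trial; return the sorted outcomes."""
    rng = random.Random(seed)
    outcomes = []
    for _ in range(trials):
        value = rng.uniform(objective.baseline_low, objective.baseline_high)
        for ev in objective.events:
            if rng.random() < ev.probability:      # did this event happen?
                value += rng.uniform(ev.low, ev.high)
        outcomes.append(value)
    return sorted(outcomes)

def summarize(outcomes, target):
    """Likelihood of reaching the target plus a P10/P50/P90 range, not a point."""
    n = len(outcomes)
    return {"p_achieve": sum(1 for v in outcomes if v >= target) / n,
            "p10": outcomes[n // 10], "p50": outcomes[n // 2],
            "p90": outcomes[(9 * n) // 10]}

def compare_options(objective, options, trials=20000, seed=7):
    """Summarize each option and name the one with the best chance of the objective."""
    results = {opt.name: summarize(simulate(apply_option(objective, opt), trials, seed),
                                   objective.target) for opt in options}
    best = max(results, key=lambda name: results[name]["p_achieve"])
    return results, best

# Constructed scenario: an operating-profit objective with a target of 100 (say $m)
# and three things that might happen during the year, two bad and one good.
PROFIT = Objective(
    name="FY operating profit", target=100.0,
    baseline_low=95.0, baseline_high=115.0,
    events=(Event("major breach disrupts operations", 0.25, -40.0, -15.0),
            Event("key supplier fails", 0.15, -15.0, -5.0),
            Event("new product demand beats plan", 0.30, 5.0, 20.0)))

OPTIONS = (
    Option("do nothing"),
    # Assumed: 3 spent on cyber cuts the breach likelihood from 25% to 5%.
    Option("invest 3 in cyber", cost=3.0,
           event_name="major breach disrupts operations", new_probability=0.05),
    # Assumed: the same 3 on the launch lifts the upside likelihood from 30% to 45%.
    Option("invest 3 in product launch", cost=3.0,
           event_name="new product demand beats plan", new_probability=0.45))

if __name__ == "__main__":
    results, best = compare_options(PROFIT, OPTIONS)
    for name, r in results.items():
        print(f"{name:27s} P(achieve)={r['p_achieve']:.2f}"
              f"  P10..P90 = {r['p10']:.1f}..{r['p90']:.1f}")
    print("best chance of achieving the objective:", best)
```

With other assumed figures the ordering of the options changes, which is precisely the business decision the post says belongs to executives and the board rather than to the CISO alone.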


Assessing the potential effect of a breach or other source of risk, and then making the informed and intelligent business decision that is necessary for success, requires a constructive partnership between the CISO (and his or her technical insights) and the business.

Leaving this to the CISO is gambling.

Allowing the discussion to be in the language of technobabble (such as the “risk to information assets”) will not lead to the right business decision.

The discussion should be business-oriented, performance-oriented, and (if possible) mutually agreed on by the CISO and business leaders. On occasion, that will mean taking more cyber risk than the CISO believes is right – because it is right for the business to take the risk.

Once the business risk is known, then the technical frameworks, perhaps including FAIR, might be used to determine where within cyber to invest.

I leave you with this thought of Hans on his LinkedIn profile:

Risk management can do more than make you safe when the boat is rocking. Intelligent risk taking makes you able and ready to be the one rocking the boat.


I welcome your thoughts.

Two great pieces on cybersecurity and business risk

March 15, 2021 4 comments

I want to start with a review of Security & Risk: How to Talk Digital Risk with The Board. It was written and published by the security software firm, RSA, based on research by Gartner.

The article starts well with this:

The conversation around risk … should not be a negative experience. Understanding uncertainty – both possible positive outcomes and potential negative events – provides clarity in decision making. While there may be major trepidation entering a board meeting to discuss risk, the dialogue is fundamental to survival in today’s market. Fear of obstacles and challenges cannot stop organizations from growing. As strategies are built from top down, risk information presented to boards and executive teams will have a direct impact on a company’s success in seizing opportunities in the market and driving future investment.

It is encouraging to see statements like this from a software vendor. Rather than the normal view that risk exists to be managed or mitigated, this paragraph recognizes the need to take risk if you are to succeed. The difficulty lies in making informed and intelligent decisions about how much to invest in cyber rather than in other risk management activities or opportunities. Cyber defense has the potential to cripple a business if overdone!

The Gartner research has three findings. The first is obvious (that directors have a high level of interest and concern), and the others are:

  • Board confidence in the organization’s ability to prevent and respond to incidents is low, with only a minority of boards expressing confidence in such abilities — a key deficiency that results in limited support.
  • Security and risk management leaders often struggle to respond to board questions that are shaped by media reports and compliance concerns, leading to a cultural disconnect and breakdown of trust between business leaders and technology leaders.

These points are clarified further:

Although interest in risk management has grown, only 37% of board respondents feel confident or very confident that their company is properly secured against a cyberattack, compared to 42% last year. A slightly higher percentage (49%) is confident or very confident in the ability of management to address cyber risk. But more than one-fifth of directors (22%) expressed dissatisfaction with the quality of cyber-risk information provided to the board by management.

Do we have too little, too much, or is it just right? (It is also important to ask whether it is right for today but not for tomorrow, since needs change at the speed of the business.)


The piece has some other good points. For example, it says:

SRM leaders need to be able to give the board something that they care about and that is meaningful to them. But the confusion that results from the wider discourse around technology — including exaggerated, incomplete or contradictory public information — leads to asking the wrong questions, which the board nevertheless asks, over and over. These include: How secure are we? Why do we need more money for security, when we just approved X last year? What do you mean we got hacked a hundred times?

These questions distract from the most relevant aspects of the risk management discussion. Security and risk management leaders should orient their interactions with the board to ensure that the organization’s leadership has the right understanding to support the overall security practice.

Comment: that “right understanding” is not just to “support the overall security practice”, but to make the informed and intelligent business decisions necessary for success of the enterprise. Sometimes, that means taking more cyber risk than the CISO is comfortable with. Let me emphasize that: sometimes, the right business decision is to take more cyber risk than the CISO is comfortable with.


The problem is, in my opinion, that information security practitioners think and therefore report to management and the board as techies and not as business people.

They are sharing what they want to say, rather than what executives and directors need to know so they can make intelligent and informed business decisions.

As the paper says:

Communicating to the board should begin with an awareness of the audience: Who are the individuals on the board? What is their background? What role do they serve on the board — including any responsibility or background in cybersecurity?

Beyond individual passions and concerns, boards collectively usually care about three things:

  • Revenue/mission: Operating or nonoperating income and enhancing nonrevenue mission objectives
  • Cost: Future cost avoidance and immediate decrease in operating expenses
  • Risk: Financial, market, regulatory compliance and security, innovation, brand, and reputation

Board members expect their leaders to interpret topic-specific information into its broader business impact. Security and risk management is one of these topics.

As with many publications, the authors now leave the real world of informed risk-taking and re-enter the doomsday world of trying to manage and mitigate risk – managing risk as if there were no upside. So while I encourage you to read the full paper, I leave it here.


The second piece is from CSO magazine: How to make your security team more business savvy. The article is built around an interview with Myrna Soto, the former CISO at Comcast and now the chief strategy and trust officer at cybersecurity software firm, Forcepoint.

Her approach is somewhat similar to what I and others adopted as CAE: place the team among the business folk, close to their operations, so they can not only understand the business but make sure they are adding value to it.

The article says:

Myrna Soto has witnessed throughout her career the significant impact that business-minded security professionals can have on security success, so much so that she created a new position — the business information security officer (BISO) — during her tenure as global CISO with Comcast.

These BISOs cultivated relationships with business unit leaders to better understand the processes, transactions, initiatives and objectives that made their departments — and the company as a whole — tick.

The BISOs had to be more than technically astute and security minded to do well in their roles, and they had to be more than good communicators and fast learners. They had to understand business terms and principles, too.

To make sure they did, Soto embedded them within the business units for tours of duty and found other ways to sharpen their business acumen.

“If we did nothing other than that, we still would have gotten a tremendous value because that really opened those security professionals’ eyes to business needs and perspectives,” Soto says.


If the CISO doesn’t have a deep understanding of the business:

  1. The CISO almost certainly doesn’t understand how a breach would affect the business. The tendency will be to exaggerate it.
  2. The CISO also won’t be able to justify any additional spending on cyber because while he or she is talking techno, the people he or she wants to persuade are talking business.
  3. The organization is unlikely to choose the best bet, the right balance of cyber and risk-taking for success.

Some will say that the business executives and the board members should learn cyber and risk. To that I respond that while they may have a high-level understanding, they should be able (with sensible questioning) to rely on their technical experts in running the business in partnership (and lots of dialogue) with business leaders.

What do you think? I welcome your comments.

Advice for boards (and practitioners) on cyber

March 7, 2021 3 comments

Brian Barnier recently reminded me of a paper that he helped develop for the International Corporate Governance Network (ICGN) in 2016. Cyber Risk: ICGN Viewpoint is a good read.

I like these points:

  • Companies and their investors are increasingly concerned about risks associated with misuse of information and communication technology, whether as a result of poor implementation of data systems, missed opportunities to adopt key innovations or failure to protect a business from malicious acts (which are often labelled “hacking” and “cyber” attacks).

Notwithstanding their technical complexities the broad scope and potential gravity of cyber risks are such that these risks must be understood and proactively overseen by company directors as a matter of good corporate governance…. Cyber related risks are defined as the range of risks related to information and communication technology that can impede the achievement of company objectives and investor returns.

  • It is important that cyber risk oversight is integrated with the strategy and risk management of the company, particularly with regard to identifying a company’s critical data and informational assets. Oversight of cyber risks should not be seen in isolation from the technology and business strategy and objectives to which they are related. On the contrary cyber risks should be addressed in an integrated approach across all risks to achieving business objectives.
  • Strategic decisions regarding technology should be integrated with broader business strategy and methods of managing risk in the strategy development process (such as overcoming bias) and the plan itself.


ICGN has questions board members can ask executives and investors can ask the company.

I have some that I suggest should be asked in addition to those in this and other papers.


The first are to the CEO:

  1. How do you consider cyber-related risks when you set and then make decisions related to strategy?
  2. How are these risks any different from other risks to our objectives?
  3. Do you agree with the risk assessment(s) developed by your team (whether the CISO or CRO)?
  4. Why do you believe you are taking the right risks? Are you sure (and why) that company resources are properly allocated between addressing risks such as cyber and opportunities such as new products and marketing campaigns?


Then I would turn to each of the executives in the room and ask them pretty much the same questions.

If the executives don’t understand and have ready and compelling answers to one or more of these questions, we have a problem!


These are questions that the board members should consider asking of the CEO and other top executives. (The CEO should not defer to the CISO as these are questions about the business and his or her ability to lead it intelligently.)

But practitioners should know the answers, help the CEO understand how cyber can affect the business, and be in a position to engage with the board as they discuss the questions.


What do you think?

Wonder Woman — “Reasonable Assurance” and Cybersecurity

March 3, 2021 3 comments

One of my good friends, Brian Barnier[1], has written an interesting piece on cybersecurity targeted at internal auditors but also relevant for other practitioners. Brian is one of the smartest people I know (I am lucky to know and learn from so many) and an expert on technology and financial management. He is also the author of a couple of risk management books.

His article, which I show in its entirety below, suggests that we need to use “design thinking” to assess whether an organization’s cybersecurity meets its needs.

Brian doesn’t tackle the question of whether you assess cyber based on risk to information assets (NIST, ISO, and FAIR) or risk to the achievement of business objectives (Marks, et al).

But I recommend reading and considering his point of view.

I welcome your comments. You can also contact Brian directly (click here for his LinkedIn profile).



Wonder Woman — “Reasonable Assurance” and Cybersecurity

Brian Barnier & Prachee Kale

An award-winning film director and her CISO sister are enjoying dinner al fresco. Savoring wine under glowing fairy lights, they compare professional notes …

“Paula, every conversation about your cyber stuff grows my world beyond the art, logistics and risk management of films. Yet, controls, lines of defense, insider threats call to mind Oceans 11 or Wonder Woman, Diana’s quest to vanquish Ares, the God of War.”

“Sasha, how can you say Wonder Woman?”

“Paula, films comprise two typical discoveries. A character’s self-discovery and that of its world. Diana, despite her intelligence and strength, was wrong but quickly adapted. In cybersecurity, how is creative thinking developed? How are problems framed? How quickly do people change?”

Stepping away from the sisters…

What – exactly – is a “control?”

Pause your reading of this article. Write down your definition of “control.” Now ask five colleagues to do the same and compare notes.


If you walk through the woods with specialists — ecologist, entomologist and businessman — each will have different observations. Cognitive biases cause people to force-fit their mental models on experiences and concepts.

Investigating “controls,” we discover two origin stories.

  • Financial reporting controls trace back to ancient Egyptian grain accounting[i].
  • Automated controls trace to ancient Greek fishing and hunting gear[ii]. They developed into Leonardo da Vinci’s machines, like the cam hammer.

Historically, accountants were cautious about applying financial reporting-style controls to business operations. In 1980, in a seminal study funded by the Financial Executives Institute (FEI), the authors “…found it very difficult, if not impossible, to develop a list of significant procedures that a company must perform or be judged lacking in internal control.”[iii]

Michael Cangemi, former CEO of FEI and COSO Board Member recalls, “I explored auditing internal control for Foreign Corrupt Practices Act compliance when I joined Phelps Dodge as Chief Audit Executive in 1980. Companies have always developed processes for ensuring the protection of assets and internal control. I found that internal control is different in every company, does not easily lend itself to frameworks or checklists and requires much more subjective auditing.”

What is NOT a “cybersecurity control?”

As detailed in “Cybersecurity: The Endgame – Part One,” an unintended consequence of the Sarbanes-Oxley Act was the application of financial reporting-style controls to cybersecurity.

Dan Goelzer is the author of an insightful newsletter on PCAOB activities, Retired Partner, Baker McKenzie, and former Acting Chair, PCAOB.

He observes, “Operational controls are only secondary to financial reporting controls in the sense that, if they fail, you ‘only’ might go out of business – potentially devastating to you, your investors and your employees. If you don’t have good ICFR you might, at least in theory, go to jail. People should not, but sometimes do, confuse ICFR with cybersecurity controls. Preventing and repelling cyber-attacks is far beyond ICFR.”

The two types of controls are entirely different in design for entirely different purposes.

  • ICFR – manage risk of accurate recording of financial consequences of tangible transactions that occurred in the past in a relatively stable system
  • Automated – manage risk of cascading situations in the future in a dynamic system

Applying ICFR-style controls to cybersecurity is a definition error. Would you fly in a plane with ICFR-style controls?

Paul Sobel, former IIA Chair and current COSO Chair, summarizes based on the specific definitions of each type of control…

“When facing cyber risks, ‘reasonable assurance’ is not sufficient. ICFR with reasonable assurance was not designed to provide ‘as close to absolute assurance as possible.’ Lessons learned from designing industrial control systems can provide that assurance. Also, dynamic methods of managing risk are needed to survive in the fierce world of cyber-attacks.”

Wonder Woman embraced the unassuming Sir Patrick. His demeanor gave her reasonable assurance that he couldn’t be Ares. Diana was wrong.

For auditors, chasing the wrong types of controls is life on a gerbil wheel – high risk, little business impact, monster spend and unfulfilling.

Another false sense of security and blind spot was Diana’s “god killer” sword. It slew Ludendorff, but Ares casually destroyed it.

The misapplication of ICFR-style controls contributes to breaches, waste and pain. It warrants fixing with safer solutions.

  • Cyber is a system so apply systems thinking
  • Power-up cybersecurity and drive better business outcomes. Apply design thinking the vanguard of cybersecurity.

Beginning steps:

  • Eliminate futile ICFR-style controls for cybersecurity
  • Fix ICFR-style controls that are helpful, such as IT systems hygiene. But realize 1) they lack reliability of automated controls, 2) cost is excessive and 3) they can distract from safer actions.
  • Focus on automated-style controls that work like IT systems reliability and engineering
  • Outthink cyberwarfare enemies — embrace robust scenario analysis. Ask, “Would the scenarios make a good film?”[iv]

Here is a key challenge… the struggle to change has been researched since Aristotle, Plato and Thucydides, even in life-threatening situations. Organizational mass and inertia resist change. Overcoming requires a catalyst.

Surprise — the catalyst for improvement is you!

Let’s finish our walk in the woods. As an auditor, compare your view to the ecologist who sees the wood’s ecosystem and the businessperson who sees its financial value. Individually, each specialist is limited to one’s discipline and biases. You miss the 3-D view. You expand your influence and impact by seeing what others miss.

Making change easier

  • Reframe to clarify the real problem. Symptoms often mislead – discover alternative diagnoses, think differently. View Cybersecurity as a system – the whole is greater than the sum of its parts.
  • Address “hardwired” resistance. Have powerful but safe conversations and factor different perspectives to find root causes. Offer choices and reasons for change.
  • Design the shortest path to an ideal future

Find accelerants — a transformation leader, an innovation/design lab or a professional coaching program. Why aren’t auditors coached and invited to such labs? Primarily because audit isn’t viewed as value-creating.

It’s worth its weight in palladium to partner with coaches and innovators to generate the gift of value.

Design thinking, including envisioning alternative futures, is powerful. Facing cyberwarfare, consider five futures:

  • Same cybersecurity methods, no change — worst future
  • Same methods, more money and run faster — degraded future
  • Minor improvements, more money and run faster — static future
  • Cutting and/or fixing ICFR-style controls, onetime spend, improved operations — better future
  • Fully fixing ICFR-style controls, applying automated controls, and shifting to a systems and psychology approach — best future

Which one would you pick?

In summary:

  • ICFR wasn’t designed for cybersecurity
  • The opportunity cost of inaction is very high
  • Valuable change is based on systems thinking and psychology, applied with design thinking
  • Your personal opportunity — generate the gift of value

Back to the sisters…

“Sasha, creativity and design seem to have much to offer cyber!”

“Yes Paula, so, how fast will you fix it? I know you’ll be my hero!”

Note: This article was adapted from Brian Barnier & Prachee Kale (2020) CYBERSECURITY: THE ENDGAME – PART ONE, EDPACS, Taylor & Francis[v]

Disclaimer: Views expressed by the authors are their own and not necessarily those of their employers.

[1] Brian, Michael Rasmussen, and I were the first three honored as Fellows of the Open Compliance and Ethics Group (OCEG).




[iv] Two chapters of The Operational Risk Handbook are devoted to scenario workshops



The business risk that is cyber

February 28, 2021 8 comments

Today, I am returning to this topic and highlighting three different perspectives.

I see them as a progression, each with a marked improvement over the previous piece.


The first is in TechRepublic: Can your organization obtain reasonable cybersecurity? Yes, and here’s how. The author is Michael Kassner, a freelance writer who specializes in business and technology. He has been referred to as a cybersecurity expert; as best I can tell, he has never been a practitioner.

Kassner’s thoughts are based on his review of Cybersecurity Risk: What does a ‘reasonable’ posture entail and who says so? He refers to that work when he says (in these excerpts):

…lawmakers and regulators are responding to the escalating number of cyberattacks by requiring businesses to meet certain cybersecurity standards to achieve reasonable security. However, “Without a defined, coherent standard to use as a reference, companies are left wandering in the wilderness when it comes to compliance with these often ambiguous laws and regulations.”

Since cybersecurity and its regulation are moving targets, companies tend to copy what other organizations are doing to secure digital assets, hoping it will be seen as good enough…. “With data-breach litigation increasing, this practice is nothing short of risky as businesses are allowing a judge or jury to determine the reasonableness of its cybersecurity risk posture after an incident has occurred.”

…a good place to start is determining what would be considered a lack of reasonable security. “This approach makes it easier for an organization to map data-security protection efforts (including privacy and resources) to a known framework.”

A good first step… is to use the Center for Internet Security’s Critical Security Controls as the authoritative source. “One just needs to map the definition of ‘reasonable’ to any of 20 specifications to attest to its validity and utility.”

The Center for Internet Security’s Critical Security Controls is a recommended set of actions for cyber defense that provide specific ways to stop attacks.

Using the Center for Internet Security’s Critical Security Controls also helps simplify the selection of a risk framework needed to assess the company’s IT environment, determine gaps, and propose solutions.

“Implementing the CIS CSC will show due care in any conflict venue by demonstrating the organization is practicing cyber due diligence, even without a fully minimized risk posture.”


In pre-pandemic days, McKinsey shared The risk-based approach to cybersecurity. The authors all work for McKinsey in their cyber practice.

They start with this telling difference from the TechRepublic perspective.

The most sophisticated institutions are moving from a “maturity based” to a “risk based” approach for managing cyberrisk.

McKinsey is absolutely right to dismiss the idea that following so-called ‘best practices’ and adopting somebody’s set of recommended controls constitutes adequate protection. It also doesn’t protect you from litigation!

Consider the Heartland Payment Systems breach, described in several articles such as this one from ObserveIT.

As the article explains, the breach was massive and was not detected by the company. It was brought to their attention by Visa and, contrary to what the authors say, the CEO did not believe it at first. He famously said it couldn’t have happened because they had just passed their PCI audit!

McKinsey explains:

This article is advancing a “risk based” approach to cybersecurity, which means that to decrease enterprise risk, leaders must identify and focus on the elements of cyberrisk to target. More specifically, the many components of cyberrisk must be understood and prioritized for enterprise cybersecurity efforts. While this approach to cybersecurity is complex, best practices for achieving it are emerging.

To understand the approach, a few definitions are in order. First, our perspective is that cyberrisk is “only” another kind of operational risk. That is, cyberrisk refers to the potential for business losses of all kinds—financial, reputational, operational, productivity related, and regulatory related—in the digital domain. Cyberrisk can also cause losses in the physical domain, such as damage to operational equipment. But it is important to stress that cyberrisk is a form of business risk.

They continue (see the highlighted portion):

Even today, “maturity based” approaches to managing cyberrisk are still the norm. These approaches focus on achieving a particular level of maturity by building certain capabilities. To achieve the desired level, for example, an organization might build a security operations center (SOC) to improve the maturity of assessing, monitoring, and responding to potential threats to enterprise information systems and applications. Or it might implement multifactor authentication (MFA) across the estate to improve maturity of access control. A maturity-based approach can still be helpful in some situations: for example, to get a program up and running from scratch at an enterprise that is so far behind it has to “build everything.” For institutions that have progressed even a step beyond that, however, a maturity-based approach is inadequate. It can never be more than a proxy for actually measuring, managing, and reducing enterprise risk.


Unfortunately, while McKinsey talks about cyber as just another operational risk and how it needs to be fully integrated into the enterprise risk management program, they don’t join the dots. They are not seeing how it is all about taking the right risks for success.

They continue to manage doom rather than the achievement of enterprise objectives.


The third piece is by Carol Williams. She is a risk management consultant with 9 years’ previous experience as a risk practitioner and 5 years as a regulator.

Carol’s Is technology risk bigger than “cyber” risk? is an excellent read. Rather than excerpt it here, I suggest you read the entire article. (You will quickly see why I like her post.)


The bottom line is that managing “cyber risk” should not be done in a silo, but within the context of making informed and intelligent business decisions every day.

Sometimes, you need to take that cyber risk!

Will you avoid purchasing an Amazon Alexa or an Apple iPhone simply because of the unmanageable cyber risks, or will you weigh the pros and cons and make a sensible decision?

Will you allow competitors to leap ahead while you remove that last risk, or will you take the risk and the market?


I welcome your thoughts.

The concept of resilience: a new buzzword

February 22, 2021 7 comments

There seems to be a lot of talk and articles these days about resilience.

I have somewhat ignored the term, but recently read an interesting piece in Forbes: What Is True Resilience? (Hint: It’s Not About Managing Risk).

Before I cover that piece, it is interesting to see what people have said about the difference between ‘risk’ and ‘resilience’.

One academic has written (key sentence highlighted):

Resilience is essential to living in a world filled with risk. Resilience has historically been defined as the ability to return to the status quo after a disturbing event. However, in the face of a changing climate and growing population, resilience cannot be based on the capacity to recover from the sorts of disasters we have faced in the past, but requires that we build capacity to avoid damage and/or recover from the sorts of disasters we can expect to face in the future. If our goal is a sustainable future, we must understand the risks we will face and prepare for those risks through adaptation and mitigation measures. Resilience is crucial in this endeavor, as it is our capacity to cope with both expected events and surprises. To this end, it is critical that we identify, assess, communicate about, and plan for risks that the future will bring.

The OECD has shared:

The ability of households, communities and nations to absorb and recover from shocks, whilst positively adapting and transforming their structures and means for living in the face of long-term stresses, change and uncertainty. Resilience is about addressing the root causes of crises while strengthening the capacities and resources of a system in order to cope with risks, stresses and shocks.

Professor Linkov of the University of Connecticut tells us:

Traditional risk management focuses on planning and reducing vulnerabilities. Resilience management puts additional emphasis on speeding recovery and facilitating adaptation.


The Forbes article is written by a practitioner rather than an academic or consultant. That makes it more interesting, as it is based on experience borne out of responsibility.

Will Grannis is the leader of Google Cloud’s Office of the CTO and says his customers are asking how his organization’s services “stay resilient in the face of many unexpected, unpredictable events”.

This experience is of interest:

Just this week, unprecedented weather patterns across the U.S. pushed many IT and business leaders to virtual “war rooms” in order to ensure capacity, networking, and applications were instantly and persistently available. But those rooms were in the moment, rapidly assembled and then rapidly disassembled—just like the technology that underpins the real-time applications and services we all depend on. This is the new normal, and it calls for a new model of operations. Rather than setting a fixed reliability as the calculation for contracts and practices, the focus must be on resiliency under any number of conditions.

Building on that, he says (key sentence and words highlighted):

True resilience isn’t about managing a particular instance of risk, but being ready for anything through the way you operate. Today’s disasters may come from wild, unanticipated success (leading to traffic spikes) as much as devastating unforeseen failure (be that a natural disaster, a political event, or a system configuration error that cascades into a global outage).

The rest of the article explains what happened at Google Cloud and some of their philosophy around architecting their services for the general (not specific) customer. There is a continuing article about their approach to resilient IT.


This reminds me of my own experience when I was a vice president in IT at a large financial institution. One of my responsibilities was to develop a disaster recovery plan for our two data centers. I was able to hire a wonderful lady, Ann Tritsch, as my DRP Coordinator (a direct report at manager level). She led the initial effort[1] and we soon faced an important question: did we need to build separate sections of the plan covering the various causes of a disaster?

Operations already had sound processes in place to address and recover promptly from a short outage and our task was to determine how data center operations would recover from an event or situation that would shut down one or both data centers for a longer period. This could be the result of:

  • A fire
  • An earthquake (we were in Southern California)
  • A flood (we were in an area that could possibly flood if a dam broke or there was an extended period of torrential rain), or
  • Some other reason

At that time, emerging thinking was that the planning should address how you recovered, regardless of the cause. That is how we built our plan (with the help of a software solution, I should add).


But the DRP was not enough.

We still had to concern ourselves with making sure the likelihood of a disaster and the effect on the business were minimized – given cost and other constraints.

For example, our senior vice president (Ron Reed) led an effort to determine whether it would be viable to establish what would amount to mirroring the data center. He was looking at the possibility of sending copies of every transaction processed at one data center to the other by satellite (which we did not yet have – and this was before the age of the internet). But the cost was prohibitive. In addition, the two data centers were less than 20 miles apart, so a regional disaster could well affect both.

Ann performed, with the assistance of the operations staff, a review that we would today call a risk assessment. It considered each of the causes we might anticipate and confirmed that we had an acceptable set of measures in place. For example, we considered loss of power and examined the power system and the ability to either switch to a different power station or rely on our battery back-ups. We also recognized that there was a single point of failure in the network where all traffic from outside Southern California passed through a single station; but there was little we could do to minimize the possibility of an outage.


This still was not enough. While there were some causes of a prolonged outage that we could identify, there was always the possibility of an ‘unknown unknown’: something happening that we could not seriously identify as a likely event, such as being hit by a meteor, a pandemic (worse than today’s), or a terrorist attack.

With this in mind, we developed another plan that we called a Disaster Preparedness Plan. The DPP was designed to help us recover from any event (including unknown unknowns) that would cause more than a short disruption of our data center’s operations.

The DPP included a detailed Communications Plan. While we didn’t know with certainty who in management might be required to respond to the event or situation, we developed the necessary structure and processes.


Between these initiatives and plans, we did what we could to make ourselves what would today be called ‘resilient’.


What I like about the idea of resilience is that rather than designing response around specific foreseeable events and situations, it preplans and prepares you (as best you can) for what you cannot predict.

To quote the Google executive again:

True resilience isn’t about managing a particular instance of risk, but being ready for anything through the way you operate.


Personally, I believe in monitoring and considering what might happen so you can both include it in decision-making and be prepared to respond to foreseeable events and situations.

But I also believe in being as prepared as possible to respond to (and mitigate if you can) unforeseeable events and situations.


So, resilience merits our attention in addition to or as an integral part of any ‘risk management’ activity. (As usual, please note that I much prefer managing for success.)


There is one more and very important aspect to this discussion.

In the same way that you should be prepared and resilient for unforeseen adverse events and situations, you need to be agile and sufficiently aware and responsive to unforeseen opportunities!

People pay far more attention to the first and far too little to the second.


I welcome your thoughts.

[1] Unfortunately, we lost her before the plans were completed.

Are you too risk-averse?

February 15, 2021 4 comments

In a recent article, my good friend Jim Deloach asks a very interesting question:

How many senior executives and directors can name a chief risk officer who has advised them that the organization is too risk averse?


The title of the article is an odd one, which I will discuss before venturing into the body of his thinking. It is Is Your Risk Culture Aligned With the Realities of the Digital Age?

“Risk culture” is a term that has crept into use over the last few years, but it is unclear to me what its purpose and value is.

Jim doesn’t (wisely) define it in this article, but others have:

  • “The norms of behavior for individuals and groups within an organization that determine the collective ability to identify and understand, openly discuss and act on the organization’s current and future risks” (McKinsey)
  • “Risk culture is the system of values and behaviors present in an organization that shapes risk decisions of management and employees.” (North Carolina State’s ERM Initiative)
  • “The values, beliefs, knowledge and understanding about risk, shared by a group of people with a common purpose” (Institute of Risk Management).

Dr. David Hillson (a.k.a. the Risk Doctor) has an interesting discussion of risk culture on the PMI website: The A-B-C of risk culture: how to be risk-mature.

I have written several posts on culture generally and risk culture in particular. You can use the search box at the top right to find them.

The general point in my various blog posts is that there are many, often competing dimensions to an organization’s culture. While you want decision-makers to exercise caution when needed, they also need to be entrepreneurial when that is appropriate as well. You desire imagination and creativity, not simply awareness and trepidation about what bad stuff might happen.

In addition, you don’t want everybody in the organization to have the same attitude towards taking risk. You want sales, marketing, and product design to think one way, and accountants and treasury staff to think another.

So, I hesitate to talk about “risk culture”; instead, we can either talk about organizational culture (with all its complexities) or whether the key decision-makers are making informed and intelligent decisions that involve (as they all do) taking risk to seize opportunities.


Jim gets it totally right when he says:

The ground rules for risk and reward are well known. These rules hold that one must take risks to grow, and typically, the more risk one takes, the higher the potential return. They also suggest that a risk-averse mindset often leads to a lower return. These canonical laws have been embedded in business and finance since before any of us were born.

He also makes a point that I have been making for a few years:

Given the pace of change in the digital economy, the realities are such that it’s not just a matter of taking risk to grow or generate greater returns, it’s also a matter of survival. Bottom line: Organizations must undertake more risk than they may be accustomed to taking if they are going to survive. Refusal to take risk means accepting the risk of growing stale and becoming irrelevant. This is no time to be comfortable with the status quo.

Jim has a very interesting couple of tables that contrast a “traditional view” of risk-taking to one that is “fit for the digital age”. He explains that we need to move “from a fragmented, siloed model focused narrowly on myriad risks to an enterprisewide approach focused on the most critical enterprise risks and integrated with strategy setting and performance management”.

There are a number of excellent points in the tables, which I encourage everybody to not only read but also reflect on the depth of meaning behind each of them. For example, he suggests that today we need to:

  • Move from avoiding or mitigating risks to taking them within limits – something I have written about in these pages
  • Maximize the upside while managing the downside. In other words, taking the right level of the right risks; don’t just try to manage and mitigate them out of context of what you are trying to achieve
  • Be proactive and agile
  • Do all of this continuously, not periodically
  • Move away from managing a list of risks and towards managing outcomes
  • While he still (sadly) mentions risk appetite, it is essential to ensure an acceptable likelihood of success
  • Leave heat maps behind in favor of Monte Carlo, scenario (what-if) analysis, and other techniques
  • Integrate all our thinking and actions around achieving our objectives as an organization
  • Ensure decision-making is high velocity and high quality

Another point he makes refers to cyber and why it should not be assessed in isolation:

…an overly cautious approach that eliminates too much risk might limit or delay innovation opportunities that offer significant upside. Therefore, managing cyber and privacy risk in isolation may not be in the best interests of the business. If a company is evaluating whether to apply digital technologies to enhance its processes, launch a new product or service or differentiate customer experiences, it also needs to consider how much exposure to cyber and privacy risk it is willing to accept.

In the digital age, risk management must help leaders make the best bets from a risk/reward standpoint that have the greatest potential for creating enterprise value. This means that the creation and protection of enterprise value in the digital age depend on the organization’s ability to pursue compensated risks and opportunities successfully and either avoid or transfer uncompensated risks or reduce them to an acceptable level. A risk-informed approach fit for the digital age is one that is strategic in considering the impact of risk on strategy and performance; balanced in evaluating both opportunity and risk; integrated with strategy setting, planning and business execution; and customized, reflecting organizational business needs, expectations and cultural attributes.

His final points echo much of what I have been saying here and in my books. (That is not to say that he is simply following my thinking; he is a highly intelligent individual and independent thought leader, recognized as such by boards and professional associations for his many contributions – see his profile at the end of the piece. I am pleased to see us aligned on many fronts today.)

He says this very well indeed – note especially the highlighted portions:

In the digital economy, risk management must contribute to reshaping strategy in advance of disruptive change. Integrating more sophisticated quantification and monitoring capabilities into the day-to-day activities of the business in executing the strategy and focusing on the risks and opportunities that matter can help management frame a composite risk profile fit for the digital age and provide more granular information on key aspects of the strategy as well as costs and benefits expected from alternative scenarios.

In the digital age, it is all about maximizing the upside while managing the downside, thus fitting the profile of companies best positioned to compete, thrive and win with an obsessive focus on growth and improving the customer experience. If the organization does not advance its digital maturity, another risk arises. We call it “digital risk,” or the risk of choosing not to get uncomfortable in the digital age. Accordingly, a traditional approach to risk management might be the biggest risk that an organization faces when it seeks to grow and defend share against new entrants.

In the digital age, becoming a leader entails revisiting risk mitigation strategies with an eye toward accepting more risk and exploiting the upside potential of market opportunities. For example, rather than merely mitigating risks to the execution of the strategy, companies should also use scenario analysis (Monte Carlo and/or “what if” analysis) to assess the impact on the achievement of strategic objectives and desired corporate risk profile of alternative scenarios. This analysis contributes to a more robust strategic decision-making process.
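To make the Monte Carlo point concrete, here is a small added illustration (not from Jim’s article or from this blog) that compares two constructed alternatives on the likelihood of meeting one objective, with the upside driver and the adverse events in the same calculation, next to a conventional 5x5 heat-map score of the same adverse events. Every figure, scenario name and band threshold is an assumption made up for the example.

```python
"""Likelihood of achieving an objective (Monte Carlo) vs a heat-map score.

Added example, not code from Jim DeLoach's article or from this blog. All
numbers are constructed for illustration and taken from no real company.
"""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Scenario:
    name: str
    # Continuous value drivers, each modelled as a normal (mean, stdev) in $m.
    drivers: Dict[str, Tuple[float, float]]
    # Discrete things that might happen: (label, probability, impact in $m);
    # impact is negative for a loss and positive for an opportunity.
    events: List[Tuple[str, float, float]] = field(default_factory=list)


def simulate(scenario: Scenario, objective: float, trials: int = 20000,
             seed: int = 7) -> Dict[str, float]:
    """Estimate P(outcome >= objective) plus the P10/P50/P90 of the outcome."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    outcomes = []
    for _ in range(trials):
        value = sum(rng.gauss(mean, sd) for mean, sd in scenario.drivers.values())
        for _label, prob, impact in scenario.events:
            if rng.random() < prob:  # each event occurs independently
                value += impact
        outcomes.append(value)
    outcomes.sort()
    return {
        "p_success": sum(v >= objective for v in outcomes) / trials,
        "p10": outcomes[int(0.10 * trials)],
        "p50": outcomes[int(0.50 * trials)],
        "p90": outcomes[int(0.90 * trials)],
    }


# Assumed 5x5 heat-map bands: upper edges of bands 1..4; anything above is 5.
LIKELIHOOD_BANDS = (0.05, 0.15, 0.35, 0.60)
IMPACT_BANDS = (2.0, 4.0, 6.0, 8.0)  # $m of loss


def _band(value: float, edges: Tuple[float, ...]) -> int:
    for i, edge in enumerate(edges, start=1):
        if value < edge:
            return i
    return len(edges) + 1


def heat_map_score(scenario: Scenario) -> Dict[str, int]:
    """Conventional heat-map scoring: likelihood band x impact band for each
    adverse event, then summed. Upside drivers have no cell on a heat map, so
    they are silently ignored; that is the limitation the post objects to."""
    scores: Dict[str, int] = {}
    for label, prob, impact in scenario.events:
        if impact < 0:
            scores[label] = _band(prob, LIKELIHOOD_BANDS) * _band(-impact, IMPACT_BANDS)
    scores["total"] = sum(scores.values())
    return scores


OBJECTIVE = 50.0  # constructed target: operating profit of $50m

STATUS_QUO = Scenario(
    "status quo",
    drivers={"core business": (48.0, 3.0)},
    events=[("competitor launches digital offering, share lost", 0.30, -8.0)],
)

DIGITAL_LAUNCH = Scenario(
    "launch digital product",
    drivers={"core business": (48.0, 3.0), "digital uplift": (6.0, 6.0)},
    events=[
        ("cyber/privacy incident on the new platform", 0.10, -10.0),
        ("competitor launches digital offering, share lost", 0.10, -8.0),
    ],
)


def compare(objective: float = OBJECTIVE) -> Dict[str, Dict[str, float]]:
    """Both views for both alternatives, so they can be set side by side."""
    result = {}
    for s in (STATUS_QUO, DIGITAL_LAUNCH):
        result[s.name] = {**simulate(s, objective),
                          "heat_map_total": heat_map_score(s)["total"]}
    return result


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:24s} P(meet objective)={r['p_success']:.2f}  "
              f"P10/P50/P90={r['p10']:.1f}/{r['p50']:.1f}/{r['p90']:.1f}  "
              f"heat-map total={r['heat_map_total']}")
```

With these constructed inputs the heat map scores the digital launch as the riskier option (more red cells), while the simulation shows it is far more likely to reach the $50m objective, because the heat map never sees the upside.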


Wrapping this up:

  • The traditional ERM practice of a periodic list of risks has little value beyond compliance.
  • It is far better to ensure your decision-makers are able to weigh all the things that might happen, both the pros and the cons, and make an informed and intelligent business decision.
  • These times require agility in the support of fast decision-making, recognizing that fear can easily prevent success.
  • Move from doom to success management.
  • Don’t be afraid to tell decision-makers and management in general when they are being too risk averse. That is part of your job.

I welcome your thoughts.

SOX and the COSO Principles

February 11, 2021 3 comments

One of the requirements for the SOX compliance program is that the assessment is based on a recognized internal control framework. In practice, this is (almost) always the 2013 COSO Internal Control Framework.

COSO says that a system of internal control is effective if it “provides reasonable assurance regarding the achievement of an entity’s objectives. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives.”

However, it goes on to say that for a system of internal control to be considered effective, all relevant principles must be “present and functioning”.

COSO says that they can be considered “present and functioning” if there are no related “major deficiencies” that would prevent there being reasonable assurance of achieving the objective(s); for SOX, this equates to having no related material weaknesses.

When the 2013 update was released, I said that this meant three things:

  1. It is necessary to confirm which of the COSO principles are relevant to the assessment.
  2. The way to confirm that they are present and functioning is by indicating which key controls are relied upon for that purpose and confirming that they are adequately designed and operating effectively.
  3. If there was a failure in a control relied upon for the presence and functioning of a principle, that failure could not be a material weakness. In other words, a principle can be considered present and functioning even if there are failures of related controls as long as those failures do not mean there is at least a reasonable possibility of a material error or omission in the filed financial statements.


It has been nearly eight years since that update, when I suggested that one or more of the COSO principles might not be relevant for SOX – meaning that even their total absence would not amount to a material weakness (as defined).

For example, the second principle is:

The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

I contend that while it may be relevant for some control objectives, it is not relevant for SOX. A private company that does not have independent directors can still have effective internal control over financial reporting.


I have questions for you that I would appreciate your answering in the comments below for everybody to consider. (In other words, please do not post your answers only on LinkedIn.)

  1. Have you considered whether any of the COSO principles are not relevant for your SOX program?
  2. Which ones were considered not relevant?
  3. Have you discussed this with your external auditor?
  4. Did they agree, and if not why not?


Thanks – and I look forward to your thoughts on the post and the answers to my questions.



PS – If you are interested in attending one of my SOX Masters classes, please contact Emily Jones at

Optimizing board decision-making

February 9, 2021 5 comments

There’s an interesting article on the London Stock Exchange page: Optimizing board decision-making in the eye of a storm. It is written by an individual who advises boards and directors in the UK.


Risk and audit professionals need to think about what their customers need and how that is changing in these dynamic and turbulent times. They should consider whether there is a need to change one or more of:

  • What they are addressing
  • When and how often it is being addressed
  • The time it takes to do that
  • How the results of their work are communicated, including the speed of that communication


The author references a director who is on “an experienced board with battle-hardened veterans in both the ranks of the executive and non-executive directors.” Even so, “he indicated that the board and executive team seriously struggled with the enormity of the challenges facing the organisation”.

He continues:

While he indicated that the board were quite mature in terms of risk management and business continuity planning, the sheer scale of the Covid-19 crisis literally floored the board both in terms of the scale of business impact, the impact on their employees and currently how difficult it is to plan for the “new normal”. The scale of the crisis necessitated a number of major decisions to be made in a very compressed timeframe.

While the board may consider themselves “quite mature in terms of risk management”, that is questionable – but not a topic for today.

Here are some notable points with my comments:

  • While a board has many broad types of responsibilities, the fundamental responsibility of a board is to make major decisions. At a time of extreme crisis management, this acute responsibility comes to the fore and represents a fundamental test of a board of directors in terms of its calibre, decisiveness, effectiveness, judgement and performance.
    • Comment: I would argue that what is even more critical is the ability of the executive management team to make quality decisions at speed and communicate those decisions effectively.
    • In addition, there needs to be an agreement between the board and the executive team (including the CAE and CRO) on what will be shared with the board, how, and when.
    • The practitioner needs to be alert, communicate issues in this area, and offer constructive suggestions for improvement.


  • The brutal reality of the Covid-19 crisis is that major decisions have had to be made and continue to be made by boards in compressed timeframes of days and in extreme cases hours that have very serious consequences for the organisation, its employees, its customers and shareholder/stakeholders. While in many cases, government and public health regulations dictated timeframes for major decisions, the reality is that in the vast majority of cases, boards are having to get used to extremely short review cycles for what are often complex choices with significant consequences for each option.
    • Comment: again, this applies to the management team as well. Do they have the capacity to make informed and intelligent decisions at speed?
    • Do they know when they have to make decisions?
    • Do they have the agility and flexibility to make decisions, or is there too much red tape?


  • The quality of information is the life-blood of a board in terms of major decision making in normal times. At severe crisis management times like this, it is very challenging for the CEO and executive team to devote the usual time needed to develop comprehensive board packs when in some cases you may have just 24 hours before the next virtual board meeting. In these cases, I believe quality is more important than quantity in terms of helping the board understand the logic behind major proposals from the CEO and executive team. In some cases, while not ideal, CEOs and executive teams are heavily relying on gut instinct in terms of picking from what appears to be radically different options. In these cases, it is important to provide the NEDs with your “gut instincts” and assessment of the pros/cons of each major option.
    • Comment: in times like these, any ‘risk’ practitioner needs to ensure that any identification or assessment of what might happen (which could be adverse, risk, or favorable, opportunity) is performed at an appropriate frequency and speed.
    • Talk about ‘gut instinct’ brings up the issue of cognitive bias, as well as the fact that many decision-makers don’t know what information is available that would be of value, let alone what information can be made available.
    • One thought is to examine the agility of any IT function in providing decision-makers with the information they need, when they need it.


  • It is vital that where needed, a board gets external expertise to help with a major decision. This might be an experienced existing advisor partner who understands the organisation and sector but also may be a truly independent sector expert who could provide a brutally cold objective assessment of the options that could ultimately improve the final decision-making process.
    • Comment: this is where the practitioner can help. I prefer management and the board to use internal resources like internal audit before even thinking of going outside to an organization that doesn’t have much of an understanding of the company and its operations.

The overall message is that the way in which the board and executive management teams have to operate to thrive in today’s environment is changing.

The members of the board, the management team, and both internal audit and risk practitioners need to ensure they can and have changed as well.


I welcome your thoughts.