Five US regulators have jointly published proposed rules regarding compensation risk at the financial institutions they oversee. The agencies are:
- Office of the Comptroller of the Currency, Treasury (OCC);
- Board of Governors of the Federal Reserve System (Board);
- Federal Deposit Insurance Corporation (FDIC);
- Federal Housing Finance Agency (FHFA); National Credit Union Administration (NCUA); and
- S. Securities and Exchange Commission (SEC).
I believe the principles behind these rules are relevant to every organization, whether non-profit, for profit, large, small, manufacturing, retail, or other.
In general, the proposed rules would require a deferral of compensation (which includes salary, bonus, options, and more) that allows time before payment for consideration of whether excessive levels of risk were taken by individuals that led to their achieving or exceeding targets and earning compensation. Clawback provisions are included.
The rules are not limited to executives. They also apply to any individual whose actions could put the organization at significant risk.
The rules specify the obligations of the board and its compensation committee (all of whose members must be independent).
They also require that the risk officers be independent of the units taking the risk. They do NOT require that the risk office report directly to the CEO or board.
Reviews and reports on the effectiveness of the compensation and risk processes by both the risk office and internal audit are required.
Also required are policies and so on that mandate actions consistent with these requirements.
There’s a lot to like here. The agencies have asked for comments in their >500 page document.
The only item that I have a problem with is when they say “The proposed rule … provides that an incentive-based compensation arrangement will be considered to encourage inappropriate risks that could lead to material financial loss to the covered institution”. (They define ‘material financial loss at 0.5% of the organization’s capital.
- No likelihood is defined for ‘could’. Is 0.00001% acceptable? How about 1% or 2% or 5%?
- As with so many of these regulator’s rules, everything is expressed in financial terms – $$$. But, how do you measure compliance risk? Can you put a quantified value on it? At least the discussion includes a reference that incurring excessive compliance risk is a consideration of whether excessive risk overall was taken to earn a reward.
As I reflect on my experience (it is a great many years since I worked in financial services), I can see these principles addressing a couple of real-life problems at non-financial institutions.
- At a number of companies, there was a risk that sales personnel and even management (including both general management and, in some cases, financial management) would collude with third parties such as customers and channel partners to inflate sales for a quarter. Management would agree (a ‘side-letter’) with the third party where the customer or partner would increase an order beyond their needs and receive a credit memo in the next quarter. The fraudsters would receive a larger bonus based on the inflated revenues. Many sales personnel, especially, move from company to company and are willing to take the risk that any discovery of the scheme will be after they have departed. More senior managers, especially if financial managers are part of the scheme, don’t expect to be caught.
If bonuses were deferred, that would delay the reward and reduce the (net) incentive to cheat.
- At several companies, individuals were compensated for actions that were not tied directly to profits. Sales and even production personnel were rewarded for actions such as increasing revenue that have little or no margin (‘empty revenue’) or increasing production when margins were negative. I actually heard, in a management meeting when margins were reported as being negative, “we can make it up on volume”.
What do you think?
How can these principles be applied broadly to good effect?
The remainder of this post is excerpts from the >500 pages.
There is evidence that flawed incentive-based compensation practices in the financial industry were one of many factors contributing to the financial crisis that began in 2007. Some compensation arrangements rewarded employees – including nonexecutive personnel like traders with large position limits, underwriters, and loan officers – for increasing an institution’s revenue or short-term profit without sufficient recognition of the risks the employees’ activities posed to the institutions, and therefore potentially to the broader financial system. Traders with large position limits, underwriters, and loan officers are three examples of non-executive personnel who had the ability to expose an institution to material amounts of risk. Significant losses caused by actions of individual traders or trading groups occurred at some of the largest financial institutions during and after the financial crisis.
Of particular note were incentive-based compensation arrangements for employees in a position to expose the institution to substantial risk that failed to align the employees’ interests with those of the institution. For example, some institutions gave loan officers incentives to write a large amount of loans or gave traders incentives to generate high levels of trading revenues, without sufficient regard for the risks associated with those activities. The revenues that served as the basis for calculating bonuses were generated immediately, while the risk outcomes might not have been realized for months or years after the transactions were completed. When these, or similarly misaligned incentive-based compensation arrangements, are common in an institution, the foundation of sound risk management can be undermined by the actions of employees seeking to maximize their own compensation.
Flawed incentive-based compensation arrangements were evident in not just U.S. financial institutions, but also major financial institutions worldwide. In a 2009 survey of banking organizations engaged in wholesale banking activities, the Institute of International Finance found that 98 percent of respondents recognized the contribution of incentive-based compensation practices to the financial crisis.
Executive officers and employees of a covered institution may be willing to tolerate a degree of risk that is inconsistent with the interests of stakeholders, as well as broader public policy goals.
The Federal Banking Agencies have found that any incentive-based compensation arrangement at a covered institution will encourage inappropriate risks if it does not sufficiently expose the risk-takers to the consequences of their risk decisions over time, and that in order to do this, it is necessary that meaningful portions of incentive-based compensation be deferred and placed at risk of reduction or recovery. The proposed rule reflects the minimums that are required to be effective for that purpose, as well as minimum standards of robust governance, and the disclosures that the statute requires.
…the proposed rule would apply to any covered institution with average total consolidated assets greater than or equal to $1 billion that offers incentive-based compensation to covered persons.
The proposed rule identifies three categories of covered institutions based on average total consolidated assets:
- Level 1 (greater than or equal to $250 billion);
- Level 2 (greater than or equal to $50 billion and less than $250 billion); and
- Level 3 (greater than or equal to $1 billion and less than $50 billion).
…the proposed rule provides that compensation, fees, and benefits will be considered excessive when amounts paid are unreasonable or disproportionate to the value of the services performed by a covered person, taking into consideration all relevant factors.
The proposed rule … provides that an incentive-based compensation arrangement will be considered to encourage inappropriate risks that could lead to material financial loss to the covered institution, unless the arrangement:
- Appropriately balances risk and reward;
- Is compatible with effective risk management and controls; and
- Is supported by effective governance.
…the proposed rule specifically provides that an incentive-based compensation arrangement would not be considered to appropriately balance risk and reward unless it:
- Includes financial and non-financial measures of performance;
- Is designed to allow non-financial measures of performance to override financial measures of performance, when appropriate; and
- Is subject to adjustment to reflect actual losses, inappropriate risks taken, compliance deficiencies, or other measures or aspects of financial and non-financial performance.
Under the proposed rule, the board of directors of each covered institution (or a committee thereof) would be required to:
- Conduct oversight of the covered institution’s incentive-based compensation program;
- Approve incentive-based compensation arrangements for senior executive officers, including amounts of awards and, at the time of vesting, payouts under such arrangements; and
- Approve material exceptions or adjustments to incentive-based compensation policies or arrangements for senior executive officers.
The proposed rule would apply deferral requirements to significant risk-takers as well as senior executive officers, and, as described below, would require 40, 50, or 60 percent deferral depending on the size of the covered institution and whether the covered person receiving the incentive-based compensation is a senior executive officer or a significant risk-taker.
A Level 1 or Level 2 covered institution would be required to consider forfeiture or downward adjustment of incentive-based compensation if any of the following adverse outcomes occur:
- Poor financial performance attributable to a significant deviation from the covered institution’s risk parameters set forth in the covered institution’s policies and procedures;
- Inappropriate risk-taking, regardless of the impact on financial performance;
- Material risk management or control failures;
- Non-compliance with statutory, regulatory, or supervisory standards resulting in enforcement or legal action brought by a federal or state regulator or agency, or a requirement that the covered institution report a restatement of a financial statement to correct a material error; and
- Other aspects of conduct or poor performance as defined by the covered institution.
In addition to deferral, downward adjustment, and forfeiture, the proposed rule would require a Level 1 or Level 2 covered institution to include clawback provisions in the incentive-based compensation arrangements for senior executive officers and significant risk-takers.
The proposed rule would require clawback provisions that, at a minimum, allow the covered institution to recover incentive-based compensation from a current or former senior executive officer or significant risk-taker for seven years following the date on which such compensation vests, if the covered institution determines that the senior executive officer or significant risk-taker engaged in misconduct that resulted in significant financial or reputational harm to the covered institution, fraud, or intentional misrepresentation of information used to determine the senior executive officer or significant risk-taker’s incentive-based compensation.
The proposed rule would require all Level 1 and Level 2 covered institutions to have a risk management framework for their incentive-based compensation programs that is independent of any lines of business; includes an independent compliance program that provides for internal controls, testing, monitoring, and training with written policies and procedures; and is commensurate with the size and complexity of the covered institution’s operations. In addition, the proposed rule would require Level 1 and Level 2 covered institutions to:
- Provide individuals in control functions with appropriate authority to influence the risk-taking of the business areas they monitor and ensure covered persons engaged in control functions are compensated independently of the performance of the business areas they monitor; and
- Provide for independent monitoring of:
- incentive-based compensation plans to identify whether the plans appropriately balance risk and reward;
- events related to forfeiture and downward adjustment and decisions of forfeiture and downward adjustment reviews to determine consistency with the proposed rule; and
- compliance of the incentive-based compensation program with the covered institution’s policies and procedures.
To be considered independent under the proposed rule, the group or person at the covered institution responsible for monitoring the areas described above generally should have a reporting line to senior management or the board that is separate from the covered persons whom the group or person is responsible for monitoring. Some covered institutions may use internal audit to perform the independent monitoring that would be required under this section.
…the proposed rule includes a requirement that internal audit or risk management submit a written assessment of the effectiveness of a Level 1 or Level 2 covered institution’s incentive-based compensation program and related control processes in providing risk-taking incentives that are consistent with the risk profile of the covered institution.
…the proposed rule would require each Level 1 or Level 2 covered institution to establish a compensation committee composed solely of directors who are not senior executive officers to assist the board of directors in carrying out its responsibilities under the proposed rule. The compensation committee would be required to obtain input from the covered institution’s risk and audit committees, or groups performing similar functions, and risk management function on the effectiveness of risk measures and adjustments used to balance incentive-based compensation arrangements. Additionally, management would be required to submit to the compensation committee on an annual or more frequent basis a written assessment of the effectiveness of the covered institution’s incentive-based compensation program and related compliance and control processes in providing risk-taking incentives that are consistent with the risk profile of the covered institution. The compensation committee would also be required to obtain an independent written assessment from the internal audit or risk management function of the effectiveness of the covered institution’s incentive-based compensation program and related compliance and control processes in providing risk-taking incentives that are consistent with the risk profile of the covered institution.
The proposed rule would require all Level 1 and Level 2 covered institutions to have policies and procedures that, among other requirements:
- Are consistent with the requirements and prohibitions of the proposed rule;
- Specify the substantive and procedural criteria for forfeiture and clawback;
- Document final forfeiture, downward adjustment, and clawback decisions;
- Specify the substantive and procedural criteria for the acceleration of payments of deferred incentive-based compensation to a covered person;
- Identify and describe the role of any employees, committees, or groups authorized to make incentive-based compensation decisions, including when discretion is authorized;
- Describe how discretion is exercised to achieve balance;
- Require that the covered institution maintain documentation of its processes for the establishment, implementation, modification, and monitoring of incentive-based compensation arrangements;
- Describe how incentive-based compensation arrangements will be monitored;
- Specify the substantive and procedural requirements of the independent compliance program; and
- Ensure appropriate roles for risk management, risk oversight, and other control personnel in the covered institution’s processes for designing incentive-based compensation arrangements and determining awards, deferral amounts, deferral periods, forfeiture, downward adjustment, clawback, and vesting and assessing the effectiveness of incentive-based compensation arrangements in restraining inappropriate risk-taking.
The proposed definition of “significant risk-taker” incorporates two tests for determining whether a covered person is a significant risk-taker. A covered person would be a significant risk-taker if either test was met. [The first test is based on compensation levels.]
The second test is based on whether the covered person has authority to commit or expose 0.5 percent or more of the capital of the covered institution or an affiliate that is itself a covered institution (the “exposure test”).
Clearly, this is the topic of the day, if not the year and decade.
The leader of Protiviti’s IT audit practice, David Brand, has weighed in with “Ten Cybersecurity Action Items for CAEs and Internal Audit Departments”.
He has some valuable ideas that merit consideration, not only by internal auditors, but by security professionals, boards, risk officers, and more broadly among the executive group.
I will let you read his post and suggested action items.
But, as usual, I do have comments.
For a start, the three areas of risk that Brand lists do not top my personal list.
His list does not include the ability of a cyber attack to shut down the company!
When I was at Tosco, an oil and gas refining company, I engaged what was then Anderson (the people are now with Protiviti) to perform some ‘white hat’ intrusion testing. They were able to obtain root level access in one of our refinery’s control systems. That access would have permitted them to change temperature and/or pressure settings that could have led to a fire, explosion, and loss of life. The damage would have shut down the entire refinery, probably leading to the demise of the whole company.
We know that hackers from nation states and others might be interested in attacking our infrastructure systems, again causing catastrophic damage and huge financial loss. Certainly, they might be interested in taking actions that could cause a financial institution to be unable to service its customers.
No wonder the Federal and other governments worry about cyber!
Turning to his ten suggestions, I would prefer greater emphasis on his last point – staffing and resource shortages.
If I was on the board, or helping management assess cyber risk, I would be most concerned about whether the management team has the personnel with the appropriate level of experience and insight to understand cyber risk and adapt as the threats change. I would be concerned about whether they have the budget necessary a well as the influence with management to (a) understand the business risk, and (b) influence them to take necessary actions.
I would also like to see greater emphasis on considering cyber-related risk as new technology is implemented. Before, rather than after the fact! Are the information security personnel appropriately involved when new mobile devices and applications are considered, when Artificial Intelligence and Machine Learning uses are planned, or when the Internet of Things will be leveraged?
I agree with Protiviti that board engagement is important. But would prefer to see them focus their attention on whether management has the capability to manage the risk rather than see them get their fingers into the pie, trying to manage the risk themselves.
So, some useful tips but not, IMHO, a complete list.
What do you think?
An April 2016 publication by PwC should kick-start an interesting conversation.
Risk in review: going the distance makes some interesting points.
“We live in turbulent times. In recent years, widespread business disruption has spurred companies to focus on acquiring the agility to quickly identify and seize new opportunities”.
This is absolutely right. Organizations everywhere need to become more agile. They need to understand change before it hits them between the eyes, adapt at speed, and ensure the corporate vehicle doesn’t tip over in the process.
PwC starts with definitions that merit thought.
- Risk agility: The ability to alter and adapt risk management infrastructure to respond quickly to changing markets, customer preferences or market dynamics.
- Risk resiliency: The ability to withstand business disruption by relying on solid processes, controls and risk management tools and techniques, including a well-defined corporate culture and a powerful brand.
I have an issue with their definition of agility. As PwC themselves say, organizations need to build “agile and flexible risk management frameworks that can anticipate and prepare for the shifts that bring long-term success”.
Note the word, “anticipate”.
As an attendee at the Chicago Risk ReImagined event pointed out, we can’t wait and respond. We have to find a way to anticipate what might happen. Let’s change the definition of agility to:
“The ability of management to alter and adapt its strategies, plans, and decisions in anticipation of the potential for markets, customer preferences, market dynamics, regulations, or other factors (both internal and external) to change.”
Note that it is not sufficient for the risk management framework and process to change. The organization as a whole needs to be prepared and able to change its direction – and that requires a nimble risk management capability.
I also have an issue with the definition of resiliency. Again, the whole organization needs to have resiliency, not just the risk management activity – and its ability should not be limited to respond to adverse events and situations. Let me see if I can put a more positive spin on this.
“The ability of the organization, its systems, processes, organization, and people, to respond promptly and effectively to both threats and opportunities should they arise.”
Note that I was able to avoid using the ‘R’ word. This helps the discussion with management and the board. Risk management provides valuable information to anticipate what might happen, analyze and evaluate potential effects, and identify the best response.
Leaving that aside, there are some nuggets to be mined in the PwC publication. (Emphasis added by me.)
- Our analysis shows that risk-agile companies are far more likely to say they expect significant revenue and profit-margin growth than those that are not risk agile.
- Risk management should be leveraged as a defensive tactic as well as an offensive catalyst. It comes down to how a company manages the upside combined with the downside of each business risk.
- Comment: so much for the idea that it’s all about defense! See the next quote.
- “Historically, risk management has been about preventing losses, protecting the downside,” says Kimberly Johnson, Senior Vice President and Chief Risk Officer at Fannie Mae. “But that’s all playing defense. We think about risk also in terms of how to create opportunities because you find ways that you can make the right risk trade-off: where there are returns.”
- Technology firms excel at identifying opportunities ahead of the competition: 56% of technology firms say they are good at this, compared with only 45% of total respondents.
- Comment: if tech firms lead at 56%, the rest are true laggards – overly focused on defense and resilience.
- Overall, our survey results tell us that for near-term revenue and profit margin growth, risk agility trumps risk resiliency.
- Companies that are able to truly align their risk management activities with their strategic planning process and/or strategic priorities are moving the needle from enterprise risk management to strategic risk management.
- Comment: sorry, PwC, but this is pure consultant b******t. They are defining ERM in terms of the traditional practice of periodic reviews of top risks, when true ERM today is far more dynamic and part of the rhythm of the business. True ERM is what they describe as strategic risk management. Remember that risk management helps an organization achieve its objectives. By definition, when applied to the enterprise, those are enterprise objectives. I will let you decide why PwC is coming up with a new name.
- There are too many examples of companies across sectors that allow their growth to outpace their infrastructure. The unfortunate result is that their vulnerability peaks, and risk events become more crippling to their brands.
- Everyone at the firm—whether you’re an analyst, in operations, on the risk team, the CEO, or the CIO [chief information officer]—everyone is asked to think about risk as part of their business… so there’s constant back-and-forth in a constructive manner. It’s not like we meet only once a week at 7 A.M. and ‘Don’t bother me until then.’ It’s very interactive.
- Within high performing companies, 63% of Chief Risk Officers (CROs) say they are seen as catalysts for growth compared with 36% of CROs overall.
I will close with that last point.
Only 36% of respondents (it not clear whether PwC limited their survey to risk, compliance, and audit leaders, but it appears so) see risk management as a catalyst for growth. While this is higher for ‘high performing companies’, and higher than the results of the Deloitte study that found very few risk functions were seen as enabling the setting and execution of strategy, it reflects a continuing failure of CROs.
Business leaders, in the executive suite and on the board, are focused on performance. While CROs can see hazards and threats as obstacles to performance, they must broaden their gaze – and their language – to speak and act in alignment with their leaders in the organization.
How can we best achieve our objectives of growth, profits, value to our stakeholders, while avoiding stumbles and remaining in compliance?
How can we all help our organizations be nimble and quick?
I welcome your thoughts on this study and what it means.
I have been writing about the tough topic of risk appetite for a long time! Here’s a partial list of my blog posts, which go back to 2010.
- Compliance and risk appetite – July, 2015
- A huge problem with risk appetite and risk levels – May, 2015
- Auditing risk appetite – September, 2014
- My tolerance for risk appetite is fading – June, 2014
- Just what is risk appetite and how does it differ from risk tolerance? – April, 2014
- The continuing failure of the risk appetite debate to focus on desired levels of risk – March, 2014
- What is your risk appetite? – September, 2013
- The tricky business of risk appetite: a check-the box chimera or an effective guide to risk-taking – August, 2012
- COSO contributes to thought leadership on risk appetite – January, 2012
- New guidance on risk appetite and tolerance. I like some parts, disagree with others – September, 2011
- An effective risk tolerance, appetite, criteria etc. statement – May, 2011
- A discussion of risk appetite by thought leaders – November, 2010
- Food for thought on risk appetite – February, 2010
Yet, I am still searching for examples of organizations who have done this well – and by that I mean establishing desired levels of risk for the enterprise as a whole that lead to the best business decisions at all levels of the extended enterprise.
Last week, in Chicago, Richard Anderson and I debated this point. He thinks it is being done, but I have significant doubts.
In a few weeks, we will debate this again with a group of practitioners and thought leaders at RiskReimagined London. (Spaces are still available.)
Why am I still searching?
Let me see if I can explain the predicament.
Example 1: we manage a company that grants loans to small businesses across the globe. We set a risk appetite statement that says that we want to take risk that is ‘valued’ at between $100 million and $200 million. It’s a range because if we don’t take enough risk, our profits will suffer. $100 million is the lowest we can go if we are to break even. If we take too much, we may suffer losses that cannot be sustained comfortably and we have defined ‘too much’ risk as $200 million.
We have five offices that grant loans: in Sydney, London, San Francisco, Buenos Aires, and Singapore. In each, five managers approve new loans.
In any of these five, a single manager oversees all the loan approvals and can make sure that his office stays between $20 million and $40 million. We have cascaded our enterprise range and set an allocated range of risk to each office. Some call this ‘risk tolerance’, although that is not how COSO describes risk tolerance.
As a result, the company as a whole will stay between $100 million and $200 million.
But while we are ‘safe’, we have not optimized our results.
Our ideal level of risk will typically be nearer $200 million than $100 million.
How likely is it that we will obtain an enterprise level of risk of, say, $180 million?
Even if everybody is communicating often and openly, it is unlikely.
If Buenos Aires can only sell $30 million and London $25 million, then the other three will have to sell a total of $125 million. That is more than the allocated $40 million they each have.
OK, if one person approves all loans, then it may be possible to get to $180 million. But that level of bureaucracy would slow the company down and make it highly inefficient – damaging customer satisfaction. Remember, customers want quick decisions made locally.
In this example, the risk appetite statement may prevent the company from taking an unacceptably high level of risk, but will it drive optimal performance?
Rather than driving the right decisions and proactively taking the desired level of risk, management can only see total enterprise risk levels after the fact.
Note that I set risk appetite as a range. That is not common. If a low end is not set, will this company survive? Each location could consider it is safe to be much lower than their allocated risk level.
Example 2: this time, our business operates gas stations. We are considering purchasing three more stations. We have set a risk appetite for our total level of oil spill cleanup and remediation at $25 million and our current exposure (based on the stations we already own) is $15 million.
We perform a risk assessment for each of the three potential acquisitions. The level of risk at the first is $5 million, the second is $8 million, and the third is $12 million.
The risk manager decrees that acquiring the third would take us over our risk appetite and we should, instead, focus on the other two.
The problem is that, like most risk managers, he is only considering the downside.
If we look at the potential profit to be earned at each of the three, we find the numbers are: $5 million for the first, $10 million for the second, and $20 million for the third.
Which is the wise decision?
Although the first station is within our risk appetite, an acquisition seems to make little sense from a business point of view.
The second may make sense, but only if the total of all risks relating to the acquisition would not only be lower than potential profit but would deliver an acceptable rate of return on our investment. There are probably other factors that would go into the decision.
While the risk manager wants to eliminate the third based on the risk appetite statement, the potential for reward is huge! Perhaps the risk appetite statement should be increased so we can take advantage of the significant increase in profits. In fact, the increased level of profits might well increase our ability to sustain a loss.
Making decisions based only on the potential for harm is not good business decision-making.
Decisions should be made based on the full picture of all the things that might happen.
The upside possibilities should be identified and evaluated in the same way as the downside, otherwise how can management know they are making informed and intelligent decisions that will drive the organization to success?
These are just two examples. I am sure you can come up with more.
Or, can you share how risk appetite statements enable informed and intelligent decisions that enable success? I suspect that all they do is prevent harm rather than enable decisions that lead to taking the right level of the right risks.
I welcome your comments.
How should this be done? Some would say that the IIA’s quality assurance standards, which require both ongoing and periodic quality reviews, are the answer.
I am not one of those people.
While I agree that procedures performed by the CAE and his team to assure quality are important, and that an independent quality assurance review should be performed every so often, I am not persuaded that they do enough to assess effectiveness – and especially whether internal audit is provided all the value it should.
Who receives the value from internal audit? The answer is that the board (perhaps via the audit committee) and top management are the primary customers. Other customers include operating management, the external auditors, and (often) the regulators.
The only way that effectiveness and value should be measured is through the eyes of the primary customer.
Do we simply ask them whether internal audit is effective and providing value? Do they even know what internal audit should be delivering?
Maybe they have heard that internal audit provides assurance and value-added advisory/consulting services. But what does that mean? How much should they expect?
Some years ago, I asked the chair of the audit committee how we were doing. His answer was that we “helped him sleep through the night”. I believe that’s a clue.
Later, I asked the two presidents of our major divisions the same question. The first said that “you have yet to perform an audit that I wouldn’t gladly pay for”; he also told a visiting state governor that “internal audit gives the company a competitive advantage”. The second president told a visiting state attorney general that “internal audit helps keep the company efficient”.
These are also clues.
Others lie in work by Deloitte and Ernst & Young with respect to risk management. Deloitte asked board members and executives whether risk management “helps then set and execute on strategy”. That is a very perceptive question that strikes to the core value of risk management. Ernst & Young says that “effective risk management gives leaders the confidence to take risk”. I like that very much as well!
So what is the question that we should ask board members and executives about internal audit?
How about this?
Does internal audit provide you with the assurance you need to have confidence in the ability of the organization’s people, processes, and systems to lead the company to success? Where there are opportunities to improve, do they provide actionable information that enables you to make the appropriate changes?
Note that I didn’t mention either risk management or internal controls. Both are included, essential enablers, of effective systems, processes, and so on.
I don’t want to ask them questions about risk and controls. I want to ask whether our work helps them be more successful.
What is the question you would ask?
Do you like mine?
What do you think the typical answer would be from board members and executives?
Is there a similar question that the board should be asked about the CEO and CFO?
 For more internal audit stories and how I came to my views about internal audit effectiveness, please consider World-Class Internal Auditing: Tales from my Journey
One of the studies I have referenced for a few years has been updated. The ERM Initiative at North Carolina State University has released the 7th edition of The State of Risk Oversight: An overview of risk management practices.
The principals at the ERM Initiative, Mark Beasley in particular, have been active in the ERM area for a number of years. From what I can tell, they have been primarily associated with and involved in the COSO view of risk management rather than that of ISO (the 31000:2009 global risk management standard).
I have been using a sad statistic from the 2010 edition of this publication, which reported that only 3.4% of respondents believed their risk management program was “fully mature”. This number is essentially unchanged at 4% (the latest edition is based on responses to a survey in 2015).
However, respondents are not provided with a definition of “fully mature”- or at least one is not provided in the report.
Instead, respondents define for themselves what a “complete” risk management program entails (another survey uses this as the highest level of risk management maturity) or when it is fully mature.
COSO ERM goes further than, from what I can see, the ERM Initiative surveys. The survey asks about the frequency with which a list of top risks is reviewed and how often it is updated (very few indeed do it monthly or better). But it doesn’t talk about whether the consideration of risk is embedded into decision-making across the organization, which COSO ERM does. Nor does it address whether risk management “helps an organization gets where it wants to go” – another COSO ERM statement, which recognizes that risk management is about more than avoiding hazards and threats.
So what are we to make of this?
There seems to be growing pressure from boards and regulators to improve risk management practices, and there is every reason for them to be concerned at the current state! Yet, little progress is being made. 4% self-report that they have fully mature risk management, with larger companies (revenues greater than $1bn) at 9%.
Will this study make a difference?
I doubt it.
The emphasis has to move towards whether, as Deloitte has said, risk management is helping an organization set and then achieve its strategic goals.
Focusing on risk management as a silo, separated from the rest of effective management of the organization, is not going to persuade boards and executives (the latter are clearly reluctant to invest in what is seen as a compliance activity) to move the practice forward because it is an essential element in informed, intelligent decision-making.
Let’s start talking about effective management that includes risk management.
When will we get a survey on that?
My thanks to the 232 people who answered my short survey.
I wanted to know how many have shifted to basing their audit plan on risks to the enterprise (perhaps linked to their organization’s ERM program); how many remain with the traditional approach of addressing risks to individual processes, business units, or locations; and how many are somewhere in between.
As a reminder, in the traditional approach, an ‘audit universe’ is built, listing all the organization’s business units, divisions, locations, processes, and so on. That list is then ‘risk-ranked’ using attributes such as revenues; assets employed; number of employees; complexity; time since last audit; severity of issues in last audit; whether new systems have been deployed; whether new management is in place; and so on. The entities that rank highest are included in the audit plan. Prior to each audit, a second risk assessment is performed to identify the more significant risks to that entity.
The enterprise risk-based approach starts with understanding the risks to the organization’s objectives and strategies. The risks disclosed in regulatory filings are considered, as are major new initiatives approved by the board. If the organization has an enterprise-wide risk assessment in place that can be relied upon, it is usually a major driver. The goal is to identify the more significant risks to the successful achievement of enterprise goals, objectives, and strategies. It is more of a top-down approach. When individual risks are considered, such as privacy, cyber, or reputation risk, they are assessed based on their potential effect on the organization as a whole.
Here are the results.
- 11% Risks to the enterprise
- 15% Risks to individual auditable entities such as processes, locations, business units
- 32% A combination of the above. but more enterprise risks
- 42% A combination, but more at the process business unit, or location level
Clearly, the great majority base their audit plan on some combination of (macro) enterprise-level risks and (micro) risks at a lower level of the organization.
Somewhat more have weighted their plan towards the micro level than the macro level.
So what does this all mean?
My personal assessment is that this reflects solid progress from the traditional (i.e., micro level) towards the enterprise risk-based approach I advocate. But room for improvement remains .
While I agree that certain ‘micro’ risks need to be addressed in audit engagements, I believe that is because they are important to the enterprise as a whole – in other words, although the source of the risk is ‘micro’, I would actually call them ‘macro’ risks. For example, the safety of workers at a single factory might be considered a micro risk. But, I would include a related engagement in the audit plan if I believed that a failure to manage safety risk in that single factory represented a significant risk to the enterprise as a whole. I would not address it otherwise (absent other factors, such as a request from the board or CEO), because there are always more significant (to the enterprise) risks than I have resources to address.
So, I think the results are encouraging.
Hopefully, this will trigger the consideration of the enterprise risk-based approach by those with a more traditional methodology. Let’s audit the risks that matter to the leadership of the organization, what KPMG calls “critical risks”. If we don’t do that, the value gap between board and C-suite expectations (that we provide advice, insight and assurance on the issues they face as they lead the organization) and what IA delivers will persist.
I also believe that The IIA Standards Board should review its risk assessment standards. Do they support the enterprise risk-based approach, or are they only directed towards the traditional methodology. I believe that when they say that a risk assessment should be done for every engagement, focused on risks to the entity being audited, they are falling behind emerging best practices.
I welcome your comments.