Internal audit and ERM accused of failing to hit the mark

July 15, 2017 8 comments

The consulting firm CEB (now part of Gartner) published a piece in 2014, Executive Guidance: Reducing Risk Management’s Organizational Drag.

It has been used recently to support an argument by a critic that both internal audit and ERM are failing. This was said in the last few weeks on Twitter:

  • “CEB survey focuses on some key failings of traditional internal audit and ERM.”
  • “CEB survey report does a good job describing problems with IA/ERM but not as good with its prescription to fix the problem.”
  • “CEB/Gartner report puts the spotlight on assurance silo overload.”

Leaving aside the fact that it is a 2014 product based on 2012 and 2014 analysis (and therefore should not have been used to discuss the current situation), how good is the CEB piece and what does it say about (a) internal audit, and (b) risk management? How accurate and relevant are its observations today?

Unfortunately, the critic mistakenly conflates internal audit and risk management. Both have their challenges, but they are different – different challenges for different organizations.

One is part of management and the other is independent.

Lumping them together confuses and distracts from addressing their individual challenges.

The CEB piece gets off to an awful start with this sentence:

In the present day, when those types of risks [financial and hazard risks such as the effects of a typhoon] can be transferred through hedging and insurance, they have taken a backseat to strategic, operational, and reputational risks that assurance functions and business leaders must identify and manage themselves.

First, practitioners know that you cannot really “transfer” a risk. That is dated thinking (sorry, insurers). Instead, you are sharing it more often than not. For example, there is always a possibility that the insurance claim will be denied, the insurer will fail, or not all the effects will be fully compensated.

Secondly, assurance providers do not “identify and manage” risks – that is the responsibility of operating and executive management with oversight from the board.

CEB recovers somewhat when they talk about how the increasingly extended enterprise and the growing volume of data captured by any enterprise has changed at least part of the risk landscape.

But then they start to categorize risks, saying:

With shareholder value as the barometer, the most potentially damaging types of business risks are the strategic ones, such as competitive incursions or declining demand for a core product. CEB’s analysis of significant market capitalization declines in the past decade shows that 86% of them were caused by risks that were strategic in nature—with operational risks as a distant second place.

Risk is the effect of uncertainty on objectives. That means that to properly assess any source of risk you have to consider how it could affect the achievement of specific objectives.

So, the only risks that rate as “high” would be those with a significant potential effect on the achievement of objectives.

Operational miscues can have a dramatic effect on objectives, leading to customer dissatisfaction and loss, product failure, and so on. Just think of Deepwater Horizon.

Compliance failures can similarly impact objectives when they are so severe that operations are constrained or even closed. Consider the Novartis problem in Japan.

CEB’s analysis by categorization is fallacious and misleads more than it helps.

If you say that strategic risks are those that might have a significant effect on objectives, which can include operational and compliance risks, then it is only to be expected that these are the ones that result in failures to execute and deliver on strategies.

Then there is the paragraph that has drawn the attention of the critic:

At most companies, however, assurance departments with the formal responsibility of identifying (and sometimes managing) risks—such as with Internal Audit in the following graphic—consider strategic risks to be out of their scope and instead see them as business owners’ responsibility.

This is simply a misreading of the situation.

While it is true, based on other surveys and my own observations (the CEB offers no evidence for its observation), that many internal audit functions do not include all significant risks to enterprise objectives in their audit plans, it is not because they consider them “out of scope”.

All risks are potentially auditable. CEB gets that 100% wrong.

Further, all risks are business owners’ responsibility, so the statement about strategic risks being business owners’ responsibility carries no weight.

IMHO, it’s true that many internal audit functions don’t include all significant sources of risk to strategies and objectives in the audit plan. But the reasons lie elsewhere.

It may be because:

  • They don’t have the resources or ability to address them and are unwilling to ask for those resources.
  • They simply didn’t think of them.
  • The audit committee doesn’t support their auditing these issues.

That’s all that is said by CEB about internal audit. The rest is about risk management.

The following CEB assertion may be true (again, no evidence is offered but I believe it to be often true):

Operational executives know risk and strategy go hand in hand, but they struggle to address them together. Similar to how enterprise risk management (ERM) efforts rarely link cohesively into corporate strategy, typical strategic planning processes run by line executives do not do enough to incorporate and address risks.

I entirely agree with these excerpts:

  • Too much focus on risk versus reward can encourage “risk aversion,” resulting in lost growth opportunities.
  • The risk prevention activities (i.e., eliminating any chance of risk) that are appropriate for other kinds of risks can lead to avoidance or aversion of strategic risks that companies would be better off taking. When companies overemphasize the risk (not reward) of strategic decisions such as developing new products, entering new markets, or selecting merger and acquisition targets, they can inadvertently foster indecision or inaction among executives and frontline staff by making them too cautious.
  • Leading companies view every decision they make as a risk decision; they explicitly link risk to overall corporate strategy and deliberately choose their risks with great calculation.
  • In short, leading companies win because they empower their employees to take and manage risks, not because they do a better job preventing them.
  • Incorporating multiple perspectives on both risk and opportunity removes biases in the planning process and improves confidence in strategic decisions.
  • Scenario planning is a common approach that incorporates strategy and risk. Leading companies are increasingly conducting scenario analyses on hypothetical strategies to identify potential outcomes, associated risks, and alignment with corporate risk thresholds.
  • Embedding risk in strategic planning, and vice versa, is most effective during planning months and for a short time afterward. But during the rest of the year, risk-comfortable executives who lack clear understanding and guidance on what is, and what is not, an acceptable level of risk will expose the company to greater risks through their day-to-day decisions.
  • From our experience, leading companies that ensure a risk-based context for strategic decisions improve decision quality by as much as 42%, and companies that effectively reduce risk aversion can accelerate executive action by 34%.
  • Companies’ greatest risks are their people. Instead of focusing disproportionately on risk processes, leading management teams and assurance groups anticipate and manage the root cause of most risks: human behavior and judgment.

So overall, the CEB has some good stuff. I really like much of their language, especially in the points above about risk aversion and indecision. There is more in their document that has merit, especially about human bias and how it affects judgement and risk-taking.

But does it capture all or even the more significant problems with either internal audit or ERM practices? Does it offer the right solutions?

I am not persuaded that it does on either count.

I am not going to conflate the two separate activities. Let’s take them one by one, starting with internal auditing.

First, I have to say that while there has been significant progress in internal audit practices over the last several years, problems remain. As I have written before, the majority of board members and executives report that they do not believe internal audit addresses the risks that matter to them, the more significant risks to enterprise objectives.

This is critical!

In addition, many internal audit functions:

  • Only update their audit plans annually. They should instead, as recommended by Richard Chambers and me, be updated continuously – at the speed of risk.
  • Do not provide assurance on the management of risks to objectives. Instead, they assess and rate controls without indicating which objectives might be affected and by how much.
  • Do not provide actionable information, helping leaders know not only what might be wrong but whether strategies and even objectives might need to be changed.
  • Limit the insight they provide to what is written in the audit report. It’s so much better to have a conversation.
  • Make it difficult for leaders to find the nuggets of valuable information in their audit communications by burying them in a mountain of trivia in their audit report. Auditors need to communicate what leaders need to know, not what they themselves want to say, and do it clearly, concisely, and promptly. Leaders need actionable information now.

If CAEs and their teams focus on these six points, they are on the way to success.

Turning next to risk management, the CEB identifies some important points.

But there is a huge disconnect between practitioners and leaders at many if not most organizations.

Here are some of the problems, all of which I have written about before. Too many risk management functions:

  • Focus on the possibility of failure instead of how to succeed.
  • Think that the periodic review of a list of risks is risk management. It is not. It is enterprise list management (DeLoach). Risk needs to be managed continuously.
  • Focus on risks out of context instead of the possibility and degree that an enterprise objective might or might not be achieved.
  • Do not set as a goal helping decision-makers make the informed and intelligent decisions necessary for success.
  • Apply their discipline only to the possibility and magnitude of potential bad things, not to both good and bad.
  • Fail to recognize that an event or situation can have multiple effects, some of which are good and some not so much.
  • Talk in their own technobabble (i.e., risk) instead of the language of the business. It is better by far to talk about what might happen and whether that is OK.
  • Do not understand that risk is taken or modified with every decision. A corporate-level risk appetite statement does not guide every decision and every taking of risk.

There is more, but if risk managers address these eight points, they should be on the way to success.

I discuss both issues, internal audit and risk management effectiveness, in separate books: Auditing that matters and World-Class Risk Management. There is more to be said and done on this topic, and hopefully both practitioners and their critics will see value in reading them.

What would you add?

I welcome your comments and perspectives.

What does your risk management activity seek to achieve?

July 8, 2017 4 comments

From time to time, I am asked to help an organization take its risk management to the “next level”.

I strongly believe that, as ISO 31000:2009 says in one of its principles, risk management needs to be customized to meet the needs of the organization (and changed iteratively as the business and its needs change).

An organization that is relatively constant in its business and doesn’t face rapidly changing, even turbulent, risks doesn’t need the same design, structure, tools, and staffing for risk management as a trading company.

An organization where decision-making is centralized doesn’t need the same risk management activity as one that is highly decentralized.

It is essential to understand what the organization needs and how critical the management of risk is before settling on a design, let alone trying to implement or upgrade risk management.

That is why I like a feature in Enterprise Risk (the official magazine of the Institute of Risk Management) where Iain Wright was interviewed. In Living on the Ceiling, Iain describes how he defined a vision for his risk management function at Old Mutual Wealth.

First, it needed to provide the business with consistent insight and challenge. Second, to effectively advise and support the business and strategic decision making. Third, to give assurance that customer and shareholder interests are protected. Finally, to build trust with internal and external stakeholders through consistent delivery and high performance.

It is simply stated, meaningful, and sets the bar high.

If achieved, Iain’s team should be seen by the board and top management as having great value, helping them make informed and intelligent decisions that drive the successful achievement of objectives.

Before you can determine whether your risk management activity is effective, you have to know what the organization needs from it. Then you set objectives and strategies to achieve them before executing on them, monitoring performance, and adjusting as needed.

It’s just like managing any other part of the business or the organization as a whole.

Is it clear what risk management needs to deliver at your organization for it to be successful?

I still like the question Deloitte asked of board members and executives: does risk management help you set and then execute your business strategies?

I welcome your comments.

What do audit committees think about risk and audit?

June 29, 2017 4 comments

I am encouraged by the latest KPMG report, their 2017 Global Audit Committee Pulse Survey.

I am encouraged because KPMG appears to be asking the right questions and getting intelligent answers.

Here are some interesting excerpts, with emphasis added:

  • …nearly 4 in 10 said the [audit] committee’s effectiveness would be most improved by having a “better understanding of the business and key risks”
  • The effectiveness of risk management programs generally, as well as legal/regulatory compliance, cyber security risk, and the company’s controls around risks, topped the list of issues that survey participants view as posing the greatest challenges to their companies. It’s hardly surprising that risk is top of mind for audit committees—and very likely, the full board—given the volatility, uncertainty, and rapid pace of change in the business and risk environment. More than 40 percent of audit committee members think their risk management program and processes “require substantial work,” and a similar percentage say that it is increasingly difficult to oversee those major risks.
  • Internal audit can maximize its value to the organization by focusing on key areas of risk and the adequacy of the company’s risk management processes generally. The survey results show that audit committees are looking to internal audit to focus on the critical risks to the business, including key operational risks (e.g., cyber security and technology risks) and related controls—and not just compliance and financial reporting risks. They also want the audit plan to be flexible and adjust to changing business and risk conditions.
  • Tone at the top, culture, and short-termism are major challenges—and may need more attention. A significant number of audit committee members—roughly one in four—ranked tone at the top and culture as a top challenge, and nearly one in five cited short-term pressures and aligning the company’s short- and long-term priorities as a top challenge. Meanwhile, nearly the same percentage of audit committee members said they are not satisfied that their committee agenda is properly focused on those issues.

Whether you are on a board, an executive, a risk or internal audit practitioner, each of these areas merits attention.

Does this survey reflect the situation at your organization? If so, what is being done about it?

I welcome your views.

The future of risk management

June 24, 2017 Leave a comment

The Institute of Risk Management has a great feature where they have asked people around the world, including a number of luminaries, about the future of risk management.

I was honored to be asked to contribute a video, which you can find on their web page, Risk Agenda 2025: Hear from the experts.

It is intentionally provocative and I hope it will provoke you to join the debate.

Trusted advisors and world-class internal auditors

June 23, 2017 3 comments

I was recently privileged to receive a signed copy of Richard Chambers’ latest book, Trusted Advisors: Key Attributes of Outstanding Internal Auditors. Richard is the President and CEO of The Institute of Internal Auditors, a veteran of internal audit at the highest level, a friend, and an individual with whom I love to debate the practices of internal auditing and risk management. (I hope I am influencing his views on the imminent update of the COSO ERM Framework.)

I thoroughly recommend the book for any internal auditor, at any level.

Richard covers nine attributes of internal auditors who are seen by their customers in executive and operating management as “trusted advisors”. They are based on the results of a survey of CAEs and are grouped into three categories:


  • Ethical resilience
  • Results focused
  • Intellectually curious
  • Open-mindedness


  • Dynamic communicators
  • Insightful relationships
  • Inspirational leaders


  • Critical thinkers
  • Technical expertise

I will let you purchase the book (now on sale to IIA members) and read it in detail.

It makes an excellent companion to my book, Auditing that matters. I focus on the design and staffing of a world-class internal audit function, with a portion dedicated to the attributes of what I consider ideal members of the team, while Richard focuses the whole book on the latter.

So how do you leap from a trusted advisor to a world-class internal auditor? There are a couple of points that I did not see covered. Maybe I am taking them to the next level.

The first is seeing your purpose, your mission, as helping the organization and its leaders succeed rather than simply avoiding failure.

Pointing out deficiencies, even when you also point out remedies, is insufficient to be world-class. For that, you need to focus on the issues that matter to leadership and then provide them with the assurance, advice, and insights they need, when they need it, in an actionable form that is quickly digested and acted upon. Give them what they need to achieve their objectives and strategies. In other words, help them succeed.

This requires that we have such an understanding and appreciation of the business and what it takes to run it that we are willing to recommend taking risk when that is right for the business. Sometimes, even taking more risk.

The second is related: being able to hold a productive and constructive hour-long conversation about the business with an executive without ever using the words ‘risk’ or ‘control’.

If you are to tackle the issues that matter and add value through your insight, then you need a truly deep understanding of the business and how it is and should be run.

That’s not an easy task!

These are just a couple of attributes of world-class internal auditors, people who stand out to management so much that they are usually offered leadership positions themselves.

What do you think?
Always-On risk and strategy management

June 10, 2017 7 comments

I like the idea of “always-on” strategy and performance management, as discussed in a piece by members of the BCG consulting firm.

Always-On Strategy hardly mentions the word “risk”, but it’s there in a major way.

Consider this:

To increase the odds of success in today’s turbulent environment, leading companies are complementing their annual strategy-setting process with something more dynamic. We call it always-on strategy.

Always-on strategy gives companies a systematic way to scan for signs of disruption and explore unexpected changes to the strategic environment. Companies identify the most pressing strategic issues and regularly engage senior leaders in formulating a response.

Doesn’t this sound like risk identification, assessment, monitoring, and response?

Aren’t “issues” the same as risks?

Later, the authors say:

Always-on strategy complements the annual [strategy] process by giving senior leadership a regular forum in which to monitor and discuss issues that warrant continual attention, including those identified during the annual process and during the course of the year.

Isn’t this what we strive to achieve with risk management, addressing the issues that might affect the achievement of strategies and objectives?

But the authors see issue or risk monitoring as the responsibility of the Chief Strategy Officer:

The Chief Strategy Officer (CSO) and the strategy team are ideally positioned to identify issues from the top down, both in the business units and externally. They can provide a structure and tools to capture and filter information from the broader organization.

CSO doing this instead of the CRO?

What does this mean?

If the language of strategy and issues resonates with leadership, use it instead of the technobabble of risk.

I met one CRO who reports to the CSO.

Is that a model that makes sense (in non-regulated industries – because the regulators have a risk-averse view of risk management)?

Maybe it does.

Maybe it allows and stresses an emphasis on achieving objectives instead of ‘managing risk’.

What do you think?

PwC does better on risk management

June 3, 2017 2 comments

Last week, I wrote about a PwC piece that IMHO gave poor guidance to boards and their oversight of risk management.

To be fair, there are people in PwC who “get it”.

A different piece, presumably by different people, makes some important points.

How your board can ensure enterprise risk management connects with strategy says (emphasis added):

  • Any major strategic decision carries uncertainty. A well-developed enterprise risk management (ERM) program can help executives meet key business objectives.
  • “ERM” means different things to different people. Some companies simply use ERM to identify, prioritize and report on risks—protecting value. The best companies use ERM to make better decisions, improve their strategic, financial and operational performance and create value. But it takes work and buy-in at all levels to make that happen.
  • ERM is the collection of capabilities, culture, processes and practices that helps companies make better decisions as they face uncertainty. It gives employees a framework and policies to help them understand, identify, assess and manage risks so the company can meet its objectives. It’s most valuable when it’s integrated with strategic planning.
  • ERM should also look at whether the company is taking enough risk and focus on areas of overperformance as much as poor performance.
  • The best ERM programs allow companies to have both risk agility (can you quickly adapt to a changing environment?) and risk resilience (can you withstand business disruption?). And companies that are committed to effective ERM programs periodically assess how they can be further improved.

All of the above is good.

But after a good start, PwC reverts back to a discussion of how to manage the adverse and ignores what it said about making better decisions, creating value, or taking enough risk.

I am afraid that the updated COSO ERM Framework, which is being led by PwC, will do the same. (It did this in 2004 as well.) They will start with great stuff about decision-making, setting and then executing on strategies, and creating as well as protecting value.

But then they will revert to their roots and talk about managing a list of risks.

Risk management is about understanding what might happen as you strive to achieve your objectives, then taking actions to increase the likelihood and extent of success.

That means that when you make strategic decisions you have to understand not only the possibilities of bad things but the possibilities of good.

Apply the same discipline and process to the likelihood and magnitude of positive effects as you do to adverse.

In addition, if you don’t focus on the achievement of objectives, but instead manage individual risks, how do you know whether you are likely to achieve them – or the possibility of exceeding them?

I only hope that PwC, with the influence of the COSO Board, gets the COSO 2017 ERM update right.

What do you think?

I welcome your comments.

By the way, if you are involved in the ISO 31000 update, do you expect that to be a leap forward enabling advances in practices such as decision-making?