Risk3sixty refers to itself as providing “insights on information risk management, cybersecurity, IT Audit, and Information Assurance”. Christian Hyatt is the lead author and his posts are typically quite short (unlike some of mine).
One caught my eye: “Application Risk Management”, from April of this year. It suggests three steps:
- Build an application inventory
- Assess the level of risk for each application
- Select projects
In such a short post, it is impossible to be anything but high level, possibly even simplistic. However, let me point out a couple of issues.
- In these days of cloud and mobile, it can be incredibly difficult to get a handle on all of the applications used by management across the enterprise to make decisions, process transactions, and so on. Any inventory you build is likely to be out of date within the month.
- The level of risk should be assessed based on the potential for a failure (of or relating to the application) to affect the operation of the business and achievement of enterprise objectives.
Expanding on the latter point, is it better to build the risk assessment based on an inventory of applications (which is a ‘bottoms-up’ approach) or by taking each enterprise objective and considering whether a failure in an application would have a significant effect (which is a ‘top-down’ approach)?
My personal view is to place more attention on the latter, but I can understand the desire to supplement it with a bottoms-up approach.
As Christian asks: how do you assess risk relating to applications?
I welcome your comments.
Let me share a metaphor that illustrates my thinking about risk management – and how many only practice it partially.
Imagine a house.
On a regular basis, inspections are conducted to identify, assess, evaluate, and treat conditions found around the home.
- The cleanliness of the home is inspected and action taken to clean carpets, and so on
- Termite inspections are performed, as well as inspections for other pests
- The condition of equipment is checked, such as the filters and vents for the heating/air conditioning system, the safety of the electrical wiring, the condition of the plumbing system, and so on
- The cars are checked for fuel and oil levels, tire and brake condition, and so on
- The insurance policies are updated as needed, and emergency supplies are verified
A report is provided to and reviewed with the homeowners, who decide whether to make any repairs or other corrective actions.
That all sounds good. It is somewhat analogous to the traditional risk management activity, where risks to objectives are assessed, reports are reviewed with senior management and the board, and actions taken where the ‘risks’ are outside desired boundaries.
But is it enough?
Imagine the same house.
It is a place where people live. The family that resides there is changing the condition of the house all the time, using the equipment and possibly breaking it, cooking and possibly leaving crumbs around to attract pests, leaving toys on the stairs, making a ruckus and annoying neighbors, and so on.
People in the house are making decisions and taking actions that create or modify risk.
Risk needs to be understood and an integral part of the decisions made by the residents, whether grandparents or grandchildren.
So what am I saying?
The management of risk entails both periodic inspections and continuous practice.
Does your organization both inspect the house and live safely in it?
I welcome your comments.
Join me for a discussion about effective risk management. Details of webinars and in-person events are at RiskReimagined.com.
You can also read World-Class Risk Management.
My congratulations go to RIMS and the authors of their State of ERM Report 2015, Carol Fox and Steve Minsky.
The report has some interesting and valuable content. It is well worth taking the time to download and consider.
Let’s start with their definition of ERM. The report says:
RIMS defines enterprise risk management (ERM) as follows: Enterprise risk management is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
Taking an enterprise risk management approach transitions beyond the traditional realms of risk management in that it:
1. Encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.);
2. Prioritizes and manages those exposures as an interrelated risk portfolio rather than as individual ‘silos’;
3. Evaluates the risk portfolio in the context of all significant internal and external environments, systems, circumstances, and stakeholders;
4. Recognizes that individual risks across the organization are interrelated and can create a combined exposure that differs from the sum of the individual risks;
5. Provides a structured process for the management of all risks, whether those risks are primarily quantitative or qualitative in nature;
6. Views the effective management of risk as a competitive advantage; and
7. Seeks to embed risk management as a component in all critical decisions throughout the organization.
Later, they say:
Enterprise Risk Management (ERM) reduces uncertainty and, over time, improves the prospect of success for organizations that have risk management competency.
I like all 7 of the points in the list, especially the last one. While it is important to (as John Fraser says) take periodic stock of the more significant continuing risks, it is just as important (I would argue that is more important) to embed the consideration of risk into every decision-making process across the extended enterprise. Risk doesn’t wait for a periodic review to change; instead, it is created or modified by every decision, every day.
Carol and Steve also promote the formal evaluation of the management of risk:
In today’s complex and interconnected world, companies are in need of a formal evaluation of the effectiveness and maturity of their enterprise risk management programs in order to achieve corporate goals, effectively respond to changing regulations, protect themselves from negative events or trends, and maintain (or improve) credit ratings for efficient borrowing.
In my view, the CEO should provide an assessment to the full board and/or the audit committee. In addition, the CAE should provide a formal report every year.
The report includes some recommendations for taking a risk management program to the next level. I would have liked to have seen more emphasis on:
- Effective, informed, and intelligent decision-making
- Improving the likelihood and extent of good things happening, and
- Breaking down the risk management silo and, instead, considering the management of risk part of effective management. Period.
I welcome your views.
For more of my risk management thoughts, please tune in to our upcoming free webinars.
Note: this post has been updated with additional information and corrections from Noah Gottesman – thanks, Noah!
The IIA recently published reflections on GRC from two vendor representatives: Noah Gottesman from Thomson Reuters and Sergiu Cernautan from ACL.
The two gentlemen answered five questions posed by staff of the Internal Auditor magazine:
- How do you define GRC?
- What constitutes an effective GRC strategy?
- What are the biggest compliance risks your clients are talking about?
- How can the various compliance, risk, control, and assurance functions better align?
- How are your compliance clients addressing regulatory fatigue and increased liability for compliance failures?
I am going to add my own thoughts on these questions, except I won’t answer the last one because I don’t have any “compliance clients”!
How do you define GRC?
It’s of more than passing interest that the IIA has its own definition of GRC: governance, risk management, and internal control. However, I agree with both interviewees that GRC stands for governance, risk management, and compliance.
We may know what it stands for, but does it actually mean anything of value?
I have been writing about this for years and will say here what I have said from the beginning: most people refer to GRC when what they really mean is risk and compliance. The G is silent. Yet, governance stands for so much:
- the work performed by the board and its committees, including the hiring, firing, and compensation of the CEO; the approval of corporate strategies, plans, budgets, major initiatives, and policies; the oversight of management, both sets of internal auditors, the filing of reports with the regulators, the system of internal control, and the management of risk;
- the work performed by the executive leadership team, including the setting of strategies and objectives; the monitoring of performance; the design of the organizational structure; and more; and,
- the work of the legal department and the internal audit activity – and I know there is much more I haven’t listed.
Yet, most commentators omit any reference to the G in their explanation of GRC and what it actually means.
Noah shared this in his email:
Yes, we share that the “G” is way too silent; but that is why I also blog about it:Governance In GRC: http://governanceingrc.blogspot.com/
I congratulate Sergiu Cernautan for his reference to the Open Compliance and Ethics Group definition, which is:
“GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives while addressing uncertainty and acting with integrity. It encompasses the governance, assurance and management of performance, risk, and compliance.”
This definition makes sense to me, while others seem without clarity or real value.
What Noah Gottesman says doesn’t mean anything to me. He equates GRC with “balance”, whatever that means.
This is how he explained it to me in an email today:
One, the concept of balance is similar to work-life balance, it is never perfect, it never will be, it is truly something that we all strive to achieve.Second, balance is top-down / bottoms-up to Governance that fails in the great majority of organizations. While so many organization discuss bottoms-up assessments, financial reconciliations, etc., etc. In reality, the entry level or front-line personnel are being greatly ignored, if not overlooked; don’t trust me….it is evident in the number of whistle-blowing cases reported now to the SEC, because employees could not even trust their own hotlines. [So much focus on external stakeholders and forgetting the external stakeholders.]
What constitutes an effective GRC strategy?
Frankly, this is a weird question. There has to be real meaning to the term GRC before you can have a GRC strategy. I would interpret the question as asking what would constitute an effective strategy to achieve effective GRC as defined by OCEG.
Noah gets it right.
It’s about getting the various parts of the organization to work together, in a collaborative if not integrated fashion, to achieve corporate objectives.
I enjoyed writing this metaphor to explain effective GRC in 2011.
I think an effective strategy starts with identifying the obstacles to performance today: silos, fragmented operations, failures to share and communicate, duplicative work, and so on. It continues by assessing the damage caused by each of these obstacles, prioritizing the corrective actions, obtaining buy-in from top management and all affected parties, then executing as needed.
Unfortunately, as most would, Sergiu only answers this question as it relates to risk management. For example, there is no way his response would address the failure to link corporate objectives, performance, and executive compensation.
What are the biggest compliance risks your clients are talking about?
I don’t have any compliance clients, but my experience this year is that boards are heavily focused on cyber security. Failures to protect information assets can lead to compliance failures.
How can the various compliance, risk, control, and assurance functions better align?
Gottesman gets it. To quote:
“These functions can better align by sharing their perspective of the organization and the core components of their methodology; specifically: how they view the organization, how they assess it, how they prioritize activities, how they execute on those activities, how they document results, how they determine the significance and priority of their results, and how they plan to follow up on their results.”
I would add:
- They should recognize that they share the same objective, of helping the organization succeed
- They can and must share the information each needs to be effective
- They can and should support each other, for example with internal audit evangelizing the importance of risk management and providing advice on how its practice can be improved
What do you think? Do you agree with my answers?
There are a number of risk management professional associations. I am proud to have been made an Honorary Fellow of one, the Institute of Risk Management (IRM). Headquartered in the UK, but with members around the world, the IRM focuses on enterprise risk management and its successful practice.
I am not a member but have spoken at the conferences of the Risk Management Society (RIMS). I have great admiration and respect for its Director of Strategic and Enterprise Risk Practice, Carol Fox. Carol not only has an in-depth understanding of enterprise risk management in theory and in practice, but served on the US technical advisory group involved in the ISO 31000 global risk management standard.
RIMS has a broader membership than the IRM and covers more ground, perhaps because a great many of its members come from the ranks of insurance and safety, rather than ERM, professionals. However, I recommend the IRM for its focus on ERM, its training, and its certifications. (And no, I receive no compensation or other benefit for this recommendation.)
RIMS recently had its annual conference and a paper based on one of its sessions was covered in an article published in the journal of the IRM, RM Professional.
Successful Enterprise Risk Management is apparently sponsored by a software vendor although it suggests that it is an accurate portrayal of a presentation by “Jack Hampton, risk management author, thought leader, and Professor at St. Peter’s University, and Michael Leibowitz, Senior Director of Insurance and Enterprise Risk Management at New York University (NYU)”. I was not there, so I will take the author (who is unnamed) at his or her word.
The article starts well, with this statement:
“Organisations have long struggled to successfully implement an effective and robust ERM process that helps them capitalise on opportunities and manage the downside of risk.”[i]
What I have a problem with is the description of the “three critical pillars upon which any successful ERM process must rest: Advanced ERM Technology, Executive Support, and Enterprise-wide Engagement.”
The IRM summary describes these as “the correct people in your organisation, developing and effectively communicating your ERM value proposition, and utilizing innovative risk management software to create sustainable, repeatable processes that incorporate ERM as part of a business unit’s daily activities”. However, the paper that is referenced and published by the vendor puts risk management software first. So let’s address that first.
While I wholeheartedly support the use of technology in risk management processes, I would never place that first – even third – as a pillar of successful risk management. As I have explained time and again, management is the one taking risks through their everyday decisions, their management and operation of the enterprise. A periodic assessment and review of risks is not effective risk management. It just enables management to say that they have ticked the risk management box.
It is only when managers and other decision-makers take the right level of the right risks as they set and execute strategies, monitor performance, and make decisions.
Technology only helps if it is used and helps these decision-makers make more informed and risk-intelligent decisions that increase the extent and likelihood of success.
However, there are strong indications that risk is being managed in a silo at the organization used as an example.
“As risk managers develop their ERM plan, they should build a consensus by engaging business units to look at the risks that have been identified. An effective ERM plan will help risk owners prioritise those risks that could have a greater impact on the organisation’s objectives and its business continuity.”
As I read this and the rest of the discussion, it becomes clear that the risk manager is identifying the risks (even to the point of defining them) and imposing them (my word) on operating management. The risk officer identifies the risks, explains them to management, creates and sends them the risk report (a dashboard), gets them to join the discussion and (hopefully) take action.
I find this damning:
“We send these reports to the executive risk owner, to the Steering Committee, and to the individual board committee responsible for that area to show the value of our ERM process.”
How about a risk management processes whose aim is to help the organization succeed?
I will repeat my caveat. I have no certainty that this is actually what the speakers said or believe. However, if it is I have to disagree.
For the management of risk to be effective, it has to be owned and operated by management and not by a siloed risk office. The risk practitioner can help, but management understands the organization and risks far better than any risk professional – and adds or changes risk with every decision.
When I see management considering risk, what might happen and how it might affect the achievement of objectives, not only on a periodic basis but every minute of every day, then I will concur that risk management is effective.
I welcome your thoughts.
[i] However, it then strays with this next sentence:
“All organisations face uncertainty, but the challenge they face is determining what amount of uncertainty to accept.”
I recognize that many like to think that they can change “uncertainty”, and that is what this sentence implies. But, I suggest that while they can increase their perception and information about what might happen, they cannot predict it with certainty. What they can do is take actions to modify the likely effect or consequences of what might happen.
It’s not about accepting uncertainty, it’s about accepting the potential effects of uncertainty (what might happen) and the likelihood of those effects.
That translates to what I refer to as ‘taking the right amount of the right risks”.
Yes, there is the argument that uncertainty is created by a lack of information. Well, no human in this world (or machine) can provide sufficient information to predict the future. All we can do is to provide more information and clarity about what we think the future is likely to hold. We can then act to modify its effects or consequences.
Overall, I am pleased to see the progress the internal audit practice has made over the last few years. While there are still serious problems regarding independence and resources in some parts of the world (where internal audit is established only to “check-the-box, not with any intent to be a serious activity), more and more organizations are moving to what I call “enterprise risk-based” auditing; perhaps half are providing assurance through formal audits and assessments of the management of risk; and, many are focusing on identifying problems before rather than after the occur has become a recurring mantra.
Yet, the picture is not entirely rosy.
This year, I have been privileged to work with the National Association of Corporate Directors. I was a panelist at three separate events where they discussed cyber risk.
In one group session, a director said that the board could not ask internal audit to assess and help with cyber risk because they lacked that capability. The others voiced their agreement, one and all.
This is a huge problem!
Internal audit may not always have the talent on staff to address every risk or concern, but if the board would only give it the resources, internal audit can either hire that staff or outsource the task.
As a chief audit executive, I have hired specialists to address specific risks in IT (including highly technical personnel), environmental compliance, engineering, fraud investigations, and more. Where possible, I have provided staff (including myself) training in specialized areas, such as derivatives trading, Six Sigma, and Lean Manufacturing.
I also used outside resources from consulting and personnel agencies:
- A derivatives trading and management specialist
- A “white hat” penetration testing team
- A former global procurement executive
- An expert in sales contracting and management
- A corporate tax specialist
- and more
Some talk about internal audit being the “consultant of choice”. I wouldn’t go that far. Where I would go is that internal audit should have the capability, whether through its own personnel, co-sourcing, or other contract staffing, to address and provide assurance on the key risks facing the enterprise.
Internal audit should:
- Inform the audit committee when it has insufficient resources to address a specialized area of risk, and endeavor to persuade them to provide such additional resources (headcount or dollars) to address the need
- Inform the audit committee that it has the capability to obtain the necessary resources to address specialized areas such as cyber security, ethics compliance, corporate culture, corporate governance and more. This means that the CAE needs to build a network that he/she can tap to locate and hire the necessary expertise
- Challenge management and even the audit committee when either goes outside to obtain assurance on an area of risk
I welcome your comments.