Leaders you would willingly follow?

March 23, 2015 2 comments

I am interested in the topic of “leadership”. I have chosen to define it in terms of whether people willingly follow (or stay with) an individual.

While others identify as effective leaders those who have been at the helm of successful organizations, in my experience leaders are not limited to those whose organizations succeed. CEOs with poor leadership skills have seen their organizations excel – perhaps by luck or the ability of others within the organization. CEOs with excellent leadership skills have seen their organizations fail, through no fault of their own.

I have had the pleasant experience of working with several that I would call effective leaders. These are people I would willingly follow.

But they are all different. They have different qualities, each of which has made me want to work with and for them.

Is that your experience?

What has made you want to stay with or follow a leader?

New information and perspectives on cyber security

March 21, 2015 10 comments

The world continues to buzz about cyber security (or, perhaps we should say, insecurity). Now we have the Chinese government apparently admitting that they have a cyberwarfare capability: not just one unit, but three. Other nations, including the United States, Japan, and some European nations, are talking about their ineffective defenses and the need to develop an offensive capability.

What can the targets, not only any public or private company, but each of us as an individual target (yes, our personal devices are constantly under attack), do about this?

The first step is to get our collective heads out of the sand and understand that we are all, collectively and individually, at risk. The level of successful attacks is enormous (a billion records with personal information were hacked in 2014 according to IBM, as reported here). According to a survey discussed in Fortune, 71% of companies admit they were hacked last year and the majority expects to be hacked this year. However, nearly a quarter, according to Fortune, has not only kept their heads in the sand but do so with unbelievable confidence; they think a successful cyber attack is “not likely” in the next 12 months. The trouble is that very often successful attacks are not detected! It took a long time before JPMorgan Chase found out they had been hacked, and even longer before they knew the extent of damage.

Organizations need to be ready to respond effectively and fast!

The JPMorgan Chase article reports that “The people with knowledge of the investigation said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, possibly giving the hackers time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorgan’s systems.”

All is for naught if successful intrusions are not detected and responses initiated on a timely basis. In the Target case, reports say that the security monitoring service detected suspicious activity but the company did not respond. According to ComputerWeekly.com, many companies make the mistake of “Over-focusing on prevention and not paying enough attention to detection and response. Organisations need to accept that breaches are inevitable and develop and test response plans, differentiating between different types of attacks to highlight the important ones.”

Another insightful article discusses the critical need for pre-planned response capabilities. IT cannot do it all themselves; business executives need to not only be involved but actively work to ensure their operations can survive a successful intrusion.

What else should we do?

We have to stop using passwords like ‘password’, the name of our pet, or our birthday. Password managers are excellent tools (see this article on the top-rated products) and merit serious consideration. I have one (BTW, I don’t plan to replace it with the latest idea from Yahoo of one-time text messages. However, I do like the fingerprint authentication on my iPhone.)

A risk-based approach to cyber security is the right path, in my view. But that does mean that organizations have to continuously monitor new and emerging risks, or new observations about existing risks. An example is a new article on insecure mobile apps – both from in-house developers and from external sources.

Organizations need to allocate resources to cyber and information security commensurate with the risks, and individuals have to take the time to update the software on their personal devices. Internal audit departments should make sure they have the talent to make a difference, providing objective evaluations and business-practical suggestions for improvement.

Companies and individuals, both, need to make sure they apply all the security patches released by software vendors. They address the vulnerabilities most often targeted and when there is a breach, very often it’s because the patches have not been applied.

As individuals, we should have a credit monitoring service (I do), set up alerts for suspicious activity on our bank accounts, and apply all the anti-virus and spam protection that is reasonable.

Finally, as individuals and as organizations, we need to make sure we and our people are alert to the hackers’ attempts through malware, social engineering, and so on. It is distressing that so many successful intrusions start with somebody clicking where they should not be clicking.

Here are a couple of articles worth reading and a publication by COSO (written by Deloitte) on how their Internal Control Framework can be used to address cyber risks.

Cybersecurity in 2015: What to expect

Cybersecurity Hindsight And A Look Ahead At 2015

COSO in the cyber age

As always, I welcome your comments.

Do you need a risk committee?

March 14, 2015 1 comment

A new paper from RIMS (the Risk Management Society) carries the title Exploring the risk committee advantage. RIMS is an interesting organization. While it has some excellent members (including Carol Fox), when I attended their meetings I was struck by the number of people whose understanding of enterprise-wide risk management is limited. I hope the association continues its strong efforts to educate the many who started as managers of their organization’s insurance function and are now stepping up and leading their organization to an enterprise risk management system.

This new paper is a reasonable discussion of the role of a risk committee. It explains that a risk committee can take multiple forms, from a board-level committee (such as is becoming common in financial services organizations) to a C-suite committee, to an operational risk committee.

Because the paper has taken on these three different topics, it is not possible for the authors to dwell on any of them at any length. Instead, it sensibly suggests that each organization should determine what form of committee would add value in its specific circumstances (and that may mean it has one, two, or all three forms), define its objectives, develop a charter, and so on.

The paper then suggests how the risk officer can make use of these committees and what it should be doing to support them.

When I established risk management at Business Objects, the CEO agreed to a C-suite level risk committee. This small group of business leaders helped me ensure that we had a common process and language for risk management and were excellent ambassadors for integrating the management of risk into and across the organization.

But it was always clear that management was responsible for the identification, assessment, and treatment of risk. I was a facilitator, mentor, and so on.

I am not sure that is clear in this paper. I suspect that the authors see more ownership of risk by the CRO than I do.

At Business Objects, we did not have a risk committee of the board. The audit committee oversaw the risk management system, and the full board considered strategies and risks to those strategies together.

Do you have a risk committee (or multiple risk committees)? How well do they work for you?

Predictions for GRC, risk management, and compliance

March 7, 2015 4 comments

MetricStream[1] has shared with us a November 2014 report from the analyst firm Forrester: Predictions 2015: The Governance, Risk, And Compliance Market Is Ready For Disruption (registration required).

I have had serious issues in the past with Forrester, their understanding and portrayal of risk management and GRC, their assessment of the vendors’ solutions, and the advice they give to organizations considering purchasing software to address their business problems.

However, they do talk to a lot of organizations, both those who buy software as well as those who sell it. So it is worth our time to read their reports and consider what they have to say.

I’m going to work my way through the report, with excerpts and comments as appropriate.

“…the governance, risk, and compliance (GRC) technology market is ripe for disruption”.

I have a problem with the whole notion of a GRC market. For a start, the “G” is silent! The analysts seem to forget that there are processes, each of which can be enabled by technology, to support governance of the organization by the board and others. For example, there is a need to enable the secure, efficient, and useful sharing of information with the board – for scheduled meetings and throughout the year. In addition, there are needs to support whistleblower processes, legal case management, investigations, the setting and cascading of business objectives and goals, the monitoring of performance, and so many more.

In addition, organizations should not be looking for a GRC solution. They should instead be looking for solutions to meet their more critical business needs. Many organizations are purchasing a bundle of GRC capabilities, but only use some of what they have bought – and what they do use may not be the best in the market to address that need.

Finally, I have written before about the need to manage risk to strategies and objectives. Yet, most of these so-called GRC solutions don’t support strategy setting and management. There is no integration of risk and strategy. Executives cannot see, as they review progress against their strategies and objectives, both performance progress and the level of related risks.

“A Corporate Risk Event Will Lead To Losses Topping $20B”

What is a “risk event”? This is strange language. Why can’t they just talk about an “event” or, better still, a “situation”?

I agree that the management of organizations continues to make mistakes – as it has ever since Adam and Eve ate the apple. Some mistakes result in compliance failures, penalties, reputation damage, and huge losses. I also agree that losses of that size continue.

But what about mistakes in assessing the market and customers’ changing needs, bringing new products and services to market, or price-setting (consider how TurboTax alienated and lost customers)? I have seen several companies fall from leaders in their market to being sold for spare parts (Solectron and then Maxtor).

Management should consider all potential effects of uncertainty on the achievement of objectives.

“Embed risk best practices across the business…Risk management helps enhance strategic decision-making at all organizational levels, and when company success or failure is on the line, formal risk processes are essential.”

The focus on decision-making across the enterprise is absolutely correct. Risk management should not be a separate activity from running the business. Every decision-maker needs to consider risk as he or she makes a decision, so they can take the right amount of the right risk.

“Read and understand your country’s corporate sentencing guidelines.”

This is another excellent point! Unfortunately, the authors didn’t follow through and point out that the U.S. Federal Sentencing Guidelines require that organizations take a risk-based approach to ensuring compliance; those that do will have reduced penalties should there be a compliance failure.

“Build and maintain a culture of compliance.”

Stating the obvious. It is easy to say, not so easy to accomplish.

“Review risks in your current register and add ‘customer impact’ to the relevant ones.”

All the potential consequences of a risk should be included when analyzing it. Rather than ‘customer,’ I would include the issues that derive from upsetting the customer, such as lost sales and market share.

Further, it’s not a matter of reviewing risks in your risk register. It’s about including all potential consequences every time you make a decision, as well as when you conduct a periodic review of risks. Risk management should be an integral part of how decisions are made and the organization is run – not just when the risk register is reviewed.

Forrester makes some comments and predictions concerning GRC vendors. I don’t know whether they are right or wrong.

However, I say again that organizations should not focus on which is the best GRC platform. They should instead look for the best solution to their business needs, whatever it is called.

I do agree with Forrester that there are some excellent tools that can be used for risk monitoring. They should be integrated with the risk management solution, with ways to alert appropriate management when risk levels change.

What do you think of the report, the excerpts, and my comments?

Should we continue to talk about GRC platforms? Is it time to evaluate risk management solutions? How about integrated strategy, performance, and risk solutions?

[1] By way of complete disclosure, I have a relationship with a number of vendors of “GRC” solutions, including MetricStream and Resolver. I no longer have a relationship with SAP.

The risk of an ineffective CIO

February 28, 2015 1 comment

According to McKinsey, “executives’ current perceptions of IT performance are decidedly negative”. An interesting piece, Why CIOs should be business-strategy partners, informs us that the majority of organizations are not benefitting from an effective CIO, one who not only maintains the infrastructure necessary to run the business but also works with senior management to drive new business strategies.

Why worry about the “big” risks on the WEF or Protiviti list when the “small” risks that let your business survive and thrive are huge?

For example, the survey behind the report found that:

  • “…few executives say their IT leaders are closely involved in helping shape the strategic agenda, and confidence in IT’s ability to support growth and other business goals is waning”.
  • “IT and business executives still differ in their understanding of the function’s priorities and budgets. Nearly half of technology respondents see cost cutting as a top priority—in stark contrast to the business side, where respondents say that supporting managerial decision making is one of IT’s top priorities.”
  • “In the 2012 survey on business and technology, 57 percent of executives said IT facilitated their companies’ ability to enter new markets. Now only 35 percent say IT facilitates market entry, and 41 percent report no effect.”

With respect to the effectiveness of traditional IT functional processes, few rated performance as either completely or very effective:

  • Managing IT infrastructure – 43%
  • Governing IT performance – 26%
  • Driving technology enablement or innovation in business processes and operations – 24%
  • Actively managing IT organization’s health and culture (not only its performance) – 22%
  • Introducing new technologies faster and/or more effectively than competitors – 18%

There was a marked difference when the CIO is active. “Where respondents say their CIOs are very or extremely involved in shaping enterprise-wide strategy, they report much higher IT effectiveness than their peers whose CIOs are less involved.” McKinsey goes on to say:

“We know from experience that CIOs with a seat at the strategy table have a better understanding of their businesses’ near- and longer-term technology needs. They are also more effective at driving partnerships and shared accountability with the business side. Unfortunately, CIOs don’t play this role of influential business executive at many organizations. The results show that just over half of all respondents say their CIOs are on their organizations’ most senior teams, and only one-third say their CIOs are very or extremely involved in shaping the overall business strategy and agenda.”

The report closes with some suggestions. I like the first one:

“The survey results suggest that companies would do well to empower and require their CIOs and other technology leaders to play a more meaningful role in shaping business strategy. This means shifting away from a CIO with a supplier mind-set who provides a cost-effective utility and toward IT leadership that is integrated into discussions of overall business strategy and contributes positively to innovating and building the business. Some ways to encourage such changes include modifying reporting lines (so the CIO reports to the CEO, for example, rather than to leaders of other support functions), establishing clear partnerships between the IT and corporate-strategy functions, and holding both business and IT leaders accountable for big business bets.”

Is your CIO effective, both in supplying the infrastructure to run the business and in working in partnership with business leaders to enable strategic progress?

Is this a risk that is understood and being addressed?

I welcome your comments.

KPMG and I talk about changes at the Audit Committee meeting

February 21, 2015 11 comments

I am used to seeing some new thinking from our Canadian friends. That is hardly the case when you look at a recent publication from KPMG Canada, Audit Trends: The official word on what’s changing and how audit committees are responding.

That title not only sets the expectations high, but sets KPMG up for a fall.

This is how they start us off, with an astonishing headline section:

ACs TODAY DEAL WITH A BROAD RANGE OF ISSUES, AND ACCOMPANYING RISKS, THAT ARE BEYOND FINANCIAL STATEMENTS, REPORTING AND INTERNAL CONTROLS OVER FINANCIAL REPORTING – THEIR TRADITIONAL AREAS OF RESPONSIBILITY.

These include CFO succession management; forecasting & planning; liquidity; M&A; environmental, social and governance factors; fraud and more.

My first audit committee meeting, as the chief internal auditor, was about 25 years ago. If memory serves me well, the only audit committee meetings that focused only on “financial statements, reporting, and internal controls over financial reporting” over those 25 years were short calls to review earnings releases, and so on. Not a single in-person meeting was limited to these few topics.

KPMG continues:

THE DAYS WHEN THE AC AGENDA WAS SOLELY DOMINATED BY AUDIT MATTERS AND TECHNICAL ACCOUNTING DISCUSSIONS ARE GONE.

Sorry, KPMG, but the world does not spin around the axis of the CPA firm.

Here’s another silly profundity, a highlighted quote from the Vancouver practice leader:

“Organizations today rely heavily on technology to manage internal processes and external customer relationships, it is therefore essential for ACs to understand what management is doing to mitigate IT risks.”

In 1990, my company was totally reliant on technology. Not only was it relied upon for internal business processes, but our oil refineries were highly automated. So-called IT risks (so-called, because the only risks are risks to the business – which may come from failure in the use or management of technology) were so extensive that I dedicated a third of my budget to IT audit. Going back even further, the savings and loan companies I worked for in the mid- to late 1980s relied “heavily on technology to manage internal processes and external customer relationships”.

So what are the changes that should be happening at the audit committee? Here are six ideas:

  1. The audit committee should be asking management to provide assurance that it has effective processes for addressing risk (both threats and opportunities) as it sets strategies and plans, monitors performance, and runs the business every day. The audit committee should not be limited to a review of the “risk du jour”; it should require that management explain how it has embedded the consideration of risk into the organization’s processes and every decision.
  2. The audit committee should insist that it obtain a formal report, at least annually, from the chief audit executive, with an assessment of the adequacy of management’s processes for managing risk, including the adequacy of the controls over the more significant risks.
  3. With the enormous potential for both harm and strategic value of new, disruptive technology, the audit committee can help the full board by challenging management on its approach to new technology. Does the IT function have the agility, resources, and capability to partner with the business and take full advantage of new technologies, while managing downside risk?
  4. Continuing with that theme, is the organization hamstrung by legacy infrastructure and systems that inhibit its agility, its potential for moving quickly as business conditions and opportunities change? Is it able to change systems and processes fast enough?
  5. The COSO 2013 update of the Internal Controls – Integrated Framework is an opportunity to revisit a number of issues. One that should be high on the agenda is whether the company is providing decision-makers across the organization, from strategy-setting to Marketing to Finance to Operations, with the information they need to drive success. This is not just about the deployment of Big Data Analytics, because that is just a tool. It is about (a) understanding what information is available and can be used to advantage, (b) obtaining it at speed, and then (c) delivering it everywhere it should be used in a form that enables prompt use and action.
  6. With all the demands on the audit committee, there is a need to re-examine its composition and processes. Do its members have all the experiences and skills necessary to perform with high quality, addressing issues relating to the management of risk, the use of technology, the changing global world, and so on? Should it receive more periodic briefings from experts on these topics? Do its members even have the ability to dedicate the time they need? Are they receiving the information they need to be effective (studies say they do not)?

If the audit committee is spending more than 20% of its precious time on “financial statements, reporting, and internal controls over financial reporting”, something is seriously wrong.

I welcome your comments – especially on these six suggestions.

Going crazy with COSO 2013 for SOX

February 18, 2015 17 comments

For some reason, I only just saw a new PwC publication, Present and functioning: Fine-tuning your ICFR using the COSO update, dated November 2014.

PwC provided the project team for the COSO 2013 update of the Internal Controls – Integrated Framework, so their advice and insight should merit our attention.

The trouble is that it is very easy to go overboard and do much more work than is necessary to update your SOX program for COSO 2013.

I fear that PwC may help people go crazy, rather than perform the few additional procedures necessary. I respect those who have said, rightly in my view, that if you were able to comply with the requirements of COSO 1992 (the original version) and either the SEC guidance (in their Interpretive Guidance) or PCAOB Standard Number 5, you should already be in compliance with COSO 2013.

The key is to be able to demonstrate that.

We need to remember these facts:

  1. Neither the SEC nor the PCAOB has updated regulatory guidance for management or the external auditor since the release of COSO 2013. That guidance (reinforced by the PCAOB October 2013 Staff Practice Report) mandates a top-down and risk-based approach. It requires a focus on the potential for a material error or omission in the financial statements filed with the SEC.
  2. COSO 2013 says that internal control is effective when it reduces the risk to the achievement of objectives to acceptable levels. For SOX, that means that there are no material weaknesses.
  3. COSO 2013 also says that a principle can be deemed present and functioning if there are no “major deficiencies” that represent a significant level of risk to the achievement of the objective – in other words, there are no material weaknesses due to a failure of elements relating to a principle.

Now let’s have a look at what PwC has to say.

“With the COSO’s 1992 Control Framework being superseded by the 2013 updated edition on December 15, 2014, now is the time for companies to use the updated framework to evaluate the effectiveness of their systems of internal control over financial reporting.”

I agree with this statement. This is a great opportunity to ensure an effective and efficient program is in place.

“The updated framework formalizes 17 principles that stipulate more granular evaluative criteria to help a company’s management assess the design and operating effectiveness of its ICFR.”

They forget to say that COSO informs us that internal control is effective if it reduces risk to the achievement of objectives to acceptable levels. They also forget to remind us that the SOX assessment must be top-down, risk-based, and focused on the potential for a material error or omission.

“We don’t believe that implementation of the 2013 framework affects management’s existing control activities…. assuming that a company’s control activities have been assessed as effective, reevaluating them according to the 2013 framework is not necessary.”

While there is an element of truth to this, organizations should not be assessing control activities in isolation – they should be assessing whether the combination of controls provides reasonable assurance that there are no material errors or omissions. Focusing on one component by itself is insufficient and, I believe, incorrect.

In addition, the selection of controls for reliance should always be re-evaluated as the business is likely to have changed, including materiality, significant accounts and locations, and so on.

“We believe the most immediate value of applying the 2013 framework lies in the opportunity it provides for taking a fresh look at indirect entity-level controls.”

Again, the SOX scoping should be focused on the combination of controls that provides reasonable assurance. In addition, some principles (such as the hiring and training of employees, or the provision of training and obtaining certification of employees in the code of conduct) are performed at the activity level. COSO tells us that activities in each of the COSO components may exist at any level of the organization. So, we need to recognize that indirect controls may operate at the entity (corporate) level, activity level, or any level in between (such as at the business unit or regional level).

Having said that, the principles do offer us a new opportunity to determine which of these indirect controls need to be included in scope because a failure would represent an unacceptable level of risk – because they raise to an unacceptable level the likelihood that one or more key direct controls relied on to prevent or detect a material error or omission might fail.

But, it all has to be within the context that we are focusing the scope, and the SOX program as a whole, on the risk of a material error or omission!

“…fine-tune the design and related documentation of indirect ELCs [entity-level controls] through mapping them to principles.”

Many have misguided organizations, telling them to “map their controls to the principles”. The proper guidance is to “identify the controls you are relying on to provide reasonable assurance that the principles are present and functioning”. Again, we need to remember that the principles can be deemed present and functioning if a failure would not represent a material weakness.

It is correct to say that if you have indirect controls (at entity or another level) that are not required to provide that reasonable assurance, they do not need to be included in scope for SOX.

“…we have noted the following areas in which management’s assessment has indicated room for optimization or improvement in control documentation.”

I suspect that the issue is not limited to control documentation! There is always room for improvement and it is useful to see what PwC has identified.

“Leading companies are formalizing or clarifying and incorporating into their evaluations of ICFR certain indirect ELCs that support existing human resources policies. Such controls usually consist of approvals of new hires and employee transfers (including background checks and assessments of requisite skills and experience when appropriate), requirements for professional certifications and training (e.g., in new and complex accounting standards), succession planning and retention of competent employees, and periodic reviews of employee performance to assess requisite skill levels and conduct. Compensation programs aligned with expected performance, competencies, and behaviors are also important to support ICFR objectives.”

If you believe that any organization’s HR policies and practices provide the assurance you need that every single key control is performed by individuals with the appropriate experience, knowledge, training, and so on, I have a bridge to sell you!

While it is very important to have excellence in hiring, training, supervision, career development, promotion and so on, I do not believe that for SOX it is productive to spend much time on controls in this area.

I very much prefer to assess the capabilities and competence of each control owner as part of the evaluation of the design and operation of each individual key control.

“In many organizations, the evaluation of fraud risks related to financial reporting is integrated into the overall assessment of financial-reporting risks… In identifying and evaluating those risks, management investigates incentives, pressures, opportunities, attitudes, and rationalizations that might exist throughout the company in different departments and among various personnel.”

The first statement is (I hope) true, although I personally perform a separate assessment of fraud risk (focused on the risk of a material error or omission due to fraud) and generally find that they are addressed by the controls already identified for mistakes.

PwC talks about ‘scenarios’, while I talk about ‘fraud schemes’. In each case, we are talking about ‘how’ the fraud would be committed – an essential step in understanding the true nature of the risk and the controls that would prevent or detect it, if material.

However, going crazy about the fraud triangle is not recommended. We should focus on how we can provide reasonable assurance that a material error or omission due to fraud might be prevented or detected, and remember that the number of people with the ability to commit such a fraud is limited. More than 80% of reported material frauds have been perpetrated by the CEO and CFO acting together, not individuals “throughout the company in different departments and among various personnel.” Rationalization, for example, is an intensely personal action and not something that can be detected by looking broadly at even a segment of the workforce.

“Companies taking a thoughtful approach in transitioning to the 2013 framework—rather than viewing it as a mere compliance exercise—are finding value in the identification of opportunities to strengthen their ICFR.”

We are back on solid ground.

The focus has to remain solidly grounded on identifying and then testing the design and operation of the controls relied upon to prevent or detect a material error or omission. A top-down and risk-based approach is mandated.

Going beyond this may have value in improving operations and the achievement of other (than SOX) business objectives.

But let’s not go crazy!

I welcome your comments and, especially, your experiences with COSO 2013 and your external auditors.

By the way, I think it is well past time for COSO to issue a statement or other guidance to set people straight on the COSO 2013 principles when it comes to SOX. They need to explain that the primary evaluation criterion for effective internal control is whether there is reasonable assurance that risk to the achievement of objectives is at an acceptable level. Then they need to explain that the principles offer more granular guidance that can be used in assessing that risk and whether it is acceptable, but that assessing the principles without the context of risk is misunderstanding COSO 2013.

Do you agree?
