Time to wake up to risk reality

April 2, 2020

This is a post about news we should have known for a long time.

It’s time to recognize the truth about risk management.

For 11 years, the ERM Initiative at North Carolina State University has surveyed executives (this year they were again all financial executives) about what they call “the current state of risk oversight processes in organizations of all types and sizes to obtain an understanding of the relative maturity of underlying activities executives and boards use to monitor the rapidly changing risk landscape”.

On April 1st, they published the 2020 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices – 11th Edition.

It is jarring to see how the authors continue to ask the wrong questions.

Consider how the Journal of Accountancy wrote about the study. This is their lead observation about the results of the study:

While concerns about risk, even before the virus outbreak, have not subsided, fewer finance executives were finding strategic value in their risk management processes. In 2016, 20% of respondents said they believed that risk management mostly or extensively provides strategic value. In the most recent survey, the number was 17% — a small drop, but still the third consecutive year of one-percentage-point declines.


These are finance executives, and you would expect more of them than others in the executive suite to see the value, if it existed. In many cases, they are responsible for the risk management function! Other surveys, such as one by Deloitte, have reported much lower numbers. In fact, the numbers are declining even as people arguably become more sophisticated.

Yet the authors of the study persist in talking about the maturity of a program that, where it exists, is not seen as adding strategic value! This damning point sits sixth on their list of key findings.

Ask yourself why so many companies are not investing the resources and attention needed to bring their risk management program up to what the authors describe as mature.

I believe that executive teams are failing to invest in fully mature ERM programs and directors are not discussing the results of such a program because it is separate from how they run the organization for success. That is clear when risk discussions are distinct, even with different people, from strategy and performance discussions.

Practitioners and board members, ask each of your executives whether risk management at your organization is providing significant strategic value, whether it makes a marked and important contribution to the development and execution of strategies and achievement of success.

If they say no (or fail to enthusiastically say yes), ask why not. Listen and then make sure they get what they need.

If they say yes, make sure you are asking them whether risk management contributes to their decision-making and success, not whether it has ‘value’. It should have value, even if that is limited to satisfying the regulators and avoiding (some) harms. If they continue to say yes, then celebrate and tell us all what you did differently.

Yes, there are areas where traditional risk management is the right thing to do. For example, it is essential in project management, safety management, and the management of a financial portfolio. But putting together a list of top risks for the organization as a whole, and the idea that you need to manage risks, should be something done to satisfy the regulators, not how you run the business.

As for academics and consultants, PLEASE STOP preaching what doesn’t work: traditional risk assessments and reporting. START understanding what the leaders of the organization need and how it can be provided efficiently and effectively. How can so-called risk practitioners help the organization increase the likelihood of success?

Where do you stand?

Are we getting the COVID-19 information we need?

March 26, 2020

Like most people (I assume), I am following my local (county), state, and national public health agencies’ websites for information on the spread of the COVID-19 virus. I also watch the PBS NewsHour TV program and read the news from the BBC and major newspapers.

I am retired, so I don’t have to worry about any corporate effects; I only have to worry about what my wife and I need to do if we are to stay safe. While I also worry about the health and safety of my family in Nashville and London, as well as my friends around the world, there is nothing much I can do for them. (They reassure me they are practicing appropriate social distancing when we chat.)

My question today is whether my wife and I are getting the information we need. Are we able to make the informed and intelligent decisions necessary for our health and welfare?

Each of us may have different questions to answer and different decisions to make. Today I am talking about my personal ones – and later will make a more generalized point.

What are the questions I have to answer? Here are the first that come to mind:

  1. Do I need to stay in my house?
  2. When, for what purpose, and how often should I leave it?
  3. Do I need to do something different to stay healthy, like take extra vitamins?
  4. Do I need to buy something so that if I am infected I will be more likely to survive?
  5. If I need groceries, should I go to the store or order for delivery?
  6. If I get groceries or other supplies, how do I stay safe?
  7. If I order food for delivery, how do I stay safe?
  8. How long will this last?
  9. How will I know when it’s easing off around me?
  10. Should I cancel my trips in April and June?

If I look at the information provided by the county, state, and federal agencies, I get some information:

  • The county tells me the total of confirmed cases; the number hospitalized; how many have died; how many are infected because of close contact with known cases; and the number infected due to presumed community transmission. There’s also a breakdown of the age of confirmed cases by decade. They tell me that schools will remain closed until May 1st and the shelter-in-place order is through April 7. There’s an additional Frequently Asked Questions section.
  • But the county does not tell me how many have been tested; how many are waiting to be tested; the wait time to be tested; or the trend – the shape of the curve that people keep talking about.
  • The county also doesn’t tell me how many people have called their doctor to report symptoms and stayed home without being tested. They recently announced that the federal government has asked them to gather and report those numbers.
  • The state tells me similar information: the number of positive cases and deaths; how many were community-acquired; the number of health care workers infected; the age breakdown, but only in 5 groups rather than by decade; and the gender of those tested positive.
  • One of the frustrating aspects of the situation is that some reports say the risk is greater for those over 70, some say (as does the state) over 65, while others say 60.
  • As with the county, the state provides general guidance on how to wash your hands and the symptoms of the disease.
  • But neither shares the information that would help me to see the trend, the shape of the curve. Nor do they tell me how to be safe when it comes to grocery-shopping or food deliveries, or how else to prepare.
  • The federal government has some high-level data to share: total cases; total deaths; the sources of exposure (97.5% are ‘under investigation’, so that data is useless); and the trend in total cases, although they indicate that recent data is incomplete. That data doesn’t make it clear whether the rate of increase is slackening or not. Nor do they break the data down by region or state.

Does this give me all the information I need to make informed and intelligent decisions?

Not really.

There are many sources of additional information in the media and on the web. The question is whether that information is (a) relevant to my decision, and (b) reliable. US government and state officials hold frequent press conferences, but not everybody believes what they have to say – especially when they contradict themselves and each other.

A number of health professionals have addressed some of my questions in the media and on YouTube. But I check their credentials before considering them credible. For example, one of my friends shared advice from an MD and when I checked into him I found that he was a specialist in treating allergies.

I will share this video on safe shopping because it is both important and credible.

So, I don’t believe I am getting all the information I need. I have to make decisions based on what I do know and what seems prudent.

Now to the more general point.

What is happening is that these agencies are sharing what they want to tell me. In some cases, they are complying with federal or state requirements.

They are not thinking about what each of us needs to know so we can make our own informed and intelligent decisions.

I call this ‘push’ reporting. What we need is ‘pull’ reporting, where the person who has the data understands what the consumer of the information needs to know: he or she understands the decisions that have to be made and the information necessary to enable them.

As practitioners, we need to do the same.

What do the decision-makers need from us?

What does the executive team need from us?

What does the board need from us?

Don’t follow standard practice and give them a report that doesn’t help them make their important decisions.

If you don’t know what they need, even if you believe they don’t know themselves, find out!

Then execute and tell them the shape of the curve, and so on.

I welcome your thoughts.

How will risk management change as we emerge from this crisis?

March 21, 2020

People, especially consultants, are not only telling us how to address the pandemic but also what we should expect when it’s all over.

In his latest post, my good friend Michael Rasmussen makes some good points. He is always worth listening to and today is no exception.

Keep Calm & GRC On! reminds us, first, what GRC is all about. I like the OCEG definition that he quotes as it makes sense.

GRC is “a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].”

He spells out his vision, what he sees in his crystal ball, of what risk management in particular (although he also touches on contingency planning and policy management) will look like once we are done with COVID-19.

But I have a different perspective.

It’s a tough line, but we need to face reality.

Even before the crisis, few on boards or in executive management believed their risk management programs were helping them run the organization for success. At best, it helped anticipate and avoid failure – which is hardly the same as achieving success. At worst, it was a cost center that helped comply with regulations.

These same leaders should now be asking whether the risk management program they had in place prepared them for the crisis – and whether it is helping them navigate through it now.

If risk practitioners (and internal auditors) are setting their prior practices, frameworks, and standards aside and doing what the organization needs right now, they will earn recognition and respect from the board and management.

But if they insist on doing what they have always done, sharing heat maps and performing audits of what used to be risks, they are going to be seen as getting in the way of the management team. They are not helping in a time of crisis, when people need to make rapid and critical decisions.

Now is the time to prove our worth. Find out how we can help and then do it.

Later, we should change from what I call (in Lean terminology) a ‘push’ approach to one that is more of a ‘pull’ approach. What I mean is that we should figure out what the organization needs from us if they are to be successful, and then deliver it (pull) – instead of doing what we think is right (based on industry or professional standards) and hoping that once we push it at them they will see some value.

I explain this and more in a video call I did on Wednesday with Alex Sidorenko. (I come onto the call a few minutes after it starts.)

I welcome your comments.

Train your internal audit team for free

March 19, 2020

Many of us are home-bound for the next (hopefully few) weeks.

It’s a time we can use for team training.

With that in mind, I am making available at no charge the first 5 case studies in a pair of books I am working on.

The idea is that a team leader can share a hypothetical case study with the team members for their reflection and preparation. Then the team can come together (using Skype, Zoom, or similar) to discuss the issues and questions in the case study and what the answers should be. It’s a way to stretch and train the team that not only makes them think out of the box but also builds teamwork.

Follow the links on each book title to download it. Only the team leader should download the second volume, which is the Discussion Guide.

Your comments, as always, are welcome. Reach out if you want to discuss.

Time to read a good (practitioner) book

March 17, 2020

Every so often, I get a question about how to advance a practitioner’s career or which of my books they should read.

Others have written good books (for example, Hans Læssøe has just this month published Decide to Succeed, and several other friends have books worth reading), but I am going to try to answer the question about my books. (All of my books are available on Amazon and you can find more details here.)

If you are a ‘risk’ practitioner:

My best-selling World-Class Risk Management should be essential reading for anybody who calls themselves a risk officer, internal auditor, IT auditor, information security professional, or ‘GRC’ practitioner. (There’s a special edition for those in Non-Profits.) The book is on the mandatory reading list for a number of risk management college classes.

I wrote Risk Management in Plain English: A Guide for Executives for both practitioners and the leaders of the organization, including board members. It explains how the ‘risk’ word interferes with productive discussion and practice. My intent was that practitioners who like what I have to say would give copies to executives and board members to frame a constructive discussion.

Making Business Sense of Technology Risk is, again, for all practitioners and not just for those who specialize in technology-related matters. After all, technology is at the heart of what we do and how we do it. The book explains how the frameworks developed by the techies don’t provide business leaders with the information they need to make informed and intelligent decisions for the enterprise, and suggests a better approach. It takes the thinking in World-Class Risk Management to another level.

If you are an internal auditor:

My seminal book, which I recommend to every internal auditor from junior to CAE, is Auditing that Matters. It covers a lot of ground and challenges traditional practice and thinking. Some CAEs have purchased copies for their entire team.

Building on Auditing that Matters is Is Your Internal Audit World-Class? The book contains a sophisticated and detailed maturity model for assessing the quality of your internal audit function.

If you want a more entertaining book, try World-Class Internal Audit: Tales from my Journey. It’s a collection of short stories from my career that led me to the thinking and practices reflected in my books. It has received rave reviews both for its humor and for its insights into what world-class internal auditing is all about.

If you are involved in SOX:

Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization – 4th Edition, published by the IIA, is considered the best book on how to run a SOX program.

If you want to know about GRC:

I recommend How Good is your GRC? Twelve Questions to Guide Executives, Boards, and Practitioners.

If you go here, you will find more details and also links to Amazon.

I would appreciate your sharing:

  1. Your experiences with my books
  2. Other books you recommend and why

What are you doing differently because of COVID-19?

March 13, 2020

Please share how you are responding to COVID-19, whether in your personal or professional life.

I am especially interested in people sharing their ideas and practices so others can benefit.

Toss out traditional risk management thinking

March 7, 2020

I live in San Jose, which is in Santa Clara County where a number of coronavirus cases have been identified.

My wife’s church has canceled tomorrow’s services as a precaution.

A local bridge center (I am an avid player) has closed down until further notice. One of my bridge partners placed himself in self-quarantine after his wife returned from a cruise where individuals tested positive for the virus. Another bridge player remains in Colorado, hospitalized and recovering after his cruise.

What has this got to do with my perennial rant that traditional risk management, considering only the potential for harm, doesn’t help organizations succeed?

Consider the decisions that people and businesses now have to make. For example:

  • Should an airline cancel all its flights, not only to places like China but also to Seattle? After all, these are ‘hotspots’, and if you are only managing the possibility of infecting your employees or being involved in the spread of the virus, you can best minimize that risk by not flying where passengers might bring it on board.
  • Should a hotel in Seattle close down for the duration, for similar reasons?
  • Should an organization in New York, which today declared a state of emergency because 75 people there have tested positive, tell all of its employees to work at home?
  • If you have an outstanding purchase order for critical materials with a vendor in China or Korea, which is delayed due to temporary measures imposed by the government there, should you cancel it and buy instead from a US vendor at a far greater cost?
  • As the head of sales, should you cancel a visit to a major customer that would involve a long flight, touring their plant, and meeting many people?
  • As an individual, should you go to church or to a flower arrangement class? Should you even go to work or the grocery store?

These are real life decisions, decisions that have to be made by weighing all the things that might happen, not just the potential for harm.

  • Can you afford not to go to work?
  • Can you afford to move to a US vendor instead of one in Asia, not only at a greater cost but also taking on an unproven partner?
  • If you close down part of your business, what does that do to your cash flow? Will you lose customers or even employees?

It’s time to recognize that managing a list of potential harms is not helping the organization make the informed and intelligent decisions necessary for success.

Informed and intelligent decisions depend on the right people having the information they need about where they are and what might happen, and the ability to weigh all the options and their effect on success.

Why do so many still plug traditional thinking about risk management? I asked this question of a professor, formerly at Harvard and now in Lausanne. I should point out that she has been awarded a prestigious prize for her “research into risk management” and has been called a “pioneer in the field of risk management”. Yet she writes books and lectures on traditional ERM: the management of a list of things that might go wrong.

Her answer, which is what I have heard from consultants and other so-called risk thought leaders, is that traditional risk management is what people are familiar with and what they think they need. She writes about what people are doing, not what they need to do (her words).

Consider a February 28th post by my good friend, Jim DeLoach. Risk Realities and Enterprise Risk Management in 2020 focuses on a study by Protiviti and the ERM Initiative at North Carolina State University.

Jim is a smart man, but even his magic cannot save the idea that boards and management need to focus on a list of things that might harm the business.

The study identified these as the so-called ‘top risks’ in 2020:

  1. Impact of regulatory change and scrutiny on operational resilience, products and services
  2. Economic conditions impacting growth
  3. Succession challenges; ability to attract and retain top talent
  4. Ability to compete with “born digital” and other competitors
  5. Resistance to change operations
  6. Cyber threats
  7. Privacy/identity management and information security
  8. Organisation’s culture may not sufficiently encourage timely identification and escalation of risk issues
  9. Sustaining customer loyalty and retention
  10. Adoption of digital technologies may require new skills or significant efforts to upskill/reskill existing employees (new in 2020)

Does this list apply to your organization in 2020? Does it apply to any organization in the world, given the trade and economic shocks we are experiencing?

In his post, Jim has a number of questions board members should ask. Think about them. They include:

  • Is our risk management process well-defined, repeatable and understood by stakeholders?
  • Is there a process for identifying emerging risks? Does it allow sufficient time for management to consider response plans to these risks?
  • Does our management dashboard system include robust key risk indicators that enable our leadership team to monitor shifts in risk trends?

At the same time Jim was publishing his article, Alfred Rodas was asking me a question on LinkedIn:

I’m reaching out to you because I hoped you could offer me some suggestions about something. This year, we wanted to try and limit the number of questions we ask senior management from 5-8 questions to 3-4 key questions. Thank you Norman, regards, Alfred

This was my reply:

OK, that’s a good idea. How about these?

  1. When you make important decisions, what is your process? How do you make sure you consider all the things that might happen, both good and bad?

  2. How do you measure your success? As you go through the year, how do you see whether you are on track? How do you assess the likelihood of being successful, considering all the things that might happen?

  3. How do you know whether everybody is taking the right risks, the ones you need taken if you are to be successful?

  4. Does everybody have your enterprise objectives in mind as they run the business and make decisions? Do they know what they are and how their actions and decisions might affect them?

I think these four questions should be asked by board members and top executives as well.

When it comes to coronavirus, the first question becomes:

  1. When you make decisions about coronavirus, what is your process? How do you make sure you consider all the things that might happen, both good and bad?

Then board members and the CEO can ask specific and more detailed questions to probe management’s decisions.

Isn’t it time to stop managing a list of potential harms and instead focus on how we can make more intelligent and informed decisions – including whether and how we respond to issues like the coronavirus?

I welcome your thoughts.