Is a new maturity model for GRC the right model?

September 25, 2016

I have been a proponent and supporter of the OCEG[1] view and definition of GRC for a very long time. In fact, OCEG honored me for my GRC thought leadership by making me one of the first OCEG Fellows (along with my friends, Michael Rasmussen and Brian Barnier).

I remain an advocate of their definition of GRC as well as their focus on Principled Performance.

Very recently, OCEG leadership published a maturity model for GRC (developed by RSA Archer, which has been an active member and sponsor of OCEG for as long as I can remember). You can download it (and become a member for free, which I heartily encourage) from the OCEG web site.

This paragraph from the Introduction to the paper explains both GRC and Principled Performance.

As the think tank that defined the business concept of GRC, OCEG has long talked about the need for a harmonized set of capabilities that enable an organization to reliably achieve its objectives, while addressing uncertainty and acting with integrity. These capabilities are outlined in the GRC Capability Model (“the OCEG Red Book”), the publicly vetted, free and open source standards for GRC planning and execution. The outcome of applying effective GRC is Principled Performance, which demands a mature, integrative approach to governance, risk management and compliance; the component parts of GRC.

GRC is defined by OCEG, repeated in the section above, as “a harmonized set of capabilities that enable an organization to reliably achieve its objectives, while addressing uncertainty and acting with integrity.”

What I like about their definition is:

  • It focuses on achieving objectives and delivering value to stakeholders, not just avoiding harm and remaining in compliance. Risk is managed, not for its own sake, but to help drive performance.
  • It describes a capability that is more than the sum of its parts. It is more than governance[2], which includes not only the operation of the board but those of the legal department, internal audit, the strategic planning function, performance management, investor relations, and more; it is more than simply risk management, because it requires that the consideration of risk be part of the rhythm of the business (credit to EY for that expression) as decisions are made and strategy not only developed but executed; and, it is more than compliance: in fact, the OCEG definition includes not only compliance with applicable laws and regulations (what they call a ‘mandated boundary’) but with societal norms and the values of the enterprise (a ‘voluntary boundary’).
  • It emphasizes the need for harmony between all the various elements of the organization if they are to drive towards and achieve shared goals for the enterprise.

This section from OCEG’s Red Book (version 2.0) builds on the short definition above. It says that GRC is:

“A system of people, processes and technology that enables an organization to:

    • Understand and prioritize stakeholder expectations
    • Set business objectives that are congruent with values and risks
    • Achieve objectives while optimizing risk profile and protecting value
    • Operate within legal, contractual, internal, social and ethical boundaries
    • Provide relevant, reliable and timely information to appropriate stakeholders
    • Enable the measurement of the performance and effectiveness of the system”

The question for me as I review the maturity model is whether it truly describes a GRC capability.

I believe it is a valuable piece of work, but only if you are concerned about the R and the C.

I am afraid that the authors, who are friends as well as colleagues, have fallen into the trap I started talking about more than 6 years ago.

The ‘G’ in GRC is silent.

Where is there mention of everybody, from the board down to the shop floor worker, working to shared objectives? If enterprise objectives are not just set and approved by the board and top management, but cascaded down and across the enterprise with all performance incentives fully aligned, how can we expect the right risks to be taken and value delivered?

Don’t expect harmony when people cannot see the song sheet.

Where is there mention of effective decision-making? Both the ISO and COSO risk guidance is moving towards an emphasis on intelligent and informed decision-making. But, I don’t see that here.

Where is the integration of performance management and risk management? Sadly, it is not here either.

This is a fine document for risk and compliance maturity. But is it a maturity model for GRC?

Hopefully, there will be a version 2.0 of the model where the G is not silent, where it is in fact dominant.

I welcome your views.


[1] OCEG, the Open Compliance and Ethics Group, is a not-for-profit think tank that focuses on Principled Performance and GRC. It has a wonderful website at with many valuable resources for members. Membership is free for individuals.

[2] I like the OECD definition of governance: “A set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.”

The Wells Fargo “Staff Scam”: More questions and fewer answers

September 16, 2016

Since I wrote about the astonishing Wells Fargo fraud, I have been waiting for additional news to shed some light on what happened – and didn’t happen.

By ‘didn’t happen’, I am referring to the actions that should have taken place to detect the frauds, identify their causes, stop further fraud, and report all of this to the board.

I am not talking about 2016, I am talking about 2011, 2012, 2013, 2014, and 2015.

But, the news has been scarce and little has been revealed.

…except for interviews with Wells Fargo’s CEO John Stumpf, discussed in a Huffington Post article entitled Wells Fargo CEO Blames Multimillion-Dollar Fraud On The Lowest-Level Employees.

Let’s examine the few facts we know:

  • He does blame some number of rogue employees.
  • He does say that the 5,300 employees that were fired included “some” branch managers and a number of “managers of managers”.
  • He says that neither his nor any other “named person’s” compensation (as I understand it that would include the CEO, CFO, and other highly-compensated individuals) was based on the number of accounts opened.
  • As far as we know, no senior executive has been disciplined.
  • He has not acknowledged any wrongdoing, even blindness, on his part or by any other senior executive. In fact, he presents himself as an optimistic figure who should be retained to lead the company forward.
  • Under gentle pressure from his friend Cramer in the Mad Money interview, Stumpf acknowledged that he was accountable – but showed no remorse to my eyes. He apologized but was clearly coached – as were many of his answers to Cramer’s questions about holding senior managers to account.

On balance, maybe it is a fair headline. You will decide for yourself.

The Mad Money interview revealed one disturbing ‘fact’.

Stumpf said that the 5,300 employees were fired over a period of 5 years – a rate of about 1,000 each year.

He is not saying that the 1,000 per year was an average with 100 in the first year and thousands towards the end of the five year period. (Apparently, the fraudulent activity was first discovered in 2011.) He implies that the number was about the same each year for 5 years.

He told Cramer that the branch system has about 100,000 employees, so only 1% were involved – as if that was acceptable and even predictable.

So we have to understand that for five years there was a steady stream of 1,000 being fired each year.

We know nothing about those who were subject to less stringent discipline – and of course nothing about anybody who was not found out or where the manager looked the other way.

Given this new information, I have more questions:

  • If about 1,000 people were fired in 2011 for their fraudulent activities, opening accounts for customers that they had not authorized, why wasn’t action taken in 2011 to prevent this fraudulent activity continuing?
  • If another 1,000 were discovered in 2012 and then in 2013, who did nothing? What about 2014 and 2015?
  • Who discovered the frauds, when, and what did they do? Neither Wells Fargo nor the regulators (in the Consent Decree) have identified a whistleblower, internal audit action, or other source.
  • When was this reported to the Compliance Officer, senior and executive management, the board, and internal audit? Were the risk officers ever informed?
  • Was there a concentration of these frauds in a particular region or was it widespread?
  • Who should have known? Are they being held to account?
  • Who should have been watching? Are they being held to account?
  • What happened when a customer complained?
  • Did anybody check customer signatures?
  • Is there a culture of not coming forward?
  • Who set these targets, knowing that many if not most new accounts did not involve ‘new money’, but were funded by transfers from existing accounts? Since they did not influence income, they seem to be silly targets. Wells is refunding just $2.6 million in fees – which is probably less than all the bonuses awarded for opening the 2 million unauthorized accounts.

Internal audit is referenced in the CFPB Consent Decree, but only in a requirement to perform an audit to confirm agreed-upon actions have been taken.

There is no indication that internal audit did in the past or would in the future look at:

  • The setting of compensation targets (for example to confirm they will drive desired behavior and are consistent with the achievement of corporate goals, not just that they deter undesirable behavior as referenced by the regulator)
  • The culture of the organization, how whistleblowers are treated and whether employees are willing to come forward
  • The design and operation of controls over the opening of customer accounts
  • The design and operation of controls around customer complaints, for example to identify trends

We still know very little.

All we can do is hope the board is asking these and other questions – and being more skeptical than Cramer in his interview!!!


The astonishing Wells Fargo fraud

September 10, 2016

The news about the staff ‘scam’ (the word used in this article in SC magazine) is mind-boggling.

It’s not just that staff at Wells Fargo “opened an estimated 1.5 million deposit accounts and applied for roughly 565,000 credit card accounts according to the Consumer Financial Protection Bureau (CFPB). Once the accounts were opened the employees transferred money to temporarily fund the new accounts which allowed them to meet sales goals and earn extra compensation.”

It’s not just that Wells Fargo was fined $185 million (including the largest ever fine by the CFPB).

It’s not even that the scam lasted 5 years.

What I found mind-boggling is that (according to CNN Money) Wells Fargo had to fire about 5,300 workers (out of a total staff estimated at 265,000), or 2% of all employees.

In time, I am sure more details will surface.

But I have a problem with this statement from the bank’s CEO:

“Our entire culture is centered on doing what is right for our customers.”

How can he say that when 2% of the total Wells Fargo workforce was fired as a result, presumably, of being involved?

When 2% of employees were fired, you have to assume that more people knew or should have known. The prevailing Wells culture in reality was to do what was right for the staff, not the customers!

According to an article in the NY Times, “Wells said that the employees who were fired included managers and other workers. A bank spokesman declined to say whether any senior executives had been reprimanded or fired in the scandal.”

The lack of information implies, in my mind, that senior executives have not been held to account. Can that be right? I hope that will change.

The CFPB says, “Spurred by sales targets and compensation incentives, employees boosted sales figures by covertly opening accounts and funding them by transferring funds from consumers’ authorized accounts without their knowledge or consent, often racking up fees or other charges.”

The Director of the CFPB adds, “Unchecked incentives can lead to serious consumer harm, and that is what happened here.”

It’s so easy to say that “unchecked incentives can lead to serious harm”. That’s so obvious. It applies to every organization.

It’s also easy to say, as they do, that internal controls failed.

But this incident raises so many questions!

  1. The culture was clearly massively flawed, despite what the CEO says. In fact, his statement reveals a lack of understanding not only of the word ‘culture’ but also of the real problem. I am not sure how the board can have confidence in his ability to change the culture. The surviving employees will be in shock and so risk-averse that the bank will suffer enormously.
  2. The PCAOB and others love to use the word ‘pervasive’. But here is an example of something that is truly pervasive. I believe senior executives either knew or should have known of the problem. Did no employees come forward? Did nobody see a trend in customer queries and complaints about accounts being opened they had not requested? Where was the Chief Compliance Officer?
  3. Was top management asleep or did they just have their eyes and ears closed?
  4. Should risk management have done something?
  5. Where was internal audit?
  6. Where was the board?

We have insufficient information with which to answer these questions.

I don’t know that risk management could or should have done anything. I doubt this kind of scam would be identified as a risk.

I do have to ask whether risk management:

  • had satisfied themselves that the fraud risk assessment (assuming one was done) was complete;
  • were monitoring the level or type of consumer queries and complaints, which should have been a leading risk indicator;
  • had effective monitoring of customer satisfaction, which should have been a risk to assess and watch; and
  • had done sufficient work relating to the organization’s culture.

The same questions apply to internal audit.

But, I would expect internal audit to be more aware of customer complaints and customer satisfaction than risk management. Controls over customer satisfaction risk, and especially responses to complaints, should have at least been considered in building the audit plan.

They should also be more skeptical than risk management can afford to be (for political reasons) of organizational culture, and I have to question whether any warning signals were picked up by auditors in the course of their work. Were they so focused on completing the audit program that they were not watching and listening to what was happening around them? Were they ‘auditing by walking around’? Did they listen to customers at all?

I don’t expect that the board had any reason to believe this was going on. They have to rely on management, risk management, and internal audit for information on culture, the management of fraud and other risks, and the performance of controls.

But I do expect the board to take swift and decisive action once a problem like this appears.

That includes educating the CEO that his comment about Wells’ culture is absurd and that the culture needs to be fixed.

It also includes holding senior management to account. Hopefully we will hear more about that in time.

What do you think?

Do you agree with my comments?

What would you expect from the board, risk management, and internal audit?

Leading an effective information security capability

September 4, 2016

With all the press and concern about cyber at all levels of the organization, with the regulators, and among the public, it is a worthwhile exercise to consider what this should mean for the Chief Information Security Officer (CISO) or equivalent.

Some point to the need to elevate the position of CISO to report directly to a senior executive, even to the CEO.

Elevating the position, in my opinion, will not necessarily do more than elevate the voice of cyber in the executive suite. It won’t necessarily drive the resources necessary for an effective cyber program, nor will it necessarily change the minds and attitudes of people from the executives on down.

In fact, elevating the position carries the risk that the CISO will get caught up in organizational politics instead of focusing on cyber risk itself.

Deloitte tackles this and other opportunities in a new piece, The new CISO: Leading the strategic security organization.

Of course, they are using words intended to induce people to read: ‘new’ and ‘strategic’. I think we can easily disregard them and focus on the problem at hand.

First, let’s acknowledge that the role of the CISO (or other individual responsible for information security) should never be considered as simply a compliance function.

Deloitte talks about “the imperative to move beyond the role of compliance monitors and enforcers to integrate better with the business, manage information risks more strategically, and work toward a culture of shared cyber risk ownership across the enterprise”.

But even when I had information security reporting to me 30 years ago, it was about protecting the organization and not just about compliance.

It is foolish to believe that executives or the board will invest if the only return is compliance. Yes, it is necessary but a compliance function will never receive the attention of a function that contributes to the success of the organization. Executives will commit resources to the level they think prudent, but not necessarily what it will take to enable success – because they don’t understand how cyber relates to their personal and corporate success.

If they don’t know that it matters to success, it won’t matter to them.

The successful CISO helps everybody appreciate how cyber contributes to and enables success.

Buried in the Deloitte material are two sections of great importance:

  • While the CISO may think in terms of reducing risks, business leaders take risks every day, whether introducing an existing product to a new market, taking on an external partner to pursue a new line of business, or engaging in a merger or acquisition. In fact, the ability to accept more risk can increase business opportunities, while ruling it out may lead to their loss. From this perspective, the role of the CISO becomes one of helping leadership and employees be aware of and understand cyber risks, and equipping them to make decisions based on that understanding. In some cases, the organization’s innovation agenda may necessitate a more lenient view of security controls.
  • … CISOs [need] to pivot the conversation—both in terms of their mind-set as well as language—from security and compliance to focus more on risk strategy and management. Going beyond the negative aspect of how much damage or loss can result from risk, CISOs need to understand risk in terms of its potential to positively affect competitive advantage, business growth, and revenue expansion.

These are, in my opinion, the keys to an effective cyber program.

If the CISO is going to influence not only the resources he or she is given but the attitude and actions of the organization, it is necessary not only to understand how the business is run, but to talk to executives in the language of the business.

Talk about how the achievement of objectives may be affected by a cyber breach. Talking about specific objectives is the best way to influence hearts and minds.

Help executives make intelligent decisions when it is appropriate to accept a cyber risk to reap a business reward.

Talk business risk, not technobabble.

Do you agree?

Are there other points of value in the Deloitte paper?

Have you provided comments on the COSO ERM draft?

August 31, 2016

I hope you have reviewed the draft, available through or at

Please share your views on this important document.

I realize that some of you prefer the ISO 31000:2009 global standard on risk management. But let’s recognize that nearly half of the risk management functions around the world are influenced by if not using the COSO framework.

Even if you will not adopt COSO, it is in all of our interests for it to be of the highest possible quality, driving the achievement of enterprise goals through informed and intelligent decision-making.

I submitted my comments some time ago. You can see them on the COSO site at

How to do your internal audit risk assessment

August 27, 2016

A long-time vendor of software for internal audit departments, Thomson Reuters, has published a piece by Noah Gottesman. Prior to joining Thomson Reuters in 2012 as Director of Audit Advisory and Innovation, Noah was with EY (which is where I met him, if memory serves me right). In that capacity, he has performed and managed a variety of internal audits.

Get Your Internal Audit Risk Assessment Right This Year has some good suggestions for the traditional internal audit team. It includes “five steps to turning risk assessment principles into positive actions”, as well as sections on:

  • Listen to management: the real opportunity
  • Lay the foundations: the importance of a robust methodology
  • Know your organization’s risk appetite
  • Get into the details
  • Plan for success
  • Understand the business and its culture

Most will see value in these sections.

But, I have significant issues with the approach and assumptions.

My problem starts very early.

The paper quotes the COSO Internal Control – Integrated Framework:

“…risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.”

Yet, this quote is followed by a reference to an “annual risk assessment process”.

Buried at the end of page 7 of the Thomson Reuters paper is this sentence:

“With no sign of the pace of changes affecting your organization slowing down, internal audit’s risk assessment must be dynamic, not static, and needs to be improved from year to year, using a top-down approach, beginning with management interviews and input.”

COSO similarly talks about a “dynamic and iterative process” (almost the same words as the ISO 31000 principle: risk management is “dynamic, iterative, and responsive to change”).

An annual process is NOT dynamic, iterative, nor responsive to change.

Change does not occur on an annual basis. It is all the time, which is why we use the word ‘dynamic’.

McKinsey prefers the word ‘turbulent’, as do I.

Internal audit needs to be aware of and responsive to changes in known risks or the emergence of new risks continuously, not on an annual cycle.

The move to a continuous, dynamic audit plan will be a major change for most internal audit departments. Many are already on that journey and have to adjust from a major initiative focused on listening to executives once a year to monitoring how business objectives and risks are changing.

I wish Noah had talked about the fact that every organization has hundreds if not thousands of risks. An internal audit risk assessment that includes, as he suggests, listening to management at all levels across the organization will identify a great many risks that matter to those managers.

But are they risks that matter to the organization as a whole?

In World-Class Internal Auditing: Tales from my Journey, I said:

When internal audit focuses on the risks that matter to the organization, provides objective and insightful assurance on how well they are managed, and uses its intellect and imagination to work with management to effect necessary changes, amazing things can and do happen.

I believe internal audit should first understand the value drivers and the objectives of the organization. It should then seek to understand the risks (and continuously maintain that understanding) that are critical to the delivery of value and the achievement of corporate objectives.

One excellent question is “what could go wrong” and another is “what needs to go right”.

The risks to enterprise objectives that are identified are the risks that matter.

Those are the risks that need to be addressed in the audit plan.

I, and many other CAEs around the world, believe that internal audit should provide its stakeholders with a formal assessment of the condition of risk management and internal control as they relate to the more significant risks to the organization.

A major element of audit planning is ensuring that sufficient work is performed to support that assessment.

Another dimension to audit planning is whether an engagement will add value. Some risks are well-known and are already being addressed. In those cases, an internal audit engagement will probably add little value.

On the other hand, sometimes there are situations where the risk is seen as moderate but an advisory engagement would add value to the extent that it merits inclusion in the audit plan.

This whole question of the internal audit risk assessment is a tough one. I hope to provide more of my thinking on the topic later.

In the meantime, please share your thoughts on best practices.

Do techies really understand cyber risk?

August 20, 2016

I have to ask this question after reading two recent papers. The first is from an organization that positions itself as not only an expert in cyber but one that offers related consulting services and solutions.

Practical Guide to Measuring Cyber Resiliency and Effectiveness was published by Lockheed Martin earlier this year.

The authors suggest a seven step process for establishing “an effective, sustainable computer network defense program”.

While the piece has some value, I have some major issues with it.

Let’s start with the fact that cyber is a business issue, not just an IT one. Yet, the only people on the recommended team are techies. In fact, they recommend a team of three “highly-skilled Technical Leads and Cyber Analysts with experience in Threat Monitoring, Incident Response, Cyber Threat Intelligence, Malware Analysis, and Computer Forensics, DevOps, Analytics, and general cybersecurity and IT skills”.

Nowhere is there any mention of the need to involve business personnel.

In my presentations and courses, I often talk about this hypothetical situation.

Imagine that we are in a conference room and hear a loud BANG from outside. We run to the window and see that a large safe has landed in the middle of the parking lot. Security guards rush to surround it. They string barbed wire around the safe, with bright lights and 24-hour monitors.

But then an executive appears and tells a guard to open the safe.

It’s empty.

The executive looks around and spots a wicker basket against the fence, close to an exit from the lot.

He strolls over and sees the crown jewels wrapped in tissue paper in the basket.

The point is that you protect what needs to be protected.

You need to know what assets are at risk before setting up a cyber program or any other form of controls and security.

Yet, the paper does not mention any form of risk assessment.

The risk from cyber is not the technology or network; it is the effect on the achievement of a business objective.

I have additional issues with the paper.

  • The analysis assumes that all attacks can be detected. This is a huge assumption and not credible in my view.
  • There is no mention of risks introduced by mobile or cloud applications and services.
  • There is no discussion of threats to the organization through attacks on the extended enterprise. Many organizations have outsourced services to a third party; those services may be at risk. In addition, many attacks are on our partners in the extended enterprise; once an intruder has gained access to a partner, they may be able to access our network and systems. Finally, many intruders are attacking employees’ personal devices and systems – and could gain access that way.
  • The issue of educating the organization to be security-conscious (such as avoiding clicking on links or attachments that introduce malware, or using better passwords) is ignored. In fact, there is no mention at all of the use of non-simple passwords.

I am afraid I find this paper quite lacking from a business perspective.

Now, perhaps all my points are discussed by this vendor in different publications – but that is not apparent from this piece.

The second paper is The Cyber Threat Risk – Oversight Guidance for CEOs and Boards. It has a foreword by Sameer Bhalotra, Former White House Senior Director for Cybersecurity, so I was expecting a better paper than the Lockheed Martin one – especially as it is targeted at CEOs and board members.

But, the same criticisms apply.

There is no business risk assessment, there is no mention of mobile or the cloud, a security-conscious culture is absent, and the extended enterprise is ignored.

It does have some better content, including:

  • a description of the problem we face
  • an emphasis on detection as well as prevention
  • a discussion of mean-time-to-detect and mean-time-to-respond

Most of the techies I know understand all my concerns. But I have to ask the question in the title when so-called cyber experts write and share papers like these.

I welcome your thoughts.