The Crown Jewels and Risk Management

February 6, 2016 7 comments

When considering information security or cyber risk, you usually concentrate on risk to the ‘crown jewels’ – those information assets and services that are most vital to the enterprise.

I am going to suggest that we can extend the concept of a focus on crown jewels to broader risk management.

I think we all know that risk is created or modified with every decision.

We also know that those decisions are made by people, who we know are imperfect.

In my last post, Why do some take risks while others do not?, I talked about the fact that different people will make different decisions in the same circumstances. We need them to make the ‘right’ decisions, taking the desired level of risk. But, policies and procedures, even risk appetite or criteria statements, may not be enough to ensure they will do so.

People are influenced not only by the perceived ‘culture’ of the organization, but also by a number of personal factors including their prior experience, whether they feel ‘at risk’ if they take too much or not enough risk, and even whether they have a sunny disposition that day.

So we are dependent on these individuals and their actions.

What can be done? How can we obtain reasonable assurance that risks will be managed, by them and through their decisions and actions, at desired levels?

I suggest that we consider which individuals are making the decisions and taking the actions that are most likely to have the greater impact on whether the more significant risks to organizational objectives are at desired levels. Which individuals, which actions, and which risks?

If we can identify these individuals, the decisions and actions that need to be made, and the affected risks and objectives, then we can focus on them as the crown jewels of risk management.

  • Do these individuals understand the potential for their decisions and actions to affect risk levels and the achievement of enterprise objectives?
  • Do they understand desired levels of risk, whether in risk appetite or criteria statements?
  • Do they have sufficient information to make intelligent decisions and take the desired level of risk?
  • What might affect their decision-making in an adverse way, and what can be done about it?
  • What is the likelihood that they will make a decision that takes the level of risk outside desired parameters?
  • How will senior management know when they stray from the desired path?
  • How will we know when the decision-makers change?

There’s probably more that can be said and more that can be done to provide assurance that individuals, whether on the board, in top management, or at other levels, will take the desired level of risk.

What do you think? What should be done?

 

Richard Anderson and I will be discussing this in our Risk Conversations coming up in April in London and Chicago. Details are at www.riskreimagined.com. Join us!

 

Why do some take risks while others do not?

February 4, 2016 4 comments

Every time you breathe, you are taking a risk – but usually, the potential for harm is greater if you don’t breathe. (There are exceptions, such as when your head is under water without a breathing mask.)

Every time you make a decision, you are taking a risk – creating or modifying the level of a risk.

So we are taking risk all the time, in pretty much every facet of our personal and professional lives.

But, I think we all know that when faced with the same situation, some will act one way and others another way.

They may have assessed the risk differently (if they go through that process). They may have made different decisions as to whether the risk is acceptable, and also which fork in the road they should take to address it.

Yes, it’s fine to have defined risk criteria or appetite statements, but they rarely cover every decision or action that a manager has to take. So the manager has to make the decision based on what he or she thinks best. Again, different people will make different decisions.

A number of experts will point to risk culture as the answer. They seem to believe that some organizations are more risk averse than others.

But organizations are composed of people: different people in leadership roles, with different backgrounds, experiences, and bias. Organizations are not homogeneous. In fact, sections of an organization are not staffed with people who are identical in their attitude towards risk.

For example, if a decision has to be made whether to select vendor A, B, or C, or a combination of the three, different people are likely to make different decisions. Manager X may have had a bad experience at another company with vendor A, while Manager Y used to work for them. Manager Z may have lived through a disastrous experience where the sole source vendor failed, so he will opt for a combination of two or more vendors.

Manager Z may have suffered a loss on the stock market that affects his desire to take risk, while Manager X has just heard he is a grandparent again. Their state of mind can influence their risk decision.

It’s not only that different people will make different decisions in the same situation, but each one may make different decisions at different times.

This is important, because as risk professionals we want to obtain a level of assurance that decision-makers will take the level of risk that top management and the board desire.

It’s not just that we want to ensure people don’t take too much risk; we want them to take a desired level of risk. If managers don’t take risk, the organization will die.

We need to know the temperature and overall health of the organization and its decision-makers.

  • Who are we relying on to take the risks that matter most to the organization’s success?
  • How can we obtain assurance that they understand the desired level of risk?
  • How can we obtain assurance that they will act as we desire?
  • How will we know when their risk attitude changes?

A periodic survey will, perhaps, give you a moment-in-time view. But, people change. Managers and executives leave; new ones join; people’s perspective and desire to take risk changes – especially if they see their compensation or termination likely to be affected by their decision.

This is a complex issue that risk professionals need to understand and then assess within and across their organization.

Richard Anderson and I will be discussing this in our Risk Conversations coming up in April in London and Chicago. Details are at www.riskreimagined.com.

In the meantime, how do you address this?

How do you know that your decision-makers will take the desired level of risk?

Misunderstanding risk and internal audit

February 2, 2016 19 comments

There are many voices urging people to act when it comes to the topics of risk management and the role of internal audit. Unfortunately, most of these voices are like sirens, tempting you to go the wrong way.

A recent piece on AccountingWeb entitled More boards count on internal audit to identify risks has good intentions, but could lead people astray.

For a start, it is not internal audit’s role to identify risks. That is most definitely management’s responsibility. Internal audit should:

  • Audit and assess management’s ability to identify, assess, and manage the more significant risks that can affect (positively or negatively) the achievement of objectives. That assessment should be communicated formally to the board and top management on at least an annual basis
  • Audit and assess the adequacy of the controls relied upon to manage the risks that matter to the achievement of objectives, reporting same to board
  • Ensure the board understands where the controls are not adequate and that failure raises the level of risk to objectives to an unacceptable level. Internal audit should (but frequently does not) identify which objectives are affected
  • Add value by providing insight and recommendations to management to improve the systems of risk management and internal control

Now, if internal audit is not doing the above, there is a problem. Reading the article, it can be assumed that many internal audit departments are falling short – and that management and the board do not set the expectations for internal audit high enough.

Another assumption from the article is that many management teams do not have the capability to identify, assess, and manage risk. That is why some are defaulting to internal audit to step in. But, while internal audit can and should report situations where the risk is different to what management and the board believe, internal audit should not be the function relied upon to identify risk.

Yes, internal audit can take on additional risk management responsibilities – as a coordinator, facilitator, and evangelist. But, it must not assume management tasks such as assessing the level of risk or deciding what action is required – which would compromise its independence and objectivity.

Do you agree?

We can discuss this further in Chicago in April. See www.riskreimagined.com for details.

Isn’t it time our ideas on risk maturity grew up?

December 28, 2015 10 comments

Today, I am going to share a guest post by my good friend and, in many ways my mentor, Grant Purdy. I have great respect for my learned friend. Not only has he served with distinction as Chief Risk Officer for one of this world’s largest companies, but he was influential in the development of Australia/New Zealand’s standards for risk management – and later in the development of the ISO 31000:2009 global risk management standard.

Please consider this post. I have a few comments of my own, which follow his reflections.

=============================================================

Isn’t it time our ideas on risk maturity grew up?

Grant Purdy, Associate Director, Broadleaf Capital International

The confected expressions ‘risk maturity’ and ‘risk management maturity’ (which typically are used interchangeably despite having entirely different meanings) have gained currency with apparently little thought as to their meaning or inherent validity.

Used variously as both a descriptor of a desirable state of affairs and as an arbitrary continuum for use as a measure of what ‘good’ risk management looks like, the question is whether these expressions, and their related dogma and systems, are actually helping or hindering organisations achieve their objectives through better decision making – which, of course, is the sole purpose of risk management.

We all deal with uncertainty, every day, as an intuitive part of making decisions before we act. Some of us are better at it than others and most of us could improve – if we knew how.

In organisations, decisions are always made in the context of the organisation’s external and internal environments and so inevitably involve some uncertainty as to the actual effect of any decision. The effect of that uncertainty on the organisation’s objectives is what is commonly described as ‘risk’. Detecting, understanding and (if beneficial to do so) modifying ‘risk’ (and having the intent and capacity to do so) is what, by habit, we call risk management.

Risk management – concerned as it is with both consideration of uncertainty and with the organisation having the intent and capacity to do so – is something that organisations either do well or not so well; they can do it intuitively or deliberately and either always or sometimes.

As with income and expenditure data, production figures, and other organisational performance measures, it is helpful for organisations to be clear about how good their ‘risk management’ is. Otherwise, they cannot enjoy the confidence of knowing that decisions will lead to the intended outcomes which, after all, is the basis of good governance.

However, as with other types of organisational performance measures (such as considering actual against budgeted revenue), it is necessary to know what ‘good’ risk management looks like before organisations can understand their shortcomings and plan improvements.

The proponents of ‘risk maturity’ concepts envisage that ‘good’ = ‘mature’. But is that valid? If ‘maturity’ is used just to characterise ‘good’ then, in itself, it adds nothing and it would be better to use the normal word ‘good’ instead.

Defining ‘good’ risk management is, in fact, quite simple because, if its ultimate purpose is to enhance decision-making, it must deliver three key things:

  1. When decisions are finalised, the ‘risk’ associated with the decision is fully understood.
  2. The type and magnitude of that risk is acceptable, i.e., optimal, taking into account those aspects that facilitate objectives and those that might detract from them.
  3. Changes inside or outside the organisation that occur after a decision has been made, and are of a type that could have the effect of modifying the risk, are detected, the resulting risk assessed and, if warranted, the decision is amended and the subsequent actions are revised.

These three criteria for ‘good’ need to be satisfied for every decision because, as with the links of a chain, it doesn’t matter that the risk associated with 99 decisions meets the criteria if there is one decision in which an unacceptable risk went undetected, was misunderstood, or was not modified to ensure it was acceptable. This is very similar to the preparation of a profit and loss statement that comes down to similar matters of fact: (1) were all elements of expense and revenue captured and, (2) are the arithmetic and accounting treatment of each item correct?

In summary, ‘good’ risk management is only concerned with its universal application to decision-making and its consistent, technically competent application and, as can be seen, such criteria, like the links of a chain, do not lend themselves to measurement using arbitrary scales or matrices.

If risk management is not satisfying the above criteria of ‘good’ then the organisation should remedy any specific shortcomings in:

  • the organisation’s intentions (i.e. whether or not it intends to consider, in its decisions throughout the organisation, the effect of uncertainty on its objectives), and
  • its capacity to give effect to those intentions (e.g. individuals having clear instructions, skills and relevant tools and there being a system of performance measures).

Remedying shortcomings in intent or capacity in an efficient way requires very specific and tightly constrained remedies such as revised instructions, improved explanation, targeted training, improved tools and improved surveillance.

So ‘good’ has nothing to do with ‘maturity’ but all to do with being ‘effective’, which has the ordinary meaning of ‘having the effect intended’.

George Orwell wrote:

the slovenliness of our language makes it easier for us to have foolish thoughts[1]

Isn’t it about time we abandoned using the slovenly expression ‘maturity’ as an expression of ‘good’ and instead use the simple and accurate word ‘effective’? And, at the same time, avoid the deceptive use of any form of maturity scale. Instead, shouldn’t we just focus on the selection and implementation of actions that, quite simply:

  • monitor and test the application of approaches that discover, understand and, if necessary, modify uncertainty as part of decision-making;
  • monitor and test the technical adequacy of such activities;
  • design and monitor remedial actions?

 

[1] George Orwell: Politics and the English Language, Horizon, London, 1946.

============================================================

Norman’s Comments

I understand and agree, to a large extent, with Grant’s views. I too write about effective risk management enabling better decisions, at all levels of the extended enterprise.

I have sympathy for Grant’s position that we must be clear when we talk about mature, effective, or good risk management.

I divert from Grant’s stated position (although it may be more a matter of semantics) when it comes to what constitutes an acceptable level of risk management – what I would refer to as ‘effective’. (I don’t know what ‘good’ risk management is and don’t talk about it).

My position is that the risk management capability, including framework and processes, can only provide a reasonable level of assurance that the desired level of risk will be taken. Incorrect or misguided, even misinformed decisions will still be made. Perfection is not achievable.

What I say in World Class Risk Management is that risk management can be considered world-class when the likelihood and extent of a failure to manage risk at desired levels is acceptable. Please see the book for a detailed explanation of this new concept.

So, what do you think?

 

Let’s talk about culture

December 19, 2015 5 comments

Organizational culture has been blamed for many recent disasters, including BP Deepwater Horizon (which has been referred to as a “culture of greed” as well as a culture that had defects relating to safety), GM (“…a culture where you get fired if you do talk about quality and safety issues, and you get fired if you don’t talk about them”), Toyo Tire (“Toyo Tire’s problems stem from its corporate culture”) and VW (“North Korea without labour camps”).

Some interesting articles have been written about culture, including:

In our webinar on December 8th[i], Richard Anderson and I talked about organizational culture. I made the points that:

  • There are many aspects or dimensions of organizational culture, illustrated by people talking about ‘safety culture’, ‘risk culture’, ‘ethical culture’, and so on.
  • There is no single corporate culture. Culture can be quite different between units, departments, locations, or teams within a single organization.
  • Culture reflects people, and since the employee population is changing all the time, we should expect culture and the behavior patterns it influences to similarly change. However, there can be a dominant culture that reflects the influence of leadership (whether of the organization, a unit, team, or so on), and that influence is likely to remain fairly constant until there is a change in leadership.

Richard shared the results of some research and study into corporate culture, with an emphasis on risk culture. He talked about the fact that while many are driven by performance, others are driven by a need for ‘control’. A balance needs to be found.

Some are highly collaborative, while others are prone to taking the lead and directing others to follow.

These differences in personality can drive behavior when it comes to risk decisions – how much ‘risk’ to take.

Richard is the author of the IRM’s publication on Risk Culture. (I was one of many reviewers). I believe you will find it an interesting read.

Richard and I have scheduled additional opportunities to discuss risk culture and its effect on the management of risk. Details are at www.riskreimagined.com.

But in the meantime, I have some thoughts I want to share on how to assess whether your organization’s culture is what it should be.

  • Because there are so many aspects or dimensions of organizational culture (safety, ethics, risk, and so on), I would focus on a limited number of dimensions at a time.
  • I would endeavor to define (a) what I want to see in a model culture; (b) how defects in culture would impact corporate success and the achievement of objectives (in other words, I would assess the risk); and, (c) how I might identify red flags that would indicate such defects.
  • Based on the above, I would determine appropriate assessment methods and tools. I personally like surveys and have used them with some success in partnership with the Human Resources department. However, we should not underestimate the fact that all of us (if we are alert) can provide input and insight into the culture of our organization. We typically know, or at least suspect, when there are problems with the corporate culture. I was very much aware of issues at several of my employers, and always (a) considered whether they represented a threat to the organization that merited my attention, (b) took them into consideration when defining my internal audit plan, and (c) discussed serious issues with top management and the board. Of course, I did not rely on my own suspicions; I would use surveys and interviews to provide additional information for confirmation or clarification.

Are you sensitive to the possibility of defects in corporate culture that might represent an unacceptable level of risk – through their impact on decision-making – to the achievement of organizational objectives?

I am interested in your experiences and insights.

 

[i] I believe that if you register, you can listen to recordings of both webinars

Internal audit and cyber risk

December 15, 2015 2 comments

Deloitte has published good work. One of my favorites is their risk-intelligent white paper series.

Recently, they released Cybersecurity and the role of internal audit. It has both superior and inferior advice. Let me walk through it.

“The threat from cyberattacks is significant and continuously evolving. One estimate suggests that cybercrime could cost businesses over $2 trillion by 2019, nearly four times the estimated 2015 expense. Many audit committees and boards have set an expectation for internal audit to understand and assess the organization’s capabilities in managing the associated risks.”

This is good advice. Cyber is one of the most significant risks on the agenda of the board and audit committee.

“Our experience shows that an effective first step for internal audit is to conduct a cyber risk assessment and distill the findings into a concise summary for the audit committee and board which will then drive a risk-based, multiyear cybersecurity internal audit plan.”

This is wrong (IMHO) on so many levels!

  1. Management and not internal audit should be performing the cyber risk assessment. The role of internal audit is to assess the adequacy (which includes the currency) of that risk assessment.
  2. While the audit plan should be enterprise risk-based, a multiyear plan makes no sense. Who in these days believes that the cyber risks will be the same in 2016 and beyond as they have been in late 2015?
  3. There should not be a separate ‘cybersecurity audit plan’. As most have pointed out, cyber is a business risk, and addressing the IT aspect in isolation from other business measures is less than optimal.

“Business units and the information technology (IT) function integrate cyber risk management into day-to-day decision making and operations. This comprises an organization’s first line of defense. The second line includes information and technology risk management leaders who establish governance and oversight, monitor security operations, and take action as needed, often under the direction of the chief information security officer (CISO).”

Deloitte does well to point out that the so-called 1st line of defense (better referred to as ‘offense’ in my opinion) includes operational management from the business as well as IT. However, I cannot explain why it ignores the role of enterprise risk managers. Also, a growing source of risk is the extended enterprise – partners, consultants, and others who work with the company and provide access points to the organization’s crown jewels.

By the way, Deloitte does not refer to ‘crown jewels’ and the need to understand what they are. I don’t know why not.

“Increasingly, many companies are recognizing the need for a third line of cyber defense—independent review of security measures and performance by the internal audit function. Internal audit should play an integral role in assessing and identifying opportunities to strengthen enterprise security. At the same time, internal audit has a duty to inform the audit committee and board of directors that the controls for which they are responsible are in place and functioning correctly, a growing concern across boardrooms as directors face potential legal and financial liabilities.”

There are some good points here. A formal assessment and report to the board or audit committee should be provided, perhaps as part of the overall report by the CAE on the management of key risks. In addition, internal audit needs to have the skills necessary to perform the assessment and to suggest possible improvements – something Deloitte expands on later.

“For internal audit to provide a comprehensive view of cyber security, and avoid providing a false sense of security by only performing targeted audits, a broad approach should be employed.”

This is another good point: internal audit has traditionally looked at certain areas, but a more holistic assessment should be made of how well cyber risk is addressed.

The Deloitte framework looks OK and I welcome comments on it.

Deloitte references testing and assessments that might be performed as part of the organization’s SOX program. However, SOX scope is limited and the cyber management program, and internal audit’s related work, should address all significant cyber-related risks and not be limited to those that might affect the integrity of financial reporting.

I am not a fan of Deloitte’s risk assessment framework. I prefer something that is driven by the objectives of the enterprise (not mentioned by Deloitte) and how a cyber-related issue might affect them.

Overall, this is a very important topic. My experience, based on discussions with board members as I participated in NACD events where the focus was on cyber, is that many boards lack confidence in the ability of internal audit to provide the necessary value in this area. Deloitte says that “A tech-oriented audit professional versed in the cyber world can be an indispensable resource.” I agree totally and my practice always included a high percentage (20% – 25%) of technology specialists.

What do you think?

 

Join me for a discussion about effective risk management. Details of webinars and in-person events are at RiskReimagined.com.

You can also read World-Class Risk Management and/or World-Class Internal Audit.

The risks when workplace automation replaces humans

December 6, 2015 3 comments

People charged with risk, governance, and assurance for their organization (i.e., the board; executive management team; risk, security, and audit practitioners) have a lot to monitor. Risks are changing and new risks are emerging all the time.

The dynamic workplace and business environment requires constant vigilance, as every decision within the extended enterprise changes or creates risk – and many decisions by others, outside the enterprise, affect the organization as well.

One area where there is change now, and every indication of change in the future, is ‘workplace automation’.

McKinsey Quarterly recently published an interesting article, Four Fundamentals of Workplace Automation. It points out that a growing number of tasks formerly performed by humans are now being performed by machines. The trend is not limited to robots in manufacturing or in warehouse operations. Just think of how you check in for your flight, whether at the airport (kiosks) or at home (with mobile boarding passes), and how you order items from Amazon and other retailers.

More is coming, as white collar jobs are replaced. Here are some salient observations from the article:

“Very few occupations will be automated in their entirety in the near or medium term. Rather, certain activities are more likely to be automated, requiring entire business processes to be transformed, and jobs performed by people to be redefined, much like the bank teller’s job was redefined with the advent of ATMs.”

“…our research suggests that as many as 45 percent of the activities individuals are paid to perform can be automated by adapting currently demonstrated technologies. In the United States, these activities represent about $2 trillion in annual wages. Although we often think of automation primarily affecting low-skill, low-wage roles, we discovered that even the highest-paid occupations in the economy, such as financial managers, physicians, and senior executives, including CEOs, have a significant amount of activity that can be automated.”

“The magnitude of automation potential reflects the speed with which advances in artificial intelligence and its variants, such as machine learning, are challenging our assumptions about what is automatable. It’s no longer the case that only routine, codifiable activities are candidates for automation and that activities requiring “tacit” knowledge or experience that is difficult to translate into task specifications are immune to automation.”

“In many cases, automation technology can already match, or even exceed, the median level of human performance required.”

“According to our analysis, fewer than 5 percent of occupations can be entirely automated using current technology. However, about 60 percent of occupations could have 30 percent or more of their constituent activities automated. In other words, automation is likely to change the vast majority of occupations—at least to some degree—which will necessitate significant job redefinition and a transformation of business processes.”

“…leaders from the C-suite to the front line will need to redefine jobs and processes so that their organizations can take advantage of the automation potential that is distributed across them. And the opportunities extend far beyond labor savings. When we modeled the potential of automation to transform business processes across several industries, we found that the benefits (ranging from increased output to higher quality and improved reliability, as well as the potential to perform some tasks at superhuman levels) typically are between three and ten times the cost. The magnitude of those benefits suggests that the ability to staff, manage, and lead increasingly automated organizations will become an important competitive differentiator.”

“The quality and safety risks arising from automated processes and offerings … are largely undefined, while the legal and regulatory implications could be enormous. To take one case: who is responsible if a driverless school bus has an accident?”

“All this points to new top-management imperatives: keep an eye on the speed and direction of automation, for starters, and then determine where, when, and how much to invest in automation. Making such determinations will require executives to build their understanding of the economics of automation, the trade-offs between augmenting versus replacing different types of activities with intelligent machines, and the implications for human skill development in their organizations. The degree to which executives embrace these priorities will influence not only the pace of change within their companies, but also to what extent those organizations sharpen or lose their competitive edge.”

What does this all mean for us, today? My thoughts:

  1. These advances, and other new technologies, represent huge possibilities for almost every organization. However, each also has a huge potential for things to go wrong.
  2. The possibilities, positive and negative, are probably of a scale and type we have not seen before. For example, we are only now starting to worry about people hacking our vehicles. In the future, they might hack our trading system, our CFO, or even our auditors (some would say that would not be a bad thing – smile).
  3. Those charged with running the organization need to be alert to the possibilities, both positive and negative, should they adopt any of these technologies.
  4. Those making decisions on whether and then how to implement new technologies, including whether to replace humans with automation, need a structured and informed decision-making process. I call that ‘risk management’.
  5. Our appetite for taking the risk and implementing new technologies should be increasing, as the potential is increasing that our organization will lose all its market share, let alone its profits, if it does not move with the times.

How ready are we today for the replacement of humans by intelligent ‘beings’ (some combination of software, hardware, and network)? EY’s Global Information Security Survey 2015 reported that:

  • 88% “do not believe their information security fully meets the organization’s needs”
  • 57% say that “lack of skilled resources is challenging information security’s contribution and value to the organization”

My hope is that, at some point in the future, these intelligent automated beings will be able to provide the security they need.

Until then, we are in a quandary:

  • Losses if we fall behind as others take advantage of new technology, or
  • Losses if we adopt it and it fails in some way

I welcome your comments.

 

Join me for a discussion about effective risk management. Details of webinars and in-person events are at RiskReimagined.com.

You can also read World-Class Risk Management and/or World-Class Internal Audit.
