Guiding Principles of Corporate Governance

December 6, 2019

The IIA should be congratulated for its recent publication, prepared in collaboration with the Neel Corporate Governance Center at the University of Tennessee, Knoxville, of Guiding Principles of Corporate Governance.

I still prefer the King Code IV from the Institute of Directors, Southern Africa, because it is more thorough. But the IIA document is definitely worth reading.

One area that I think is weaker than I would like is in defining requirements for the information provided so that the board can monitor performance. Principle 6 doesn’t go nearly far enough for me. The board needs to know promptly when there is an actual or likely obstacle to achieving objectives. It should know about significant events or situations that could affect the interests of stakeholders, whether a reputation or perception issue, activities by competitors, and so on.

A report like this would benefit significantly from a study of the incidence and severity of governance failures. Has anybody seen something reliable and recent?

I welcome your thoughts.

What do you like in the IIA guidance? How could it be improved?

Is it sufficient to use as a foundation for a model of governance practices?

A risk case study

December 2, 2019

I returned this week from a vacation in Mexico, including a day at the Copper Canyon.

Our tour guide took about 20 of us down the mountain side to see some Tarahumara Indian homes. I decided that I wanted to come back ahead of the group, finding my way back up the path and steps to our hotel at the top.

Let’s walk this through.

My objectives were:

  • Get back to the hotel ahead of the group. Many of the members were slow and I would find it frustrating keeping to their pace instead of mine.
  • Do so safely. While the path was not bad, it also was uneven and unpaved with a lot of rocks and steps to climb. The likelihood of a severe injury was very low indeed and I could accept a slight stumble. But if I moved too quickly, I could fall and bruise myself or worse.

What might happen along the way? In other words, what would a risk manager put on a list or heat map?

  • I might fall. The range of pain and injury went from slight (perhaps 5%) to severe (less than 1%).
  • I might get lost. There were multiple paths and I could easily take the wrong one. If I did that, I was confident (>90%) I could either find my way back and take the right path, continue on the (well-worn) path that would eventually take me back to the hotel, even if the arrival would be delayed, or ask one of the other people that I could see on the paths.

But there was also an opportunity: the chance to enjoy the walk back more than if I were in the middle of a muddling-along group.

I assessed the overall picture and decided that the opportunity outweighed the possibilities for harm.

I started walking, enjoying the faster pace and the fresh air.

But soon I caught up with another member of the party who, unbeknown to me, had also decided to head back early. He was older, with a walking stick, and I was faced with my first decision.

Do I try to pass or do I slow down and follow?

If I tried to pass, the possibility of injury would go up quite a lot. I didn’t try to calculate it, just decided quickly that it was not a ‘risk’ I wanted to take. At the same time, the possibility of getting to the hotel before the crowd was receding. I had to accept that, while looking for an opportunity to pass safely.

The opportunity came a few minutes later when the gentleman stopped to take a rest. I stepped past him with care, but was then presented with a dilemma.

There’s a saying that when you come to a fork in the road, you should take it. That’s what I saw: a fork.

To my right, the path went steeply up the hill. It looked a bit rough, while the path on the left continued straight and level and was clearly well used. There was no sign indicating which way led to the hotel, and the older guy remarked that he had no idea which was the right path to take.

I flipped a mental coin and decided to go left. I was swayed by the fact that the path up the hill presented a greater possibility of falling. It seemed steeper and more uneven than my memory of how we came down. I doubted that was the right way.

The path continued straight and level for a while. Soon, I was wondering whether it was the right path because I couldn’t see where it would start going up the mountainside.

An Indian lady approached. My Spanish is not very good, but I pointed ahead and asked whether it went to the hotel. She said it did. Sí!

But after a few more minutes I was starting to believe it was the wrong way. I didn’t think I was lost, because all I had to do was retrace my steps back to the fork.

The foliage cleared and I was able to look up the mountain and see the hotel – which was behind and above me. Now I knew I had gone wrong.

I had to make another decision. Do I continue to where this path might find its way up the mountain (I hoped), or should I turn around? I considered the likelihoods of harm and opportunity and decided that, on balance, it was better to go back.

A few minutes later, I saw a second path leading up. Decision time! This was definitely not the way we came down, but it looked like it should work. Do I take the new option or continue to retrace my steps back to the fork? I weighed the possibilities of getting lost or delayed and the opportunity to get back faster than going all the way back. In addition, the path looked less steep than the way we had come down, so it should be somewhat safer (if my guess was right, since I couldn’t see all the way up the path to the top).

I decided to take the path up. Soon, I saw a path joining mine – with the rest of the group climbing it.

I got to the top, where my wife was waiting for me and asking where I had gone.

What can we learn from this?

  1. The levels of ‘risk and opportunity’, or the effects of uncertainty on my objectives, changed often and without warning. Relying on a list of risks at the start of the journey back would not have been useful.
  2. My ‘risk management’ was iterative and continuous. A periodic assessment, even every 10 minutes, would not have been of great value.
  3. To make my (hopefully informed and intelligent) decisions, I needed to consider all the things that might happen and see which way the scales were tipped.
  4. Trying to assess likelihood and impact with any level of precision was unnecessary. Common sense was sufficient. Many practitioners may have a problem with that, but in real life it’s very often quite clear when the possibility of severe harm is unacceptable.
  5. We do this all the time. ‘Risk management’ is neither new nor a separate process from running our business, making as intelligent and informed decisions as reasonably possible.

I welcome your comments.

Why does internal audit need to be agile?

November 18, 2019

You don’t have to go very far to hear an internal audit leader talk about agile. Richard Chambers, President and CEO of the IIA, shared this:

A lot is being said about the need for internal audit to be “agile.” My definition of agility is simple: “Internal audit’s ability to pivot swiftly to address emerging risks and changing stakeholder expectations.” It’s critical to our success!

Why does internal audit need to be agile?

We live in a world where business conditions are changing all the time and the pace of change is accelerating. That is universally accepted.

Internal audit needs to be able to respond to those changes promptly.

When new risks of significance to success are identified, internal audit needs to be able to update its plan and provide the assurance and insight that leaders need – when they need it, not when a static plan provides.

This is why Richard and I both talk about auditing at the speed of risk. I also talk about auditing at the speed of the business, which perhaps more clearly identifies that we need not only to be agile in our audit planning, to add and then perform the audit of a new area promptly, but also provide the assurance and insight that is needed at speed.

If the CEO comes to you, as the internal auditor, and asks for your thoughts on a new strategy, can he wait weeks or months until there is a gap in your audit schedule? No.

If the CEO asks for your thoughts as you complete the fieldwork, is it appropriate to make him wait until everybody has blessed a formal audit report? No.

It starts with an agile audit plan, where you can ensure each audit project is focused on what is needed now, for today and tomorrow.

But then you need:

  • Every audit project to be as short as possible. It’s very hard to move quickly to a new topic when the audit team is tied up on month-long (or longer) projects. If you limit each audit to the enterprise risks that matter, eliminating the work that would only matter to local or middle management, you can keep the great majority of audits within my target of 60-100 hours.
  • The ability to complete every project quickly. When you have done enough work to determine your opinion, stop. Don’t keep working to fill the time available/budgeted. Don’t work just to complete the audit program or checklist when the results are already known.
  • Eliminate unnecessary documentation. Only document your work to the extent that there is value, not just to comply with department standards. If documentation is required by regulators who may audit your work, or if the results are disputed by management, then ensure your documentation is sufficient. But otherwise, challenge the need for every hour spent.
  • Auditors who can think, not only performing work at speed, but are able to know when they have done enough and can stop.
  • The ability to know when you need to change the audit plan. You need to know when business conditions and plans change, either downgrading and removing projects that are no longer high risk-rated, or adding new ones.
  • A relationship with management where you can discuss the results of your work and agree on necessary corrective actions quickly.
  • An audit committee that understands the need for agile auditing.

I welcome your thoughts.

Silos are thriving even in ERM programs

November 15, 2019

You are the captain of a ship that is sailing from Singapore to Auckland with a cargo that needs to be kept cold and will lose its freshness if you don’t arrive within a few days of your schedule.

The navigator bounds onto the bridge, brandishing a sheaf of papers. “There’s stormy weather ahead, captain! I recommend changing course to bypass the cyclones that are forming. It will delay our arrival by 48 hours, but at least we will be safe.”

The engineer hears the shouting and tells you that any delay of more than a few hours will be a problem. “I canna keep the engines running and the refrigeration going at full power for two extra days. We will run out of fuel.”

At this, the second officer reminds you that any delay will cost the company a great deal of money. “If we don’t deliver the cargo on time, it will degrade and we will incur a huge performance penalty.”

The safety officer steps forward. “If we sail through these cyclones, we are exposing the crew to danger that is avoidable. It would be a violation of our safety procedures and protocol.”

You have to make a decision.

You have to understand the problem, consider the options, and then take the necessary actions.

In order to do that, you need to weigh all the possibilities together, not one at a time.

But that’s what addressing a variety of risks (or sources of risk) one at a time does. It fails to see and take action based on the big picture.

Traditional risk management, even when it is called enterprise risk management, simply puts together a list of risks. It doesn’t help you see how they, collectively, should affect your strategies and how you achieve them. It doesn’t help you weigh the pros and cons of each option.

Fortunately, Able Seaman Jones steps forward (after giving you a cup of coffee).

“Captain, sir! I’m taking an MBA course and have learned about some techniques, like Monte Carlo simulation, that will help you take all of these issues and give you an idea of the overall costs and benefits of the various options. With your permission, I can work with your officers and use the information each has developed to provide you with the information that should help you make the best decision for the company.”

World-class risk management (as described in my book of that name, updated by the discussions in Making Business Sense of Technology Risk) not only breaks down the silos but takes the information from individual areas such as Compliance, Safety, Sales, Marketing, Finance, Engineering, Supply Chain, and so on to compile and provide leaders with the big picture analyses they need.

Sadly, I keep seeing silos not only continuing but growing in number. For example, there is separate and isolated discussion of:

  • Cyber risk management
  • Safety risk management
  • Project risk management
  • Credit risk management
  • Operational risk management
  • Strategic risk management
  • Financial risk management
  • Third party risk management
  • Extended enterprise risk management (a new one to me, recently pushed by Deloitte)
  • Digital risk management
  • Supply chain risk management
  • And so on

Risk practitioners need to turn their attention to providing leaders and decision-managers at all levels with the information they need to make the informed and intelligent decisions necessary to achieve enterprise objectives.

Stop providing them with what you want to say about risk. Start providing them with the information they need to run the organization and achieve success.

A list of risks, or a heat map (no matter how pretty), simply doesn’t cut it.

If I was on the board or was CEO and was given a list of risks or a heat map, I would ask “what does this mean and how does it help me run the business,” send it back, and ask for something that will help me do my job!

Instead of talking about this risk management or that risk management, enterprise risk management or integrated risk management, let’s talk about effective management – how to achieve enterprise objectives. Manage success, not risk.

I welcome your comments.

Finally some good advice on risk for boards

November 9, 2019

While I still disagree in some areas, I applaud Jim DeLoach for his latest piece for the (US) National Association of Corporate Directors, Revamping Risk in the Digital Age.

Please read the entire piece, but here are points I especially like, with my highlights:

  • It has always been understood that one must take risks to grow. And typically, the more risk one takes, the higher the potential return. Conversely, a risk-averse mindset leads to a lower return. Given the pace of change in the digital age, the reality is such that it’s not just a matter of taking risk to grow or generate greater returns—it’s also a matter of survival. That’s why organizations might have to undertake more risk than they may be accustomed to taking if they are to survive.
  • In the digital age, the board has an important role to play in strengthening and nurturing the risk culture that facilitates the initiative, creativity, and digital thinking so critical to success.
  • Over three decades, best-of-class [in Jim’s opinion] risk management has evolved from a fragmented, siloed model focused narrowly on myriad risks, to an enterprise-wide approach focused on the most critical business risks and integrated with strategy-setting and performance management.
  • In the digital age, risk management cannot only be about avoiding bad bets. It should also position leaders to make the best bets, from a risk/reward standpoint, that have the greatest potential for creating enterprise value.
  • Digital leaders proactively take risk, whereas digital skeptics do not.
  • …a traditional approach to risk management might be the biggest risk that an organization faces.

There are so many key points here that I encourage you to reflect on each.

I strongly agree that the traditional approach of focusing on the possibility of harm instead of the likelihood of success is itself a great source of risk to the organization.

You simply have to understand all the things that might happen, the big picture where you can see and weigh them all, if you are to make the informed and intelligent decisions necessary for success.

Focusing on harms, especially one at a time, outside the context of performance and strategy execution, is not the same as making sure you are taking the right level of the right risks – and that, as Jim rightly says, is essential if you are to prosper.

Jim and I agree on one word change in the risk management discussion. Rather than the passive expression of accepting risk, he and I both talk about the active form of taking risk.

I believe it is important to use that word and focus on informed and intelligent decisions as part of how any organization sets and then executes on its strategies for achieving its objectives.

I also agree with the idea of integrating the consideration of what might happen (a.k.a. risk) with strategy management and performance management and reporting.

  1. Making quality decisions, both setting and then executing on strategy, requires an understanding of what might happen and their effects. It’s integral to the decision-making process, not something that needs to be integrated as if it were a separate activity.
  2. Effective management requires that you understand where you are (performance management), where you want to go (strategy management), and the likelihood of getting there (which should be a combination of performance, strategy, and risk management).

In fact, I have suggested many times that instead of talking about risk appetite as the amount of risk you are willing to take in pursuit of objectives (i.e., ignoring the reason to take risk, the potential upsides), we should redefine risk appetite (although I would prefer a different term) as the likelihood of achieving objectives that you would consider acceptable.

I depart from Jim in some less important areas.

  1. I don’t like the talk about risk culture. It’s an amorphous term that I don’t believe has a great deal of merit. For a start, there is no single risk culture in any organization. Then there’s the point that culture is multi-dimensional, with attitudes towards taking risk just one; others include ethics and moral behavior, entrepreneurship and creativity, teamwork, and so on.

Do you want the same attitude towards risk-taking from accounting, safety, marketing, and sales? I certainly hope not!

It would have been better to just talk about the ability to make intelligent and informed decisions, taking the right risk.

  2. I’m also not a fan of the idea that some risks are compensated and others are not. For a start, the organization may not be able to sustain a huge loss even if there is an equal possibility of a huge gain.

It would have been better to recognize that in any situation there is a variety of things that might happen and you need to assess and weigh them all together.

  3. I’m not sure whether Jim is saying that this is world-class, but if so I disagree: “an enterprise-wide approach focused on the most critical business risks”. World-class is focusing on success, not managing specific risks, especially not one at a time.
  4. Finally, I still have a problem with talking about risk appetite, as explained above. It’s not something that considers the totality of what might happen, plus it is pretty impossible to define for some issues, such as compliance and safety.

If you want to have guidance on the risks that should be taken, it needs to be actionable – something that will actually influence the decisions people make. Saying “we have no appetite for failing to comply with laws and regulations” will not influence the decision on how much money to invest in a compliance program.

As always, I welcome your comments.

How effective is risk management today?

November 2, 2019

That is a question that State of Enterprise Risk Management 2020, from ISACA®, CMMI Institute® and Infosecurity Group, attempted to answer. They “surveyed a global population of over 4,500 professionals involved in risk decisions for large and small enterprises, across six continents and all industries, from manufacturing to government and financial services, and every industry in between”.

My opinion is that if you want to know how effective risk management is, you should ask the customer and not the provider.

Pretty much every survey of top executives and board members has, for years, told us that they do not see risk management as much more than a compliance exercise, something you do because you have to: a requirement of governance codes and boards urged on by consultants. World-class, effective risk management helps people make the informed and intelligent decisions necessary for success. It helps the management of success rather than failure.

But the report does have some interesting comments, including (with my highlights):

  • …practitioners who make risk decisions on behalf of their enterprises (e.g., risk managers, cybersecurity specialists, auditors, and governance and compliance practitioners) can be directed to advocate so strenuously and so often in favor of risk reduction that they can sometimes forget that risk management is about optimizing risk rather than removing it entirely.
  • They may focus on unexpected or unplanned events that may impact profitability, competitiveness or reputation but ignore the fact that failure to incur the right risk can likewise be potentially problematic, by causing enterprises to stagnate, lose competitiveness/market share or otherwise underperform their competition.
  • …enterprises question if they are too risk averse or not risk averse enough, if they invested the right amount in risk management processes to bring about the correct maturity level to accomplish their goals, and if they implemented the correct steps to ensure optimization.
    • Comment: the question of how much to invest in risk management is a critical one, one that should be based on an assessment of its value. Value is created when risk management helps people make the informed and intelligent decisions necessary for success, taking the right risks.
  • The survey data show that respondents—particularly those who are at a more senior level in the organizational hierarchy—understand well the most critical risk that challenges their enterprises. They understand both what the risk is—as well as the consequences—should undesirable outcomes occur. Sixty-seven percent of those surveyed indicate that they are either extremely or very familiar with the current business and technology risk facing their enterprise.
    • Comment: I doubt that this is true, because most develop a list of risks that are rated high, medium, or low without considering how they might affect the business and its objectives. If we are to run the business wisely, we need to know which business objectives might be affected and by how much – and I see this done very rarely.
  • What is interesting is that risk awareness correlates to seniority. As the respondent seniority level increases, the more aware they are of the risk that their enterprise faces. Eighty-six percent of respondents at an executive-level job, 80 percent of respondents at a director-level job, 66 percent of respondents at a manager-level job and 55 percent of respondents at a staff-level job are either extremely or very familiar with the business and technology risk.
    • Comment: consider me a skeptic. The recent IIA report (which I wrote about last month) talks about a disconnect between those in senior positions and those in the trenches. It could easily be the case that the executive practitioners (such as the CRO, CAE, and CISO) think they understand the risks but are mistaken. The people closer to business operations may have a better understanding. In any case, I doubt any of them have analyzed the likelihood of achieving objectives, taking into account everything that might happen, both good and bad.
  • Although over 80 percent of respondent enterprises undertake basic risk management steps, the maturity of the risk management process is, on the whole, less than expected given the relatively high adoption of these steps. Only 38 percent of respondents indicate that their enterprises have processes at either the managed or optimized level of the maturity spectrum for risk identification, which is one of the highest adopted risk management steps. Only 63 percent of respondents report having defined processes for risk identification. Results for risk assessment maturity were similar—42 percent at the managed or optimized level and 64 percent having defined processes.
    • Comment: it would be much more useful to see how many look at the big picture rather than trying to manage one risk at a time. Consider the view from the top (achievement of objectives) instead of from the weeds. Are decision-makers getting and then using the information they need to take the right risks for success?
  • When asked about cybersecurity risk tolerances, only 35 percent of respondents report that their enterprise has a defined (either completely defined or very defined) view of the risk tolerances for their organization.
    • Comment: why is it that so few perform a business impact analysis? How would a breach affect the business and its objectives? How likely is a breach of that magnitude? How much should we spend to mitigate that effect or reduce its likelihood? What is the best business decision?
  • Most risk managers intuitively understand that cybersecurity is a significant area of risk for their enterprises. Survey respondents report information/cybersecurity risk as the most critical risk category facing their enterprises; it is cited as the single most critical risk, with almost double the percentage of the next closest critical risk type (29 percent, compared to a distant second-place reputational risk at 15 percent). Moreover, reputational risk, the second highest type of risk cited, can be a consequence of a cybersecurity risk.
    • Comment: they may understand it intuitively because that’s what the consultants keep saying. But is it? Have they done any form of business impact analysis? Actual breaches have, on average, had minimal effect on business success.
  • The goal of effective risk management is not always to completely remove risk. Risk, when judiciously and strategically undertaken, can lead to competitive advantage, opportunities to better achieve the enterprise mission, entering new markets and numerous other advantages. Instead, the goal should be to ensure that the right risk is being taken in a manner that is judicious and alert to the possibility of potential failure, while ensuring that unnecessary risk—or risk that is out of conformance with the enterprise risk appetite—is avoided.
    • Comment: Absolutely, although I am not in sync with the last part – unless you define risk appetite as the desired level of certainty that you will achieve or exceed your objectives.

I welcome your comments.

November 2, 2019

If you purchased my new book on internal audit assessment using a maturity model, send me an email at I have updated the model and want to send you a copy. Indicate the page that the model ends on (not the very last page of the book). I will send you a PDF with the updated model by email.