What is your consolidated risk exposure?

May 23, 2018 2 comments

This question came up as I was reading the preface to what appears to be a major contribution to risk management thought leadership.

Prepared to Dare is by Hans Læssøe, formerly the chief risk officer at LEGO. His risk management program has been profiled extensively, for example in the Wall Street Journal, Strategic Finance magazine, and in the work of Professors Robert Kaplan and Anette Mikes.

I like what Hans has to say in the description of the book (with my highlights):

The discipline and profession of risk management is undergoing significant changes these years, and will continue to do so for years to come. In an ever-changing world, the attention towards taking risks and managing the risks taken becomes increasingly important for businesses and organisations to survive and prosper.

The stakes are getting higher and speed is increasing. Hence, intelligent risk taking becomes a necessary core competence of leaders at all levels of an organisation.

This book builds on solid and practical experience, and takes the reader from the basic concepts and approaches to making maneuverability a true competitive advantage by actively and deliberately leveraging the tools and processes of risk management in business design, strategic and operational decision making.

One of the thoughts that he shares is that thinking about what might happen (risk) comes before you take the risk. Contrast this with COSO, where risks are identified after strategies are defined.

By the way, I encourage everybody to read and listen to the work of Alex Sidorenko (see his blog). In January, he interviewed Hans.

There’s a difference, though, between my books (World-Class Risk Management and Risk Management in Plain English) and this new one by Hans.

The difference is clear when you examine this description of chapter 2 from the Preface to the book.

In this chapter, I will describe an avenue to establish an Enterprise Risk Management (ERM) which is consolidating the risk exposure of an organisation as well as enable depiction of the key risks of the organisation. Different approaches to portfolio consolidation, including Monte Carlo simulation will be described and assessed. I will also describe potential linking between risks and opportunities.

Taking the second half of the paragraph first, Hans provides guidance on useful risk management tools and techniques, such as Monte Carlo simulation and game theory.

My books don’t cover those techniques as they focus more on how risk practitioners can contribute to the success of the organization as a whole – by enabling informed and intelligent decision-making.

Hans also emphasizes informed decision-making, but I see his book as adding more value when it comes to specific risk management tools and techniques.

The major difference, as I see it, is in that first sentence.

What is the “consolidated risk exposure”?

At LEGO, Hans used likelihood and impact scales, together with heat maps.

I have problems with those, instead suggesting that we should focus on the likelihood of achieving objectives.

After all, it’s not about managing risks; it’s about managing the organization (my latest mantra).


Let’s consider the partner of a CPA firm. As he considers his audit of the financial statements of his major client, he is required by standards to assess the risk. The risk he is considering is the risk of issuing the wrong opinion.

If you asked him about his level of risk, I think he should think first about the likelihood of reaching an incorrect opinion. He might also consider the likelihood of upsetting the client; failing a PCAOB examination; going over budget; or having problems among the staff.

Several things might happen, each of which is a source of risk. I would not advise assessing each source of risk, but instead consider the overall likelihood of achieving his objectives.


I have just started a book suggested by my wife, I’ve Decided to Live 120 Years: The Ancient Secret to Longevity, Vitality, and Life Transformation. (I am not recommending it yet as I have only read the first chapter or so.)

The author’s goal is to live and enjoy his life for another 50 or more years (he is in his late 60s).

How would he assess his “consolidated risk exposure”?

I don’t think he would appreciate a heat map as much as knowing the likelihood of living to 120 in a style that affords meaning to the second half of his life.


Then let’s turn to the CEO of a large organization. He will probably be turned off when he hears the phrase “consolidated risk exposure”. He will prefer reports that show the likelihood of achieving EPS, market share, customer satisfaction, revenue growth, and other targets.


So where does this leave me?

I recommend that risk practitioners charged with their organization’s ERM program read both my and Hans’ books – and monitor Alex Sidorenko’s site for blogs and interviews.

Internal auditors will, I think, gain more from my books. They need to understand the principles and how risk management can contribute to success more than they need to understand specific risk management tools and techniques.

Board members and those advising the board and/or the C-Suite should read Risk Management in Plain English.


What do you think?


Is it really all about culture?

May 19, 2018 3 comments

For the last several years, practitioners and consultants have been talking about culture. For example:

You have probably seen these and more about culture, specifically focusing on risk, compliance, and ethics.

I shared a different way of thinking about culture in How do you manage culture and The board and enterprise culture.

Two new pieces reinforce my view that culture is not just about risk, compliance, and ethics. There are many, many dimensions and sometimes they may actually conflict.

The first of these is an interview with another friend, Jim DeLoach.

5 Keys to Building an Innovative Culture: A Q&A With Protiviti’s Jim DeLoach has some interesting comments. I cannot disagree with Jim this time, especially when he says:

When I think of innovation culture, I’m thinking about an organization that innovates with speed, is able to make decisions at a relatively high velocity, an organization that is very engaged and focused on customers, an organization that embraces external trends.

One key point, one that Jim doesn’t make but which I am sure he will agree with, is that if you are so focused on the ‘risk culture’ that you become risk averse, you can not only slow down decisions and inhibit performance, but also make it more difficult to be innovative.

A more fascinating piece appeared this month in Harvard Business School’s Working Knowledge (its well worth subscribing to): Amazon vs. Whole Foods: When Cultures Collide.

The authors described a “culture clash”.

Amazon’s acquisition of Whole Foods last August was the corporate equivalent of mixing tap water with organic extra virgin olive oil. You’d be hard-pressed to find two companies with more different value propositions.

Even so, it was surprising to hear reports shortly after the marriage about Whole Foods customers, really angry customers, regularly encountering empty shelves at their favorite retailer. Then stories surfaced about Whole Foods employees crying over their new performance-driven working conditions imposed by Amazon.

Both Amazon and Whole Foods had a ‘culture’ that emphasized and encouraged the behavior that made them successful. As the piece says, “This is not a story where there is a good guy and a bad guy”.

So what does this all mean?

Culture is not something that is limited in its scope to ethics, risk, and compliance.

It’s about the behaviors that are necessary for the organization to thrive, with people making the decisions you want them to make. You want them to be ethical, compliance, and risk-aware, but you also want a culture of innovation and creativity, empowerment, customer-focus, teamwork, quality, performance, openness, and so on.

My advice?

Stop talking about ‘culture’ without at least adding a modifier, such as risk or innovation.

Start recognizing that sometimes you have to make compromises in one dimension of culture in favor of another. For example, you cannot always involve everybody or seek all possible information when a decision has to be made with speed. Sometimes you have to take a cyber risk that is outside your comfort zone to keep up with your competitors in a dynamic world.

Define the behaviors you need, from ethics to teamwork to performance to innovation. Then and only then think about whether your organization’s culture provides reasonable assurance that those behaviors will be practiced.

If you don’t have that assurance, then do something about it.

If you do, continue to monitor the situation because culture tends to change with every new executive or acquisition (for example, Amazon and Whole Foods).

I welcome your thoughts.


A must read: Carillion, £5bn UK public company that failed, is pummeled in an official report

May 16, 2018 7 comments


I have never seen such language from officials as was used to describe the situation at Carillion.

This corporate failure may lead to a revolutionary change in the external auditing profession in the UK, if not elsewhere. In addition, I would be surprised if the role of the external audit firms in providing internal audit services is not reviewed.

Here is some of the language.

  • Carillion’s rise and spectacular fall was a story of recklessness, hubris and greed.
  • Even as the company very publicly began to unravel, the board was concerned with increasing and protecting generous executive bonuses.
  • Carillion’s board are both responsible and culpable for the company’s failure.
  • The board was either negligently ignorant of the rotten culture at Carillion or complicit in it.
  • Richard Howson, Chief Executive from 2012 to 2017, was the figurehead for a business that careered progressively out of control under his misguidedly self-assured leadership.
  • Carillion’s accounts were systematically manipulated to make optimistic assessments of revenue, in defiance of internal controls.
  • Carillion treated suppliers with contempt
  • In failing to exercise professional skepticism towards Carillion’s accounting judgements over the course of its tenure as Carillion’s auditor, KPMG was complicit in them.
  • Deloitte, paid over £10 million by the company to act as its internal auditor, failed in its risk management and financial controls role.
  • The key regulators, the Financial Reporting Council (FRC) and the Pensions Regulator (TPR), were united in their feebleness and timidity.
  • reckless short-termism
  • The individuals who failed in their responsibilities, in running Carillion and in challenging, advising or regulating it, were often acting entirely in line with their personal incentives.
  • There is a danger of a crisis of confidence in the audit profession. KPMG’s audits of Carillion were not isolated failures, but symptomatic of a market which works for the Big Four firms but fails the wider economy. There are conflicts of interest at every turn.
  • I would not hire you to do an audit of the contents of my fridge
  • Auditing is a multi-million-pound business for the Big Four. On this morning’s evidence from KPMG and Deloitte, these audits appear to be a colossal waste of time and money, fit only to provide false assurance to investors, workers and the public.
  • no-one stopped directors “stuffing their mouths with gold”

Here are some references. Each is well worth the time reading. The Annual Report describes the company, the summary gives an idea of the background, and the the parliamentary committee report will astound you!

I welcome your thoughts.

Is it a management or board failure when no action is taken on audit findings?

May 14, 2018 16 comments

My good friend, Richard Chambers (President and CEO of the IIA), recently wrote about this in C-Suite Owes More Than Simple Awareness of Internal Audit Reports.

He cited several examples where an organization experienced a public failure even though the issue had previously been identified and reported by the internal audit team.

Richard then said:

Each of these instances provides an example of governance meltdowns fed by board and management inaction or indifference to internal audit’s work. Such instances, at best, frustrate practitioners who take seriously their task of providing assurance over risk management efforts. At worst, they can demoralize internal audit staff, thereby eroding the function’s effectiveness.

I have written about this, not so much as a governance failure but as a failure of internal audit to communicate!

When internal audit is seen as focusing on the mundane and burying any gems in a haystack of words, is it any wonder that management doesn’t look forward to internal audit reports? They don’t seem them as a valuable source of insight and actionable information that is critical to their running of the organization.

In fact, the auditors should have already worked with management to agree on both the issues and the actions to be taken. The audit report is how resolution is communicated, not how change is encouraged.

This is the comment I left on the post.

Richard, while I agree that management and the board often fail to pay attention to issues raised by internal audit, it is necessary to ask whether internal audit did its job in communicating the results of its work.

  • When I see a report of 20 pages or more, I am not surprised that executives fail to read it promptly and act on its recommendations.
  • When I see an audit report with a table of contents, I am sure it will be read out of duty not because it has actionable insights.
  • When I see a report with recommendations and a management response, I see an internal audit team that has failed to work with management to agree on the correct actions to take.
  • When I see a report that talks about risks but not what they mean to the strategies and objectives of the organization I see a report that is unlikely to communicate what executive management and the board need to know.
  • When I see a report that says what IA wants to say rather than clearly and concisely tell leadership what they need to know, I put a lot of the blame on IA.
  • When I see an IA function that fails to sit down with leadership and have a discussion rather than rely on a formal, traditional audit report, I see one that does not have a seat at the table, one that is not a trusted advisor.

I could have said, but did not out of respect for Richard (for whom I have great respect): “Those who live in glass houses should not throw stones”.

How effective are your organization’s internal audit reports? I have a 34-page chapter on this topic in Auditing that Matters. This is how I closed that part of the book:

It is one thing to reach an assessment and develop our advice and insight. It is quite another to communicate that promptly, efficiently, and effectively to our stakeholders.

We are only effective when we not only perform quality work but provide the audit committee, executives, and operating management the information they need to be successful – when they need it, in a readily consumable and actionable way.

I welcome your comments – and please join the discussion on Richard’s blog.

Are you managing risk or are you managing the organization?

May 12, 2018 13 comments

There’s a huge difference between the perspectives advanced by the National Association of Corporate Directors (NACD), a US organization of and for board members, and those of some of the leading thought leaders.

As explained in this article, “in January 2017, the National Association of Corporate Directors (NACD) released an updated edition of its Director’s Handbook on Cyber-Risk Oversight. In light of increasing pressures from regulators and ongoing cyberattacks, board directors have a key role to play to ensure proper oversight of cyber risks for their organizations”.

The NACD guidance sets out five principles for board members:

1. Understand and Approach Cybersecurity as an Enterprisewide Risk Management Issue, Not Just an IT Issue

At first glance, this makes good sense. But enterprisewide risk management should be about helping people make intelligent and informed decisions. It should not be the end itself.

I would prefer to say that cyber-related risk should be considered in business decision-making. It is just one of typically many sources of risk (what might happen) that can affect the ability of the organization to achieve its objectives.

“2. Understand the Legal Implications of Cyber Risks as They Relate to the Company’s Specific Circumstances”

Certainly, a cyber breach can have legal implications, including potentially implications for the board and each of its members. I worry that directors might be so consumed by CYA that they hamper proper risk-taking by management.

“3. Have Adequate Access to Cybersecurity Expertise and Give Cyber Risk Management Regular and Adequate Time on Board Meeting Agendas”

Manage the business rather than manage any single source of risk! Obtain assurance that management has the capability to understand cyber and how it might affect each of its strategies and objectives.

If cyber is a major source of risk, then go ahead and have a discussion – but ensure you understand how it might affect the enterprise strategies and objectives.

But don’t spend time on cyber when it is a relatively low source of risk compared to, say, cash flow, price and product pressure from competitors, and an uncertain economy.

“4. Set the Expectation That Management Will Establish an Enterprisewide Risk Management Framework With Adequate Staffing and Budget”

I prefer to set the expectation that every significant decision will be informed and intelligent, with reliable information (as best we can) on what might happen.

If we focus on what it takes to have quality decision-making, we will achieve effective management of risk.

“5. Management Discussions Should Include Identification of Which Risks to Avoid, Which to Accept and Which to Mitigate or Transfer Through Insurance”

Stop managing risk – manage the business. Stop talking about accepting or managing risk and start talking about taking the right risks through informed and intelligent decisions.

Now for the contrast.

Two of my friends recently met (presumably in Melbourne). Alex Sidorenko interviewed the incomparable Grant Purdy.

This is how Alex describes Grant:

Grant Purdy has specialised in the practical application of risk management to support decision making for nearly 42 years, working across a wide range of industries and in over 25 countries. He has been a member of the Standards Australia and Standards New Zealand Joint Technical Committee on Risk Management for over 14 years and was its chair for seven. He is co-author of the 2004 version of AS/NZS 4360 and has authored many other risk management handbooks, guides and books. He was also the nominated expert for Australia on the Working Group that wrote ISO 31000 and Guide 73 and later Head of Delegation for Australia on ISO PC 262 that revised ISO 31000.

The interview is available on Alex’s Risk Academy blog.

I strongly encourage everybody to either listen to the interview (it is long, at 50 minutes) or read the transcript.

Here are some key points.

  1. If we can’t agree on what the word ‘risk’ and the phrase ‘risk management’ mean, how can we expect to have a constructive discussion using them. I agree and have suggested that we use plain English (thus the title of my latest book, Risk Management in Plain English); we should talk about ‘what might happen’ rather than ‘risk’ as we need to consider everything that might happen as we strive to achieve our objectives. ‘Risk’ is a word that limits discussion due to its common usage as either something bad that might happen or the likelihood of something bad happening.
  2. Risk registers, heat maps, and such (including COSO’s risk profile) don’t help us make decisions. They can help you decide on whether to act to address a risk, but not whether you should choose this vendor, go ahead with a new ERP implementation at this time, or even cross the road here or over there.
  3. Grant talks about achieving an acceptable level of certainty that you will achieve your aims (i.e., your objectives). I know what he is talking about, but disagree with this characterization. You can never be certain and this may lead people to choose an option where they are most ‘certain’ of the results. In a LinkedIn discussion, I asked:

 Alex, would you choose an option where you have a 70% level of confidence in your assessment that you are 80% likely to gain $500, or one where you have 90% confidence in your assessment that you are 60% likely to gain $450? Is it about being sufficiently certain? What about where there are multiple potential consequences and you have differing levels of confidence?

If your aim is to earn $300, which option do you choose? One where you are highly confident of achieving your goal or one where you are a little less confident but might surpass that goal substantially?

I much prefer to focus on making the informed and intelligent decisions necessary for success.

Grant and I have discussed this and remain apart – but I expect that in time we will, as we have before, come to a meeting of the minds.

  1. Grant focuses on assumptions. This is a great point! Whenever we make decisions, we have assumptions. Frequently, we fail to recognize that we are making those assumptions. Instead, we should be clear about what they are, how they affect the decision, and how we will monitor them. If they are critical to the decision, then should things turn out differently than anticipated we should be ready to change or a least modify the decision.

For example, when the CFO presents his forecast for the next quarter, it is based on assumptions. The executive team should make sure they understand those assumptions, challenge them as needed, and then adapt as conditions change.

  1. Towards the end, Grant captures the essence of what we should all be striving for.

…it’s actually very, very simple. And actually, I’ve gone back to the very beginning. It’s what I used to do years and years and years ago, which is I don’t have to worry about definitions. Just make better decisions by exploring scenarios, looking at certain uncertainties. It’s as simple as that. And particularly the assumptions.

What are the key points for you?

Are you a believer in the traditional methods apparent in the NACD guidance or the ideas and philosophies expressed by Grant, Alex, (and me)?

I welcome your thoughts.

The essential competencies of an effective risk officer

May 5, 2018 7 comments

I recently sparred gently with a good friend, a respected and influential risk practitioner and thought leader, about the key competencies necessary for a risk officer to be effective.

He listed “probability theory, statistics foundations, risk perception and cognitive biases, decision theory and corporate finance”, saying that “without these competencies risk managers are useless to the business”.

Here’s an interesting piece on the question: What competencies should risk managers outside of banks and insurance companies really have?

My response was:

I would put these competencies first:

  1. Knowledge of the business
  2. Understanding of the goals and objectives of the organization
  3. Communication and teamwork skills
  4. Empathy
  5. Common sense and judgment
  6. Understanding of performance management

While for some situations, especially where a key decision is needed and multiple possibilities (and multiple effects) need to be carefully analyzed, quant methods such as modeling and Monte Carlo simulation are essential. But for many others, I can be quite comfortable with the use of informed and considered judgment. (Note that I emphasize informed and considered.) I especially like cross-functional workshops.

My friend responded, “I personally don’t see risk management without proper quants. Just talking about risks is insufficient for complex objectives, projects or decisions”.

I said, “I think it all depends on the business and how it operates. For example, how much math and statistics do you need in a retail business, an IT service provider, a consulting organization, or one that manages construction projects?”

Another friend (a venture capitalist) chimed in: “I think we can all agree that very few successful business executives are dumb. I find that many executives are constantly ‘rolling dice’ in their heads and doing back of napkin analysis that helps them make decisions to ‘win 3 ways and only lose 1 way’ and the like. This, too, is a sort of low fidelity math that operates in a world of the truly unknown future”.

But he also said: “Virtually every business I invest in or operate has at least one ‘mathematical model’ that is central to the organization. I only use Monte Carlo simulations for investment decisions (investments in companies and in technology systems for companies).”

My reply was: “Thanks – that jives with my experience. There are some situations that merit quant methods and some that don’t really. The former are dominant in financial services, less so in other business sectors.” I continued: “PS – you simply cannot model every risk! The organization would come to a halt, as risk is taken with every decision.”

I had asked my first friend how often he used quant techniques in his own business. He replied:

“Only for the decisions that justify risk modelling (high uncertainty, high materiality). And it’s not modelling individual risks, it modelling the effect risks collectively have on a decision or objective.”

That pretty much tied up the discussion. (I totally agree with his last point).

But, on reflection the ability to facilitate a cross-functional discussion would have been among my top competencies

But the top four competencies I shared with my friend remain my top four, as illustrated by a couple of stories in World-Class Risk Management .

… A. T. Kearney … captured this when they told this story:

A risk manager is overheard at a recent intra-departmental meeting: “The Basel II second pillar requires that we focus on the ICAAP, and it is inherent that the board of the bank fulfill their obligations in this respect and that sufficient oversight is provided by the SREP…” at which point many of the participants have no idea what the risk manager is talking about, but they are too afraid to ask questions so they nod their heads in polite agreement and hope no one will ask them for their personal opinion.

In World-Class Internal Auditing: Tales from my Journey, I tell a story of my own:

I once gave a presentation at a risk management association conference. Afterwards, the president of the association asked to sit with me over lunch as he had a problem he thought I could help with.

He told me that while he reported directly to the CEO, he always found it difficult to get time with him. When he was able to arrange a meeting, the CEO seem to lack interest in what he was saying and was reluctant to act on his recommendations.

As this gentleman was speaking, I realized the problem. I didn’t want to listen to him either, because he was boring! He spoke in a monotone without any passion in his voice, and used technical rather than business language.

If I didn’t want to listen to him over lunch, how could I expect a busy CEO to want to listen?

When management doesn’t find time to talk to you, or starts looking out the window as you are speaking, it’s not a management problem. You are most likely the problem!

We need to talk in the language of the business about things that matter to the business, and make sure the individual we are talking to understands how they affect him.

Let me close with one challenging idea.

Who should run these models?

Should it be the risk officer, or the individual responsible for the strategy, project, or plan?

I actually favor the latter!

So what do you think?

What are the top competencies for success for a risk officer?

The board and enterprise culture

April 30, 2018 2 comments

Deloitte has shared an interesting and useful piece, Corporate Culture and the Board.

It includes a definition of culture that I have seen before and makes sense:

In the corporate context, culture is a system of values, beliefs and behaviors that shape how things get done within the organization.

They make an important point when they say:

Culture matters, because a strong, positive corporate culture provides a framework not only for risk mitigation, but also for both short- and long-term value creation. It aligns values, goals, behaviors, and systems throughout the organization in ways that can have favorable impacts, both internally (for example, through positive employee engagement or by facilitating optimal performance or a strong safety record) and externally (through positive branding, reputation and competitive advantage).

On the other hand, a damaged or broken culture can create dysfunction throughout the organization and create risk to critical assets, including brand reputation, intellectual property, and talent. As recent developments demonstrate, these and other negative impacts can destroy value and, ultimately, the organization itself. An important takeaway from the above is that a strong, positive culture is an important asset of any organization that should be supported and protected. It is not merely a “soft” issue of interest to investors and the media; rather, it can be critical to the company’s growth and performance.

Deloitte suggests 10 questions for the board to consider. I have a different set. These are questions the board should ask of management – putting the emphasis on management’s responsibility to run the organization, while the board provides oversight and obtains assurance that management is doing a good job.

  1. How have you defined the culture you want the organization to have?
  2. Does it include all forms of desired (and less desired) behavior?
  3. How have you communicated this to everybody involved in the organization’s success?
  4. How have you ensured everybody understands?
  5. Are there repercussions for unacceptable behavior, even if there is no breach of law?
  6. How do you know whether behaviors across the organization reflect the desired culture?
  7. What is the level of noncompliance, how do you know, and is it acceptable? If not, what are you doing about it?
  8. How often is culture discussed, measured, and who is involved?
  9. Do our employees agree our stated culture is appropriate and is in place? How do you know?
  10. How can you keep us assured of an appropriate culture, especially as the environment changes, including the onboarding of new management and staff, completion of acquisitions, and so on?

Please see this earlier post, How do you manage culture?

What do you think?

I welcome your comments.