IIA Insights on Internal Audit Effectiveness

July 22, 2016 Leave a comment

Two new reports from the IIA are worth downloading and reading carefully:

I read the Benchmarking report first. Written by three eminent academics, it summarizes results from the IIA’s CBOK survey and attempts to assess the maturity of internal audit departments around the world.

I say “attempts” because it does not really share a full maturity model with us. I would expect to see something that takes key attributes of performance and defines what can be expected at different levels of maturity. Instead, it lists (without always providing a clear definition) several attributes and indicates how many report they have achieved some level of performance against them.

For example, it talks about aligning internal audit work with the strategies of the organization, but does not explain what that means. I doubt that it means that all internal audit engagements are designed to address critical risks to the objectives of the organization as a whole. If that were the case, very few would audit payroll, fixed assets, accounts payable, or employee expenses. When have you ever heard of an organization failing, or even substantially missing performance targets, due to control failures in any of these areas?

Even so, 45% of internal auditors responding to the CBOK survey said their department’s plan was not really aligned!

That is a problem.

How can we expect to be contributing to the organization’s success if the audit plan is not driven by the organization’s strategies and related risks?

In the second CBOK study, written by my friends, Larry Harrington (current IIA chair) and Angela Witzany (incoming chair), the same topic is explored – with more meaningful results. (Perhaps this is to be expected: practitioners vs. consultants).

They say:

Internal auditors must understand the mission, strategy, and objectives of their organizations. This was a central, overriding message from all categories of stakeholders. Whether they are board members or part of executive management, stakeholders are primarily focused on the organization’s success in accomplishing its mission. Naturally, they want to see internal auditors looking at their role in the same way, concentrating on how they can help the organization be successful.

One area addressed quite well in the Maturity report is internal audit’s risk assessment activity, the basis for the audit plan and the engagements that are performed.

Apparently, 32% only update their assessment of risk (and, I assume, their audit plan) once a year; 23% do so continuously; 36% periodically; and 9% never update their assessment!

While this is better than it has been in the past, I don’t believe that risks only change once a year, or even once a month! If we want to audit the risks of today and tomorrow, we have to constantly be aware of the changing risk environment.

According to the Witzany/Harrington report, executives are well aware of the need for internal audit to audit what matters now and in the near future:

A CFO in the United States expressed it this way, “Because technology is changing so much, we need to be focused on things that are happening right now. Ideally, [internal audit] can be looking at the future, but we can’t get there just yet.” Many others, however, recognize that future risks cannot be sidelined because they will soon be current risks. A chief executive officer (CEO) from South Africa commented, “Risks are always changing.

Now, the academics included in their maturity assessment whether internal audit has a formal, current, audit manual.

Sorry, but in these days of dynamic change, a formal manual with documented audit procedures is one of the very last things I would worry about. In fact, if a lot of time is spent documenting today’s practices, it is not only going to be out of date very quickly but will consume resources that need to be spent auditing risks that matter.

One interesting topic in the second CBOK study talked about the value of assurance and whether it should be prioritized over advisory/consulting work.

I was very pleased to see the executives say that assurance comes first – and you do advisory work with remaining available resources. I have held this position ever since I became a CAE more than 25 years ago.

“Assurance activities would still go first, and if there are sufficient resources, the remaining resource will go for consulting.” —Board Member, Taiwan

“Assurance is essential and consulting is nice to have, but should be second in priority.” —Board Member, United States

“First of all, priorities should be identified. I think assurance activities come first.” —Executive Management, Turkey

All in all, these are useful reports and I recommend downloading and reading them both.

What is your reaction to these points, especially the focus on assurance and the need for continuous risk assessment and updating of the audit plan?

Deloitte predicts change for Internal Audit

July 20, 2016 3 comments

A new report from Deloitte has some interesting conclusions – plus predictable ones.

2016 Global Chief Audit Executive Survey: Internal Audit at a crossroads has some provocative content.

Deloitte says there is a choice to be made: “Evolution or irrelevance”.

They surveyed more than 1,200 CAEs from 29 countries and the majority voiced concern over the current state of internal auditing.

That is not surprising in itself; as I have previously reported several surveys of executives and board members (such as from KPMG and PwC) have said the same thing, notably that internal audit was not consistently auditing the risks that matter.

But it is surprising that so many CAEs, who should be in a position to make the necessary change, echo the concern.

Some excerpts of note:

  • Our research found that CAEs have serious concerns. They know that their organizations are changing—that’s been the case for a while. They also know that Internal Audit needs to respond to meet the changing needs of their organizations.

Those organizations need Internal Audit to inform them about the future rather than only report on the past. They need insights as well as information, advice as well as assurance. They need reviews of not only financial and operational controls, but also of strategic planning and risk management processes. They need internal auditors to apply their rigor, objectivity, independence, and skills in new ways.

As the results of this survey indicate, Internal Audit will have to evolve in specific ways in order to meet these needs. The needed changes are clearer than ever. CAEs must now lead their functions to take the next critical steps. In addition, Internal Audit’s key stakeholders, notably the audit committee and the executive team, must support the function as it takes those steps.

  • The status quo is not an option when 85 percent of CAEs expect their organization to change moderately to significantly in the next three to five years, and nearly as many (79 percent) expect similar change in Internal Audit. The survey also found that most CAEs believe that management and the audit committee will expect Internal Audit to step up to meet new challenges
  • Only 28 percent of CAEs believe that their functions have strong impact and influence within the organization. A disturbing 16 percent noted that Internal Audit has little to no impact and influence. Meanwhile, almost two-thirds believe that Internal Audit’s strength in these areas will be important in the coming years. This disconnect—between current and needed impact and influence—must be addressed, for the good of Internal Audit and the organization.
  • Dynamic reporting is poised to increase. Most Internal Audit groups communicate with stakeholders through static text documents and presentations. Use of text in particular is expected to decrease (from 78 percent to 58 percent) as dynamic visualization tools increase dramatically (from 7 percent to 35 percent). These dynamic visualization tools enable Internal Audit to deliver more insightful observations, interact with stakeholders, and deliver greater value.
  • Reviews of strategic planning and risk management will increase. While about one third of Internal Audit groups have evaluated their organization’s strategic planning process in the past three years, over half expect to do so in the next three to five years. A strong increase is also expected in the number of Internal Audit groups reviewing their risk management function.
  • To make changes in its approaches and activities, Internal Audit should embrace an innovative mindset, as well as actual innovations. However, the function is not known for aggressive innovation.
  • Perhaps Internal Audit should adopt the mantra of many companies—if you are not moving forward, you are moving backward, if only in relation to everyone who is moving forward.

If you have seen my posts for the last few years, you will expect me to agree with many of the points Deloitte makes in this publication.

I especially like the comments about (a) moving to a new model where internal audit communicates what stakeholders need to know, when they need to know – dynamically, taking advantage of today’s and tomorrow’s technology; (b) assessing and contributing to the improvement of risk management; and, (c) assessing the strategic planning process.

I believe that by auditing what matters to the board and executives, internal audit’s influence will soar.

However, I am more cautious about the use of analytics. I wholeheartedly encourage the use of mobile analytics by the entire audit staff, where the time spent obtaining insights into the underlying data is minimal. But, I fear the extensive investment some are making into analytics that are not molded to a dynamic audit approach where few audits are repeated and management is responsible, not internal audit, for risk monitoring.

I always used co-sourcing as CAE. Deloitte stresses this, as any good co-source provider would.

But, I believe there is a point here worth thinking about.

If, as I believe we should, internal audit will need to be very much more agile in the future (if not already), agility in resourcing will become more important.

We need to staff for the audits we perform, not perform audits based on the staff we have.

If our audits are ever-changing, and the skills and experience we need also change at speed, we may need fewer employees and more co-sourced staff. We still need a core with a deep understanding of the business and of the risks that will need to be addressed every year. But, if we expect to perform audits of many different risks each year, we may need to go to the co-source well much more often.

What do you think?

I recommend reading the entire Deloitte report.


Risk and Opportunity Management

July 2, 2016 9 comments

As we review the exposure draft (ED) from COSO of their ERM Framework, one of my concerns has been whether it pays sufficient attention to the positive effects of uncertainty (things that might happen in the future that would increase the success of the organization).

While COSO ERM 2004 told us that there are both potential positive and negative effects of uncertainty, the detail in the framework focused exclusively on the negative (which it referred to as ‘risk’, with ‘opportunity’ the positive).

The 2016 ED again tells us that organizations need to manage all the potential effects of uncertainty and not just the adverse.

Do they do that well?

My comments on the ED, which are downloadable and are summarized on my IIA blog, include an assessment of this issue.

The title of this post is “Risk and Opportunity Management” because the exposure draft of the South African corporate governance code (King IV) no longer refers to risk management. It now refers to risk and opportunity management.

I think this is an excellent move.

Rather than trying (as ISO 31000:2009 does without sufficient success) to explain that risk can be either positive or negative, battling uphill against common English usage of the word, perhaps it is time we started talking about risk and opportunity.

A new report from The Risk Institute at Ohio State University, their second Annual Survey on Integrated Risk Management, shares some interesting insights.

One of the things I like in the report is how they talk about the fact that many if not most see risk management as a defensive strategy.

That is reflected in the entrenched thinking that risk management is a compliance activity (“33 percent of financial firms reported an “exceptional improvement” in their ability to meet regulatory and compliance requirements when they integrated risk management to improve achieving corporate objectives”;  and “Similar to financial firms, nonfinancial firms reported exceptional improvement (30 percent) in the ability to meet regulatory and compliance requirements and that an ability to avoid litigation and protect the firm against negative events is important”).

The report says (emphasis added by me):

When asked what best describes the “tone at the top” regarding risk management at their company, about 45 percent of respondents in financial firms report that it is reactive or defensive, reflecting a necessity for mandated requirements or for protection against negative outcomes, respectively. However, more than 40 percent of the respondents in financial firms recognize risk management as a value creation tool used across the firm, mostly in a fully integrated way.

In contrast, in nonfinancial firms, 67 percent of respondents see risk management as a reactive or defensive strategy, while about 20 percent of respondents believe that this strategy creates value in a partially or fully integrated way.

The number indicating that risk management is about more than defense is growing.

Previously risk management was only being done to meet regulatory requirements and to protect the firm against the negative effects of volatility in firms’ business environments. While these views are still a common practice, more firms recognize risk management as a source of both growth and value, and emphasize its use in certain, if not all, areas of the firm.

One other interesting point that the report makes is that functions like Marketing, Sales, R&D, and Human Resources are rarely involved in risk management processes.

When I led risk management at Business Objects, these were the functions most heavily involved!

As the report affirms, they are major areas of both risk and opportunity.

Is it any wonder that executives fail to see the value of risk management and how it contributes to the success of the organization, when risk practitioners only talk about potential harms?

Is it time to reposition to risk and opportunity management? Is it time for risk practitioners to remove the blinders, see the big picture, and pay attention to both creating and preserving value?

Or is it time to stop talking about either, instead talking about informed and intelligent decision-making? Maybe we should just talk about effective management!

I welcome your comments.


As a reminder, my comments on the COSO ERM ED are available here.

Risk reporting to the Board

June 26, 2016 4 comments

Jim DeLoach and I are friends that, I believe, share mutual respect but sometimes disagree[1]. I like to think our occasional disagreements are more about how we present and discuss topics than they are of substance. Nevertheless, I have made some less than positive comments on his and his firm’s work a few times in these pages.

Not so much today!

In March, Jim had Six Principles for Improving Board Risk Reporting published in NACD Directorship.

I would not argue with any of his principles:

  1. Focus on critical enterprise risks and emerging risks.
  2. Address ongoing business management risks on an outlier basis.
  3. Ensure risk reporting is linked to key business objectives.
  4. Use risk reporting to advance dialogues around risk appetite.
  5. Integrate risk reporting with performance reporting.
  6. Report on whether changes in the external environment affect the critical assumptions underlying the strategy.

I think the six are all principles that should be a focus of the board’s attention. Jim expands on them in the article.

I would change the order, putting the reporting of risk to objectives first.

My dialogues with board members over the last couple of years (including work with the NACD, where I would often see Jim) have told me that they want to receive information that is actionable.

Actionable information, when it comes to board members and top executives, will focus on the type of decisions that those individuals typically make: decisions relating to strategies, major projects, and so on. While they are concerned about management’s ability to make appropriate choices regarding significant risks, they will (and should) rarely get involved in tactical decisions.

  1. So, whether corporate objectives and strategies, which have been approved by the board, will be achieved should be their first concern.7. This brings me to two points that I would consider adding to Jim’s list:7. Consider and obtain assurance on the culture of the organization. The COSO ERM Exposure Draft makes culture a focus and I just posted (on the IIA site, where I have another blog) a discussion of a new research paper by the Chartered Institute of Internal Auditors.
  2. Assess whether the management team, including the CEO and CFO, have effectively integrated the consideration of risk into every business process and decision. Do they ‘embody[2]’ risk management at all times? As a secondary observation, does the board have full confidence in the chief risk officer and his or her ability to work effectively with the management team?

I welcome your comments.

[1] I was honored to have Jim as one of the reviewers of World-Class Risk Management.

[2] I emphasize the need for every executive to embody risk management in my book. Their actions drive the tone for and culture of the whole organization. They need not only to integrate risk into their decision-making processes but demand the same from their direct reports.

We need to review and provide feedback on the COSO ERM Exposure Draft

June 19, 2016 5 comments

This last week, COSO published an Exposure Draft of its ERM Framework Update, freshly entitled Enterprise Risk Management – Aligning Risk with Strategy and Objectives. You can see an introductory video, review, and then provide feedback on the draft here.

The COSO update is a significant moment for all risk practitioners.[1] So I strongly recommend that everybody take the time to review and give careful consideration to the draft.

But, let’s do that by looking at the big picture rather than the detail.

Let’s also put aside any predisposition we may have either to like or dislike COSO’s work.

How should we assess the ERM Update draft? That’s the focus of this post.

COSO not only provides the opportunity to submit comments, but has a history of listening and making changes where appropriate[2].

While COSO has provided their own set of review questions, I am not persuaded they strike to the heart of whether the draft meets the needs of its potential users. COSO’s questions seem to assume that their thinking is correct and only asks whether it is clear. For example, rather than ask whether we agree with their concept of risk appetite, the survey asks whether it is clearly explained.

I suggest we do it against criteria that focus on whether the draft will provide the guidance that enterprises need if they are to be successful.

In other words, if organizations adopt the updated COSO guidance, are they likely to increase their ability to set and then achieve their objectives and deliver the value their stakeholder needs[3]?

How about using the following questions as the basis for assessing and then providing feedback? They are distilled from some of the points COSO makes in the video and the Executive Summary of the draft, plus some consideration of the fundamentals of world-class risk management.

  1. Does the draft provide useful guidance that will help leaders of the organization define the mission, objectives, strategies, and plans that will deliver optimal value to stakeholders?
    • If the mission is not optimal, it is unlikely that the objectives will be
    • If the objectives are not optimal, it is unlikely that strategies to achieve them will be
    • …and so on
    • In order to set the optimal mission, objectives, strategies, and plans, leaders need to consider all the possibilities. They need to be able to obtain as clear a view as possible of potential opportunities and harms for all potential options. Their assessment of what might lie ahead, and how it might affect their journey, needs to be performed in a structured fashion – both opportunities and harms – and a reasonable judgment made that takes all of the potential effects of uncertainty into account
    • Organizations need to periodically review their mission and change it as conditions change. Think of Intel, Microsoft, HP, Apple and more
  2. Does the draft provide useful guidance when it comes to executing against the defined mission, objectives, strategies, and plans? Is there sufficient guidance on effective decision-making, and will it move the practice of risk management away from only reviewing, periodically, a list of risks? Will it lead to organizations practicing risk management continuously?
    • The Executive Summary makes the points that risk management must be continuous, enable effective decision-making, and be more than the review of a list of risks
    • But, does the detail of the framework deliver on those promises?
    • As COSO says in their Executive Summary, execution and the optimization of performance rely on decisions that are made not only by leaders in establishing the goals and objectives of the organization, but by managers at every level of the organization every day
    • In order to make good decisions, people need to consider all the potential consequences of the choices they make. Those include not only the harms but also the rewards that may occur. The consideration needs to be structured and based on useful, timely, current, and reliable information
    • Also as COSO says, risk management needs to be an essential part of running the organization and delivering performance. It should not be separate. Does the guidance enable organizations to manage risk as part of the rhythm of the business? Does it help management entwine the consideration of risk into every business process?
  3. Will the guidance still lead people to only identify, assess, and address potential harms? Will risk reporting still be focused on the level of risk rather than the likelihood of achieving each objective?
    • COSO says the consideration of both harms and rewards (in their language, ‘risks’ and ‘opportunities’) is essential if risk management is to be effective
    • While that is essentially what the prior version said, its language focused almost entirely on ‘risk’ and arguably this has led to most organizations only managing potential harms
    • Most organizations limit risk reporting to a list of risks and their level. But if it’s really about achieving objectives, shouldn’t reporting be about whether each objective is likely to be achieved, exceeded, or missed? It should not be limited to an assessment of potential harms
  4. Does the guidance explain clearly and help decision-makers understand and then evaluate all the potential effects of uncertainty?
    • Some look at ‘opportunity’ as the positive side and ‘risk’ as the negative. But, most situations and certainly most decisions have multiple potential consequences. It’s not just reward or just harm, usually it’s both. For example, when you decide to overtake another car on the freeway, there is potential to go faster as well as the potential for a crash. Only by understanding and then weighing both can a good decision be made. As another example, when you purchase a hotel while playing Monopoly, you create the opportunity to obtain rent (and this requires considering the size of that gain and its likelihood) as well as increase the potential to go bankrupt if you land on another’s property and have to pay rent
    • Some assess the ‘level’ of risk as a point – a level of impact and the likelihood of that impact. However, there is almost always a range of potential impacts, each with its separate likelihood. For example, if the organization decides to reduce the price of its products, sales could (a) increase by 10%; (b) increase by 20%; (c) remain the same; (d) change by another percentage. All of these possibilities have different likelihoods. If you wanted to plot the ‘level of risk’, it would be a range or a curve on the chart and not a point
    • The actions and decisions of one affect many. Is the guidance sufficient on this point?
    • Many define the level of risk based on the amount of impact multiplied by its likelihood. But then a 5% likelihood of a $200 loss is the same as a 50% likelihood of a $20 loss. One may be acceptable but the other not. Does COSO discourage the assessment of risk based on this simplistic calculation?
  5. Will the update provide decision-makers with the structure/process they need to decide whether to ‘take the risk’ because of the potential for reward?
    • In real life, people have to ‘balance’ risk and reward
    • Will the guidance provide a disciplined process for identifying and evaluating all the potential effects of each option and only then making an informed decision? Or does it consider only harms?
    • For example, if the potential for loss is assessed as between $50 (20% likelihood) and $100 (5% likelihood), should a manager ‘take the risk’ when the potential for gain is between $50 (20%) and $250 (5%)?
  6. Will the update lead to providing decision-makers with the guidance they need if they are to make the decisions management and the board want them to make?
    • The great majority of organizations who have a ‘risk appetite statement’ at the entity level have not been able to cascade it down in a way that enables those making the decisions in real life to know what is necessary
    • Different conditions (e.g., whether there is huge public scrutiny, whether the organization is likely to exceed or miss its earnings targets) can lead to executives wanting to change the risk decisions that are made
    • It’s one thing to say that you need to avoid exceeding defined risk limits, but when the reward is high it may be appropriate to take that risk. Does the guidance enable agile decision-making that considers changes in the environment?
  7. Does the update provide sufficient guidance on how to assess and then correct, as necessary, the culture of the organization?
    • It is encouraging that this is now included. Is it sufficient?
  8. Does the update provide sufficient guidance on each stage of the risk management process, including identifying, assessing, evaluating, and treating risk and opportunity? Does it provide sufficient guidance on communications and monitoring, including continuous improvement?
    • There is more to assessing risk (good and bad) than impact and likelihood. Other considerations include duration, speed of onset, and more
    • Many use models. Is this covered sufficiently?
  9. Is the updated COSO guidance on risk appetite and risk tolerance useful? Does it mirror and enable effective decision-making in real life? Does the guidance help to establish not only the upper limit of ‘risk’ that should be taken, but the lower level as well?
    • If organizations don’t ‘take risk’ they will not survive. It is dangerous to be too risk averse
    • How does an organization establish the minimum level as well as the maximum?
    • Does COSO provide sufficient guidance on how to assess both the upside and the downside?
    • Does the updated guidance help people ‘balance’ risk and reward, knowing when to ‘take the risk’?
    • The COSO definition of risk appetite in the current framework talks about an amount of risk. Sometimes risk appetite is expressed in terms like “we have no tolerance for this risk”
    • However, in real life people make decisions based not only on the ‘amount’ of risk (harm) but the likelihood of that amount of risk. For example, I might accept a 2% possibility of losing $100 but not a 20% possibility
    • A generic statement like “we have no tolerance for this risk” does not help real life decision-making. While no organization will state a level at which loss of life is acceptable, in many industries the only way to get to zero likelihood is to exit the business
    • What is an acceptable level of variation from objectives? If you set an objective of 10% growth but are willing to accept 5% growth, surely 5% is your true objective. Alternatively, your objective may remain 10% but you will accept a 7% chance that it will be reduced to 5%
    • Is the ISO 31000:2009 term ‘risk criteria’ better, especially as it can be applied to individual decisions?
  10. Will it be possible to assess the effectiveness of risk management in practice using the updated version?
    • Any assessment should be based on whether the management of risk helps people establish the optimal vision, objectives, strategies, and plans, make better decisions and, as a result, increase the likelihood of achieving objectives
    • Any assessment should identify the areas where the risk of failure in identifying, assessing, evaluating, or taking action to address risk is higher than desired
    • If the assessment is against principles, are those in the COSO draft as good or better than those in ISO 31000:2009?
  11. Will the guidance provide sufficient guidance to enable the board and/or a committee of the board to provide effective oversight?
    • Is the guidance as good as that in South Africa’s King IV Exposure Draft?
  12. Is the updated document consumable? Is it too long? Will it be read, understood, and acted on by all levels of the organization?

My request of you is:

  1. Do you think this list of 12 questions (I would prefer that there were fewer, but there you are) would be a sound basis for assessing the Exposure Draft?
  2. If it is, please share your assessment – here as well as with COSO.


[1] In my mind, this should include all executives and board members because everyone who leads and manages an organization, in fact every decision-maker, is a risk manager. Their decisions, from establishing the vision and mission, through strategy and objective-setting, to the decisions that are made every day across the enterprise as we execute on strategy, create and/or modify risk – and by risk, I refer to the effect of what might happen as we go from where we are to where we want to be.

[2] The Internal Control Framework Exposure Draft had issues that several of us pointed out. To their credit, COSO made some substantial changes. For example, they inserted as the first sentence in the section on effective internal control the key observation that effective internal control provides reasonable assurance that the risk to objectives is at acceptable levels. Without that sentence (and, for some, even despite that sentence) they would have created a checklist comprised of principles and points of focus. Instead, they told us to consider risk when assessing internal control.

[3] Asking a question like this is a technique I have used with good effect when running internal audit. It’s not whether the document explains defined content or ideas. It’s about whether it will help those charged with leading, directing, and running the enterprise be successful.


Explaining risk management in plain English

June 12, 2016 25 comments

I have been saying for a while that one of the reasons for the disconnect between senior executives and risk practitioners is the latter’s language.

Leaders of the organization speak in plain English about the achievement of corporate objectives such as earnings, profits, and projects.

Leaders of the risk management function talk about risks, impact or consequences, and sometimes in technobabble about terms that only risk practitioners and statisticians understand, such as ‘risk capacity’, ‘alpha’, and ‘residual risk’.

The traditional way of explaining the risk management process is (per ISO 31000):

  • Establish the context
  • Identify risks
  • Analyze risks
  • Evaluate risks
  • Treat risks
  • Communicate and consult (throughout the above)
  • Monitor and review (continuously)

Can this be translated into plain English, without using the ‘R’ word?

How about this?

  • Anticipate what might happen
  • Analyze the possibilities
  • Is there a problem? Can we do better?
  • What are the options? Can we improve them?
  • Which is best?
  • Decide
  • Act
  • Review/monitor/learn

I especially like the work ‘anticipate’. It’s better than talking about ‘uncertainty’, another word risk practitioners understand (I hope) but executives find difficult.

Isn’t risk management all about anticipating what might happen between where we are and where we want to be?

I welcome your thoughts.

Can we practice risk management in plain English and help leaders make intelligent and informed decisions without even knowing that this is ‘risk management’?

Risk and Strategy Entwined

June 4, 2016 6 comments

I want to tell you a couple of stories about four people, two sets of twins.

The first two people are O and P; the second pair is SR and RS.

O and P are executives at the same company. The CEO, C, is considering a new venture, so he calls a meeting of his executive team. O and P sit opposite each other and just glare with clear disdain for the other.

C outlines the opportunity and asks for comments from the team. The general counsel and CFO look thoughtful, but before they can say anything O jumps in.

“I think that’s great! I already looked into this with my team and we project an 80% success rate, where we either hit or exceed the targets you outlined. There are a few things we need to prepare before launching, but I am very optimistic (no pun intended) that everything will be set for a launch in just a few months. [The “pun intended” comment was because his real name is Optimist, although his position within the company is Vice President for Strategy and Planning.]

“Oh, O, you are always quick to see the upside without thinking about the many risks involved”, retorts P. “My team also thought the scheme would come up and we have worked with the appropriate departments to compile this list of risks”.

O comments quietly but everyone hears him, “P, you always live up to your name – a Pessimist who sees a cloud in every silver lining”.

P looks quickly at O and says “My job as Vice President and Chief Risk Officer is to make sure everybody is aware of the risks at all times. O, you constantly ignore them.”

Meanwhile, P is passing around a 5-page document describing about 30 areas assessed as ‘major’ risks to the company that exceed its risk appetite, as defined by the Risk Framework and Policy.

C responds to all of this as you might expect – frustration and annoyance. He doesn’t say anything, but he is thinking along the lines of “why did I hire these bozos, who can’t get along with each other and give me the advice and insight I need? One is always ‘full speed ahead’, perhaps to please me, while the other is always quick to point out why we should never do anything. But, if I fire either of them, especially P, I will hear from the board and the regulators.”

Out loud, C puts the list face down after glancing at it and asks his CFO and general counsel, “So, what do you think.”

I am sharing this story because when I write about the risk officer considering both the potential positive and the negative effects of events, situations, and decisions, several people have commented that the risk officer should focus only on the potential adverse effects because others, like the strategy people, are looking at the opportunity side.

I disagree with this perspective for a few reasons.

  1. Any event, situation, or decision can have multiple effects. Some may be adverse, some positive. Often, there will be multiple effects. In my Monopoly blog, I talked about the decision whether or not to buy a property. The purchase would create an opportunity to earn rent, but it would also reduce the cash reserves and increase the significance of having to pay rent, a fine, or so on. The smart manager has to decide whether the potential outweighs the risk. Both sides have to be considered, not just one.
  2. When anybody only explains why you shouldn’t do something, they should expect to be increasingly ignored. How would you react if every time you started to leave home you were greeted with a list of all the bad things that might happen?
  3. Every potential positive effect needs to be assessed with the same disciplined and structured process as an adverse effect.
  4. If you want to be perceived as a partner to the business, behave like a partner to the business! Behave like a top executive who has to make an informed and intelligent decision about whether to move forward, change direction, stand still, or even retreat – based on reliable information about all potential consequences under every option. Behave like an executive and talk like an executive, in the language of the business.

In our second story, which is at another company, the CEO (CE) is also considering a new venture and asks his executive team for input.

SR looks at RS, gets a nod, and answers.

“RS and I have been working together to integrate the consideration of risk into the strategic planning and performance monitoring processes. I am pleased to tell you that our Risk and Strategy teams have been looking at this opportunity together. Strategy [ndm: whose middle name is Risk} and I have this joint assessment for you and the team to review”.

Risk, whose middle name is Strategy, passes around a 2-page document that outlines the results of the two team’s assessment. It includes both the potential upsides, their extent and likelihood, as well as the more significant risks, also with extent and likelihood. There is a Summary section that provides an overview of the most likely net effect of each strategic option.

CE beams with satisfaction. What a change this is from his last company! Here, he has two partners that he can trust to provide him with the information he needs as well as a balanced perspective on the options. He has a strategic advantage over his old friend, C.

He congratulates SR and RS for working together to provide a joint assessment. SR looks to RS before replying that they have agreed on a common framework going forward; both teams are cross-trained so that they always look at an event or situation with a balanced view. The Risk team will assess the full range of potential effects on all issues that come to them, and the Strategy team will include an assessment of both positive and negative effects when proposing new or updated strategies, and when reporting on progress towards objectives.

Let me close with a thought.

Risk Officers have to consider themselves as business executives first and foremost. While their charter may talk about ‘risk’, their job is to help the board and executive team achieve the corporate objectives.

They need to put themselves in the shoes of the CEO and board members. They cannot afford only to concern themselves with reasons not to pursue ventures – implying a desire to stay home and vegetate.

Think like a CEO, act like a CEO, and talk like a CEO. Provide leadership with the information, process, systems, and so on to make effective decisions that lead to success.

I welcome your thoughts.



PS – Do you ‘get’ the pun about ‘entwined’?


Get every new post delivered to your Inbox.

Join 7,010 other followers