I have to ask this question after reading two recent papers. The first is from an organization that positions itself as not only an expert in cyber but one that offers related consulting services and solutions.
Practical Guide to Measuring Cyber Resiliency and Effectiveness was published by Lockheed Martin earlier this year.
The authors suggest a seven step process for establishing “an effective, sustainable computer network defense program”.
While the piece has some value, I have some major issues with it.
Let’s start with the fact that cyber is a business issue, not just an IT one. Yet, the only people on the recommended team are techies. In fact, they recommend a team of three “highly-skilled Technical Leads and Cyber Analysts with experience in Threat Monitoring, Incident Response, Cyber Threat Intelligence, Malware Analysis, and Computer Forensics, DevOps, Analytics, and general cybersecurity and IT skills”.
Nowhere is there any mention of the need to involve business personnel.
In my presentations and courses, I often talk about this hypothetical situation.
Imagine that we are in a conference room and hear a loud BANG from outside. We run to the window and see that a large safe has landed in the middle of the parking lot. Security guards rush to surround it. They string barbed wire around the safe, with bright lights and 24-hour monitors.
But then an executive appears and tells a guard to open the safe.
The executive looks around and spots a wicker basket against the fence, close to an exit from the lot.
He strolls over and sees the crown jewels wrapped in tissue paper in the basket.
The point is that you protect what needs to be protected.
You need to know what assets are at risk before setting up a cyber program or any other form of controls and security.
Yet, the paper does not mention any form of risk assessment.
The risk from cyber is not the technology or network; it is the effect on the achievement of a business objective.
I have additional issues with the paper.
- The analysis assumes that all attacks can be detected. This is a huge assumption and not credible in my view
- There is no mention of risks introduced by mobile or cloud applications and services
- There is no discussion of threats to the organization through attacks on the extended enterprise. Many organizations have outsourced services to a third party; those services may be at risk. In addition, many attacks are on our partners in the extended enterprise; once an intruder has gained access to a partner, they may be able to access our network and systems. Finally, many intruders are attacking employees’ personal devices and systems – and could gain access that way
- The issue of educating the organization to be security-conscious (such as avoiding clicking on links or attachments that introduce malware or using better passwords) is ignored. In fact, the use of non-simple passwords is totally absent.
I am afraid I find this paper quite lacking from a business perspective.
Now, perhaps all my points are discussed by this vendor in different publications – but that is not apparent from this piece.
The second paper is The Cyber Threat Risk – Oversight Guidance for CEOs and Boards. It has a foreword by Sameer Bhalotra, Former White House Senior Director for Cybersecurity, so I was expecting a better paper than the Lockheed Martin one – especially as it is targeted at CEOs and board members.
But, the same criticisms apply.
There is no business risk assessment, there is no mention of mobile or the cloud, a security-conscious culture is absent, and the extended enterprise is ignored.
It does have some better content, including:
- a description of the problem we face
- an emphasis on detection as well as prevention
- a discussion of mean-time-to-detect and mean-time-to- respond
Most of the techies I know understand all my concerns. But I have to ask when so-called cyber experts write and share papers like these.
I welcome your thoughts.
An interesting McKinsey piece, by a retired CEO of Toyota in Canada, makes some interesting points about effective leadership. (Still) Learning from Toyota includes reflections on how Toyota implemented and obtained success from the Lean methodology. But in the process it makes points that apply whether you are using Lean or not.
Here are a few excerpts (emphasis added):
- The reality is that many senior executives—and by extension many organizations—aren’t nearly as self-reflective or objective about evaluating themselves as they should be. A lot of executives have a propensity to talk about the good things they’re doing rather than focus on applying resources to the things that aren’t what they want them to be.
- What happens in Toyota’s culture is that as soon as you start making a lot of progress toward a goal, the goal is changed and the carrot is moved. It’s a deep part of the culture to create new challenges constantly and not to rest when you meet old ones. Only through honest self-reflection can senior executives learn to focus on the things that need improvement, learn how to close the gaps, and get to where they need to be as leaders.
- A self-reflective culture is also likely to contribute to what I call a “no excuse” organization, and this is valuable in times of crisis. When Toyota faced serious problems related to the unintended acceleration of some vehicles, for example, we took this as an opportunity to revisit everything we did to ensure quality in the design of vehicles—from engineering and production to the manufacture of parts and so on. Companies that can use crises to their advantage will always excel against self-satisfied organizations that already feel they’re the best at what they do.
- Senior executives who are considering lean management (or are already well into a lean transformation and looking for ways to get more from the effort and make it stick) should start by recognizing that they will need to be comfortable giving up control.
- ….there’s ultimately no such thing as perfection. There’s always another goal to reach for and more lessons to learn.
I was fortunate to work at a company, Solectron, that adopted Lean. I know that it can work and provide huge benefits, whether in manufacturing, finance, or internal audit.
I like several things about these messages. An effective culture is about far more than ethics and compliance. It includes:
- The ability for everybody to contribute to the performance of the organization without being dominated by the executive team. Leaders can and should come from every corner of the organization, but have to be freed of the chains of structure, position, and rank.
- A desire to continuously improve, not occasionally, but all the time. Kaizen is not something you “do”, it is a cultural philosophy.
- A shared commitment to excellence in performance, quality, and efficiency.
- Knowing when to invest scarce resources, and being willing to change what has worked in the past because it may not be best for the future.
- Embracing innovation, whoever’s idea it is.
- The ability to learn from and take advantage of setbacks, rather than always trying to pin the blame on a culprit.
- There’s no reason why people cannot enjoy their work.
When governance, risk, information security, internal audit and other practitioners focus exclusively on culture being about ethics and compliance, it can come at the expense of performance.
A focus on not doing wrong can inhibit the ability to do what is right. It can make an organization excessively risk averse.
When you consider culture, are you only thinking of ethics and compliance or are you looking at what it takes to be successful?
I welcome your thoughts and comments.
I worry when I see consultants and thought leaders say the board needs to include experts on cyber or other topics.
I agree that cyber is one of today’s hot topics and represents a risk to pretty much every organization.
But is the answer to have a director who is considered a cyber expert?
After all, that usually means having one director who understands information security issues, probably because they served as an IT executive or had a leadership position with a consulting organization.
One person who is limited in the amount of time they spend talking to management, a part-timer who is unlikely to fully understand the complete range of technology used by the organization, how it is used, the process for managing it, and the people relied on to address related risk.
One person who is almost certainly spending the great majority of his or her time running their own consulting business – or is retired and may no longer be current and up-to-date. After all, this is a dynamic technology environment.
For example, I have what many would consider a strong technology background. I was a senior IT audit manager with one of the Big 4 audit firms, was the executive responsible for information security and governance for a major financial institution, and had both the IT audit and IT quality assurance functions report to me.
But while I still understand the principles of technology use and related risk, I would not position myself as an expert.
I would not be comfortable having any board rely on me for assurance on technology risk.
I would only be comfortable if I was able to surround myself with experts on whom I could rely. (I was fortunate to have several during my time as CAE.)
Boards should, in my opinion, take the same approach.
Rather than relying on the mistaken belief that a single board expert (who may not be current) can cover a critical topic, they should ensure that management has the personnel they can rely on.
The board should question management with an appropriate level of professional skepticism in discussions about cyber.
Management presentations and the ensuing discussions are opportunities for the board members to seek and gain assurance that management has a good handle on technology-related risks.
The goal should be to get comfortable with management rather than to decide themselves whether cyber is properly managed.
Cyber is just one of the topics requiring specialized experience and insight. Others might include commodity and/or currency hedging; compliance with anti-bribery and other regulations; conducting business in China and other nations; the activities of competitors; and so on.
The board cannot be an expert in every area of risk.
They cannot have an expert on everything.
Believing that they can discuss cyber and all other specialized areas and decide whether risk is at desired levels is, in my opinion, both arrogant and unwise. One former CIO who talks to the company’s technology people once a quarter is insufficient
Boards are generally composed of current and former CEOs, CFOs, and similar. The directors are experts in the specialized area of hiring good people and monitoring their performance.
I would much prefer that board members not just once but continuously assess the executives individually and as a team.
Are they competent and capable of managing the organization to success, including addressing issues like cyber, economic disturbances, and so on?
So while I would be happy to serve on a board as their technology or risk management expert, sadly that is not the answer.
The answer is to have confidence in the people who run the organization every day.
Some may say that the board needs a technology person to ask the right questions and know when the answers are poor. My answer to that is that I need a CEO who can ask the CIO and others on his team the right questions. I need a CEO who can be comfortable that cyber is being addressed every day, not just once a quarter.
The board should be able to assess the CEO and how he or she works with the CIO, CTO, CISO, and so on to manage cyber risk.
I welcome your comments.
I usually like McKinsey’s thought leadership pieces.
However, Five questions boards should ask about IT in a digital world is not, in my opinion, up to their normal standard.
These are the five:
- How well does technology enable the core business?
- What value is the business getting from its most important IT projects?
- How long does it take the IT organization to develop and deploy new features and functionality?
- How efficient is IT at rolling out technologies and achieving desired outcomes?
- How strong is our supply of next-generation IT talent?
There’s nothing wrong with asking any of these questions.
I’m just not sure they go far enough!
For example, if I was on the board I would be asking the management team:
- How will you know when emerging technology has the potential to advance the business?
- Whose responsibility is it to identify both opportunities and threats that may result from new technology? How are they evaluated and by whom?
- How is new technology considered in developing the strategies presented to the board for our review?
- How agile is the organization when it comes to the ability to embrace and take advantage of new technology?
McKinsey makes the obvious point that this is a digital world. However, they then seem to focus on the IT department rather than how the organization as a whole can take full advantage of new technology, while recognizing and addressing risk.
That is an executive management issue that cannot be left to the technicians in IT.
Agility is a tough topic that should merit piercing questions from the board. It’s not only legacy hardware and software that may need to be changed; attitudes and habits across the management team may need adjustment.
What are the questions you think should be asked by the board about technology (i.e., not limiting the discussion to IT)?
Two new reports from the IIA are worth downloading and reading carefully:
- Benchmarking Internal Audit Maturity, by Abdolmohammadi, D’Onza, and Sarens
- Voice of the Customer: What Stakeholders Are Telling Internal Audit, by Harrington and Witzany
I read the Benchmarking report first. Written by three eminent academics, it summarizes results from the IIA’s CBOK survey and attempts to assess the maturity of internal audit departments around the world.
I say “attempts” because it does not really share a full maturity model with us. I would expect to see something that takes key attributes of performance and defines what can be expected at different levels of maturity. Instead, it lists (without always providing a clear definition) several attributes and indicates how many report they have achieved some level of performance against them.
For example, it talks about aligning internal audit work with the strategies of the organization, but does not explain what that means. I doubt that it means that all internal audit engagements are designed to address critical risks to the objectives of the organization as a whole. If that were the case, very few would audit payroll, fixed assets, accounts payable, or employee expenses. When have you ever heard of an organization failing, or even substantially missing performance targets, due to control failures in any of these areas?
Even so, 45% of internal auditors responding to the CBOK survey said their department’s plan was not really aligned!
That is a problem.
How can we expect to be contributing to the organization’s success if the audit plan is not driven by the organization’s strategies and related risks?
In the second CBOK study, written by my friends, Larry Harrington (current IIA chair) and Angela Witzany (incoming chair), the same topic is explored – with more meaningful results. (Perhaps this is to be expected: practitioners vs. consultants).
Internal auditors must understand the mission, strategy, and objectives of their organizations. This was a central, overriding message from all categories of stakeholders. Whether they are board members or part of executive management, stakeholders are primarily focused on the organization’s success in accomplishing its mission. Naturally, they want to see internal auditors looking at their role in the same way, concentrating on how they can help the organization be successful.
One area addressed quite well in the Maturity report is internal audit’s risk assessment activity, the basis for the audit plan and the engagements that are performed.
Apparently, 32% only update their assessment of risk (and, I assume, their audit plan) once a year; 23% do so continuously; 36% periodically; and 9% never update their assessment!
While this is better than it has been in the past, I don’t believe that risks only change once a year, or even once a month! If we want to audit the risks of today and tomorrow, we have to constantly be aware of the changing risk environment.
According to the Witzany/Harrington report, executives are well aware of the need for internal audit to audit what matters now and in the near future:
A CFO in the United States expressed it this way, “Because technology is changing so much, we need to be focused on things that are happening right now. Ideally, [internal audit] can be looking at the future, but we can’t get there just yet.” Many others, however, recognize that future risks cannot be sidelined because they will soon be current risks. A chief executive officer (CEO) from South Africa commented, “Risks are always changing.
Now, the academics included in their maturity assessment whether internal audit has a formal, current, audit manual.
Sorry, but in these days of dynamic change, a formal manual with documented audit procedures is one of the very last things I would worry about. In fact, if a lot of time is spent documenting today’s practices, it is not only going to be out of date very quickly but will consume resources that need to be spent auditing risks that matter.
One interesting topic in the second CBOK study talked about the value of assurance and whether it should be prioritized over advisory/consulting work.
I was very pleased to see the executives say that assurance comes first – and you do advisory work with remaining available resources. I have held this position ever since I became a CAE more than 25 years ago.
“Assurance activities would still go first, and if there are sufficient resources, the remaining resource will go for consulting.” —Board Member, Taiwan
“Assurance is essential and consulting is nice to have, but should be second in priority.” —Board Member, United States
“First of all, priorities should be identified. I think assurance activities come first.” —Executive Management, Turkey
All in all, these are useful reports and I recommend downloading and reading them both.
What is your reaction to these points, especially the focus on assurance and the need for continuous risk assessment and updating of the audit plan?
A new report from Deloitte has some interesting conclusions – plus predictable ones.
2016 Global Chief Audit Executive Survey: Internal Audit at a crossroads has some provocative content.
Deloitte says there is a choice to be made: “Evolution or irrelevance”.
They surveyed more than 1,200 CAEs from 29 countries and the majority voiced concern over the current state of internal auditing.
That is not surprising in itself; as I have previously reported several surveys of executives and board members (such as from KPMG and PwC) have said the same thing, notably that internal audit was not consistently auditing the risks that matter.
But it is surprising that so many CAEs, who should be in a position to make the necessary change, echo the concern.
Some excerpts of note:
- Our research found that CAEs have serious concerns. They know that their organizations are changing—that’s been the case for a while. They also know that Internal Audit needs to respond to meet the changing needs of their organizations.
Those organizations need Internal Audit to inform them about the future rather than only report on the past. They need insights as well as information, advice as well as assurance. They need reviews of not only financial and operational controls, but also of strategic planning and risk management processes. They need internal auditors to apply their rigor, objectivity, independence, and skills in new ways.
As the results of this survey indicate, Internal Audit will have to evolve in specific ways in order to meet these needs. The needed changes are clearer than ever. CAEs must now lead their functions to take the next critical steps. In addition, Internal Audit’s key stakeholders, notably the audit committee and the executive team, must support the function as it takes those steps.
- The status quo is not an option when 85 percent of CAEs expect their organization to change moderately to significantly in the next three to five years, and nearly as many (79 percent) expect similar change in Internal Audit. The survey also found that most CAEs believe that management and the audit committee will expect Internal Audit to step up to meet new challenges
- Only 28 percent of CAEs believe that their functions have strong impact and influence within the organization. A disturbing 16 percent noted that Internal Audit has little to no impact and influence. Meanwhile, almost two-thirds believe that Internal Audit’s strength in these areas will be important in the coming years. This disconnect—between current and needed impact and influence—must be addressed, for the good of Internal Audit and the organization.
- Dynamic reporting is poised to increase. Most Internal Audit groups communicate with stakeholders through static text documents and presentations. Use of text in particular is expected to decrease (from 78 percent to 58 percent) as dynamic visualization tools increase dramatically (from 7 percent to 35 percent). These dynamic visualization tools enable Internal Audit to deliver more insightful observations, interact with stakeholders, and deliver greater value.
- Reviews of strategic planning and risk management will increase. While about one third of Internal Audit groups have evaluated their organization’s strategic planning process in the past three years, over half expect to do so in the next three to five years. A strong increase is also expected in the number of Internal Audit groups reviewing their risk management function.
- To make changes in its approaches and activities, Internal Audit should embrace an innovative mindset, as well as actual innovations. However, the function is not known for aggressive innovation.
- Perhaps Internal Audit should adopt the mantra of many companies—if you are not moving forward, you are moving backward, if only in relation to everyone who is moving forward.
If you have seen my posts for the last few years, you will expect me to agree with many of the points Deloitte makes in this publication.
I especially like the comments about (a) moving to a new model where internal audit communicates what stakeholders need to know, when they need to know – dynamically, taking advantage of today’s and tomorrow’s technology; (b) assessing and contributing to the improvement of risk management; and, (c) assessing the strategic planning process.
I believe that by auditing what matters to the board and executives, internal audit’s influence will soar.
However, I am more cautious about the use of analytics. I wholeheartedly encourage the use of mobile analytics by the entire audit staff, where the time spent obtaining insights into the underlying data is minimal. But, I fear the extensive investment some are making into analytics that are not molded to a dynamic audit approach where few audits are repeated and management is responsible, not internal audit, for risk monitoring.
I always used co-sourcing as CAE. Deloitte stresses this, as any good co-source provider would.
But, I believe there is a point here worth thinking about.
If, as I believe we should, internal audit will need to be very much more agile in the future (if not already), agility in resourcing will become more important.
We need to staff for the audits we perform, not perform audits based on the staff we have.
If our audits are ever-changing, and the skills and experience we need also change at speed, we may need fewer employees and more co-sourced staff. We still need a core with a deep understanding of the business and of the risks that will need to be addressed every year. But, if we expect to perform audits of many different risks each year, we may need to go to the co-source well much more often.
What do you think?
I recommend reading the entire Deloitte report.
As we review the exposure draft (ED) from COSO of their ERM Framework, one of my concerns has been whether it pays sufficient attention to the positive effects of uncertainty (things that might happen in the future that would increase the success of the organization).
While COSO ERM 2004 told us that there are both potential positive and negative effects of uncertainty, the detail in the framework focused exclusively on the negative (which it referred to as ‘risk’, with ‘opportunity’ the positive).
The 2016 ED again tells us that organizations need to manage all the potential effects of uncertainty and not just the adverse.
Do they do that well?
The title of this post is “Risk and Opportunity Management” because the exposure draft of the South African corporate governance code (King IV) no longer refers to risk management. It now refers to risk and opportunity management.
I think this is an excellent move.
Rather than trying (as ISO 31000:2009 does without sufficient success) to explain that risk can be either positive or negative, battling uphill against common English usage of the word, perhaps it is time we started talking about risk and opportunity.
A new report from The Risk Institute at Ohio State University, their second Annual Survey on Integrated Risk Management, shares some interesting insights.
One of the things I like in the report is how they talk about the fact that many if not most see risk management as a defensive strategy.
That is reflected in the entrenched thinking that risk management is a compliance activity (“33 percent of financial firms reported an “exceptional improvement” in their ability to meet regulatory and compliance requirements when they integrated risk management to improve achieving corporate objectives”; and “Similar to financial firms, nonfinancial firms reported exceptional improvement (30 percent) in the ability to meet regulatory and compliance requirements and that an ability to avoid litigation and protect the firm against negative events is important”).
The report says (emphasis added by me):
When asked what best describes the “tone at the top” regarding risk management at their company, about 45 percent of respondents in financial firms report that it is reactive or defensive, reflecting a necessity for mandated requirements or for protection against negative outcomes, respectively. However, more than 40 percent of the respondents in financial firms recognize risk management as a value creation tool used across the firm, mostly in a fully integrated way.
In contrast, in nonfinancial firms, 67 percent of respondents see risk management as a reactive or defensive strategy, while about 20 percent of respondents believe that this strategy creates value in a partially or fully integrated way.
The number indicating that risk management is about more than defense is growing.
Previously risk management was only being done to meet regulatory requirements and to protect the firm against the negative effects of volatility in firms’ business environments. While these views are still a common practice, more firms recognize risk management as a source of both growth and value, and emphasize its use in certain, if not all, areas of the firm.
One other interesting point that the report makes is that functions like Marketing, Sales, R&D, and Human Resources are rarely involved in risk management processes.
When I led risk management at Business Objects, these were the functions most heavily involved!
As the report affirms, they are major areas of both risk and opportunity.
Is it any wonder that executives fail to see the value of risk management and how it contributes to the success of the organization, when risk practitioners only talk about potential harms?
Is it time to reposition to risk and opportunity management? Is it time for risk practitioners to remove the blinders, see the big picture, and pay attention to both creating and preserving value?
Or is it time to stop talking about either, instead talking about informed and intelligent decision-making? Maybe we should just talk about effective management!
I welcome your comments.
As a reminder, my comments on the COSO ERM ED are available here.