The myth of IT risk

August 28, 2015 4 comments

People talk all the time about “IT risk”.

But, is this a useful term? Or can it lead people astray?

As my good friend Jay Taylor has said, and I agree: “there is no such thing as IT risk, only [IT-related] business risk”.

Why the distinction?

What matters is the effect of a potential situation or event on the achievement of organizational objectives, not the effect on the IT function’s objectives. (It may matter to IT’s management, but how much should it matter to the board and executives?)

The investment that should be made in addressing so-called IT risks should depend on their significance to the achievement of organizational objectives. Any “IT risk” should be assessed in those terms.

That is why I prefer to talk about IT-related business risks (although I am amending that, as explained later).

ISACA got it right in their Risk IT framework (now consolidated into COBIT): “IT risk is business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business.”

A few reasons why this is important:

  1. A technology-related risk may be only one of several that could affect the achievement of a corporate objective. All risks related to an objective need to be considered together, because in aggregate (though not individually) they may indicate a need for action. IT management may consider a risk acceptable, but when it is combined with other risks to the same objective, the total is not acceptable to the organization as a whole.
  2. Some technology-related risks may seem significant to IT and other technical staff, but when considered within the context of business objectives they pale in comparison to other risks. Executives and boards have limited capital and resources, and they cannot afford to invest them based on the assessment of a single silo within the organization.
  3. All too often there is a disconnect between those in technical functions and those in the executive suite and on the board, because the technical people talk in technical terms and are unable to explain an issue in business terms. Talking about technology-related business risk forces the discussion to address how the business will be affected.

I have amended my thinking on this in the last year or so. Instead of talking about “IT-related business risk”, I now talk about “technology-related risk”, for three reasons:


  1. Technology is no longer the sole domain of the IT function. For years, other parts of some organizations (such as the engineering function) have owned specialized technologies. Now the advent of cloud has enabled every part of an organization to acquire software, often without the need for IT support or capital. I am not sure that the IT department even knows about all the technology deployed across its organization.
  2. It’s about the use, deployment, etc. of technology broadly across the extended enterprise, which is clearly a business issue, not just an IT issue. In addition, many risks are affected by actions and decisions made by the business.
  3. Not all technology is information technology. While I know some disagree, I don’t consider robots, process control systems or the like to be “information technologies”.

A recent report from the IIA talks about technology risks. That’s better, but not as good or clear as “technology-related business risks”.

Do you agree? Is there a risk (pun intended) of assessing (and of auditing) risk in silos?

Talking sense about risk and strategy

August 22, 2015 1 comment

I am heartened by the increasing number of articles and publications that are talking sense when it comes to the management of risk.

The latest is a piece in PropertyCasualty360, Where risk meets strategy.

It’s a short piece, but it is worth reading for these and other points:

A reasonable amount of good risk management is better than no risk management, but too much poor risk management hurts an organization by encumbering resources, slowing decision processes and giving leaders—and the board and other stakeholders—a false sense of security.

…the “wish list” from these executive leaders and board members was pretty simple. In essence, they would like the discipline of risk management to focus on two things: one, helping organizations pursue current and planned opportunities in a nimble risk-aware fashion; and two, helping leaders see the big risks around the corner in time to do something meaningful about them, whether avoidance or mitigation, or better crisis management.

Entrepreneurial spirit does not thrive in cultures that are fearful of taking manageable risk, or otherwise mired in paperwork and process.

By the way, when John Fraser of Hydro One was reviewing a draft of my World-Class Management book (he was one of several global risk practitioners and thought leaders who made a huge contribution through their comments), he pointed out that while every decision changes risk, it is very useful to take a periodic snapshot and review the more significant risks to the enterprise. I tend to focus more on the first in my writing (intelligent and informed decision-making), because many organizations limit their risk management activities to the second (a review of a list of risks).

I very much like the point about nimble decision-making, enabled and enhanced by timely and reliable risk information.

What do you like? Or, do you disagree?

When to audit business locations

August 16, 2015 8 comments

One of the readers of my work sent me this message.

I was reading your article about modern risk based audit [link added] published in the IIA journal. I find the approach very interesting.

In developing my plan I used to do the traditional risk assessment by identifying the audit universe then prioritizing entities based on risk. In your suggested approach, an auditor should start from the company strategy and objectives, identify the risks that jeopardize these objectives (this could be done through risk management) then audit controls related to those risks.

I had a discussion about that approach 4 months back and I got a lot of opposition from CAEs who audit banks. Their opinion is that they have to audit the big branches every year. I would really appreciate your opinion on that as, for some industries, it seems that covering the audit universe is as important as starting from the risks to objectives (such as expansion in a certain country).

I have seen a lot of CAEs surrender to the old approach simply because they are not politically strong enough to raise big strategic alarms with their board audit committees and senior management.

Apologies for reaching out to you this way, but I’m very passionate about what I do and I would like to learn and implement new good ideas such as the one suggested by you in the IIA journal.

I will start working on my annual plan now, changing the lens to start from the risks to objectives and not from the audit universe. I would appreciate the opportunity to reach out to you if I have difficulty implementing this.

I enjoy the opportunity to mentor others and to evangelize internal auditing, so I replied straight away.

I used to be in internal audit at a bank, in ancient history, and understand the perspective. The idea is that the larger branches are a significant source of risk. I don’t quarrel with that, but how much work do you need to do there? That’s the key question! Do you look at every risk that is significant to the branch, or only those that are significant (in aggregate) to the bank as a whole?

The risk (pun intended) is that by focusing on details at the branch level you miss the big picture. I write about this in my internal audit book. At Solectron, we had about 120 factories (sites) and margins were so small that a serious issue at any one site could be significant to the business as a whole. My predecessor had an audit plan that spent 90% of the time auditing the sites.

Soon after I took over as CAE, I went over to my IT auditor who, like the rest of the team, was preparing for the next site audit. I asked what he was working on – perhaps looking at some analytics to improve his understanding of the business before he arrived. No. He was starting to draft the audit report! He told me that he found the same issues at every site, so he knew in advance what he would find at the next one!

I asked what corrective actions came from his findings and he explained that local management would upgrade the security, etc.

But, when I asked whether he or the former CAE had thought about whether this pervasive problem should be escalated to corporate and the office of the CIO, he said “no”. No audit had been performed of corporate IT, not even of the corporate IT security function.

Down in the weeds, missing the big picture.

I changed the approach to the one I discuss in my writing. We looked at the business risks to the enterprise should IT fail in some fashion. That led us to audit the way in which the company approached IT security, the leadership and capabilities of the corporate IT function, and so on.

Recently, Paul Sobel and I were on an OCEG webinar and talked about the topic of my book, world-class internal auditing. One of the survey questions asked whether those listening based their audit plans on risks at the location level or at the enterprise level. Unfortunately, the great majority used the ‘old’ approach, but we were heartened to hear that they intended to move to the ‘newer’ enterprise-risk based approach.

Where are you now and are you changing?

What should be audited at each location or within each business process? The risk to the process or the risk to the enterprise?

By the way, look at a related post on the IIA blog (it will appear this week) where a board member says that most internal audit ‘findings’ are mundane. I believe that is due, in part, to auditors being focused on risks in the weeds rather than to the enterprise.

Are you ready for the new technology that will change our world, again?

August 8, 2015 5 comments

It’s not that long since we were dismissing the Internet of Things as something very much ‘next generation’. But, as you will see from Deloitte’s collection of articles (Deloitte Review Issue 17), many organizations are already starting to deploy related technologies. I also like Wired magazine’s older piece.

Have a look at this article in the New York Times, which provides some consumer-related examples. Texas Instruments has a web page with a broader view, mentioning building and home automation; smart cities; smart manufacturing; wearables; healthcare; and automotive. Talking of the latter, AT&T is connecting a host of new cars to the Internet through in-auto WiFi.

At the same time, technology referred to as Machine Learning (see this from the founder of Sun Microsystems) will be putting many jobs at risk, including analysis and decision-making (also see this article in The Atlantic). If that is not enough, the IMF has weighed in on the topic with a piece called Toil and Technology.

Is your organization open to the possibilities – the new universe of potential products and services, efficiencies in operations, and insights into the market? Or do you wait and follow the market leader, running the risk of being left in their dust?

Do you have the capabilities to understand and assess the risks as well as the opportunities?

Do your strategic planning and risk management processes allow you to identify, assess and evaluate all the effects of what might be around the corner? Or do you have one group of people assessing potential opportunity and another, totally separate, assessing downside risk?

How can isolated opportunity and downside risk processes get you where you need to go, making intelligent decisions and optimizing outcomes?

When you are looking forward, whether at the horizon or just a few feet in front of you, several situations and events are possible and each has a combination of positive and negative effects.

Intelligent decision-making means understanding all these possibilities and considering them together before making an informed decision. It is not sufficient to simply net off the positive and negative, as (a) they may occur at different times, and (b) their effects may be felt in different ways, such as a potentially positive effect on profits, but a negative potential effect on cash flow and liquidity; the negative effect may be outside acceptable ranges.

With these new technologies disrupting our world, every organization needs to question whether it has the capability to evaluate them and determine how and when to start deploying them.

COSO ERM and ISO 31000 are under review and updates are expected in the next year or so. I hope that they both move towards providing guidance on risk-intelligent and informed decision-making where all the potential effects of uncertainty are considered, rather than guiding us on the silo of risk management.

Are you ready?

I welcome your comments.


For more on this and related topics, please consider World-Class Risk Management.

Assessing the organization’s culture

August 1, 2015 6 comments

It’s difficult to argue that an organization’s culture does not have a huge effect on the actions of its board, management, and staff.

Fingers have been pointed at the culture at GM, Toshiba, a number of US banks, RBS, and more – asserting that problems with the culture of the organization led to financial reporting issues, compliance failures, and excessive risk-taking.

Now, a new report by the Institute of Business Ethics, Checking Culture: a new role for internal audit, “shines a spotlight on the role of internal audit in advising boards on whether a company is living up to its ethical values”.

The authors quote the CEO of the UK’s Chartered Institute of Internal Auditors (UKIIA):

“Through a properly positioned, resourced and independent internal audit function a board can satisfy itself not only that the tone at the top represents the right values and ethics, but more importantly, that this is being reflected in actions and decisions taken throughout the organisation.”

In 2014, the UKIIA published Culture and the role of internal audit.

I strongly recommend reference to both papers.

As usual, I have some concerns.

  • While internal audit clearly has a role, why is the assessment of culture not performed by management – specifically by the Human Resources function? Wouldn’t internal audit add more value if it worked with that function and helped them not only assess culture periodically but build detective controls to identify potential problems on a continuing basis?
  • There is no single culture within an organization. The UKIIA report includes this great quote: “The problem is: complex organisations, like the NHS [the National Health Service], mean there is no ‘one NHS’. There is a tangled undergrowth of subcultures that, even if they wanted to march in step, probably couldn’t hear the drum beat”.
  • Culture has many forms: ethics; risk; performance; teamwork and collaboration; innovation; entrepreneurship; and so on. All of these are critical to success, but they can be in conflict with one another, such as risk appetite and entrepreneurship. Any audit engagement would need to focus on specific areas and know where management and the board draw the line between acceptable and unacceptable. Taking too little risk can be as damaging as taking too much!
  • Culture is very personal! It changes as managers and other leaders change, as business conditions change, and so on. Any audit engagement has to take note that the behavior of decision-makers can change in an instant and any assessment can quickly be out-of-date and misleading. In fact, poor behavior by a tiny fraction of the organization can have massive impact – and this may not be detected by any survey.

Does this mean that internal audit should not have a role? No. They should.

This is my preference:

  1. All internal auditors should be aware and alert to any indicators of inappropriate behavior of any kind: from ethical lapses, to excessive risk-taking, to disregard for compliance, to poor teamwork, to ineffective supervision and management, to bias or discrimination, to – you name it.
  2. Internal auditors should not be afraid of bringing these issues to the attention, not only of senior internal audit management (so that the need can be assessed for a broader review to determine whether this is an individual, team, or broader problem) but to more senior management and Human Resources so they can take action.
  3. The CAE should talk to the CEO and the head of Human Resources and help them establish the proper guidance, communication and training in desired behaviors, as well as periodic assessments and detective controls to assure compliance.
  4. The CAE and the CEO should discuss the organization’s culture and its condition with the board (or committee of the board) on a regular basis. My preference is for the CEO to take the lead, with additional information provided by the CAE on internal audit’s related activities and opinion.

For a different spin, check these out:

What do you think the role of audit should be, especially vs. the role of management, when it comes to culture?

The digital trends most likely to influence business strategy

July 29, 2015 Leave a comment

A new ISACA series of reports is available. Targeted at board members, the C-Suite, and those who influence them, ISACA Innovation Insights are a free download.

This is how ISACA describes the series:

Timely and authoritative information designed to help enterprise leaders be more agile in strategy-setting and execution by evaluating both the opportunities and risks of new technology.

ISACA has launched a new service to provide easy to use, timely, relevant, and unbiased information to organizational leaders at board and C-suite levels to help them more quickly adapt to changing information technology. This information includes insights into both the opportunities and risks of new technology and is designed to help enterprises be more agile in establishing or modifying strategy in a constantly changing world. These reports are designed to help governance teams understand — without technical jargon — what innovations matter to them, how those innovations change their competitive landscape, and how to engage their management teams relative to these new areas.

The Insights service is comprised of a periodic research report (the ISACA Innovation Insights report), within which the most important new emerging technology trends are objectively evaluated based on their ability to provide value to your organization. Supplemental “drill-down” reports (ISACA Trend Reports) provide executive and governance-focused guidance on individual trends.

I recommend downloading the Innovation Insights report first. It identifies the top ten digital trends, with more information available on each in individual reports that can be downloaded later.

ISACA will poll those who access the reports to get their assessment, but I am interested in any observations you are willing to share here.


Full disclosure: I am a member of the committee that provided oversight for the series.

An internal audit conversation between Paul Sobel and Norman Marks

July 28, 2015 3 comments

Please join Paul (immediate past chair, IIA Global) and me on August 6th for a free webinar hosted by OCEG. Here is the session description.


Join Norman Marks and Paul Sobel for a conversation about what it takes to have a world-class internal audit function. Paul is the Vice President/Chief Audit Executive of Georgia-Pacific LLC and a former Chairman of The Institute of Internal Auditors. Norman Marks, who is not only an OCEG Fellow but an Honorary Fellow of the Institute of Risk Management, led the internal audit activity at global corporations for about 20 years; he is the author of World-Class Internal Audit: Tales from my Journey and a new book, World Class Risk Management.

Paul and Norman will share their views on topics such as:

  • Our world is constantly changing and change is the order of the day. Has a gap been created between the value executives and boards need and what IA has traditionally delivered? Is it time for transformation?
  • In today’s world of rapidly changing risk profiles, how has risk-based internal auditing changed? Should we now call it enterprise risk-based auditing?
  • Is our primary mission assurance or consulting/advisory?
  • How often should the audit plan be updated?
  • Are audit reports the best way to communicate results?
  • Should the CAE issue a formal report on the adequacy of internal control? What about an opinion on the management of risk?
  • IT-related risks continue to grow; how should a CAE determine how many of his scarce resources should be devoted to technology?
  • Of the new Principles for Effective Internal Auditing, which is your favorite and why?
  • How do you build relationships with executive and operating management?
  • How do you get the best out of an internal audit team?
  • What does a savvy CAE do to win the war for talent?
  • Does IA need to educate the audit committee of IA’s potential so that it demands more?
  • What is world-class internal auditing?

This is a group internet-based event for NASBA authorized continuing education credit. Attendees who are premium individual or enterprise members of OCEG or who have an OCEG All Access Pass will receive a certificate of completion of this webcast indicating 1 hour of CPE.

