An internal audit conversation between Paul Sobel and Norman Marks

July 28, 2015

Please join Paul (immediate past chair, IIA Global) and me on August 6th for a free webinar hosted by OCEG. Here is the session description.


Join Norman Marks and Paul Sobel for a conversation about what it takes to have a world-class internal audit function. Paul is the Vice President/Chief Audit Executive of Georgia-Pacific LLC and a former Chairman of The Institute of Internal Auditors. Norman Marks, who is not only an OCEG Fellow but an Honorary Fellow of the Institute of Risk Management, led the internal audit activity at global corporations for about 20 years; he is the author of World-Class Internal Audit: Tales from my Journey and a new book, World Class Risk Management.

Paul and Norman will share their views on topics such as:

  • Our world is constantly changing and change is the order of the day. Has a gap been created between the value executives and boards need and what IA has traditionally delivered? Is it time for transformation?
  • In today’s world of rapidly changing risk profiles, how has risk-based internal auditing changed? Should we now call it enterprise risk-based auditing?
  • Is our primary mission assurance or consulting/advisory?
  • How often should the audit plan be updated?
  • Are audit reports the best way to communicate results?
  • Should the CAE issue a formal report on the adequacy of internal control? What about an opinion on the management of risk?
  • IT-related risks continue to grow; how should a CAE determine how many of his scarce resources should be devoted to technology?
  • Of the new Principles for Effective Internal Auditing, which is your favorite and why?
  • How do you build relationships with executive and operating management?
  • How do you get the best out of an internal audit team?
  • What does a savvy CAE do to win the war for talent?
  • Does IA need to educate the audit committee of IA’s potential so that it demands more?
  • What is world-class internal auditing?

This is a group internet-based event for NASBA authorized continuing education credit. Attendees who are premium individual or enterprise members of OCEG or who have an OCEG All Access Pass will receive a certificate of completion of this webcast indicating 1 hour of CPE.

Core Principles for Effective Internal Audit

July 24, 2015 2 comments

The IIA released an update to its standards (specifically, the International Professional Practices Framework, or IPPF) at its recent International Conference, in Vancouver. They now include new Core Principles for the Professional Practice of Internal Auditing, as well as a Mission of Internal Audit statement.

This is how the principles are described:

The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit function to be considered effective, all Principles should be present and operating effectively. How an internal auditor, as well as an internal audit activity, demonstrates achievement of the Core Principles may be quite different from organization to organization, but failure to achieve any of the Principles would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s mission (see Mission of Internal Audit[1]).

  • Demonstrates integrity.
  • Demonstrates competence and due professional care.
  • Is objective and free from undue influence (independent).
  • Aligns with the strategies, objectives, and risks of the organization.
  • Is appropriately positioned and adequately resourced.
  • Demonstrates quality and continuous improvement.
  • Communicates effectively.
  • Provides risk-based assurance.
  • Is insightful, proactive, and future-focused.
  • Promotes organizational improvement.

I was privileged to be a member of the task force (RTF), composed of leading internal audit practitioners from across the globe, which recommended that the IIA leave the definition of internal audit unchanged but add core principles and a mission statement. Taking the last item first, we recognize that each IA department will probably have its own mission statement, customized to its organization and charter. However, including a generalized mission statement in IIA guidance would be useful.

The RTF debated whether the IIA standards are rules-based or principles-based. We all felt that they are principles-based, so somebody asked what those principles are. After a lot of discussion, we developed ten that after minor word changes are the Core Principles listed above.

In August, I am joining with Paul Sobel in a free OCEG webinar to discuss World-Class Internal Auditing (based, in part, on my book of the same name). One of the questions we will each answer is which of the principles is our favorite. My choice will probably be “is insightful, proactive, and future-focused”. I explained why in a post last year, Auditing Forward.

But, I might also choose “communicates effectively”. Here are a few excerpts from the book:

It is revealing that the IIA Standards do not require an audit report! Standard 2400, Communicating Results, simply says “Internal auditors must communicate the results of engagements.”

The audit report, I learned, is not a document that summarizes what we did and shares what we would like to tell management and the board.

Instead, it is a communication vehicle. It is the traditional way internal audit communicates what management and the board need to know about the results of our work.

The audit report is not for our benefit as internal auditors. It is not a way to document our work and demonstrate how thorough we were. It is for the benefit of the readers of the report, management, and (when I was CAE) the audit committee. It tells them what they need to know, which is typically whether there is anything they need to worry about.


I talked to my key stakeholders in management and on the audit committee and listened carefully so I could understand what they needed to hear after an audit was completed.

I heard them say that they wanted to know the answers to two questions:

  1. Is there anything they need to worry about?
  2. Are there any issues of such significance that somebody in senior management should be monitoring how and when they are addressed?

In other words, they wanted to manage by exception. They were going to trust internal audit and operating management to address routine issues; they didn’t want to waste their time (my expression; they didn’t actually use those words) on matters that didn’t merit their attention.


The traditional way to express an opinion in an audit report is through a rating scale, such as one that uses a three point scale of Satisfactory, Needs Improvement, and Unsatisfactory.

I don’t believe that a rating scale conveys to the executive reader what they need to know.

If we are tasked with assessing controls over risks, we should not only be telling management whether the risks are being managed effectively but explain, in business language, the effect on corporate objectives.


My focus is always on providing each stakeholder with the information they need to run the business, when they need it, in a clear and easy-to-consume fashion.


Which are your favorite principles?

Do you agree with my thoughts on auditing forward and effective communications?

How does your internal audit department measure up to these principles?

[1] To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Compliance and risk appetite

July 18, 2015 6 comments

Recently, a compliance thought leader and practitioner asked my opinion about the relevance of risk management and specifically risk appetite to compliance and ethics programs.

The gentleman also asked for my thoughts on GRC and compliance; I think I have made that clear in other posts – the only useful way of thinking about GRC is the OCEG view, which focuses on the capability to achieve success while acting ethically and in compliance with applicable laws and regulations. Compliance issues must be considered within the context of driving to organizational success.

In this post, I want to focus on compliance and risk management/appetite.

Let me start by saying that I am a firm believer in taking a risk management approach to the business objective of operating in compliance with both (a) laws and regulations and (b) society’s expectations, even when they are not reflected in laws and regulations. This is reinforced by regulatory guidance. Under the US Federal Sentencing Guidelines, an organization that follows a reasonable process to identify, assess, evaluate, and treat compliance-related risks is treated far more favorably if a violation does occur (an effective compliance program is a mitigating factor in sentencing, not an absolute defense against prosecution). The UK’s Bribery Act (2010) goes further: having assessed and then treated bribery-related risks through adequate procedures is a statutory defense to the corporate offense of failing to prevent bribery.

I think the question comes down to whether you can – or should – establish a risk appetite for (a) the risk of failing to comply with rules or regulations, or (b) the risk that you will experience fraud.

I have a general problem with the practical application of the concept of risk appetite. While it sounds good, and establishes what the board and top management consider acceptable levels of risk, I believe it has significant issues when it comes to influencing the day-to-day taking of risk.

Here is an edited excerpt from my new book, World-Class Risk Management, in which I dedicate quite a few pages to the discussion of risk appetite and criteria.

Evaluating a risk to determine whether it is acceptable or not requires what ISO refers to as ‘risk criteria’ and COSO refers to as a combination of ‘risk appetite’ and ‘risk tolerance’.

I am not a big fan of ‘risk appetite’, not because it is necessarily wrong in theory, but because the practice seems massively flawed.

This is how the COSO Enterprise Risk Management – Integrated Framework defines risk appetite.

Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.

One of the immediate problems is that it talks about an “amount of risk”. As we have seen, there are more often than not multiple potential impacts from a possible situation, event, or decision and each of those potential impacts has a different likelihood. When people look at the COSO definition, they see risk appetite as a single number or value. They may say that their risk appetite is $100 million. Others prefer to use descriptive language, such as “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.”

Whether in life or business, people make decisions to take a risk because of the likelihood of potential impacts – not the size of the impact alone. Rather than the risk appetite being $100 million, it is the 5% (say) likelihood of a $100 million impact.

Setting that critical objection aside for the moment, it is downright silly (and I make no apology for saying this) to put a single value on the level of risk that an organization is willing to accept in the pursuit of value. COSO may talk about “the amount of risk, on a broad level”, implying that there is a single number, but I don’t believe that the authors of the COSO Framework meant that you can aggregate all your different risks into a single number.

Every organization has multiple types of risk, from compliance (the risk of not complying with laws and regulations) to employee safety, financial loss, reputation damage, loss of customers, inability to protect intellectual property, and so on. How can you add each of these up and arrive at a total that is meaningful – even if you could put a number on each of the risks individually?

If a company sets its risk appetite at $10 million, then that might be the total of these different forms of risk:

Non-compliance with applicable laws and regulations $1,000,000
Loss in value of foreign currency due to exchange rate changes $1,500,000
Quality in manufacturing leading to customer issues $2,000,000
Employee safety $1,500,000
Loss of intellectual property $1,000,000
Competitor-driven price pressure affecting revenue $2,000,000
Other $1,000,000

I have problems with one risk appetite when the organization has multiple sources of risk.

  • “I want to manage each of these in isolation. For example, I want to make sure that I am not taking an unacceptable level of risk of non-compliance with applicable laws and regulations irrespective of what is happening to other risks.”
  • “When you start aggregating risks into a single number and base decisions on acceptable levels of risk on that total, it implies (using the example above) that if the level of quality risk drops from $2m to $1.5m but my risk appetite remains at $10m, I can accept an increase in the risk of non-compliance from $1m to $1.5m. That is absurd.”

The first line is “non-compliance with applicable laws and regulations”. I have a problem setting a “risk appetite” for non-compliance. It may be perceived as indicating that the organization is willing to fail to comply with laws and regulations in order to make a profit; if this becomes public, there is likely to be a strong reaction from regulators and the organization’s reputation would (and deserves to) take a huge hit.

Setting a risk appetite for employee safety is also a problem. As I say:

…. no company should, for many reasons including legal ones, consider putting a number on the level of acceptable employee safety issues; the closest I might consider is the number of lost days, but that is not a good measure of the impact of an employee safety event and might also be considered as indicating a lack of appropriate concern for the safety of employees (and others). Putting zero as the level of risk is also absurd, because the only way to eliminate the potential for a safety incident is to shut down.

That last sentence is a key one.

While risk appetites such as $1m for non-compliance or $1.5m for employee safety are problematic, it is unrealistic to set the level of either at zero. The only way to ensure that there are no compliance or safety issues is to close the business.

COSO advocates would say that risk appetite can be expressed in qualitative instead of quantitative terms. This is what I said about that.

The other form of expression of risk appetite is the descriptive form. The example I gave earlier was “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.” Does this mean anything? Will it guide a decision-maker when he is considering how much risk is acceptable? No.

Saying that “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns”, or “The organization has a low risk appetite related to risky ventures and, therefore, is willing to invest in new business but with a low appetite for potential losses” may make the executive team feel good, believe they have ‘ticked the risk appetite box’, but it accomplishes absolutely nothing at all.

Why do I say that it accomplishes absolutely nothing? Because (a) how can you measure whether the level of risk is acceptable based on these descriptions, and (b) how do managers know they are taking the right level of the right risk as they make decisions and run the business?

If risk appetite doesn’t work for compliance, then what does?

I believe that the concept of risk criteria (found in ISO 31000:2009) is better suited.

Management and the board have to determine how much to invest in compliance and at what point they are satisfied that they have reasonable processes of acceptable quality.

The regulators recognize that an organization can only establish and maintain reasonable processes, systems, and organizational structures when it comes to compliance. Failures will happen, because organizations have human employees and partners. What is crucial is whether the organization is taking what a reasonable person would believe are appropriate measures to ensure compliance.

I believe that the organization should be able to establish measures, risk criteria, to ensure that its processes are at that reasonable level and operating as desired. But the concept of risk appetite for compliance is flawed.

A risk appetite statement tends to focus on the level of incidents and losses, which is after the fact. Management needs guidance to help them make investments and other decisions as they run the business. I don’t see risk appetite helping them do that.

By the way, there is another problem with compliance and risk appetite when organizations set a single level for all compliance requirements.

I want to make sure I am not taking an unacceptable level of risk of non-compliance with each law and regulation that is applicable. Does it make sense to aggregate the risk of non-compliance with environmental regulations, safety standards, financial reporting rules, corruption and bribery provisions, and so on? No. Each of these should be managed individually.

Ethics and fraud are different.

Again, we have to be realistic and recognize that it is impossible to reduce the risk of ethical violations and fraud to zero.

However, there is not (in my experience) the same reputation risk when it comes to establishing acceptable levels – the levels below which the cost of fighting fraud starts to exceed the reduction in fraud risk.

When I was CAE at Tosco, we owned thousands of Circle K stores. Just like every store operator, we experienced what is called “shrink” – the theft of inventory by employees, customers, and vendors. Industry experience was that, though undesirable, shrink of 1.25% was acceptable because spending more on increased store audits, supervision, cameras, etc. would cost more than any reduction in shrink.

Managing the risks of compliance or ethical failures is important. But, for the most part I find risk appetite leaves me hungry.

What do you think?

BTW, both my World-Class Risk Management and World-Class Internal Auditing books are available on Amazon.

Integrating strategy, risk, and performance

July 3, 2015 4 comments

While many (including me) talk about the need to integrate the setting and execution of strategy, the management of risk, decision-making, and performance monitoring, reporting, and management, there isn’t a great deal of useful guidance on how to do it well.

A recent article in CGMA Magazine, 8 best practices for aligning strategy, planning, and risk, describes a methodology used by Mass Mutual that they call the “Pinwheel”.

There are a number of points in the article that I like:

  • “Success in business is influenced by many factors: effective strategy and execution; deep understanding of the business environment, including its risks; the ability to innovate and adapt; and the ability to align strategy throughout the organisation.”
  • “….the CEO gathers senior corporate and business unit leaders off-site three times a year. As well as fostering transparency, teamwork, and alignment, this ensures that the resulting information reaches the board of directors in time for its meetings…..The result: The leadership team is more engaged in what the company’s businesses are doing, not just divisional priorities. This makes them more collaborative and informed leaders. This helps foster a more unified brand and culture across the organisation.”
  • “A sound understanding of global business conditions and trends is fundamental to effective governance and planning.”
    • Comment: understanding the external context is critical if optimal objectives and strategies are to be set, with an adequate understanding of the risks inherent in each strategy and the relative merits of every option.
  • “Strategy and planning is a dynamic process, and disruptive innovation is essential for cultural change and strategic agility. Management and the board must continually consider new initiatives that may contribute to achieving the organisation’s long-term vision and aspirations.”
  • Key risk indicators are established for strategies, plans, projects, and so on.
  • “Evaluation and monitoring to manage risks and the overall impact on the organisation is an ongoing process…..monitoring is a continuous, multi-layered process. In addition to quarterly monitoring of progress against the three-year operating plan and one-year budget, the company has initiated bottom-up “huddle boards” that provide critical information across all levels of the organisation.”
  • “Effective governance requires a tailored information strategy for the executive leadership team and the board of directors…. This should include:
    • Essential information needed to monitor and evaluate strategic execution of the organisation.
    • Risks to the achievement of long-term objectives.
    • Risks related to conforming to compliance and reporting requirements.”
  • “….integrating the ERM, FP&A, and budget functions can help to manage risks effectively and to allocate limited capital more quickly and efficiently.”

I am not familiar with the company and its methodology, but based on the limited information in the article, I think there are some areas for improvement:

  1. Rather than selecting strategies and objectives and only then considering risk, the consideration of risk should be a critical element in the strategy-selection process.
  2. The article talks about providing performance and risk information separately to the corporate development and risk functions. Surely, this should be integrated and used primarily by operating management to adjust course as needed.
  3. I am always nervous when the CFO and his team set the budget and there is no mention of how operating management participates in the process. However, it is interesting that the risk function at Mass Mutual is involved.

What do you think? I welcome your comments.

The value of heat maps in risk reporting

June 27, 2015 10 comments

Here is another excerpt from the World-Class Risk Management book. Your comments are welcome.

As you can see, I spend a fair amount of time in the book challenging ‘traditional’ precepts, such as (in this case) the value of heat maps in providing useful information about risks across the enterprise.


Heat Maps

Some prefer a heat map to illustrate the comparative levels (typically using a combination of potential impact and likelihood) of each risk.

A heat map is very effective in communicating which risks rate highest when you consider their potential impact and the likelihood of that impact. The reader is naturally drawn to the top right quadrant (high significance and high likelihood), while items in other quadrants receive less attention.

But there are a number of problems with a report like this, whether it is in the form of a heat map or a table.

  1. It is a point-in-time report.

When management and the board rely on the review of a report that purports to show the top risks to the organization and their condition, unless they are reviewing a dynamically changing report (such as a dashboard on a tablet) they are reviewing information that is out-of-date. Its value will depend on the extent that risks have emerged or changed.

In some cases, that information is still useful. It provides management with a sense of the top risks and their condition, but they need to recognize that it may be out of date by the time they receive it.


  2. It is not a complete picture.

This is a list of a select number of risks. It cannot ever be a list of all the risks, because as discussed earlier risks are created or modified with every decision. At best, it is a list of those risks that are determined to be of a continuing nature and merit continuing attention. At worst, it is a list of the few risks that management has decided to review on a periodic basis without any systematic process behind it to ensure new risks are added promptly and those that no longer merit attention are removed. In other words, the worst case is enterprise list management.

There is a serious risk (pun intended) that management and the board will be lulled into believing that because they are paying regular attention to a list of top risks that they are managing risk and uncertainty across the organization – while nothing could be further from the truth.


  3. It doesn’t always identify the risks that need attention.

Whether you prefer the COSO or ISO guidance, risks require special attention when they are outside acceptable levels (risk appetite for COSO and risk criteria for ISO). Just because a risk rates ‘high’ because the likelihood of a significant impact is assessed as high doesn’t mean that action is required by senior management or that significant attention should be paid by the board. They may just be risks that are ‘inherent’ in the organization and its business model, or risks that the organization has chosen to take to satisfy its objectives and to create value for its stakeholders and shareholders.

This report does not distinguish risks that the organization has previously decided to accept from those that exceed acceptable levels. Chapter 13 on risk evaluation discusses how I would assess whether a risk is within acceptable levels or not.


  4. The assessment of impact and likelihood may not be reliable.

I discuss this further in chapter 12 on risk analysis.


  5. It only shows impact and likelihood.

As I will explain in chapter 13 on risk evaluation, sometimes there are other attributes of a risk that need to be considered when determining whether a risk is at acceptable levels. Some have upgraded the simple heat map I show above to include trends (whether the level of risk is increasing or decreasing) and other information. But it is next to impossible to include every relevant attribute in a heat map.


  6. It doesn’t show whether objectives are in jeopardy.

As I mentioned above, management and the board need to know not only which specific risks merit attention, but whether they are on track to achieve their objectives.

On the other hand, some risk sources[1] (such as the penetration of our computer network, referred to as cyber risk) can have multiple effects (such as business disruption, legal liability, and the loss of intellectual property) and affect multiple objectives (such as those concerned with compliance with privacy regulations, maintaining or enhancing reputation with customers, and revenue growth). It is very important to produce and review a report that highlights when the total effect of a risk source, considering all affected objectives, is beyond acceptable levels. While it may not significantly affect a single objective, the aggregated effect on the organization may merit the attention of the executive leadership and the board.

[1] As noted in the Language of Risk section, many refer to these as “risks” when, from an ISO perspective, they should be called “risk sources” (element which alone or in combination has the intrinsic potential to give rise to risk). For example, the World Economic Forum publishes annual reports on top global risks, which it defines as “an uncertain event or condition that, if it occurs, can cause significant negative impact for several countries or industries within the next 10 years.”

Thoughts about risk analysis

June 19, 2015 7 comments

I have been asked to post excerpts from my new book. It devotes a lot of space to the discussion of risk analysis, including risk appetite, tolerance, and criteria (including why I acknowledge the need to understand risk appetite but regard the definition of risk criteria as crucial to intelligent decisions).

These are from the chapter on risk analysis:

A single number for level of loss does not enable effective decision-making when one of the possibilities is unacceptable but the calculated overall level appears ok.

A [more complex] example is when there is the potential for (net) gain as well as (net) loss. Consider a situation where management is considering bringing a new product to market. Let’s say that break-even will be achieved if sales reach 10,000 units in the first quarter and the likelihood of different outcomes is estimated as follows.

  • 10% likelihood of 5,000 or fewer sales – net loss of $300,000 or more
  • 25% likelihood of 5,000 to 10,000 sales – net loss of $100,000
  • 20% likelihood of 10,000 sales – break-even
  • 20% likelihood of 10,000 to 15,000 sales – net profit of $100,000
  • 25% likelihood of more than 15,000 sales – net profit of $200,000 or more

You can use models ….. to help calculate the likelihood of each of these results. Some (especially for financial risk) might use a model to put a single value on the range of potential consequences.

But, does it make sense for management to look at a single number[1] (+$15,000 if you take the sum of the P X I calculations) when deciding whether to go ahead with the launch? I believe a world-class organization would make its decision by considering all the possibilities. Is management willing to take the risk of a $300,000 loss because of the potential for a $200,000 gain? Does it have the liquidity to sustain such a loss? Does the potential for reward justify taking the risk of a loss? That decision can only be made intelligently when all possible outcomes and their likelihood are understood.

By the way, ‘traditional’ risk management only considers the downside. That is not helping management make intelligent decisions, as is readily seen in this example.

Another problem with trying to put a single number on the level of risk is that the calculation of P X I ignores other attributes of the risk, such as the speed of onset, duration, and so on.


World-class organizations understand that if they are to make intelligent decisions, all relevant information about a risk needs to be obtained in the analysis phase and considered in the risk evaluation phase. The level of risk is not a single number; it is the composite of all information necessary to make an intelligent decision about whether to accept the risk and, if not, what action to take.
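To make the excerpt’s point concrete, here is an added example (my own illustration, not code from the book or from the post) that carries the product-launch distribution above through both ways of deciding: the single P x I number, and an evaluation against risk criteria that looks at every outcome. The risk criteria values (a $250,000 absorbable loss and a 40% ceiling on the likelihood of any loss) are assumptions chosen for illustration, as is pinning each open-ended band to its stated bound. The expected value comes out at the +$15,000 in the excerpt, so the single number says go; the worst case breaches the liquidity limit, so the criteria say no-go and say why.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Outcome:
    """One band of an outcome distribution: its likelihood and the net result in dollars (loss negative)."""
    probability: float
    net_result: float


# Constructed input: the product-launch example from the post. The open-ended bands
# ("net loss of $300,000 or more", "net profit of $200,000 or more") are pinned to the
# stated bound, which understates both tails; a real analysis would model them explicitly.
LAUNCH_OUTCOMES: List[Outcome] = [
    Outcome(0.10, -300_000),   # 5,000 or fewer units
    Outcome(0.25, -100_000),   # 5,000 to 10,000 units
    Outcome(0.20, 0),          # 10,000 units, break-even
    Outcome(0.20, 100_000),    # 10,000 to 15,000 units
    Outcome(0.25, 200_000),    # more than 15,000 units
]


@dataclass(frozen=True)
class RiskCriteria:
    """Hypothetical risk criteria for this one decision (an assumption for illustration, not COSO or ISO text)."""
    max_absorbable_loss: float      # largest single-outcome loss the organization can survive (liquidity)
    max_probability_of_loss: float  # highest likelihood of ending below break-even it will accept


def _validate(outcomes: List[Outcome]) -> None:
    """Reject a distribution whose probabilities fall outside [0, 1] or do not sum to one."""
    if not outcomes:
        raise ValueError("empty distribution")
    if any(not 0.0 <= o.probability <= 1.0 for o in outcomes):
        raise ValueError("probabilities must lie in [0, 1]")
    total = sum(o.probability for o in outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"probabilities sum to {total:.6f}, not 1")


def expected_value(outcomes: List[Outcome]) -> float:
    """The single P x I number: the probability-weighted sum of the net results."""
    _validate(outcomes)
    return sum(o.probability * o.net_result for o in outcomes)


def worst_case(outcomes: List[Outcome]) -> float:
    """The most severe net result in the distribution (the figure the single number hides)."""
    _validate(outcomes)
    return min(o.net_result for o in outcomes)


def probability_of_loss(outcomes: List[Outcome]) -> float:
    """Total likelihood of ending below break-even."""
    _validate(outcomes)
    return sum(o.probability for o in outcomes if o.net_result < 0)


def single_number_verdict(outcomes: List[Outcome]) -> bool:
    """How a decision on the P x I number alone comes out: go if the expected value is positive."""
    return expected_value(outcomes) > 0


def evaluate(outcomes: List[Outcome], criteria: RiskCriteria) -> Tuple[bool, List[str]]:
    """Evaluate every outcome against the criteria; returns (acceptable, reasons it is not)."""
    reasons: List[str] = []
    worst = worst_case(outcomes)
    if -worst > criteria.max_absorbable_loss:
        reasons.append(
            f"worst case {worst:,.0f} exceeds the absorbable loss of -{criteria.max_absorbable_loss:,.0f}"
        )
    p_loss = probability_of_loss(outcomes)
    if p_loss > criteria.max_probability_of_loss:
        reasons.append(
            f"likelihood of a loss {p_loss:.0%} exceeds the accepted {criteria.max_probability_of_loss:.0%}"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    criteria = RiskCriteria(max_absorbable_loss=250_000, max_probability_of_loss=0.40)
    print(f"expected value: {expected_value(LAUNCH_OUTCOMES):+,.0f}")  # +15,000
    print(f"single-number verdict: {'go' if single_number_verdict(LAUNCH_OUTCOMES) else 'no-go'}")
    ok, reasons = evaluate(LAUNCH_OUTCOMES, criteria)
    print(f"criteria verdict: {'go' if ok else 'no-go'}")
    for reason in reasons:
        print("  -", reason)
```

Run the block directly to see the two verdicts side by side. The design choice worth noting is that `evaluate` returns the reasons a decision fails rather than a score or a rating: the reader learns which outcome breaches which criterion, which is the same "what do I need to worry about" question the audit-report excerpt earlier on this page says executives actually ask.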

I always welcome your comments.

[1] Martin Davies of Causal Capital has an interesting perspective. He says that “Risk practitioners who evaluate risk as a single number will miss the shape of uncertainty”. A December 2014 post explains.

Are you interested in a conversation about risk?

June 19, 2015 36 comments

Richard Anderson is one of the more prominent global leaders in risk management. Until recently the chairman of the Institute of Risk Management (IRM) and still a director of that professional association, Richard previously led the risk management practices at several firms including PwC.

Among the thought leadership papers where Richard led development are the IRM’s two papers (one for boards and one for practitioners) on risk appetite and tolerance.

I am working with Richard to see if there is interest in spending a day with him (possibly the two of us) in November, 2015 and/or February, 2016. Attendance would be limited so we can have a discussion rather than lecture.

Topics will probably include:

  • Why do we engage with risk? What is it that makes us humans interested in risk, and why do so many of us take different views of exactly the same risks?
  • How do we balance our inherent risk aversion with our inherent need to take risks? And what about the incentives and the ethical demands placed on us – how do they impact our risk taking?
  • What makes companies engage with risk better? Carrot or stick? Long-term sustainability or short-term regulatory compliance?
  • What is the difference between the “risk” culture and the organizational culture? And how are we going to analyze it?
  • What is risk appetite? A useful concept or an overly complicated piece of mumbo jumbo?
  • Whose views matter on a risk? Yours? Your Customers? Your colleagues?
  • Where is the weakest link in your risk management? Inside the company? Or amongst your suppliers? Or your outsource providers?
  • Do you REALLY care about the three lines of defense? Have you reviewed your second line? And what do the first and third lines know about it?
  • What should the board be thinking about when they are discussing risk?

If this is of interest to you, please let me know in the comments. Please include any preference for location.

