While many (including me) talk about the need to integrate the setting and execution of strategy, the management of risk, decision-making, and performance monitoring, reporting, and management, there isn’t a great deal of useful guidance on how to do it well.
A recent article in CGMA Magazine, “8 best practices for aligning strategy, planning, and risk”, describes a methodology used by Mass Mutual, which they call the “Pinwheel”.
There are a number of points in the article that I like:
- “Success in business is influenced by many factors: effective strategy and execution; deep understanding of the business environment, including its risks; the ability to innovate and adapt; and the ability to align strategy throughout the organisation.”
- “….the CEO gathers senior corporate and business unit leaders off-site three times a year. As well as fostering transparency, teamwork, and alignment, this ensures that the resulting information reaches the board of directors in time for its meetings…..The result: The leadership team is more engaged in what the company’s businesses are doing, not just divisional priorities. This makes them more collaborative and informed leaders. This helps foster a more unified brand and culture across the organisation.”
- “A sound understanding of global business conditions and trends is fundamental to effective governance and planning.”
- Comment: understanding the external context is critical if optimal objectives and strategies are to be set, with an adequate understanding of the risks inherent in each strategy and the relative merits of every option.
- “Strategy and planning is a dynamic process, and disruptive innovation is essential for cultural change and strategic agility. Management and the board must continually consider new initiatives that may contribute to achieving the organisation’s long-term vision and aspirations.”
- Key risk indicators are established for strategies, plans, projects, and so on.
- “Evaluation and monitoring to manage risks and the overall impact on the organisation is an ongoing process…..monitoring is a continuous, multi-layered process. In addition to quarterly monitoring of progress against the three-year operating plan and one-year budget, the company has initiated bottom-up “huddle boards” that provide critical information across all levels of the organisation.”
- “Effective governance requires a tailored information strategy for the executive leadership team and the board of directors…. This should include:
  - Essential information needed to monitor and evaluate strategic execution of the organisation.
  - Risks to the achievement of long-term objectives.
  - Risks related to conforming to compliance and reporting requirements.”
- “….integrating the ERM, FP&A, and budget functions can help to manage risks effectively and to allocate limited capital more quickly and efficiently.”
I am not familiar with the company and its methodology, but based on the limited information in the article, I think there are some areas for improvement:
- Rather than selecting strategies and objectives and only then considering risk, the consideration of risk should be a critical element in the strategy-selection process.
- The article talks about providing performance and risk information separately to the corporate development and risk functions. Surely, this should be integrated and used primarily by operating management to adjust course as needed.
- I am always nervous when the CFO and his team set the budget and there is no mention of how operating management participates in the process. However, it is interesting that the risk function at Mass Mutual is involved.
What do you think? I welcome your comments.
Here is another excerpt from the World-Class Risk Management book. Your comments are welcome.
As you can see, I spend a fair amount of time in the book challenging ‘traditional’ precepts, such as (in this case) the value of heat maps in providing useful information about risks across the enterprise.
Some prefer a heat map to illustrate the comparative levels (typically using a combination of potential impact and likelihood) of each risk.
A heat map is very effective in communicating which risks rate highest when you consider their potential impact and the likelihood of that impact. The reader is naturally drawn to the top right quadrant (high significance and high likelihood), while items in other quadrants receive less attention.
But there are a number of problems with a report like this, whether it is in the form of a heat map or a table.
- It is a point-in-time report.
When management and the board rely on the review of a report that purports to show the top risks to the organization and their condition, unless they are reviewing a dynamically changing report (such as a dashboard on a tablet) they are reviewing information that is out-of-date. Its value will depend on the extent that risks have emerged or changed.
In some cases, that information is still useful. It provides management with a sense of the top risks and their condition, but they need to recognize that it may be out of date by the time they receive it.
- It is not a complete picture.
This is a list of a select number of risks. It cannot ever be a list of all the risks, because as discussed earlier risks are created or modified with every decision. At best, it is a list of those risks that are determined to be of a continuing nature and merit continuing attention. At worst, it is a list of the few risks that management has decided to review on a periodic basis without any systematic process behind it to ensure new risks are added promptly and those that no longer merit attention are removed. In other words, the worst case is enterprise list management.
There is a serious risk (pun intended) that management and the board will be lulled into believing that because they are paying regular attention to a list of top risks that they are managing risk and uncertainty across the organization – while nothing could be further from the truth.
- It doesn’t always identify the risks that need attention.
Whether you prefer the COSO or ISO guidance, risks require special attention when they are outside acceptable levels (risk appetite for COSO and risk criteria for ISO). Just because a risk rates ‘high’ because the likelihood of a significant impact is assessed as high doesn’t mean that action is required by senior management or that significant attention should be paid by the board. They may just be risks that are ‘inherent’ in the organization and its business model, or risks that the organization has chosen to take to satisfy its objectives and to create value for its stakeholders and shareholders.
This report does not distinguish risks that the organization has previously decided to accept from those that exceed acceptable levels. Chapter 13 on risk evaluation discusses how I would assess whether a risk is within acceptable levels or not.
- The assessment of impact and likelihood may not be reliable.
I discuss this further in chapter 12 on risk analysis.
- It only shows impact and likelihood.
As I will explain in chapter 13 on risk evaluation, sometimes there are other attributes of a risk that need to be considered when determining whether a risk is at acceptable levels. Some have upgraded the simple heat map I show above to include trends (whether the level of risk is increasing or decreasing) and other information. But it is next to impossible to include every relevant attribute in a heat map.
- It doesn’t show whether objectives are in jeopardy.
As I mentioned above, management and the board need to know not only which specific risks merit attention, but whether they are on track to achieve their objectives.
On the other hand, some risk sources (such as the penetration of our computer network, referred to as cyber risk) can have multiple effects (such as business disruption, legal liability, and the loss of intellectual property) and affect multiple objectives (such as those concerned with compliance with privacy regulations, maintaining or enhancing reputation with customers, and revenue growth). It is very important to produce and review a report that highlights when the total effect of a risk source, considering all affected objectives, is beyond acceptable levels. While it may not significantly affect a single objective, the aggregated effect on the organization may merit the attention of the executive leadership and the board.
 As noted in the Language of Risk section, many refer to these as “risks” when, from an ISO perspective, they should be called “risk sources” (element which alone or in combination has the intrinsic potential to give rise to risk). For example, the World Economic Forum publishes annual reports on top global risks, which it defines as “an uncertain event or condition that, if it occurs, can cause significant negative impact for several countries or industries within the next 10 years.”
I have been asked to post excerpts from my new book. It devotes a lot of space to the discussion of risk analysis, including risk appetite, tolerance, and criteria (including why I acknowledge the need to understand risk appetite, while definition of risk criteria is crucial to intelligent decisions).
These are from the chapter on risk analysis:
A single number for level of loss does not enable effective decision-making when one of the possibilities is unacceptable but the calculated overall level appears ok.
A [more complex] example is when there is the potential for (net) gain as well as (net) loss. Consider a situation where management is considering bringing a new product to market. Let’s say that break-even will be achieved if sales reach 10,000 units in the first quarter and the likelihood of different outcomes is estimated as follows.
- 10% likelihood of 5,000 or fewer sales – net loss of $300,000 or more
- 25% likelihood of 5,000 to 10,000 sales – net loss of $100,000
- 20% likelihood of 10,000 sales – break-even
- 20% likelihood of 10,000 to 15,000 sales – net profit of $100,000
- 25% likelihood of more than 15,000 sales – net profit of $200,000 or more
You can use models ….. to help calculate the likelihood of each of these results. Some (especially for financial risk) might use a model to put a single value on the range of potential consequences.
But, does it make sense for management to look at a single number (+$15,000 if you take the sum of the P X I calculations) when deciding whether to go ahead with the launch? I believe a world-class organization would make its decision by considering all the possibilities. Is management willing to take the risk of a $300,000 loss because of the potential for a $200,000 gain? Does it have the liquidity to sustain such a loss? Does the potential for reward justify taking the risk of a loss? That decision can only be made intelligently when all possible outcomes and their likelihood are understood.
By the way, ‘traditional’ risk management only considers the downside. That is not helping management make intelligent decisions, as is readily seen in this example.
Another problem with trying to put a single number on the level of risk is that the calculation of P X I ignores other attributes of the risk, such as the speed of onset, duration, and so on.
World-class organizations understand that if they are to make intelligent decisions, all relevant information about a risk needs to be obtained in the analysis phase and considered in the risk evaluation phase. The level of risk is not a single number; it is the composite of all information necessary to make an intelligent decision about whether to accept the risk and, if not, what action to take.
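The launch decision above, worked through as an added example (not taken from the book): it computes the single P X I figure and then the facts that figure hides. The loss criterion passed to `evaluate` (a loss of $250,000 or more at no more than 5% likelihood) and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    label: str
    likelihood_pct: int  # likelihood in whole percent
    net_result: int      # dollars; negative is a net loss


# Outcome bands from the product-launch example in the text. Open-ended bands
# ("or more") are entered at their stated bound.
LAUNCH = [
    Outcome("5,000 or fewer sales", 10, -300_000),
    Outcome("5,000 to 10,000 sales", 25, -100_000),
    Outcome("10,000 sales (break-even)", 20, 0),
    Outcome("10,000 to 15,000 sales", 20, 100_000),
    Outcome("more than 15,000 sales", 25, 200_000),
]


def check_distribution(outcomes):
    """Reject a set of outcomes whose likelihoods do not cover 100%."""
    total = sum(o.likelihood_pct for o in outcomes)
    if total != 100:
        raise ValueError(f"likelihoods sum to {total}%, expected 100%")


def single_number(outcomes):
    """Sum of P x I over all outcomes: the one figure the text warns about."""
    check_distribution(outcomes)
    return sum(o.likelihood_pct * o.net_result for o in outcomes) / 100


def likelihood_of_loss(outcomes, at_least=1):
    """Percent likelihood of a net loss of `at_least` dollars or more."""
    check_distribution(outcomes)
    return sum(o.likelihood_pct for o in outcomes if o.net_result <= -at_least)


def evaluate(outcomes, max_loss, max_likelihood_pct):
    """Compare the whole distribution with a (hypothetical) loss criterion."""
    tail = likelihood_of_loss(outcomes, at_least=max_loss)
    worst = min(outcomes, key=lambda o: o.net_result)
    return {
        "single_number": single_number(outcomes),
        "likelihood_of_any_loss_pct": likelihood_of_loss(outcomes),
        "worst_case": worst.net_result,
        "worst_case_likelihood_pct": worst.likelihood_pct,
        "tail_likelihood_pct": tail,
        "within_criteria": tail <= max_likelihood_pct,
    }


if __name__ == "__main__":
    # Hypothetical criterion: a loss of $250,000 or more is tolerable only if
    # its likelihood is 5% or less.
    for key, value in evaluate(LAUNCH, 250_000, 5).items():
        print(f"{key}: {value}")
```

The single number is positive, yet the same distribution carries a 35% likelihood of a net loss and breaches the assumed criterion at the $300,000 outcome.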
I always welcome your comments.
 Martin Davies of Causal Capital has an interesting perspective. He says that “Risk practitioners who evaluate risk as a single number will miss the shape of uncertainty”. A December 2014 post, http://causalcapital.blogspot.sg/2014/12/the-shape-of-risk.html, explains.
Richard Anderson is one of the more prominent global leaders in risk management. Until recently the chairman of the Institute of Risk Management (IRM) and still a director of that professional association, Richard previously led the risk management practices at several firms including PwC.
Among the thought leadership papers where Richard led development are the IRM’s two papers (one for boards and one for practitioners) on risk appetite and tolerance.
I am working with Richard to see if there is interest in spending a day with him (possibly the two of us) in November, 2015 and/or February, 2016. Attendance would be limited so we can have a discussion rather than lecture.
Topics will probably include:
- Why do we engage with risk? What is it that makes us humans interested in risk, and why do so many of us take different views of exactly the same risks?
- How do we balance our inherent risk aversion with our inherent need to take risks? And what about the incentives and the ethical demands placed on us – how do they impact our risk taking?
- What makes companies engage with risk better? Carrot or stick? Long-term sustainability or short-term regulatory compliance?
- What is the difference between the “risk” culture and the organizational culture? And how are we going to analyze it?
- What is risk appetite? A useful concept or an overly complicated piece of mumbo jumbo?
- Whose views matter on a risk? Yours? Your Customers? Your colleagues?
- Where is the weakest link in your risk management? Inside the company? Or amongst your suppliers? Or your outsource providers?
- Do you REALLY care about the three lines of defense? Have you reviewed your second line? And what do the first and third lines know about it?
- What should the board be thinking about when they are discussing risk?
If this is of interest to you, please let me know in the comments. Please include any preference for location.
The Audit Committee Collaboration (six associations or firms, including the National Association of Corporate Directors and NYSE Governance Services) recently published External Auditor Assessment Tool: A Reference for Audit Committees Worldwide.
It’s a good product, useful for audit committees and those who advise them (especially CAEs, CFOs, and general counsel).
The tool includes an overview of the topic, a discussion of important areas to assess (with sample questions for each), and a sample questionnaire to ask management to complete.
However, the document does not talk about the critical need for the audit committee to exercise professional skepticism and ask penetrating questions to test the external audit team’s quality.
Given the publicized failures of the audit firms to detect serious issues (fortunately few, but still too many) – the latest being FIFA (see this in CFO.com) – and the deficiencies continually found by the PCAOB Examiners, audit committees must take this matter seriously.
Let me illustrate with a story. Some years ago, I joined a global manufacturing company as the head of the internal audit function, with responsibility for the SOX program. I was the first to hold that position; previously, the internal audit function had been outsourced. Within a couple of months, I attended my first audit committee meeting. I informed them that there was an internal control issue that, if not addressed by year-end, might be considered a material weakness in the system of internal control over financial reporting. None of the corporate financial reporting team was a CPA! That included the CFO, the Corporate Controller, and the entire financial reporting team. I told them that, apart from the Asia-Pacific team in Singapore, the only CPAs on staff were me, the Treasurer, and a business unit controller. The deficiency was that, as a result, the financial reporting team relied heavily on the external auditors for technical accounting advice – and this was no longer permitted.
The chairman of the audit committee turned to the CFO, asked him if that was correct, and received an (unapologetic) affirmative. The chairman then turned to the audit partner, seated directly to his right, and asked if he knew about this. The partner also gave an unapologetic “yes” in reply.
The chairman then asked the CEO (incidentally, the former CFO whose policy it had been not to hire CPAs) to address the issue promptly, which it was.
However, the audit committee totally let the audit partner off the hook. The audit firm had never reported this as an issue to the audit committee, even though it had been in place for several years. The chairman did not ask the audit partner why, whether he agreed with my assessment of the issue, why the firm had not identified this as a material weakness or significant deficiency in prior years, or any other related question.
If you talk to those in management who work with the external audit team, the most frequent complaint is that the auditors don’t use judgment and common sense. They worry about the trivial rather than what is important and potentially material to the financial statements. In addition, they often are unreasonable and unwilling to work with management – going overboard to preserve the appearance of independence.
I addressed this in a prior post, when I said the audit committee should consider:
- Whether the external auditor has adopted an appropriate attitude for working with the company, including management and the internal auditor
- Whether the auditor has taken a top-down and risk-based approach that focuses on what matters and not on trivia, minimizing both cost and disruption, and
- Whether issues are addressed with common sense rather than a desire to prove themselves
Does your audit committee perform an appropriate review and assessment of the external audit firm and their performance?
I welcome your comments.
For several years now, I have been writing, speaking, and networking with people around the world to discuss risk management. I have reviewed hundreds of articles, surveys, and other publications on the topic, and written about them in my two blogs (on the IIA site and on my personal site).
Writing makes you think, especially when you find something lacking in what you are reading and want to understand what it is – and then convey that to your readers.
All of this has helped me grow in my understanding of risk management – especially when I have an opportunity to debate and discuss the topic with world-class practitioners. I started in 1990 as the leader of an internal audit function taking a true enterprise risk-based approach and helping management understand and address the risks that matter, added the responsibility of building a risk-management function nearly 10 years ago, and today I am a semi-retired and self-styled evangelist for better-run business. This means that I try to help people run their business better through the effective management of risk, oversight and governance of the organization, world-class internal audit, and the wise deployment of technology.
I had fun writing my book on World-Class Internal Auditing. So much so that I decided to write one on World-Class Risk Management (with the advice and support of luminaries such as Grant Purdy, John Fraser, Martin Davies, Jim DeLoach, Alex Dali, Felix Kloman, Arnold Schanfield, Richard Anderson, and more).
Grant Purdy was kind enough to write a challenging foreword.
What is risk management, truly, and what makes for a world-class risk management capability? Why do so many top executives and board members have difficulty seeing how enterprise risk management makes a positive contribution to the success of the organization?
These are the key questions I tackle in the book. A continuing theme is the need to make the management of risk a key ingredient in intelligent decision-making and the successful running of the business. I believe risk management is about more than avoiding pitfalls and threats; it’s about taking the right level of the right risks so that performance and value are optimized.
The book walks through each aspect of effective risk management, including culture; framework and context; risk identification; risk assessment, evaluation, and treatment; and complex issues such as whether a risk management function with a senior executive as chief risk officer who reports on risk to the CEO and the board is necessary or even healthy; whether you can or should try to calculate a single value for the level of a risk; whether risk appetite works in practice; issues with heat maps and other risk reporting methods; and more.
Finally, I suggest that a world-class risk management program goes beyond what many hitherto have described as effective. I disagree with both COSO ERM and ISO 31000:2009 guidance on effective risk management to describe and explain my view:
Not everybody will agree with the ideas and suggestions in the book. My hope is that through open minds and discussion, it will spark a debate that will move the practice of risk management forward.
Expert reviews include:
- “Whether you are a manager, an assurance provider or a risk management professional, the way Norman has written this book and the good sense it contains should cause you to rethink your understanding of risk and how you go about recognising and responding to it.” – Grant Purdy
- “I found World-Class Risk Management an engaging and interesting read. Fair warning: This is not a text book; it is a point-of-view book. If you are only interested in preserving the status quo, I advise you to put this book down! Now! But if you welcome a challenge to your view as to how risk management should function, I encourage you to let Norman take you on a journey to world-class risk management. These changing and disruptive times require that we constantly up our game.” – Jim DeLoach
- “In the last 6 years, Norman has evolved and challenged narrow minded views of risk management that have a bureaucratic audit or compliance-focus approach as well as academic thoughts that do little to increase the performance of an organization and create value. Today, he has gathered his current state of knowledge in risk management in his new book exploring, reviewing and questioning the concept of “World-Class Risk Management” with references to the internationally-adopted ISO 31000 risk management standard.” – Alex Dali
 My earlier book, Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization, is available from the IIA Bookstore or on Amazon. I also have a short book, How Good is your GRC?: Twelve Questions to Guide Executives, Boards, and Practitioners.
The National Association of Corporate Directors (NACD) has published a discussion between the leader of PwC’s Center for Board Governance, Mary Ann Cloyd, and an expert on cyber who formerly served as a leader of the US Air Force’s cyber operations, Suzanne Vautrinot.
It’s an interesting read on a number of levels; I recommend it for board members, executives, information security professionals and auditors.
Here are some of the points in the discussion worth emphasizing:
“An R&D organization, a manufacturer, a retail company, a financial institution, and a critical utility would likely have different considerations regarding cyber risk. Certainly, some of the solutions and security technology can be the same, but it’s not a cookie-cutter approach. An informed risk assessment and management strategy must be part of the dialogue.”
“When we as board members are dealing with something that requires true core competency expertise—whether it’s mergers and acquisitions or banking and investments or cybersecurity—there are advisors and experts to turn to because it is their core competency. They can facilitate the discussion and provide background information, and enable the board to have a very robust, fulsome conversation about risks and actions.”
“The board needs to be comfortable having the conversation with management and the internal experts. They need to understand how cybersecurity risk affects business decisions and strategy. The board can then have a conversation with management saying, ‘OK, given this kind of risk, what are we willing to accept or do to try to mitigate it? Let’s have a conversation about how we do this currently in our corporation and why.’”
“Cloyd: What you just described doesn’t sound unique to cybersecurity. It’s like other business risks that you’re assessing, evaluating, and dealing with. It’s another part of the risk appetite discussion. Vautrinot: Correct. The only thing that’s different is the expertise you bring in, and the conversation you have may involve slightly different technology.”
“Cloyd: Cybersecurity is like other risks, so don’t be intimidated by it. Just put on your director hat and oversee this as you do other major risks. Vautrinot: And demand that the answers be provided in a way that you understand. Continue to ask questions until you understand, because sometimes the words or the jargon get in the way.”
“Cybersecurity is a business issue, it’s not just a technology issue.”
This was a fairly long conversation as these things go, but time and other limitations probably affected the discussion – and limited the ability to probe the topic in greater depth.
For example, there are some more points that I would emphasize to boards:
- It is impossible to eliminate cyber-related risk. The goal should be to understand what the risk is at any point and obtain assurance that management (a) knows what the risk is, (b) considers it as part of decision-making, including its potential effect on new initiatives, (c) has established at what point the risk becomes acceptable, because investing more has diminishing returns, (d) has reason to believe its ability to prevent/detect cyber breaches is at the right level, considering the risk and the cost of additional measures (and is taking corrective actions when it is not at the desired level), (e) has a process to respond promptly and appropriately in the event of a breach, (f) has tested that capability, and (g) has a process in place to communicate to the board the information the board needs, when it needs it, to provide effective oversight.
- Cyber risk should not be managed separately from enterprise or business risk. Cyber may be only one of several sources of risk to a new initiative, and the total risk to that initiative needs to be understood.
- Cyber-related risk should be assessed and evaluated based on its effect on the business, not based on some calculated value for the information asset.
- The board can never have, or maintain, the level of sophisticated knowledge required to assess cyber risk itself. It needs to ask questions and probe management’s responses until it has confidence that management has the ability to address cyber risk.
I welcome your comments and observations on the article and my points, above.