A revolution in risk management

October 22, 2016 33 comments

The management of risk, whether you call it enterprise risk management, strategic risk management, or something else, is about helping an organization achieve its objectives.

All the standards, frameworks, and guidelines[1] talk about risk in terms of its ability to affect the achievement of the organization’s objectives.

Some things might happen that will help[2] and some that will interfere with our progress[3].

Typically, reporting to the management team and the board has been in terms of risks, focusing only on the things that might happen (collected together in categories that reflect where those risks might arise) that would be harmful.

This allows the consideration of risks, but not really how they might affect the achievement of objectives and which ones might be “at risk”.

Why not turn the information around and use it to indicate the likelihood that the organization will achieve each of its objectives? For each initiative, what is the likelihood of success?

Then we can answer these questions.

  • Considering all the things that we have identified might happen, how confident are we that we will meet the objective (within an acceptable level of variation[4])?
  • What is the possibility that we can exceed it?
  • What is the possibility that we will fall short?

That assessment will not only provide valuable insight but enable decisions to be made that will increase the likelihood and extent of success.

The report might look something like this.

                                                 Projected Achievement
Business Objective        YTD Performance   Fall Short    Achieve        Exceed
                                            <6.48%        6.48%-6.52%    >6.52%
Improve revenue by 6.5%   6.52%             15%           80%            5%

What this tells us is that so far we are exceeding our target. However, when we consider all the things that might happen over the rest of the period, there is a 15% possibility that we will fall short of the target. (This should be the judgment of the people responsible for running that part of the business and achieving the objective. It is not intended to be the result of a precise calculation.)

Leadership can consider whether this is acceptable. Should action be taken to improve the likelihood of success?

Leadership can also see that there is a small possibility that the target can be exceeded. What can be done to improve that likelihood without increasing the possibility of falling short?

A report like this moves the conversation from focusing on failure to focusing on success.

It changes the discussion to one that resonates with the executive management team, helping them understand how the management of risk can help them achieve their objectives.

This is a revolution in a couple of ways:

  • It turns the discussion around 180 degrees, from the risks themselves to the objectives they affect, and
  • It demonstrates how the management of risk is of huge value to the organization.

I welcome your comments.

Is this an approach that COSO and ISO should adopt as they upgrade their guidance?

[1] This includes the COSO Enterprise Risk Management – Integrated Framework and the ISO 31000:2009 global risk management standard.

[2] COSO refers to these as opportunities.

[3] COSO refers to these as risks.

[4] COSO refers to this as risk tolerance.

Why do people commit fraud?

October 14, 2016 10 comments

An interesting interview with Eugene Soltes, the Jakurski Family Associate Professor of Business Administration at Harvard Business School, appeared in the Harvard Business School’s Working Knowledge publication. According to the school, “his research focuses on how individuals and organizations confront and overcome challenging situations”.

Why White-Collar Criminals Commit Their Crimes is an ‘author interview’, Soltes having written Why they do it: Inside the mind of the white-collar criminal. I have not read the book, but suggest that those with continuing responsibility for detecting and/or investigating fraud might want to do so.

Soltes makes some interesting points in the interview.

  • …corporate criminals … often lived comfortable, if not extravagant lives before deciding to break the law. So why did they do it?
  • The book dispels the idea that most corporate crooks are masterminds who carefully calculated their illegal acts, weighing the risks and rewards before embarking on their nefarious plans. … More often than not, they didn’t think things through at all.
  • I hope readers can take away a sense that these errors in judgment are much more failures of managerial intuitions and gut instincts, rather than failures of thoughtful reasoning.
  • …many of the subjects in the book … exhibit an overwhelming lack of remorse for what they’ve done. In part, this is because these men are especially good at rationalization. … it’s also because the harmful effects of a white-collar crime are less viscerally obvious to perpetrators than, say, the effects of an assault with a deadly weapon. Hit someone with a bat and you’ll undoubtedly realize the physical harm you’ve caused. But if you engage in insider trading, you likely won’t see the reaction of victims or know the specific damage you caused to many people. So while many of the men in the book are capable of feeling sorry for themselves and their families, there’s little emotional concern for their victims.

At this point in the interview, Soltes makes a critical observation.

Many of the book’s subjects seem to view their crimes as solutions to a problem at work, rather than moral failings.

He continues with a quote from Ponzi schemer Steven Hoffenberg:

Morals go out the window when the pressure is on. When the responsibility is there and you have to meet budgetary numbers, you can forget about morals….When you’re a CEO doing a Ponzi, you have to put your life into different boxes. You don’t have a choice. You have to put your family life into one box, your business in a box, your emotions in another. You’ve got no choice.

Over my decades as a chief audit executive (CAE), I performed or oversaw many investigations around the world.

These last two points ring true for several but not all the culprits.

In probably the majority of cases, the fraudster was acting in his own, personal interests. He wanted and thought he needed the money.

But, very often the individual had persuaded him or herself that they were acting in the best interests of the organization (whether that was the organization as a whole or their part of the organization).

For example:

  • One controller in South East Asia managed his reserves so that he could respond to calls from the corporate office for additional profits. His own unit was doing well, so there was no direct benefit for the controller. But, he thought he was supporting corporate interest.
  • A controller in the South of the USA created journal entries to record fictitious revenue. The intent was to prevent the business unit from reporting losses that might lead corporate management to close it down. (My team found multiple business units who had engaged in this form of fraud with the same rationalization.)
  • A senior executive in Asia directed local management to use a warehouse that he owned in partnership with executives of other organizations (who similarly directed their local management to the warehouse). The senior executive was wealthy and highly placed in the company. He didn’t need the money. But, he rationalized that this deal was good for the company.

People violate their organization’s code of ethics for all kinds of reasons.

While there are some board members and top executives who believe that if you pay people well they won’t steal, that is totally false.

Some people, as Soltes says, are capable of rationalizing anything and don’t see the harm in what they do. They have no remorse as they cannot see how any innocents are damaged.

Soltes makes a further point, that when those around you are taking advantage of opportunities, it is easy to do the same.


I found this interesting. What do you think?


What could go wrong with strategy and its execution?

October 6, 2016 6 comments

In its latest CFO Insights, Deloitte has a piece on Strategy execution: What could possibly go wrong?

The article is worth reading and discusses three ways in which organizations fail – three root causes.

But, are they the most common?

How about these?

  • It’s the wrong strategy! For example, insufficient attention is placed on the actions of competitors and regulators, changes in the market, and so on. In particular, the strategy-setting process does not include all the critical players (such as compliance, risk, and leaders of business units or geographies) and insufficient attention is placed on what might happen, both good and bad.
  • The strategy is not shared across the organization, with incentives tied carefully and closely to the actions necessary to achieve enterprise (and not just personal or team) objectives.
  • Insufficient attention is paid to changing internal and external conditions (which lead to changes in risk, both adverse and positive). As a result, changes to strategies are not made and it’s full steam ahead into the iceberg.
  • Failures in leadership. I was with one company where the majority of employees had lost faith in both the organization’s leadership and their vision.
  • While the overall intent and direction are fine, goals are set that are either beyond what can be achieved (so people give up) or are too easily achieved (so people stop when they are reached and focus on personal objectives).

I am sure there are more.

I welcome your comments.


Is a new maturity model for GRC the right model?

September 25, 2016 4 comments

I have been a proponent and supporter of the OCEG[1] view and definition of GRC for a very long time. In fact, OCEG honored me for my GRC thought leadership by making me one of the first OCEG Fellows (along with my friends, Michael Rasmussen and Brian Barnier).

I remain an advocate of their definition of GRC as well as their focus on Principled Performance.

Very recently, OCEG leadership published a maturity model for GRC (developed by RSA Archer, which has been an active member and sponsor of OCEG for as long as I can remember). You can download it (and become a member for free, which I heartily encourage) from the OCEG web site.

This paragraph from the Introduction to the paper explains both GRC and Principled Performance.

As the think tank that defined the business concept of GRC, OCEG has long talked about the need for a harmonized set of capabilities that enable an organization to reliably achieve its objectives, while addressing uncertainty and acting with integrity. These capabilities are outlined in the GRC Capability Model (“the OCEG Red Book”), the publicly vetted, free and open source standards for GRC planning and execution. The outcome of applying effective GRC is Principled Performance, which demands a mature, integrative approach to governance, risk management and compliance; the component parts of GRC.

GRC is defined by OCEG, repeated in the section above, as “a harmonized set of capabilities that enable an organization to reliably achieve its objectives, while addressing uncertainty and acting with integrity.”

What I like about their definition is:

  • It focuses on achieving objectives and delivering value to stakeholders, not just avoiding harm and remaining in compliance. Risk is managed, not for its own sake, but to help drive performance.
  • It describes a capability that is more than the sum of its parts. It is more than governance[2], which includes not only the operation of the board but those of the legal department, internal audit, the strategic planning function, performance management, investor relations, and more; it is more than simply risk management, because it requires that the consideration of risk be part of the rhythm of the business (credit to EY for that expression) as decisions are made and strategy not only developed but executed; and, it is more than compliance: in fact, the OCEG definition includes not only compliance with applicable laws and regulations (what they call a ‘mandated boundary’) but with societal norms and the values of the enterprise (a ‘voluntary boundary’).
  • It emphasizes the need for harmony between all the various elements of the organization if they are to drive towards and achieve shared goals for the enterprise.

This section from OCEG’s Red Book (version 2.0) builds on the short definition above. It says that GRC is:

“A system of people, processes and technology that enables an organization to:

    • Understand and prioritize stakeholder expectations
    • Set business objectives that are congruent with values and risks
    • Achieve objectives while optimizing risk profile and protecting value
    • Operate within legal, contractual, internal, social and ethical boundaries
    • Provide relevant, reliable and timely information to appropriate stakeholders
    • Enable the measurement of the performance and effectiveness of the system”

The question for me as I review the maturity model is whether it truly describes a GRC capability.

I believe it is a valuable piece of work, but only if you are concerned about the R and the C.

I am afraid that the authors, who are friends as well as colleagues, have fallen into the trap I started talking about more than 6 years ago.

The ‘G’ in GRC is silent.

Where is there mention of everybody, from the board down to the shop floor worker, working to shared objectives? If enterprise objectives are not just set and approved by the board and top management, but cascaded down and across the enterprise with all performance incentives fully aligned, how can we expect the right risks to be taken and value delivered?

Don’t expect harmony when people do not see the songsheet.

Where is there mention of effective decision-making? Both the ISO and COSO risk guidance are moving towards an emphasis on intelligent and informed decision-making. But I don’t see that here.

Where is the integration of performance management and risk management? Sadly, it is not here either.

This is a fine document for risk and compliance maturity. But is it a maturity model for GRC?

Hopefully, there will be a version 2.0 of the model where the G is not silent, where it is in fact dominant.

I welcome your views.


[1] OCEG, the Open Compliance and Ethics Group, is a not-for-profit think tank that focuses on Principled Performance and GRC. It has a wonderful website at www.oceg.org with many valuable resources for members. Membership is free for individuals.

[2] I like the OECD definition of governance: “A set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.”

The Wells Fargo “Staff Scam”: More questions and fewer answers

September 16, 2016 18 comments

Since I wrote about the astonishing Wells Fargo fraud, I have been waiting for additional news to shed some light on what happened – and didn’t happen.

By ‘didn’t happen’, I am referring to the actions that should have taken place to detect the frauds, identify their causes, stop further fraud, and report all of this to the board.

I am not talking about 2016, I am talking about 2011, 2012, 2013, 2014, and 2015.

But, the news has been scarce and little has been revealed.

…Except for interviews with Wells Fargo’s CEO John Stumpf, discussed in a Huffington Post article entitled Wells Fargo CEO Blames Multimillion-Dollar Fraud On The Lowest-Level Employees.

Let’s examine the few facts we know:

  • He does blame some number of rogue employees.
  • He does say that the 5,300 employees that were fired included “some” branch managers and a number of “managers of managers”.
  • He says that neither his nor any other “named person’s” compensation (as I understand it that would include the CEO, CFO, and other highly-compensated individuals) was based on the number of accounts opened.
  • As far as we know, no senior executive has been disciplined.
  • He has not acknowledged any wrongdoing, or even blindness, on his part or by any other senior executive. In fact, he presents himself as an optimistic figure who should be retained to lead the company forward.
  • Under gentle pressure from his friend Cramer in the Mad Money interview, Stumpf acknowledged that he was accountable – but showed no remorse to my eyes. He apologized but was clearly coached – as were many of his answers to Cramer’s questions about holding senior managers to account.

On balance, maybe it is a fair headline. You will decide for yourself.

The Mad Money interview revealed one disturbing ‘fact’.

Stumpf said that the 5,300 employees were fired over a period of 5 years – a rate of about 1,000 each year.

He is not saying that the 1,000 per year was an average with 100 in the first year and thousands towards the end of the five year period. (Apparently, the fraudulent activity was first discovered in 2011.) He implies that the number was about the same each year for 5 years.

He told Cramer that the branch system has about 100,000 employees, so only 1% were involved – as if that was acceptable and even predictable.

So we have to understand that for five years there was a steady stream of 1,000 being fired each year.

We know nothing about those who were subject to less stringent discipline – and of course nothing about anybody who was not found out or where the manager looked the other way.

Given this new information, I have more questions:

  • If about 1,000 people were fired in 2011 for their fraudulent activities, opening accounts for customers that they had not authorized, why wasn’t action taken in 2011 to prevent this fraudulent activity continuing?
  • If another 1,000 were discovered in 2012 and then in 2013, who did nothing? What about 2014 and 2015?
  • Who discovered the frauds, when, and what did they do? Neither Wells Fargo nor the regulators (in the Consent Decree) have identified a whistleblower, internal audit action, or other source.
  • When was this reported to the Compliance Officer, senior and executive management, the board, and internal audit? Were the risk officers ever informed?
  • Was there a concentration of these frauds in a particular region or was it widespread?
  • Who should have known? Are they being held to account?
  • Who should have been watching? Are they being held to account?
  • What happened when a customer complained?
  • Did anybody check customer signatures?
  • Is there a culture of not coming forward?
  • Who set these targets, knowing that many if not most new accounts did not involve ‘new money’, but were funded by transfers from existing accounts? Since they did not influence income, they seem to be silly targets. Wells is refunding just $2.6 million in fees – which is probably less than all the bonuses awarded for opening the 2 million unauthorized accounts.

Internal audit is referenced in the CFPB Consent Decree, but only in a requirement to perform an audit to confirm agreed-upon actions have been taken.

There is no indication that internal audit did in the past or would in the future look at:

  • The setting of compensation targets (for example to confirm they will drive desired behavior and are consistent with the achievement of corporate goals, not just that they deter undesirable behavior as referenced by the regulator)
  • The culture of the organization, how whistleblowers are treated and whether employees are willing to come forward
  • The design and operation of controls over the opening of customer accounts
  • The design and operation of controls around customer complaints, for example to identify trends

We still know very little.

All we can do is hope the board is asking these and other questions – and being more skeptical than Cramer in his interview!!!



The astonishing Wells Fargo fraud

September 10, 2016 43 comments

The news about the staff ‘scam’ (the word used in this article in SC magazine) is mind-boggling.

It’s not just that staff at Wells Fargo “opened an estimated 1.5 million deposit accounts and applied for roughly 565,000 credit card accounts according to the Consumer Financial Protection Bureau (CFPB). Once the accounts were opened the employees transferred money to temporarily fund the new accounts which allowed them to meet sales goals and earn extra compensation.”

It’s not just that Wells Fargo was fined $185 million (including the largest ever fine by the CFPB).

It’s not even that the scam lasted 5 years.

What I found mind-boggling is that (according to CNN Money) Wells Fargo had to fire about 5,300 workers (out of a total staff estimated at 265,000), or 2% of all employees.

In time, I am sure more details will surface.

But I have a problem with this statement from the bank’s CEO:

“Our entire culture is centered on doing what is right for our customers.”

How can he say that when 2% of the total Wells Fargo workforce was fired as a result, presumably, of being involved?

When 2% of employees were fired, you have to assume that more people knew or should have known. The prevailing Wells culture in reality was to do what was right for the staff, not the customers!

According to an article in the NY Times, “Wells said that the employees who were fired included managers and other workers. A bank spokesman declined to say whether any senior executives had been reprimanded or fired in the scandal.”

The lack of information implies, in my mind, that senior executives have not been held to account. Can that be right? I hope that will change.

The CFPB says, “Spurred by sales targets and compensation incentives, employees boosted sales figures by covertly opening accounts and funding them by transferring funds from consumers’ authorized accounts without their knowledge or consent, often racking up fees or other charges.”

The Director of the CFPB adds, “Unchecked incentives can lead to serious consumer harm, and that is what happened here.”

It’s so easy to say that “unchecked incentives can lead to serious harm”. That’s so obvious. It applies to every organization.

It’s also easy to say, as they do, that internal controls failed.

But this incident raises so many questions!

  1. The culture was clearly massively flawed, despite what the CEO says. In fact, his statement reveals a lack of understanding not only of the word ‘culture’ but also of the real problem. I am not sure how the board can have confidence in his ability to change the culture. The surviving employees will be in shock and so risk-averse that the bank will suffer enormously.
  2. The PCAOB and others love to use the word ‘pervasive’. But here is an example of something that is truly pervasive. I believe senior executives either knew or should have known of the problem. Did no employees come forward? Did nobody see a trend in customer queries and complaints about accounts being opened they had not requested? Where was the Chief Compliance Officer?
  3. Was top management asleep or did they just have their eyes and ears closed?
  4. Should risk management have done something?
  5. Where was internal audit?
  6. Where was the board?

We have insufficient information with which to answer these questions.

I don’t know that risk management could or should have done anything. I doubt this kind of scam would be identified as a risk.

I do have to ask whether risk management:

  • had satisfied themselves that the fraud risk assessment (assuming one was done) was complete;
  • were monitoring the level or type of consumer queries and complaints, which should have been a leading risk indicator;
  • had effective monitoring of customer satisfaction, which should have been a risk to assess and watch; and
  • had done sufficient work relating to the organization’s culture.

The same questions apply to internal audit.

But, I would expect internal audit to be more aware of customer complaints and customer satisfaction than risk management. Controls over customer satisfaction risk, and especially responses to complaints, should have at least been considered in building the audit plan.

They should also be more skeptical than risk management can afford to be (for political reasons) of organizational culture, and I have to question whether any warning signals were picked up by auditors in the course of their work. Were they so focused on completing the audit program that they were not watching and listening to what was happening around them? Were they ‘auditing by walking around’? Did they listen to customers at all?

I don’t expect that the board had any reason to believe this was going on. They have to rely on management, risk management, and internal audit for information on culture, the management of fraud and other risks, and the performance of controls.

But I do expect the board to take swift and decisive action once a problem like this appears.

That includes educating the CEO that his comment about Wells’ culture is absurd and that the culture needs to be fixed.

It also includes holding senior management to account. Hopefully we will hear more about that in time.

What do you think?

Do you agree with my comments?

What would you expect from the board, risk management, and internal audit?

Leading an effective information security capability

September 4, 2016 3 comments

With all the press and concern about cyber at all levels of the organization, with the regulators, and among the public, it is a worthwhile exercise to consider what this should mean for the Chief Information Security Officer (CISO) or equivalent.

Some point to the need to elevate the position of CISO to report directly to a senior executive, even to the CEO.

Elevating the position, in my opinion, will not necessarily do more than elevate the voice of cyber in the executive suite. It won’t necessarily drive the resources necessary for an effective cyber program, nor will it necessarily change the minds and attitudes of people from the executives on down.

In fact, elevating the position carries the risk that the CISO will get caught up in organizational politics instead of focusing on cyber risk itself.

Deloitte tackles this and other opportunities in a new piece, The new CISO: Leading the strategic security organization.

Of course, they are using words intended to induce people to read: ‘new’ and ‘strategic’. I think we can easily disregard them and focus on the problem at hand.

First, let’s acknowledge that the role of the CISO (or other individual responsible for information security) should never be considered as simply a compliance function.

Deloitte talks about “the imperative to move beyond the role of compliance monitors and enforcers to integrate better with the business, manage information risks more strategically, and work toward a culture of shared cyber risk ownership across the enterprise”.

But even when I had information security reporting to me 30 years ago, it was about protecting the organization and not just about compliance.

It is foolish to believe that executives or the board will invest if the only return is compliance. Yes, it is necessary but a compliance function will never receive the attention of a function that contributes to the success of the organization. Executives will commit resources to the level they think prudent, but not necessarily what it will take to enable success – because they don’t understand how cyber relates to their personal and corporate success.

If they don’t know that it matters to success, it won’t matter to them.

The successful CISO helps everybody appreciate how cyber contributes to and enables success.

Buried in the Deloitte material are two sections of great importance:

  • While the CISO may think in terms of reducing risks, business leaders take risks every day, whether introducing an existing product to a new market, taking on an external partner to pursue a new line of business, or engaging in a merger or acquisition. In fact, the ability to accept more risk can increase business opportunities, while ruling it out may lead to their loss. From this perspective, the role of the CISO becomes one of helping leadership and employees be aware of and understand cyber risks, and equipping them to make decisions based on that understanding. In some cases, the organization’s innovation agenda may necessitate a more lenient view of security controls.
  • … CISOs [need] to pivot the conversation—both in terms of their mind-set as well as language—from security and compliance to focus more on risk strategy and management. Going beyond the negative aspect of how much damage or loss can result from risk, CISOs need to understand risk in terms of its potential to positively affect competitive advantage, business growth, and revenue expansion.

These are, in my opinion, the keys to an effective cyber program.

If the CISO is going to influence not only the resources he or she is given but the attitude and actions of the organization, it is necessary not only to understand how the business is run, but to talk to executives in the language of the business.

Talk about how the achievement of objectives may be affected by a cyber breach. Talking about specific objectives is the best way to influence hearts and minds.

Help executives make intelligent decisions when it is appropriate to accept a cyber risk to reap a business reward.

Talk business risk, not technobabble.

Do you agree?

Are there other points of value in the Deloitte paper?