Why do so many practitioners misunderstand risk?

November 26, 2016 18 comments

My apologies in advance to all those who talk about third-party risk, IT risk, cyber risk, and so on.

We don’t, or shouldn’t, address risk for its own sake. That’s what we are doing when we talk about these risk silos.

We should address risk because of its potential effect on the achievement of enterprise objectives.

Think about a tree.


In root cause analysis, we are taught that in order to understand the true cause of a problem, we need to do more than look at the symptoms (such as discoloration of the leaves or flaking of the bark on the trunk of the tree). We need to ask the question “why” multiple times to get to the true root cause.

Unless the root cause is addressed, the malaise will continue.

In a similar fashion, most risk practitioners and auditors (both internal and external) talk about risk at the individual root level.

Talking about cyber, or third party risk, is talking about a problem at an individual root level.

What we need to do is sit back and think about the potential effect of a root level issue on the overall health of the tree.

If we find issues at the root level, such as the potential for a breach that results in a prolonged systems outage or a failure by a third party service provider, what does that mean for the health of the tree?

Now let’s extend the metaphor one more step.

This is a fruit tree in an orchard owned and operated by a fruit farmer.

If a problem is found with one tree, is there a problem with multiple trees?

How will this problem, even if limited to a single tree or branch of a single tree, affect the overall health of the business?

Will the owner of the orchard be able to achieve his or her business objectives?

Multiple issues at the root level (i.e., sources of risk) need to be considered when the orchard owner is making strategic decisions such as when to feed the trees and when to harvest the fruit.

Considering, reporting, and “managing” risk at the root level is disconnected from running the business and achieving enterprise objectives.

I remind you of the concepts in A revolution in risk management.

Use the information about root level risk to help management understand how likely and to what extent it is that each enterprise business objective will be achieved.

Is the anticipated level of achievement acceptable?

I welcome your thoughts.


A new front opens in the SOX battle

November 20, 2016 Leave a comment

One of the issues that I address in my SOX Master Classes (the next one is in February) has come of age.

I am talking about the certification signed by the CEO and CFO and included in the quarterly filing with the SEC – the one required by Section 302 of the Sarbanes-Oxley Act.

The issue is this:

  • The CEO and CFO are required by law to assess the state of internal control over financial reporting (and disclosure control) every quarter and report whether or not it is effective as of the date of the quarterly filing.
  • For their own as well as the company’s protection, they need to have a reasonable basis for that assessment.
  • Tests of internal control over financial reporting are typically spread over the year. Some perform tests in every quarter; some during at least a couple of quarters; and few limit their testing to the fourth quarter.
  • Deficiencies in the controls are identified during that testing.
  • Those deficiencies may be assessed as potential material weaknesses if not corrected and retested prior to the end of the year.
  • As a result, potential material weakness frequently not only exist but are known to exist at the time that the CEO and CFO are required to assess and certify internal control over financial reporting.
  • But, for whatever reason, these potential material weaknesses either are not reported to the CEO and CFO (which fails one of the Section 302 requirements: they have to certify that they know about control issues) or are ignored.
  • The CEO and CFO may certify that the systems of internal control and disclosure controls are adequate when they are not.

This is what I have to say in Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization:

In the past, most CEOs and chief financial officers (CFOs) have signed their annual and quarterly certifications—which are included in the financial statements filed with the SEC on Form 10-Q and required by Section 302 of Sarbanes-Oxley—without a rigorous examination of internal controls. Ideally, management has integrated the quarterly and annual assessment processes. Although management is not required to test all its key controls every quarter, it should perform some degree of testing each quarter to support the quarterly Section 302 certification. At a minimum, the Section 302 certification process should include a consideration of the status of the Sarbanes-Oxley project, the results of testing, the severity of any identified control deficiencies, and management’s corrective action plans.

When I was writing the book, I talked to the SEC about this issue. They said that they understood it but it was not a priority at that time.

Well “the times, they are a-changing”.

This recently appeared on the CFO magazine web site in an article on SEC Focuses on Internal Control by a former chief accountant of the SEC’s Division of Enforcement. In the middle of the article is this section:

Specific issues that investigators have been addressing include whether a material weakness: (1) existed in a reporting period before a restatement; (2) was adequately described as to scope; (3) existed, even if there was no material error; and (4) existed in connection with controls and procedures for disclosure, or in connection with 302 certification processes.

In the book and in the class, I recommend that management and the SOX PMO consider how the results of testing during earlier quarters are incorporated into the Section 302 certification process.

For example, is the SOX PMO (or equivalent) included in the disclosure review process?

When potential material weaknesses are discovered during SOX or internal audit testing, my suggestion is to review the issue with the legal function. They can advise the CEO and CFO whether this should be disclosed as part of the Section 302 certification.

This new front is clearly starting to open.

Don’t let it pull you under.

I welcome your comments.

Internal audit reports do the function a great disservice

November 12, 2016 9 comments

How do our stakeholders on the board and in top management assess the value of internal audit?

What do we give them? What do they have on which to base their assessment?

While they probably rely to a great deal on their direct interaction with the chief audit executive (CAE) and perhaps some of his team, the primary internal audit product is the audit report.

Let me state the problem as I see it.

The typical audit report is boring.

The typical audit does not provide the reader on the board or in top management with the information they need to run the organization.

The typical audit report is documentation of the work performed and results obtained. It conveys what we want to say rather than what the leaders of the organization need to know.

The Institute of Internal Auditors (IIA) provides us with mandatory guidance in the Standards. They build on that with recommended guidance in the form of Practice Guides and Advisories.

A new Practice Guide (PG) was published very recently on the topic of Audit Reports: Communicating Assurance Engagement Results.

This post could well get me fired by the IIA. (In addition to posts on this site, I also write posts for the IIA’s own blog site. We take great care to make it clear that when I write I do not represent the IIA or its positions. My posts are my own thoughts. But posts like this one I would not place on the IIA site for obvious reasons.)

So let me say it: this new Practice Guide is not helpful.

The summary blurb (on the page where you download the PA) gets it right when it says:

As the demand for internal audit value shifts from a retrospective view to a forward-looking perspective, internal auditors are expected to adapt with innovative methods to assess and communicate internal audit results.

The trouble is that the model described in the PG has been out-of-date for at least a decade.

The PG describes a style of audit reports that does not provide our stakeholders with the information they need, when they need it, in a form that is actionable.

Over the last decade or two, a couple of people who write books and provide training on audit report writing have stood out (my apologies to the others I am not referencing).

One is Penni Fromm. On her web page, she says:

“Recipients of internal audit reports are busy people. If internal audit and compliance reports don’t tell the risk story quicklyaccurately, and efficiently, those reports will not succeed. They will not convey the critical message about risks that are well-managed and other risks that threaten the organization and demand action.”

Another is Angela Maniak. In her Quick Tips, she says:

  • Make your writing concise, correct, consistent, and inviting.

  • Get your message read, understood, and acted on quickly.

  • Establish your professionalism and credibility through your written words.

I could take the PG apart. But that is not constructive.

Instead, let me excerpt from my new book, Auditing that matters. I may not be objective, but I think the guidance in the book on audit reports alone (which is far more extensive than in the PG) justifies the purchase. You will judge for yourself.

  • It is critical not only to audit what matters, but to communicate what matters.

It is not about communicating what matters to the auditor.

It is about communicating what matters to each of our stakeholders – in operating management, senior and executive management, on the board, and others as appropriate (e.g., regulators and external auditors).

Operating management need to know when anything beyond the trivial is not working the way they intend.

I expect the audit team to communicate that information, relevant insights about root causes and so on, and actionable advice about how to correct the situation as soon as possible.

  • If there is no value in informing more senior management that there was an issue, then I typically won’t mention it – except, perhaps, to say that “additional issues were identified during the audit that were immediately corrected by management”. If I do mention it because the risk, until corrected, was significant, I will also indicate that the risk has now been addressed by management.
  • Executive management doesn’t need all the details; they should be able to rely on their direct reports in operating management to take care of them.

I like to ask the question: “What do they need to know?” They need to know anything that (a) They need to act on; (b) They need to monitor; or, (c) Represents a significant and unacceptable risk to their or the organization’s objectives.

Anything beyond that is not just immaterial to them, but can actually degrade the quality of the report.

  • We need to make it easy for busy executives to read, absorb, and then act on the results of our work.
  • I [want] the executives to be able to read just the first few paragraphs and obtain the most critical information and satisfy their needs.
  • I believe internal audit should provide an opinion: their assessment of the condition of controls and whether they provide assurance that the risks in scope are managed at desired levels.

I like, whenever possible, for the reader of the audit report to see that immediately.

It’s the most important piece of information we communicate, so it should be front and center.

  • If there are facts or issues that don’t require an executive’s attention, why do we need to tell him or her about them?

The executive is entitled to place reliance on operating management to address less significant issues – issues that we communicated in the Closing Meeting.

So, every item that the audit team wants to include in the report that goes beyond what I can see an executive needing to know will come into question from me.

  • Change is our final product.

A finding and recommendation has no value unless it leads to a necessary and appropriate change by management.

These and other points are discussed in detail with examples.

To be fair to the IIA, guidance cannot be too far ahead of practice. As a member of the IIA committee that wrote PGs in the past, I can attest to the challenge of writing useful guidance that will be accepted by the majority but still lead the practice of internal auditing forward.

Unfortunately, I don’t think this PG is consistent with best practice today, let alone what is necessary going forward.

Effectively communicating our assurance, advice, and insights is critical to the success of the profession.

If we fail to do this, we fail to demonstrate the full value of the function.

That’s my opinion. What’s yours?

My new book on Auditing that Matters is available

November 9, 2016 2 comments

Auditing that matters captures my thinking, expressed here and elsewhere, about how an effective internal audit department can make a huge contribution to the success of an organization.

An internal audit department can provide leadership with the confidence it needs in the people, systems, and organization to lead the enterprise to success.

This book is about:

  • Providing the assurance, advice, and insight that the leaders of the organization need
  • Focusing on the risks and issues that matter to the executive management team and the board
  • Practicing enterprise risk-based auditing
  • Communicating effectively to management and the board what they need to know, when they need to know, in a useful and actionable form
  • Building the team and processes necessary to deliver world-class internal audit services

I have been extraordinarily lucky to have a review panel of leading practitioners. This is what they have to say:

  • This is a timely book for internal auditors who want to accelerate their careers. Norman provides powerful career advice and lessons learned for delivering outstanding customer service in a profession where the performance bar is rising daily as are stakeholder expectations….   I would make it a must read for my team members. – Larry Harrington, CAE at Raytheon and former Chairman of the Board of the IIA
  • “For auditors looking for a book on “Value-added auditing”; this is the edition for you! Norman’s clearly describes the how-to methods for auditing that matters, and this is a must read book for all auditing leaders! – Steve Goepfert, retired CAE of United Airlines and former Chairman of the Board of the IIA


  • Norman has pulled clear, insightful and useful recommendations from his years of experience leading top notch internal audit programs.  This book will prove valuable for new and experienced internal audit professionals. – Patty Miller, retired Deloitte partner and former Chairman of the Board of the Institute of Internal Auditors (IIA)


  • This book is packed with lessons for the internal auditor.  A first class opportunity to learn from the experience of others. – Michael Parkinson, Audit Committee member and member of the IIA’s International Internal Auditing Standards Board


  • This is the best book on the real world of internal auditing that I have read, because it gives numerous examples of practical problems and how best to approach and resolve them. Norman has captured his many years of executive audit experience into an easy to read and highly informative addition to the education of the next generation of internal auditors. – John Fraser, retired CAE and CRO with Hydro One


  • Whenever I felt that I was making progress in this profession it was because of other Internal Audit professionals embracing fully our profession’s motto “progress through sharing” and being generous with their experience, know-how and lessons learned from failures and successes. Norman’s book is a wonderful act of generosity with multiple experiences and ideas shared in thoughtful way for us all to reflect upon and build our own progress. – Dominique Vincenti, CAE at Nordstrom, formerly Chief Officer – Global Internal Audit Practices with the IIA


  • Internal Audit, as explained by one of the world’s leading practitioners, reminds us all of the central importance and function that proper governance plays in a well-run organisation. – Tom McLeod, former CAE at Rio Tinto Group and member of the Board of the IIA (Australia)


The book is available now in most locations on Amazon (I recommend the paperback version rather than the Kindle e-book).

Time for a leap change in risk management guidance

November 5, 2016 15 comments

Even though both COSO ERM and ISO 31000:2009 are evolving, moving to a greater emphasis on decision-making and the setting and execution of strategy, the practice of managing risk continues to lag.

I have written in my blogs and spoken in person to thought leaders involved in both COSO ERM and ISO 31000 updates about the need to take a huge leap forward.

When the practice is seen as failing to contribute to success, and limited to a compliance function, something dramatic has to happen.

Nothing recent exemplifies the scale of the problem as A Practical Approach to Institutional Risk Management.

This paper was developed through over 100,000 interviews by the staff of the Education Advisory Board and insights and advice from around 120 practitioners and consultants. (I recognize a number of names in the list of advisors. This may reflect their 2012 rather than 2016 thinking, and it is possible that their advice and insight was not heard.)

So does this paper reflect existing practice?

If so, it is clear why risk management is seen as incidental at best to organizational success.

The authors are focused entirely on risk registers – a list of risks. A list of things that might go wrong.

The issues they discuss are making the list of risks manageable and being able to “treat” those risks.

You will not find a single reference to decision-making.

The only reference to decisions is when the authors point out that the consequences of decisions, risks that are created or modified, are frequently not considered.

As EY points out, using a term I love, the management of risk has to be part of the rhythm of the business.

It has to be integral to how we make decisions, every hour of the day, at all levels across the extended enterprise.

Enterprise list management (to quote Jim DeLoach) is scratching the surface. While those scratches may be sufficient to fool some that risk management is in place, a periodic review of a limited list of risks is like driving down the freeway at speed and only looking at the traffic around you every 15 minutes.

COSO and ISO: it is time for a dramatic move in guidance and standards. You have to lead the way out of the pit of enterprise list management towards the goal of effective enterprise management.

Yes, enterprise management, because the management of risk is not a separate activity. You only succeed if you can anticipate (my new favorite word) what might happen as you journey towards your objectives, and make informed and intelligent decisions as you run the business.

COSO and ISO, are you listening?

Practitioners, please join me in demanding a leap forward.


Cyber security and the board

October 29, 2016 7 comments

In December, I will be presenting on the topic of how much an organization should spend to address its cyber risk.

So, every publication on the topic is getting a little more attention from me than usual.

A software vendor (a new one for me), Delta Risk, recently published a white paper aimed at helping boards address the issue of cyber.

Cyber Security and the Board of Directors (registration required) focuses on financial services organizations.

That is an important point to make because the risk of damage from a cyber breach is generally high for financial services organizations. It is not always as high when it comes to manufacturing, for example.

While I respect the professionals who wrote this paper, I don’t agree with all their points.

For example, they say that the board and its members should be educated on cyber.

That sounds logical, but is it?

Should the board have a greater level of technical knowledge when it comes to cyber than the CEO, CFO, or COO?

Can the board, even if a member has cyber expertise and experience, possibly stay up-to-date?

Isn’t it better by far to obtain assurance that the issues surrounding cyber are being addressed?

  • The top executives are engaged and have a sufficient understanding to make sensible business decisions around cyber
  • Those responsible for information security have the experience, tools, resources, and so on they need to manage the risk at acceptable levels

Delta then suggests that cyber security be incorporated into the Risk Appetite Framework. They get it mostly right when they say:

The [Risk Appetite] Statement should broadly identify the information that is most valuable to the organization based on business considerations; legal and compliance requirements; the financial impact of denial, disclosure, loss, or other exploitation of that information; and other factors.

Risk needs to be expressed in terms of the potential for a breach to affect the achievement of the enterprise’s objectives. Understanding the information assets necessary to support the achievement of objectives is part of the journey, but not the entire journey.

Delta fails when they continue:

Corollary to identifying the information with the most business value is clarifying expectations on how this data is to be protected. Broad statements can be applied here such as “This category of information shall be protected with the most stringent security controls and the highest degree of operational oversight.”

That statement says and means nothing.

Is management willing to spend every penny of revenue on security controls and operational insight? Of course not!

The next paragraph is:

The Statement of Risk Appetite can also be used to establish specific risk-oriented requirements that are tied directly to business strategy. For example, up-time requirements for consumer online banking (e.g., “…On-line banking is available to our customers 99.9 percent of time throughout the year.”) or other business services may be appropriate.

Risk practitioners know that the statement is missing an expression of likelihood.

The statement as shown is an objective. How much risk to that objective is acceptable?

In this environment, where we know for a fact that we cannot provide 100% assurance that a breach can be prevented let alone detected on a timely basis, are we willing to accept a 5% likelihood that a hacker will disrupt the business? How about a 10% likelihood?

Delta is not the only firm that talks about establishing cyber metrics. While it can be useful to monitor completion of policies and procedures, training and so on, how do you measure the ability to detect a breach?

You can have world-class cyber programs and suffer a breach while the negligent competitor down the road escapes.

I don’t find this section useful.

I think it would be better to ask management:

How do you know whether your information security program is effective? How do you measure it?”

The paper has a section on the very important topic of integrating cyber into enterprise risk management.

But I would do it differently.

We are talking about risks to objectives so we need to consider the effect of all risks on each objective.

Integration is not simply adding cyber to the risk register.

Integration is achieved when business decisions are made with due consideration of all risks, including cyber.

So, how much should an organization spend on cyber?

My general theme will be:

  • This is a business decision
  • Understand the level of risk to the enterprise and its business objectives
  • What is an acceptable level of business risk? Consider compliance requirements and the cost of non-compliance
  • What are the options?
  • How much will spending affect the level of risk? Is there a return on additional investment?
  • Is there an option that makes more sense than others?
  • Act
  • Monitor and review very frequently, as risks change at blazing speed

Your thoughts?


By the way, a recent piece in SC Magazine included a useful quote about organizations that seek only to meet regulatory requirements:

Think about [cybersecurity] divorced from the regulatory landscape,” said David Glockner, regional director at the U.S. Securities and Exchange Commission’s Chicago Regional Office, which has its own set of guidelines for publicly traded companies. Rather, “Think about it from a business perspective: What is your most sensitive information? What are your most sensitive operations and what vulnerabilities do you have? And thinking about how you protect what’s critical to your business operation in most instances is going to get you most, if not all of the way, toward being… compliant.”

The biggest obstacle to effective risk management

October 28, 2016 19 comments

A very quick post today.

In an interview, Fiona Davidge, head of the British Standards Institute and a 15-year risk manager, said this – with which I wholeheartedly agree.

She was asked: “What are the biggest obstacles for integrating risk management in all organizational activities for managers in the UK?”

Her answer:

The biggest obstacle is that risk management is often seen as a separate activity which needs specialist risk professionals in order to succeed. Many organizations feel they cannot afford to do this. In fact most organizations do not have, and will never have, a risk professional working for them. We need to encourage organizations to see that everyone in the business owns and manages risk and in acknowledging that fact integrate risk management into their normal business management processes. We already do this in many ways – such as delegated authority for payment sign off, procurement rules and project risk assessments. That these activities are at the heart of risk management for an organization needs to be understood and promoted; it needs to be viewed from that paradigm. Risk understanding and management needs to sit at the centre of all decision making.