I am pleased to confirm that Richard Anderson, the former chairman of the Institute of Risk Management, and I will be hosting a Risk Conversation in Chicago on November 10th.
Richard is one of the most thoughtful leaders in the profession and a dynamic speaker. I know you will enjoy his insights, and I always have an opinion to share!
Risk Reimagined will be an opportunity to join up to 50 fellow risk practitioners, board members, and interested executives (including internal audit leaders) as we discuss and debate what works and what doesn’t when it comes to the effective management of risk.
Among the topics we expect to cover are:
- What is risk anyway? Isn’t it all about decision-making?
- Is risk appetite a useful concept? Can it be made to work in practice?
- How does the board provide effective oversight of risk management?
- How does risk link to performance?
- Is the 3 lines of Defence a useful model?
More information about the event including how to register is at http://riskreimagined.com.
I hope you will be able to join us! If not in Chicago, we plan further sessions in 2016 in Orlando and across Europe if not around the world.
My thanks go to our Gold Sponsors, Resolver and McGladrey.
PS, if you have any difficulty registering, please let Richard (info on the web site) or me know. I am at nmarks2@yahoo,com.
A couple of friends have recently shared items they have seen. I think they are interesting enough to interrupt my vacation and share with you.
First, the disappointing.
The FERMA Forum 2015 is taking place right now in Europe. Strategic Risk sent along an article quoting three of this morning’s speakers. Here is what my friend read:
Thomas Hurlimann – Zurich
“The modern risk manager must manage many different complex country risks on a global scale. These risks are often interconnected and span the full spectrum, from property, liability and directors and officers liability (D&O) insurance to employee benefit risks. The risk manager’s role is thus a very challenging one.”
Alexander Mahnke – Siemens (insurance officer)
“Looking at the role from an evolutionary manner, some decades ago it was sufficient to be an expert in insurance technique. Now, depending on the size of the company, businesses need a good risk and insurance team, which encompasses resources in areas such as engineering, IT, law and, of course, insurance techniques. When I say team, this can also include support from external resources.
“In order to understand the risk, to make it underwritable and to understand where certain trends and claims come from, and then explain this to loss adjusters, you need the right expertise. “Companies need to combine insurance with the technical risk expertise. I keep telling my own team, we are not here because we need to be the best insurance experts in the world, but because we are the necessary link between our company’s risk exposures and whoever is underwriting and potentially taking the risk.”
“In insurance and risk management, we are competing with brokers and insurers to a certain degree. In the past, insurers and brokers educated talent for us. Traditionally, these professionals would consider a career in risk management after working as an insurer or broker for some years. But risk management should be among the first choices.”
Alexander Mahnke – Marsh
Mahnke describes the explosion of “cyber-risk” and the difficulty “risk managers” have in coping with it. That’s only natural as there is limited insurance available for cyber-risk and insurance seems to be the primary solution for this group.
Do these risk managers understand the effective management of risk? Are they leaders of the profession? Or are they hung up in the history of risk being something you insure against?
Now contrast that with what this Wharton professor has to say. I admit to being surprised as I am biased against academics: they tend to write unreadable and non-practical texts. But he is clear and I like much of what he has to say, especially towards the end of the piece.
Why getting directors on board with risk matters makes a couple of interesting points:
- Establishing a risk committee to provide oversight of the management of risk does not seem to have a positive effect on performance. Clearly, risk, strategy and performance need to be considered by the board as a whole – together, not in silos.
- It is only when the board considers both the positive and adverse potential effects of uncertainty that there is an improvement in performance! I was shocked and very pleased to hear this conclusion from the professor. An academic gets it when so many practitioners don’t.
Please listen to the video and let me know what you think.
In August, Jeanette Franzel, a member of the PCAOB Board (i.e., not a staff member) made an interesting presentation to the Annual Meeting of the American Accounting Association.
You can read the text of her speech on the PCAOB web site.
From my reading (and while she states for the record that it is her personal opinion, I would be shocked if PCAOB staff were not aligned), here are the two main concerns:
- The rate of deficiencies identified by the PCAOB Examiners in the audits of the financial statements and internal control over financial reporting (ICFR) continues at about the same high level as in prior years, although some improvements have been noted. The Examiners found deficiencies in the documentation by the auditors of how they determined, for example, the level of precision in management review controls, or why they believed that they had identified the ‘right’ key controls.
- The level of restatements outpaces the level of disclosed material weaknesses. Ms. Franzel believes this merits study. This is also an area of concern to the SEC.
Ms. Franzel also talked about whether PCAOB inspections are leading the audit firms to increase fees. She acknowledged that she is hearing (including from me) that some audit teams are performing work that is not necessary if a top-down and risk-based approach is taken. She said:
At the same time, I’ve heard anecdotal accounts about auditors adding work that is potentially not value-added, while driving up audit fees, in response to PCAOB inspection findings. We’ve also heard that constructive and productive communication is sometimes lacking between auditors and audit clients, with the engagement teams simply telling an audit client that certain work must be done in a particular way “because of PCAOB inspections.”
I believe that there probably are some cases out there where auditors are doing too much work or not the right kind of work in an attempt to respond to or avoid a PCAOB inspection finding, and that communication between the auditors and clients on these matters has not been productive.
To the extent that this is happening, “we” collectively, including the firms, audit teams, issuers, and the PCAOB, need to get a handle on this, so that valuable audit resources are not being diverted from areas that are high risk.
My comment on this is that these audit teams who are not communicating are often unable or unwilling to show the registrant exactly what the PCAOB Examiners have said that is driving the need to perform the work. Frankly, as Ms. Franzel has acknowledge in other remarks, the audit firm has said told management that the Examiners required specific actions when the Examiners don’t provide that kind of detail in their guidance.
Coming back to the issue of why the level of disclosed material weaknesses is less than the level of restatements.
Ms. Franzel comes close to at least a part of the answer in a footnote:
Depending on the timing of the discovery of a misstatement in the financial statements or the announcement of a restatement, in some cases the issuer may be able to effectively remediate any related material weaknesses that could result in a clean audit opinion on ICFR in the year of the announced restatement.
Here are some things for all of us, including the PCAOB and SEC, to consider:
- The assessment of the effectiveness of ICFR is as of the end of the year. However, not only may the deficiency that led to the misstatement driving the restatement have occurred earlier in the year and been corrected, but it may have occurred in a prior year! At Maxtor, where I was CAE and also ran the SOX program, our financial reporting manager (Wai Lim) identified an error in tax-related accounting from a prior year. While we needed to restate, the ICFR issue was in that prior year. Our current ICFR was excellent: it identified a prior period error that had escaped the external audit firm in both prior and current years.
- Internal control does not provide perfect assurance, only reasonable assurance. Errors will occur because controls are performed by humans. When these errors are infrequent, if it is possible to say that the material misstatement was due to a rare mistake and that there is less than a reasonable possibility of a recurrence; it is possible to assess ICFR as effective. AS5 may correctly indicate that a material error is an indicator of a material weakness, but it does not say that it is automatically a material weakness – which would be incorrect.
- Registrants rarely disclose material weaknesses in ICFR or disclosure controls in their quarterly filings with the SEC (although required by §302 of SOX) – even though they have identified deficiencies that, if not remediated, may represent material weaknesses at the end of the year. I believe this is a problem meriting significant attention by the SEC and PCAOB. (The PCAOB because even though the external audit firm does not audit the quarterly financials, they are aware of controls that have failed during the year and have an obligation to comment when the filing contains misstatements.)
By the way, I recommend Francine McKenna’s post, where she focuses on external auditor performance.
I welcome your comments.
Vernon Grose is a veteran of safety management and has received multiple awards in that capacity. Given that background, it is not surprising that he comes to risk management (in which he is recognized by some as an expert) from the loss prevention and insurance side – rather than the enterprise risk management side exemplified by advocates of ISO 31000 and COSO ERM.
In a recent post, Vernon asks these questions – all of which are good:
- How can you get the Board of Directors to take more interest in risk management?
- How can you convince both top management and front line employees to give it more credence and support?
But, I am afraid he gives very poor answers in the form of 4 steps that won’t work! I will let you read them, but note how he ends the piece: “If you cannot secure the desired level of buy-in with these 4 steps, consider whether the organization is deserving of your skills and dedication”.
Mr. Grose’s first is “Know your total cost of risk”. My reply to that is in an article published by CFO in 2012, Total cost of risk redefined. My good friend Carol Fox of RIMS is quoted:
“CFOs don’t think of total cost of risk as what we’re measuring.” While insurance remains important for transferring risk and protecting the balance sheet, Fox said, companies are trying to strengthen their overall risk-management capabilities with an eye to overcoming obstacles to reaching organizational goals. “They’re looking at what their strategic plans are and how those play into risk scenarios,” she said.
Let me see if I can come up with four better steps:
- Show how risk management enables more informed, more intelligent, and therefore better decisions that provide a higher likelihood of success
- Show how risk management helps executives be successful personally as well as enabling the organization to improve the odds and extent of achieving objectives
- Stop talking about losses and start talking about success
- Stop using the techno-babble of risk management, insurance, or loss prevention, and start talking in terms that the executives and the board can relate to – the achievement of objectives, attainment of increased revenue or profits, and the delivery of value to stakeholders
In other words, let’s focus on better decisions and increasing the likelihood and extent of success. Talk to the board and executive management about seizing opportunities as well as avoiding banana skins.
They will listen and pay attention (and contribute resources) to success when they won’t necessarily to simply avoiding failure.
Then act in accordance with those principles. Partner with operating management and help them make better decisions that optimize the results of uncertainty, instead of acting as the corporate police that stops them from taking the risk they believe necessary for success – and inhibits their innovation, entrepreneurship, and speed of decisions.
For those interested in discussing standards and frameworks, which is better in explaining risk management to executives and the board, COSO ERM or ISO 31000? Or, are they only suitable for practitioners? (This is a trick question to a degree – every board member and executive is a risk practitioner.)
I have been writing for a while now, both here and at Marks on Governance, about the need for internal audit to (among others):
- Move to enterprise risk-based auditing
- Audit at the speed of the business
- Communicate the results of its work, including its insights and advice, when they are needed – enabling informed and more effective decisions by management and the board, and
- Work with and for other committees of the board, not just the audit committee
When I wrote about the need for transformation in an article that will be published shortly in the IIA’s magazine, some reviewers expressed the opinion that most internal audit departments have already made that transformation.
I don’t believe that to be true, although if it is then it’s great news!
I believe that most internal audit functions are in the process of transforming. Some have made the move, at least in part, to a more flexible and dynamic audit plan that is updated quarterly or (better) monthly instead of relying on an annual plan. (Because the annual plan leaves you auditing what used to be a risk).
Some departments have moved from full scope and lengthy audits to more nimble, shorter, and focused audits that let them complete their work and share their assessments and advice faster.
A very few departments have realized that a formal audit report, in the traditional manner, takes time and delays communication of results to those who need the information to drive action and decisions. IIA Standards do not require a formal report, only that IA communicate the results of its work. If we are to help the board and executives manage the business at speed, we have to provide significant information at speed. That means that we supplement or even replace the traditional audit report with other forms of communication – from phone calls and meetings, to integrating audit results into management dashboards.
Some CAEs now share their insights, assessments, and advice with a risk committee as well as the audit committee. But few, in my experience, provide reports on strategic risk to the full board, compliance risk to the compliance committee, or governance-related risks to the governance committee of the board.
So while some have transformed their internal audit departments to a degree, I don’t believe many have addressed all of these transforming actions.
In August, Paul Sobel (former chair of IIA and a highly-respected CAE) and I held an OCEG webinar on world-class internal auditing, the subject of my 2014 book. (It followed an OCEG webinar with Richard Steinberg on world-class risk management, the subject of my 2015 book).
In that webinar, I asked the attendees some polling questions. Here are the results:
|Is this a time for internal audit transformation?|
|We have already made the change||19%|
|Is your audit plan based on enterprise-level risks, or on an assessment of risks within process/locations/business units?|
|Risks within processes, business units, etc.||17%|
|A combination of the above||69%|
|It is not risk-based||3%|
|How often is your audit plan updated?|
|As risks change||33%|
The results seem to support my assessment of whether internal audit departments have completed their transformation or are in the process.
Paul and I were pleased to see the recognition that there is a need for transformation. 19% believe they have already transformed. My hats off to them!
We were also pleased to see that relatively few remain wedded to the traditional risk assessment process, where the audit universe is risk-ranked and risks within elements of the audit universe (business units, processes and so on) are included in the audit plan. While only 11% have moved to enterprise risk-based audit plans, the majority build the audit plan based on a combination of top-down and bottom-up risk assessments. I interpret that as their being in transition, because risks that matter to the organization as a whole should take precedence over those that matter to a department or leader of a business unit.
About half of the audit departments represented still rely on an annual plan and only 33% have a dynamic plan that is updated as risks change.
So where is your audit department?
Is there a need for transformation?
By the way, I enjoyed this article about internal audit becoming an organization’s “tiger team”, helping to solve problems.
My thanks go to Deborah Ritchie, editor of Continuity and Risk magazine, for reviewing and commenting on World-Class Risk Management. My thanks also to James Stevenson for letting me know about it (it was a pleasant surprise!)
This is what she said in the September issue (see page 9).
While the principles of risk management are well established, there are numerous hurdles to be overcome in creating and maintaining a long term, effective and valued programme that truly supports the business. Focusing on this challenge, this book sets about tackling the lofty goal of achieving world class risk management – something that author Norman Marks, having spent his entire career leading audit, risk and compliance programmes for a variety of firms, is well positioned to advise on.
In this his fourth book, Marks ultimately proposes that world class risk management can support better decision making – not a new idea in itself, but by dissecting the two common standards used for risk management (COSO and ISO 31000) he offers us a new angle through a critique of the steps involved, along with his own recommendations for improving them.
Marks argues that the risk management apparatus we put in place can often develop a life of its own and may be detached from day-to-day management decision making. To help combat this, one simple recommendation is to simply ask the executives about how they make decisions, and to use their response to evaluate and inform how effective and embedded risk management activity actually is. World Class Risk Management offers a pragmatic, practical and yet sophisticated guide to risk management. It will be useful to professionals seeking to improve their risk management programmes and those involved in considering the practical issues associated with COSO or ISO 31000 implementation.
There are some areas where the author’s recommendations may be difficult to implement in full – perhaps no surprise given that truly ‘world class’ risk management is never going to be an easy ask. As Marks himself admits, achieving world class risk management is not easy and very few (if any) have done so, but hopefully the advice in this book will help many business leaders take practical steps to improve and establish a clearer vision of what it might actually look like.
A text book, dear readers, this is not – neither is it suitable for newcomers to risk management; instead offering a useful and practical commentary to challenge and advance effective risk management at the executive level.
If you have read the book, I would love to hear what you think about it – both whether you obtained any benefit and whether you have substantial disagreement. As my friend Jim DeLoach has said about the book (paraphrased), “if you are wedded to traditional risk management practices, this is not for you. Norman challenges traditional ideas and makes you think”.
People talk all the time about “IT risk”.
But, is this a useful term? Or can it lead people astray?
As my good friend Jay Taylor has said, I believe that “there is no such thing as IT risk, only [IT-related] business risk”.
Why the distinction?
What matters is the effect of a potential situation or event on the achievement of organizational objectives – not the effect on the IT function’s objectives (ok, it may matter to IT’s management, but how much should it matter to the board and executives?)
The investment that should be made by in addressing so-called IT risks should depend on its significance to the achievement of organizational objectives. Any “IT risk” should be assessed in those terms.
That is why I prefer to talk about IT-related business risks (although I am amending that, as explained later).
ISACA got it right in their RiskIT methodology (now consolidated into COBIT): “IT Risk is Business risk associated with the use, ownership, operation involvement, influence and adoption of IT within an enterprise. It consists of IT related events that could potentially impact the business.”
A few reasons why this is important:
- A technology-related risk may be only one of several that could affect the achievement of a corporate objective. All risks related to an objective need to be considered as, when considered together, they may, in aggregate but not individually, indicate a need for action. IT management may consider the risk acceptable, but when considered in combination with other risks to an objective, it is not acceptable to the organization as a whole.
- Some technology-related risks may seem significant to IT and other technical staff, but when considered within the context of business objectives pale in comparison to other risks. Executives and boards have limited capital and resources and they cannot afford to invest them based on the assessment by a silo within the organization.
- There is only too often a disconnect between those in technical functions and those in the executive suite and on the board – due to the technical people talking in technical terms and not being able to explain an issue in business terms. Talking about technology-related business risk forces the discussion to address how the business will be affected.
I have amended my thinking on this in the last year or so. Instead of talking about “IT-related business risk”, I now talk about “technology-related risk”.
- Technology is no longer the sole domain of the IT function. For years, other parts of some organizations (such as the engineering function or similar) have owned specialized technologies. Now, the advent of cloud has enabled every organization to acquire software, often without the need for IT support or capital. I am not sure that the IT department even knows about all the technology deployed across their organization.
- It’s about the use, deployment, etc. of technology broadly across the extended enterprise, which is a clear business issue, not just an IT issue. In addition, many risks are affected by actions and decisions made by the business.
- Not all technology is information technology. While I know some disagree, I don’t consider robots, process control systems or the like “information technologies”.
A recent report from the IIA talks about technology risks. That’s better, but not as good or clear as “technology-related business risks”.
Do you agree? Is there a risk (pun intended) of assessing (and of auditing) risk in silos?