Which comes first, risk or control?

January 24, 2020 9 comments

I think the relationship between risk (what might happen to affect the achievement of objectives) and internal control (what you do to ensure things are done the way you want) is not very well understood.

Here’s my attempt to explain it.

  1. You have controls to ensure that risks (the effect on objectives of potential events, situations, actions, or decisions) are at desired levels. (Note that I said ‘desired’ instead of ‘acceptable’. There’s an important difference.) So you can’t know whether you have the right controls or that the system of internal control is effective if you don’t have a reliable understanding of the more significant risks to objectives today and for the manageable future. You may have a lot of controls that are working just the way you want. But are they the controls you need when the future is shifting and the risks have changed?

Conclusion: any assessment of the system of internal control is predicated on an assessment of the systems around the identification and management of risk (again, what might happen).

  2. You cannot have effective management of risk if you don’t have effective controls around their identification, treatment, and so on. The processes around identifying, assessing, and acting on risks (what might happen) include a number of critical controls. For example, if you rely on analytics to identify emerging risks, you have controls over the development and use of the analytics. If you rely on workshops to debate and assess the potential effects of likely events, you have controls over workshop attendance, conduct, and actions taken. If you have a potential for bad debt, you rely on controls over credit approval.

You are fooling yourself if you believe risk is at desired levels when you have not assessed, and obtained confidence in, the related internal controls.

Conclusion: any assessment of the effectiveness of risk management depends on the assessment of related controls.

Can you assess the overall system of internal controls without considering risk management? I don’t think so, and neither does COSO. That is why there is a risk component in their internal control framework.

What you can do is provide an overall assessment of the system of internal controls as it relates to the more significant risks that were addressed by completed audit engagements.

Can you assess risk management without considering related internal controls? I don’t think so.

What you can do is provide an overall assessment using a risk maturity model (such as I describe in World-Class Risk Management) or indicate that your assessment is subject to the system of internal control being effective.

In World-Class Risk Management, I describe a number of risks to the effective management of risk. For example, the wrong people might be assessing a risk, or individuals might be influenced by their cognitive bias when assessing and acting in response to a risk. If there aren’t effective internal controls to address those risks to the management of risk, how can you assert that risk management is effective?

I strongly encourage management, as well as risk and audit practitioners, to formally assess both their system of internal control and their system of risk management (including, especially, the quality of decision-making) every year.

Boards should demand such assessments, both from executive management and the CAE and CRO.

But such assessments should recognize their interplay and mutual interdependence.

I welcome your thoughts.

A new code sets back the status and practice of internal auditing

January 16, 2020 6 comments

The Chartered Institute of Internal Auditors (the UK affiliate of the global Institute of Internal Auditors) is usually a thought leader, promoting and explaining best and leading internal auditing practices. For example, they have done excellent work on [enterprise] risk-based auditing.

But their latest publication, Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors steps backwards from the progress made by the IIA in its Definition and Core Principles.

Here are my more significant criticisms:

  1. The first and most important failure (and I mean just that) is in how they define the Role and Mandate of internal audit:

“The primary role of internal audit should be to help the board and executive management to protect the assets, reputation and sustainability of the organization.”

The IIA’s Definition of Internal Audit is right when it says that internal audit should help the organization achieve its objectives.

Internal audit should help an organization both create and protect value.

Talking about protection and not the creation of value is a severe limitation of internal audit effectiveness. It implies that internal audit should not address whether:

    • Customers are billed the full price
    • The company takes full advantage of available vendor discounts
    • Management bids effectively for new business
    • Decision-makers are taking the right risks for success
  2. While risk management practitioners are beginning to recognize that effective risk management is far more than a review of a list of the more significant risks, the Code does not:

“It does this by assessing whether all significant risks are identified and appropriately reported by management to the board and executive management.”

  3. Quite disturbing is the fact that the antiquated notion of cyclical auditing is included in the guidance.
  4. The Code says that internal audit reports should focus on “significant control weaknesses”. The global IIA rightly explains that internal audit provides assurance; that is not the same as the Code’s emphasis on reporting weaknesses – it’s a great deal more! Internal audit reports should inform leadership whether the more significant ‘risks’ to the objectives of the company are being effectively managed, and that should include not only harmful ‘risks’ but the optimization of performance as well. Internal audit should explain which enterprise objectives might be affected by identified control weaknesses and by how much.

I have high expectations of this UK organization. I expect to see thought leadership that moves practices forwards. This moves them backwards and is a lost opportunity.

I welcome your opinions and comments.

Risk and Consequences

January 11, 2020 11 comments

I like to think that effective risk management helps the managers of an organization, at all levels, make the informed and intelligent decisions necessary for success – reliably achieving enterprise objectives considering all the things that might happen, both positive and negative.

It’s not about managing the possibility of harmful events or situations.

It’s about managing the likelihood and extent of success.

The likelihood and effect of harmful events and situations, including the consequences of decisions, have to be weighed against the positive outcomes that may arise, and the right risks taken for success.

Let’s consider the things that might flow from a decision.

Imagine we are thinking of raising the sales price of our flagship product. A number of things might happen:

  • Revenue is likely to increase in the short term, at least until customers become willing to change suppliers because our competitors have not increased their prices.
  • The additional revenue could fund further investment in our product line, with positive longer-term revenue increases.
  • But, customers might also be unwilling to pay the higher price, impacting revenue. The change might be immediate but it could also be longer-term.
  • There might be an impact on our reputation, with both short and, especially, longer-term consequences. Perhaps we are no longer seen as a low-cost provider. Perhaps we are seen as a company that takes advantage of its customers. The likelihood is greater that this will harm our reputation than benefit it. Revenue could be impaired, particularly in the longer-term.
  • On the other hand, our competitors might increase their prices right away. Any negative effect would likely disappear, leaving only the positive revenue and cash flow impacts.
  • But, they might seek to take advantage, perhaps with an aggressive marketing campaign, seeking to steal customers and revenue.

Multiple things might happen if we increase our prices.

The effects are not all immediate, with some potential longer-term and even permanent impacts on our business.

We can reduce these effects with a smaller price increase, or amplify them with a larger one.

But we need to look further and deeper.

Each of the scenarios that can be envisaged leaves us in a changed situation. Before we can decide whether and by how much to change our prices, we need to consider whether those situations would be acceptable. If not, what can and should we do?

The options facing us to treat unacceptable situations flowing from our initial price decision will themselves have a range of effects, often a combination of positive and negative consequences. They will lead to another set of situations where we might have to make decisions and act.

For example, a price change now might change our perception in the marketplace as a low-cost supplier of quality products. If that will have a negative effect on revenue, what are we going to do about it? Can we modify our own marketing campaigns? Can we justify it based on quality or other factors like customer service or warranty periods? Can we take advantage of it to reach premium customers?

Let’s say we decide to increase our marketing budget to counter any reputation impact. That money has to come from somewhere. Perhaps our budget for marketing our other products and services will be impaired.

Where am I going with this?

A so-called risk assessment that only focuses on shorter-term effects (even if it includes both positive and negative effects) is limited in its value. Some effects occur later. We may need to act either to address those negative effects or take advantage of opportunities. All of that needs to be considered before an intelligent and fully informed business decision can be made.

There’s a domino sequence of situations that flow from any potential decision. Making a decision now without considering longer-term consequences can have disastrous results.

Consider the US invasion of Iraq. If we were to use all the benefits of hindsight to see what might happen, a series of situations and responses to them, we would probably question the initial decision.

A gives rise to B (after consideration of options), which gives rise to C (again, after considering options), which gives rise to D – and so on.

Are decision-makers thinking through the full range of potential consequences, including those over time and the responses and effects of the responses to them – and so on, for a long period of time?

Is the risk manager helping people make these considered decisions, not only with information and analyses but with quality decision-making processes?

If there is a lack of quality in decision-making, shouldn’t internal audit be drawing attention to it?

Which is the greater risk or threat to an organization, a data breach by outsiders or an inability to make quality decisions?

I welcome your thoughts.

10 Years of Progress

December 17, 2019 6 comments

It’s 10 years since my first blog post in December 2009; Is there value in talking about GRC? remains a relevant question, especially as so many vendors put a GRC label on their software. I’ve written about GRC 97 times since then.

But, thankfully, most practitioners have moved on to focus on those elements of GRC that are meaningful to them rather than trying to implement software for “GRC”. Depending on their role and responsibilities, that may mean risk management, compliance, internal audit, information security or cyber, etc. Sometimes, but not always, one software solution will be the best choice for several areas; but almost never will it be the right choice for every area of GRC.

Of my 689 posts (not including this one), the most viewed is from 2011, Just what is risk appetite and how does it differ from risk tolerance?, which has been viewed a massive 69,617 times (10% of which were in 2019).

But I want to talk about progress in practices since that first post. These will just be highlights.

Risk management

While the great majority of practitioners continue to follow traditional practices (such as developing a list of top risks that is reviewed periodically, perhaps on a heat map), an increasing number recognize that this is a failing practice and have moved on. They recognize that risk management should enable decision-makers to make informed and intelligent decisions that will enable them to take the right risks and achieve enterprise objectives.

Boards and top management teams are similarly starting to ask for more. They recognize that discussing a list of risks is not helping them run the organization for success. It only helps identify potential problems. The focus should be on having an acceptable likelihood of achieving objectives (a better way of thinking about ‘risk appetite’) instead of an acceptable level of risk.

Corporate governance codes and frameworks similarly talk about both risk and opportunity. However, there is little guidance on how to weigh all the pros and cons so you can make those informed and intelligent decisions.

The future is not clear, especially as regulators continue to press traditional practices that might help avoid failures (emphasis on might) but don’t contribute to success.

We need to stop the focus on the management of risk and replace it with a focus on the management of success.

That will take time.


Internal audit

I am pleased by the progress I have seen, especially the move away from a rigid annual plan that is out-of-date even before the first audit. Instead, there is a growing recognition that you need to audit at the speed of risk (or at the speed of the business, if you prefer). That requires a far more flexible audit plan. A majority of functions now update their plan at least quarterly, while leaders are using a continuous planning approach to ensure they address the risks of today and tomorrow rather than of the past.

Compared to 10 years ago, far more are providing their stakeholders with opinions. Most include opinions in their audit reports (micro opinions), while a growing number provide an overall assessment of how enterprise risks and related controls are managed (macro opinions).

But there is still work to be done.

Too few have limited their audits to issues or risks that matter to the success of the organization as a whole (defined by the achievement of enterprise objectives). They may start with an intention of auditing such enterprise-level risks, but then bloat their scope by including areas that, if the controls failed, would not require the attention of top management or the board; in other words, their scope includes issues that don’t matter to the success of the organization as a whole. That time, the time spent on issues that only matter to middle management, can be better spent on other enterprise-level risks.

If you want to be agile, which enables you to pivot promptly to new or changed risks, you can’t afford every audit to be a leviathan. Think of how long it takes to turn an oil tanker.

The other area that I see improving in the future is in communicating the results of the audit.

While executive summaries are getting shorter, they are still written in the language of the auditor and say what the auditor wants to say. Leading functions realize that they need to tell their stakeholders what they, the stakeholders, need to know. For example, what is the effect of any control deficiencies on the ability to execute successfully on business strategies to achieve enterprise objectives? Which objectives might be affected and by how much?

I believe the future is bright and salute the achievements of the past decade.

What do you think?

FYI, in 10 years those 689 posts have been viewed a total of 1,256,639 times!

New guidance for risk committees

December 10, 2019 5 comments

A new publication by the Risk Coalition (a group of organizations in the UK that includes their Institute of Directors, a couple of risk management associations, and the organizations for internal and external auditors) merits our attention.

Raising the Bar: Principles-based guidance for board risk committees and risk functions in the UK Financial Services Sector has some interesting content. For example, it says:

  • In financial services the real risk is to take no risks. We are in the business of managing financial risks.
  • While the concept of the Three Lines of Defence continues to provoke much academic and professional debate, the Risk Coalition believes the basic principle of requiring independent oversight and challenge of management risk-taking remains sound.

In addition, I like that the guidance talks about ‘risk taking’ instead of simply managing risk. It also defines risk as not purely a negative effect on objectives:

The possibility that events will occur that affect the likely achievement of an organisation’s corporate strategy or strategic objectives. Commonly considered as negative events (downside risk), there may be occasions where risks may be exploited to an organisation’s advantage (upside risk).

Its definition of risk culture is also useful:

The combination of an organisation’s desired ethics, values, behaviours and understanding about risk, both positive and negative, that influences decision-making and risk-taking.

There are some key phrases in its definition of a risk appetite framework (which I highlight):

A key, board-approved framework designed to aid effective management decision-making, risk monitoring and reporting, and through which aggregate risk appetite is translated and cascaded into meaningful, calibrated risk thresholds, limits, metrics and indicators aligned to strategic objectives, and embedded throughout the organisation.

I highlighted these sections because in my experience very few risk appetite statements or frameworks are developed in such a way that they influence risk-taking and decision-making at all levels of the organization. For example, how does an HR manager know how his or her decision on which candidates to present might affect enterprise strategic objectives? How does saying that the organization has no tolerance for compliance or safety failures affect decisions on investments in those areas?

The guidance says it is “evolutionary, not revolutionary” and I must agree.

It provides more clarity to traditional thinking about risk management, but doesn’t suggest how to step up to real value-add activities.

In other words, there’s quite a lot missing!

I set up a risk committee when I was CAE and CRO at Business Objects. The first question that had to be addressed was:

Why do we need a risk committee?

If the answer is that we need one to comply with the expectations of the regulators, then we are unlikely to get the full and enthusiastic support of the management team. The team is focused, as should be the board, on achieving the strategic objectives for the organization – in other words, they are focused on the success of the organization, not just its compliance obligations.

I vividly remember a conversation I had many years ago with a senior executive. He was responsible for the company’s trading desk and told me that he couldn’t spend much time answering my questions because he had to get back to running the business and making money.

We get the executives’ attention and support when they appreciate how what we are doing helps them do both – make money and run the business for success. In time, this executive learned how my team and I could help him do both and he became a huge supporter.

The answer to the question should be that the committee helps the board be assured that management is taking the right risks, seizing opportunities wisely, as a result of informed and intelligent decisions.

The answer should not be limited to any form of blinkered focus on managing the possibility of downside events and situations that ignores the need to weigh ALL the potential things that might happen. In other words, is management weighing ALL the pros and cons before making decisions, or is it simply looking at the cons out of context? Even the COSO ERM framework explicitly recognizes that when justified by the opportunity, risk appetites should be exceeded.

So the next question is:

How does the risk committee contribute to success?

I struggle with this myself, in particular the next question:

Why do I need a separate risk committee when strategy and performance are discussed elsewhere?

Separating risk and strategy, or risk and performance management, makes little sense to me – unless your risk committee is there as window-dressing for compliance, rather than helping the organization both protect and create value in its pursuit and achievement of objectives.

I recall a panel discussion at an event years ago in Canada. The CEO of the Hudson Bay Company told us that his board had a Risk and Strategy Committee. I think this is a world-class practice.

So, what do you think? Does it make sense to have a committee that only focuses on the downside? If it is charged with assuring the board that due consideration is given to all the things that might happen during decision-making and risk-taking, how does that work?

I welcome your thoughts.

Guiding Principles of Corporate Governance

December 6, 2019 2 comments

The IIA should be congratulated for its recent publication, prepared in collaboration with the Neel Corporate Governance Center at the University of Tennessee, Knoxville, of Guiding Principles of Corporate Governance.

I still prefer the King Code IV from the Institute of Directors, Southern Africa, because it is more thorough. But the IIA document is definitely worth reading.

One area that I think is weaker than I would like is in defining requirements for the information provided so that the board can monitor performance. Principle 6 doesn’t go nearly far enough for me. The board needs to know promptly when there is an actual or likely obstacle to achieving objectives. It should know about significant events or situations that could affect the interests of stakeholders, whether it be a reputation or perception issue, activities by competitors, and so on.

A report like this would benefit significantly from a study of the incidence and severity of governance failures. Has anybody seen something reliable and recent?

I welcome your thoughts.

What do you like in the IIA guidance? How could it be improved?

Is it sufficient to use as a foundation for a model of governance practices?

A risk case study

December 2, 2019 7 comments

I returned this week from a vacation in Mexico, including a day at the Copper Canyon.

Our tour guide took about 20 of us down the mountain side to see some Tarahumara Indian homes. I decided that I wanted to come back ahead of the group, finding my way back up the path and steps to our hotel at the top.

Let’s walk this through.

My objectives were:

  • Get back to the hotel ahead of the group. Many of the members were slow and I would find it frustrating keeping to their pace instead of mine.
  • Do so safely. While the path was not bad, it also was uneven and unpaved with a lot of rocks and steps to climb. The likelihood of a severe injury was very low indeed and I could accept a slight stumble. But if I moved too quickly, I could fall and bruise myself or worse.

What might happen along the way? In other words, what would a risk manager put on a list or heat map?

  • I might fall. The range of pain and injury went from slight (perhaps 5%) to severe (less than 1%).
  • I might get lost. There were multiple paths and I could easily take the wrong one. If I did that, I was confident (>90%) I could either find my way back and take the right path, continue on the (well-worn) path that would eventually take me back to the hotel, even if the arrival would be delayed, or ask one of the other people that I could see on the paths.

But there was also an opportunity: the chance to enjoy the walk back more than if I were in the middle of a muddling-along group.

I assessed the overall picture and decided that the opportunity outweighed the possibilities for harm.

I started walking, enjoying the faster pace and the fresh air.

But soon I caught up with another member of the party who, unbeknown to me, had also decided to head back early. He was older, with a walking stick, and I was faced with my first decision.

Do I try to pass or do I slow down and follow?

If I tried to pass, the possibility of injury would go up quite a lot. I didn’t try to calculate it, just decided quickly that it was not a ‘risk’ I wanted to take. At the same time, the possibility of getting to the hotel before the crowd was receding. I had to accept that, while looking for an opportunity to pass safely.

The opportunity came a few minutes later when the gentleman stopped to take a rest. I stepped past him with care, but was then presented with a dilemma.

There’s a saying that when you come to a fork in the road, you should take it. That’s what I saw: a fork.

To my right, the path went steeply up the hill. It looked a bit rough, while the path on the left continued straight and level and was clearly well used. There was no sign indicating which way led to the hotel, and the older guy remarked that he had no idea which was the right path to take.

I flipped a mental coin and decided to go left. I was swayed by the fact that the path up the hill presented a greater possibility of falling. It seemed steeper and more uneven than my memory of how we came down. I doubted that was the right way.

The path continued straight and level for a while. Soon, I was wondering whether it was the right path because I couldn’t see where it would start going up the mountainside.

An Indian lady approached. My Spanish is not very good, but I pointed ahead and asked whether it went to the hotel. She said it did. Si!

But after a few more minutes I was starting to believe it was the wrong way. I didn’t think I was lost, because all I had to do was retrace my steps back to the fork.

The foliage cleared and I was able to look up the mountain and see the hotel – which was behind and above me. Now I knew I had gone wrong.

I had to make another decision. Do I continue to where this path might find its way up the mountain (I hoped), or should I turn around? I considered the likelihoods of harm and opportunity and decided that, on balance, it was better to go back.

A few minutes later, I saw a second path leading up. Decision time! This was definitely not the way we came down, but it looked like it should work. Do I take the new option or continue to retrace my steps back to the fork? I weighed the possibilities of getting lost or delayed against the opportunity to get back faster than going all the way back. In addition, the path looked less steep than the way we had come down, so it should be somewhat safer (if my guess was right, since I couldn’t see all the way up the path to the top).

I decided to take the path up. Soon, I saw a path joining mine – with the rest of the group climbing it.

I got to the top, where my wife was waiting for me and asking where I had gone.

What can we learn from this?

  1. The levels of ‘risk and opportunity’, or the effects of uncertainty on my objectives, changed often and without warning. Relying on a list of risks at the start of the journey back would not have been useful.
  2. My ‘risk management’ was iterative and continuous. A periodic assessment, even every 10 minutes, would not have been of great value.
  3. To make my (hopefully informed and intelligent) decisions, I needed to consider all the things that might happen and see which way the scales were tipped.
  4. Trying to assess likelihood and impact with any level of precision was unnecessary. Common sense was sufficient. Many practitioners may have a problem with that, but in real life it’s very often quite clear when the possibility of severe harm is unacceptable.
  5. We do this all the time. ‘Risk management’ is neither new nor a separate process from running our business, making as intelligent and informed decisions as reasonably possible.

I welcome your comments.