Don’t forget to audit controls!

March 17, 2018

There’s a lot of talk about auditing culture and other significant sources of risk.

I am all for focusing our audit plan on the risks that matter to the enterprise as a whole.

But, let’s not forget that we need to be providing assurance on whether management has the right controls to address those sources of risk and whether they are operating effectively.

A survey or other assessment of the current state, whether of culture or something else, seems to have value.

But it is transitory value. It is an assessment at a point in time. Time marches on and how do we know the conditions we found don’t change as well?

Similarly, there’s a lot of talk about using data analytics as an audit tool to identify potential problems. It also appears to have value. But does that value last?

Years ago, there was a healthy debate on how to audit environmental compliance (the debate may continue, I don’t know).

The two sides to the debate were:

  • Perform an audit that assesses the current state of compliance
  • Perform an audit that assesses whether management has a system of internal control that provides reasonable assurance of compliance

I was and remain very firmly in the second camp.

Not only does this avoid having to express an opinion as to whether the organization is in compliance or not (consider the problem if they are not in compliance), but our work has continuing value.

I feel the same way when it comes to auditing culture, cyber, governance, or any other source of enterprise risk.

Help management fish for a lifetime (we can but hope) rather than feed them fish for a day.

  • Does management understand the culture existing within and across the enterprise?
  • Do they know whether it is consistent with what they need (whether it be risk-taking, ethics, compliance, teamwork, customer orientation, or any other dimension)?
  • How do they know when it changes?
  • Do they have adequate controls to ensure the above and then to take actions as necessary?

The same concern applies to data analytics used by internal audit to find issues.

Unless it is part of a fraud investigation assigned by the board to internal audit, I would prefer to have management detect issues and audit assess whether those detective controls are adequate. Internal audit should not be performing controls. They should be auditing the controls.

What do you think?

Do you share my view that the drumbeat for internal audit to use analytics to find issues is taking us in the wrong direction?

Do you agree that internal audit should not directly assess culture but instead audit how management ensures an appropriate culture?

I welcome your comments.


An idea to help drive effective risk management

March 13, 2018

I have been thinking about how an organization can obtain assurance that risk (what might happen) is appropriately considered in decision-making.

As I have been saying for quite a while now, decision-making is where risk is taken.

We want all decision-makers to consider all the potential consequences of their decision (in fact, all the potential consequences for each option on the table) before making an informed and intelligent judgment.

We want to know that the right level of the right risks is being taken.

Looking at whether the organization’s risk appetite (a concept that frankly doesn’t work well for all sources of risk) has been exceeded is, at best, an after-the-fact control. It should not be satisfactory to management to know only after-the-fact that a poor decision was made.

So I had what might be a novel idea.

Let’s drive risk management effectiveness by improving decision-making – and let’s drive effective decision-making through the performance appraisal process!

Let everybody know that the quality of each individual’s decision-making will be a significant factor in assessing their performance; it will therefore affect their compensation and career progression.

I don’t know how many already assess decision-making as part of the performance appraisal process. I can’t remember it being a factor in the assessments I made and received over the years.

I did find one sample performance appraisal form on the Internet that we can look at. It has a section on decision-making:


The ability to make decisions and the quality and timeliness of those decisions.

  1. Exceptional decision making abilities. Decisions are made in a timely manner.
  2. Above average decision making abilities. Usually makes sound and timely decisions.
  3. Above average decision making abilities. Usually makes sound and timely decisions.
  4. Needs to improve decision making and/or timeliness of decisions.
  5. Unacceptable decisions and/or timeliness.

We can build on this.

How about something like this?


Makes timely, intelligent, and informed decisions after obtaining reliable information and consulting with others (including the risk management function) as appropriate. Considers options and their consequences. Balances the potential for reward against potential harms and other negative consequences before making significant decisions. Complies with corporate risk and other policies and guidance and stays within established risk limits.

  1. Exceptional decision making abilities. Decisions are made in a timely manner.
  2. Above average decision making abilities. Usually makes sound and timely decisions.
  3. Above average decision making abilities. Usually makes sound and timely decisions.
  4. Needs to improve decision making and/or timeliness of decisions.
  5. Unacceptable decisions and/or timeliness.

What do you think?

I welcome your comments.

Is the goal of Risk Governance taking boards in the wrong direction?

March 9, 2018

‘Risk governance’ or ‘risk oversight’ (I see the terms as synonymous) is a topic that comes up quite often in governance codes, regulator and investor group guidance, and (of course) in risk management frameworks.

But is it something that boards should be doing? Should they be providing oversight on risk?

Maybe they should, but perhaps not in the way that most have been doing it – and I would prefer a different description.

A 2012 article by Matteo Tonello of The Conference Board (based on an article by Tim Leech) references a National Association of Corporate Directors Blue Ribbon Commission report that talks about risk oversight in a traditional way:

While risk oversight objectives may vary from company to company, every board should be certain that:

  1. the risk appetite implicit in the company’s business model, strategy, and execution is appropriate
  2. the expected risks are commensurate with the expected rewards
  3. management has implemented a system to manage, monitor, and mitigate risk, and that system is appropriate given the company’s business model and strategy
  4. the risk management system informs the board of the major risks facing the company
  5. an appropriate culture of risk-awareness exists throughout the organization
  6. there is recognition that management of risk is essential to the successful execution of the company’s strategy

This reflects the common board practice of reviewing a list of (exclusively downside) risks and challenging management’s assessment and handling of those risks. There is a focus on approving a risk appetite statement and, if we are lucky, receiving a report from the internal audit head on the effectiveness of (downside) risk management.

I would far prefer the board to be concerned with whether management is taking the right level of the right risks. Even better is whether management is making informed and intelligent decisions.

Success doesn’t come with avoiding or minimizing (downside) risk – it comes from informed and intelligent risk-taking, balancing the potentials for harms and rewards.

Some frameworks and governance codes are slowly moving in the right direction: less of a focus on managing risk (“doom management”) and more on managing the achievement of objectives (“success management”).

For example, ISO 31000:2018 says:

Oversight bodies are often expected or required to:

— ensure that risks are adequately considered when setting the organization’s objectives;

— understand the risks facing the organization in pursuit of its objectives;

— ensure that systems to manage such risks are implemented and operating effectively;

— ensure that such risks are appropriate in the context of the organization’s objectives;

— ensure that information about such risks and their management is properly communicated.

This is not very good, as it doesn’t talk about decision-making or improving the extent and likelihood of success, but at least ISO recognizes that what might happen can include good as well as bad.

COSO ERM 2017 has a principle (#1): “Exercises Board Risk Oversight”. While the language in the following section and in Appendix C (where there is a table that lists, at a very high level, board oversight activities) is not at all specific on what ‘oversight’ means, I give COSO credit for the sentence that details the principle:

The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.

They don’t say that the board should oversee risk. They say the board should oversee the achievement of strategy and objectives.

The 2016 King IV Report on Corporate Governance for South Africa has some excellent language. It starts the section on risk governance with this:

Principle 11: The governing body should govern risk in a way that supports the organization in setting and achieving its objectives.

Recommended Practices

  1. The governing body should assume responsibility for the governance of risk by setting the direction for how risk should be approached and assessed within the organization. Risk governance should encompass both:

    1. The opportunities and associated [downside] risks to be considered when developing strategy; and
    2. The potential positive and negative effects of the same risks on the achievement of organizational objectives.
  2. The governing body should treat risk as integral to the way it makes decisions and executes its duties.

It references risk appetite and other [downside] risk management practices, but is not exclusively a doom management code. It also highlights the need to create value by seizing opportunities.

Perhaps we should discard the term ‘risk governance’ in favor of strategy and performance oversight. The board should be concerned with setting the most appropriate strategy and then executing on it.

My advice for board members is to integrate discussions of strategy, risk, and performance.

Rather than reviewing a list of risks and obtaining assurance that management knows how to identify, assess, and then address things that could go wrong, the board should obtain assurance that management:

  • Is doing a good job of thinking about what could happen in the future, both those with positive and negative effects on the achievement of objectives, and whether that is acceptable or needs attention in some way
  • Is involving the right people and obtaining reliable information about what might happen when making decisions
  • Is disciplined in its decision-making (rather than making off-the-cuff decisions based on ‘experience’ or gut feeling)
  • Is monitoring the situation, both within and outside the organization, so it can respond if conditions change

Assurance should come first from the executive team, preferably the CEO. The opinion of the CRO and the assessment of the CAE should follow.

This way, the board is discharging its responsibilities to ensure stakeholders get the performance they should: value creation as well as (and not just) value protection.

The board should make sure the management team is effective in running the organization, and that is not done by focusing on a list of harms.

Effective governance of an organization is limited if the board focuses on risks.

What do you think?


How do you manage culture?

March 2, 2018

There’s a new ‘Good Practice Guide’ from Australia. The Ethics Centre, Governance Institute of Australia, Chartered Accountants Australia New Zealand, and IIA-Australia recently released Managing Culture – A Good Practice Guide.

This is a topic I have been writing about for several years. In addition to covering it in World-Class Risk Management, I have posted about a dozen times on the topic in the last 5 years, here and at

In my posts, I make the point that there are many aspects or dimensions to culture, just as there are many dimensions to the behavior you want it to drive.

They may include:

  • Acting with integrity
  • Working as a team towards shared goals
  • Putting the enterprise ahead of personal interests
  • Complying with corporate policies
  • Sharing and communicating
  • Listening and empowering
  • Treating all others with respect
  • Respect for authority
  • Tolerance for dissent
  • Considering risk (what might happen) in every decision
  • Being willing to try new ideas and think out of the box
  • Putting the customer first
  • A commitment to the community and the environment
  • Focusing on quality
  • Putting employee and others’ safety first
  • Coming forward to report suspected violations of corporate policies
  • Having a strong work ethic
  • A desire for the health, welfare, and growth of the employees and their families

I suspect that most organizations would embrace these values.

They will want the culture to encourage the related behavior.

The Good Practice Guide talks about many but not all of these dimensions.

In a 2014 blog post, Culture is a Business Issue, I suggested questions that might help an organization assess its culture and whether it is what they want it to be.

  1. Have the executive team and the board defined the culture they want?
  2. Has it been clearly communicated to employees?
  3. What measures are in place to assess whether the desired culture is achieved, and what actions are taken when it is not?
  4. What is the effect on the organization if behaviors are not aligned with the desired corporate culture? Which strategies and objectives are likely to be affected and how? Is this significant? Does it merit action?
  5. Does the management team reinforce the message about desired behavior when they meet employees and others? Are they credible?
  6. Does the management team walk the talk, setting the example they want others to follow?
  7. Do managers (and risk and audit professionals) pay attention to signs that the desired culture is not in place?
  8. Are indicators of deteriorating culture noticed and action taken (for example, employees failing to attend or arriving late at meetings; a high level of stressed managers and staff; loss of key employees and failures to hire talent when needed; a scarcity of smiles and laughter in the office; and so on)?
  9. When actions such as reorganizations and compensation decisions are made, is the potential impact on culture considered?
  10. Are compensation and related programs based, at least in part, on whether employees’ behavior is consistent with the desired culture?

Today, I am suggesting a simple methodology.

  1. Select one or more dimensions of culture and desired behavior – but not all of them. That would not be practical.
  2. For each, what is the desired state? (That becomes the ‘objective’.)
  3. What can happen that would lead individuals or groups to diverge from the desired behavior?
  4. What are we doing to enable the culture we desire?
  5. What controls are in place that would either prevent inappropriate behavior or detect it so that appropriate and timely action can be taken?
  6. Do they provide reasonable assurance that the culture is as it should be and that individuals and groups will behave as desired?

What do you think?

I welcome your comments and suggestions.

The SEC is changing the rules for SOX s302 certifications to include cyber risks

February 25, 2018

You may know that the SEC just published new guidance on the disclosures they are required to make related to cybersecurity.

Here’s a report in the Journal of Accountancy.

But did you realize that the SOX s302 certification now has to address whether disclosure controls are adequate in ensuring that the proper disclosures are made?

Have a look at the SEC guidance.

Here is an extract with the key points highlighted:

Cybersecurity risk management policies and procedures are key elements of enterprisewide risk management, including as it relates to compliance with the federal securities laws. We encourage companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure. Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.

Pursuant to Exchange Act Rules 13a-15 and 15d-15, companies must maintain disclosure controls and procedures, and management must evaluate their effectiveness. These rules define “disclosure controls and procedures” as those controls and other procedures designed to ensure that information required to be disclosed by the company in the reports that it files or submits under the Exchange Act is (1) “recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms,” and (2) “accumulated and communicated to the company’s management … as appropriate to allow timely decisions regarding required disclosure.”

A company’s disclosure controls and procedures should not be limited to disclosure specifically required, but should also ensure timely collection and evaluation of information potentially subject to required disclosure, or relevant to an assessment of the need to disclose developments and risks that pertain to the company’s businesses. Information also must be evaluated in the context of the disclosure requirement of Exchange Act Rule 12b-20. When designing and evaluating disclosure controls and procedures, companies should consider whether such controls and procedures will appropriately record, process, summarize, and report the information related to cybersecurity risks and incidents that is required to be disclosed in filings. Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.

Exchange Act Rules 13a-14 and 15d-14 require a company’s principal executive officer and principal financial officer to make certifications regarding the design and effectiveness of disclosure controls and procedures, and Item 307 of Regulation S-K and Item 15(a) of Exchange Act Form 20-F require companies to disclose conclusions on the effectiveness of disclosure controls and procedures. These certifications and disclosures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact. In addition, to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.

Are you ready for this?

Are your disclosure controls up to the task?

When your CEO and CFO sign the certifications and say that they have not only caused all material information to be made known to them but also assessed and found sufficient the company’s disclosure controls, do they have a reasonable and defensible basis for those assertions?

Love to hear where you are on this.

The updated ISO risk management standard merits our attention

February 24, 2018

You can purchase the ISO 31000:2018 global risk management standard from a number of sources. I got my copy from the US standards organization, ANSI. The ISO press release includes a link to their Swiss site.

There are pluses and minuses, IMHO.

To start with, I like the first part of the Introduction:

This document is for use by people who create and protect value in organizations by managing risks, making decisions, setting and achieving objectives and improving performance.

Organizations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives.

Managing risk is iterative and assists organizations in setting strategy, achieving objectives and making informed decisions.

  1. It is not limited to protecting value, but helps organizations and their people create value. Traditional risk management is focused on the review of a list of risks – what I now refer to as ‘doom management’ and Jim DeLoach calls ‘enterprise list management’ – whereas effective risk management (if we retain that term) should help people take the right level of the right risks to objectives, make informed decisions, and increase the extent and likelihood of success: ‘success management’.
  2. Right from the start, it highlights the need to make quality decisions. By the way, setting an objective or selecting a strategy is a decision and is frankly little different in how it should be done than any other major decision (COSO, please take note).
  3. The second paragraph removes some of the confusion about the meaning of the word ‘uncertainty’ in the 2009 version (where it says “risk is the effect of uncertainty on objectives”, a definition retained in the 2018 update). We are concerned with what might happen (‘external and internal factors and influences’) as we strive to achieve our objectives – and we don’t and never will have a crystal ball so it is uncertain.
  4. Managing risk (a term I greatly prefer to risk management) is an essential part of effective management, and this is at least strongly implied in the third paragraph.

I also like the brevity and simple (for the most part) language of the updated standard.

But the update shares some less positive features with the COSO ERM update:

  1. It still focuses on and talks about “managing risk” when we should be talking about improving the extent and likelihood of success. The common vernacular treats the word ‘risk’ as something negative and ‘managing risk’ as limiting risk – when often we should be taking more! So continuing to talk about risk management and using the ‘r’ word is talking in a language that only ISO devotees are likely to understand the way ISO intends. We should be talking about helping people make informed decisions that take the right level (not too little and not too much) of the right risks!
  2. There really isn’t much help on how you should make informed decisions and take the right level of the right risks, balancing the upside and potential downside consequences of your decision. (See more in my books.)
  3. It still talks about how you identify, assess, and address risk as a one-by-one activity – but in real life there are multiple potential effects. There is no guidance on how to assess the combination of risks, some of which might have positive while others have potential adverse effects.
  4. There is no recognition that the level of risk is not a point. There is no single value for the magnitude of the effect, nor of the likelihood of that level of effect. It’s a range of values and their likelihoods. (Again, see my books.)
  5. The regulators are driving organizations, especially in financial services, to have a risk appetite statement. While I believe this is a concept that does not have practical value for every source of risk, the pressure to have one and measure your levels of risk against it has to be addressed. ISO ignores this reality and the guidance in COSO is poor.
  6. I am starting to dislike the idea of ‘risk oversight’ (mentioned in passing by ISO in the update and more prominent in COSO) or ‘risk governance’. Again, we should be looking at how management assures the board that it is making informed and intelligent decisions that result in taking the desired level (not too much and not too little) of the right risks. ‘Risk governance’ implies oversight of doom management.
  7. It no longer provides useful principles for assessing the effectiveness of what we are doing (risk management, if you like). The COSO principles are too many and include items I would omit, and the ISO principles are a downgrade from those in the 2009 edition. The former ISO principles were crisp and pretty much stood on their own. The update’s principles are more like chapter headings.

Overall, neither the ISO nor the COSO updates will, in my opinion, move the understanding and practice of ‘risk management’ to where they need to be. The updates are small steps when leaps were required.

As I wrote in my earlier post, I see no need to update World-Class Risk Management and instead am trying to stimulate discussion with leadership through Risk Management in Plain English: A Guide for Executives: Enabling Success through Intelligent and Informed Risk-Taking.

What do you think?

I welcome your comments.

Risk Management in Plain English: A Guide for Executives

February 18, 2018

When COSO published its updated ERM Framework last year, I thought about what it would mean for my popular 2015 book, World-Class Risk Management.

Unfortunately, I didn’t see anything in the COSO update, nor in the recently published update of the ISO 31000 global risk management standard, that merited changing anything in the book. (Sad but true.) Frankly, setting aside all pretense of modesty, I think the concepts and guidance in my book are superior.

Instead, I decided to write a totally new book.

Risk Management in Plain English: A Guide for Executives (available from Amazon in hard copy and e-reader formats) has the sub-title, Enabling Success through Intelligent and Informed Risk-Taking.

It is based on a number of principles for effective risk management, which I have shared here many times. They include:

  • It’s not about avoiding harm (“doom management”), it’s about achieving success.
  • It’s about understanding what might happen, determining whether that’s OK, and then acting as needed.
  • To be successful, you need to be making informed and intelligent decisions. Those are where risks are taken. That is how you optimize the likelihood and extent of success: achieving objectives.
  • We should avoid techno-babble and use the language of the business.
  • Risk management can be considered effective when leaders of the organization and decision-makers at all levels assert that it is helping them be successful.
  • The periodic review of a list of risks is a small part of risk management.
  • It’s about helping leaders understand the likelihood of achieving objectives, not the out-of-context size of risks.
  • Risk management is effective management!

I have not tried, in the new book, to change my guidance for risk practitioners. I continue to look to World-Class Risk Management for that.

Risk Management in Plain English focuses much more on guidance for leaders of the organization. I have tried to explain to them, in business English, what effective risk management is – and what their role and responsibilities should be. It is deliberately concise and readily consumed by them.

My hope is that risk practitioners will find the new book useful, would consider sharing it with their leaders, and have a conversation about risk management after everybody has read the book.

Here is the table of contents:


Introduction

I. Executive Summary

II. Are we taking too much or too little risk?
  • The possibility for gain as well as loss
  • The level of risk is not a single point

III. Risk and the CEO
  • Asking the right question
  • Cognitive bias
  • Leading by example
  • The CEO and the CRO

IV. Risk and the Executive Leadership Team
  • Working to the same objectives

V. Risk and the Executive
  • The executive and the CRO
  • The extended enterprise
  • Cross-functional decision-making

VI. Risk Reporting, Review, and Appetite
  • A recommended risk report
  • A list of risks or a heat map
  • Reviewing a list of risks
  • The risk du jour
  • How effective is your risk management program?

VII. Risk Management and the Board
  • Is risk management effective?
  • When the board takes risk
  • Risk and the board’s agenda
  • Should the board ensure the CRO is independent of management?

VIII. Risk Management and the Risk Office

IX. Risk Appetite

X. Converting Risk Management into Action


I hope you will find it useful.