Treating cyber as a business problem

September 23, 2018 6 comments

This post is about wisdom on the one hand and thinking and practices that are less than wise on the other.

I was reading through a 2016 article in the online CSO magazine, CISOs bridge communication gap between technology and risk, when I found these:

Grant Thornton’s Chief Information Security Officer (CISO), said:

“…boards are starting to understand that security is another risk to an organization. It’s not really just an IT issue. The impact that cybersecurity incidents can have on the organization has put it in the same class as other risks to the organization because it can be just as damaging.”

The article also has:

“   at its core, security is an executive level business problem. [James Christensen, vice president of information risk management for Optiv says] “Five years ago that never would have been a part of the conversation, but now the more successful CSOs are doing this.”

Steven Grossman, vice president of strategy and enablement at Bay Dynamics says:

“The goal is to manage security in a more effective way. It’s all about everybody marching to the same drummer. Bringing together all the silos in the business so that there are no silos”.

He also says:

“I need to understand the business goals. I am speaking to them in terms that they are going to understand.”

 

This makes total sense to me.

Cyber risk can only be communicated to leadership in a way that is meaningful and actionable, enabling them to make informed and intelligent decisions, if it is done using business language. To me, that means talking about the potential effect on enterprise objectives.

How else does a CISO help leaders decide between investing in cyber protection, a new product, an acquisition, a marketing initiative, and so on?

 

Now let’s see what EY has to say in Understanding the cybersecurity threat, perspectives from the EY cybersecurity Board summit.

EY does well by citing the National Association of Corporate Directors’ five principles from their Cyber-Risk Oversight: Director’s Handbook series. The first principle is on the right lines:

Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

I believe that it is not sufficient to talk about an “enterprise risk management issue”. We should be talking about managing the organization for success. Considering what might happen (risk) is part of how you set and then execute on objectives and strategies.

But apparently that this not how the delegates at the EY conference think.

The number two takeaway from the Summit is:

The board’s role is not cybersecurity risk management; it is cybersecurity risk oversight.

No.

The board’s role is to provide oversight of how management achieves objectives.

As I keep repeating:

It’s not about managing risk. It’s about managing the organization for success!

There will be times when the board should tell management to take the cyber risk because the monies it would take to reduce cyber risk further are better spent elsewhere, such as on new product development.

If we believe that cyber is a business risk, then let’s act like it is.

Find a way to assess and talk about cyber risk in a way that enables informed and intelligent decisions that weigh those and other business risks against the rewards for taking risk.

Work with operating management to understand how a breach might affect what they are doing and what they plan to do.

Help them make informed and intelligent strategic and tactical decisions.

I welcome your thoughts.

Advertisements

Practitioners in a box

September 14, 2018 11 comments

You know the expression, “think outside the box?”

Well, over the years I have met many risk and audit leaders who did just that.

They came into a new position and formed then led a function that was creative and well-received by top management and the board.

However, they fell in love with their creation.

They thought they had found the answer.

But the world is changing and so are the questions.

What might have been outstanding when established can become barely adequate, if that, over time.

That time may even be as short as a year or two!

What these leaders have done is build a new box around themselves: a box built with the ideas of the past.

Successful leaders are constantly challenging themselves and fixing things even if they are not broken – yet.

They listen to new ideas and techniques, not blindly but with an appropriate level of skepticism and openness.

As you know, I have written here and in my books that the practices of internal audit and risk management need to change.

The practices that worked well in the past don’t help our leaders and the organization to succeed.

The old style of creating and then managing a list of risks, or a static audit plan composed of audits of locations and processes instead of how enterprise risks are managed, needs to be vigorously discarded.

When I speak at conferences around the world, excited auditors and risk practitioners tell me they want to embrace the ideas in Auditing that Matters.

The trouble is their leader lived in a box of his past success.

Is that your world? It sounds claustrophobic to me.

I welcome your thoughts.

Deloitte Internal Audit 3.0 has major flaws

September 7, 2018 11 comments

Earlier this year, Deloitte published Internal Audit 3.0, The future of Internal Audit is now.

It’s great that they are encouraging internal audit departments to change so they can meet modern demands, but their presentation that they are offering something novel and disruptive is way off the mark.

As I read the report, I was almost immediately struck by errors of fact. For example, in Figure 1 on page 2, they show IT auditing as starting around 2010. This is absurd. I was running the IT audit function for a major US corporation in 1981! Indicating that data analytics is a current day development, when it’s a technique that has been used for over 30 years, makes me wonder.

In Figure 2, they show integrated audits and cyber risk starting around 2010 and 2012. Does Deloitte have an alternative set of historical facts?

The authors seem very proud to have come up with the “triad of value that Internal Audit stakeholders now want and need”. That triad of “Assure, Advice, and Anticipate” is nothing new. In fact, the IIA’s Mission Statement (published in 2015) is:

To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

The Core Principles of Effective Internal Auditing (also 2015) include:

  • Provides risk-based assurance.
  • Is insightful, proactive, and future-focused.
  • Promotes organizational improvement.

In three years, Deloitte has come up with new words that, in my opinion, are not as powerful as those the IIA came up with in 2015. (Full disclosure: I was a member of the task force that developed both the Mission and the Core Principles.)

They have replaced “insightful, proactive, and future-focused” (a wonderful set of words, each with great meaning) with “anticipate”.

This is not progress.

When they discuss Assurance, they say:

Assurance on core processes and the truly greatest risks is essential but so is assurance around decision governance, the appropriateness of behaviors within the organization, the effectiveness of the three lines of defense (LoD), and oversight of digital technologies.

I agree with them on assurance related to the risks that matter. I also like the emphasis on decision-making and organizational culture.

But oversight of technology is hardly new, and they don’t seem to understand that when you take an enterprise-risk based approach there is no need to provide separate assurance on individual processes. Audits of how management provides reasonable assurance that the risks that matter are identified, understood, and addressed fully encompass the controls within the processes that manage those risks.

I can’t say more than an emphasis on the 3LoD is absurd. Why call it out? Just focus on the risks that matter and provide proactive and future-focused assurance, advice, and insight.

They also say:

Anticipating risks and assisting the business in understanding risks, and in crafting preventative responses, transforms Internal Audit from being a predominantly backward-looking function that reports on what went wrong to a forward-looking function that prompts awareness of what could go wrong, and what to do about it, before it happens.

This is a management function. Internal Audit should assess whether management has the capability to identify, assess, and address new or changing risks. If they don’t, we can provide advice and insight that will help them upgrade their processes.

They miss the point that insight should refer to the internal auditor sharing more with management than the standard language of the internal audit report. For example, is the manager of the function audited competent and does he treat his employees well? Is there a morale problem?

Then there is this:

Now, what if – using digital assets – core assurance could be automated, significantly reducing the resources needed to cover these traditional, core processes on a more continual basis? Automated core assurance harnesses analytics, robotic process automation (RPA), and artificial intelligence (AI) to monitor controls and flag non-conformance in real time. Combine this with automated reporting, and Internal Audit can communicate non-conformance to the business so they can remediate immediately, rather than only being able to check the controls every few years under a rotational audit plan scenario.

Let me present a contrary view.

  • If digital assets can be deployed to detect non-conformance, they should be used by management as detective controls, not by internal audit (except in rare cases, such as fraud detection).
  • Internal Audit should assess whether management has effective preventative and detective controls in place, not be the control themselves.
  • When Internal Audit uses continuous auditing techniques (which have been advocated for decades), there is a danger that they are not assessing the controls management has in place and therefore are unable to provide an opinion on them.
  • It is quite possible for there to be no errors in the data even though the system of internal control is deficient.
  • This recommendation will support the view of Internal Audit as the corporate police rather than a business partner.

I know some of the Deloitte leaders and don’t understand how they could publish a document like this.

I suggest they read Auditing that Matters (2016).

 

Your thoughts?

Uniting risk management with strategic planning

September 4, 2018 7 comments

Who can argue that the consideration of what might happen (what some refer to as risk) should be part of the strategic planning process?

Objectives and strategies should be set only after thinking carefully about where you are, what is happening around you, and what may happen in the future. They should then be executed on, keeping an eye as you progress on what is happening that may affect the success of your journey.

I much prefer talking about ‘what might happen’ than ‘risk management’, because while the terms should be synonymous, the word ‘risk’ has a negative connotation. Indeed, the practice of risk management is far too often limited to identifying all and only the things that might go wrong and putting them in a list or heat map.

Neither of those (a list of risks or a heat map) helps executives make decisions, including deciding on objectives and strategies and then executing on them.

My good friend, Alex Sidorenko, tells a story I love. He worked with the senior executives to develop a list of the top risks facing a major organization where he was CRO and took it to the CEO for a discussion. The CEO turned his nose up and told Alex that the list wouldn’t change anything he was doing. It wouldn’t help him make decisions and run the company.

Alex returned from this with a resolution to stop focusing on a list of risks (except where required for compliance purposes, when he would do it as cheaply as possible) and focus on what I would call decision support. He works to help people make informed and intelligent decisions.

Now we have an interesting article on this topic by Mike Skorupski, corporate head of ERM at Siemens Games, a renewable energy company in Denmark.

Uniting risk management with strategic planning urges risk practitioners to get more involved in and add more value to the strategy-setting process.

Skorupski sees more in the COSO ERM guidance than I do when it comes to strategy-setting. While I can see that COSO suggests that risks to strategies be identified after objectives and strategies have been established, he reads COSO ERM the way it should have been written: you consider where you are, what is happening, and what might happen before establishing enterprise objectives.

Where I differ from Skorupski is on the focus on the negative.

Objectives and strategies should be set and then managed with an eye on all the things that might happen, both the positive and the negative.

Expert practitioners have tools, like Monte Carlo simulations, that help assess the range of possible future situations and their effects on objectives, and the likelihood of those possible effects.

But, they are only used to using them on calamity management, not on the range of rewards and opportunities.

Do you make decisions by considering only what might go wrong? Or do you also consider what might go well?

Don’t you make decisions after thinking through all the possibilities?

What will management and the board think if the CRO is only telling them about the likelihood of the sky falling?

Chicken Little

Why not help management assess the possibilities of favorable trends in customer spending, an uptick in the economy, or improved pricing by major vendors – using the same methods as they do for potential harms?

 

I welcome your thoughts.

 

Good decisions take time and more

August 26, 2018 4 comments

I have just started Problem, Risk, and Opportunity Enterprise Management by Brian Hagen. (Thanks to Jay Taylor for sharing the good news about the book.)

I have already highlighted some nuggets of wisdom:

  • As Peter Drucker made clear in the 1950’s, “Whatever a manager does, he does through making decisions.” Decision making is the headwaters from which all value creation and protection flow.
  • For the highly complex and impactful decisions faced by corporations, there are good, proven decision analytical methods available: decision analysis, Monte Carlo methods, game theory, and real options. But those methods require experienced experts and significant time and effort to apply. As a result, these methods are consigned to the most complex situations and are not used for generalized decision making. Moreover, decisions have a shelf life. Delaying a decision can be beneficial or deleterious, but usually time is working against you as options begin to dissipate or the situation is redefined by events. Opportunities can become risks, and risks can become costly problems. Decision timeliness matters.
  • Every day, managers at every level within an organization are faced with the challenging question of how to allocate scarce organizational resources against a myriad of competing and usually worthwhile objectives. Of course, answering the question requires a method for sorting through, in an objective and practical manner, all the competing proposals as well as being able to demonstrate that some are better than others in allocating limited organizational resources.
  • A recent study of 500 managers and executives showed that “98% failed to apply best practices when making decisions[1].”

Let me repeat and stress some of those key points.

  • Decision making is the headwaters from which all value creation and protection flow.
  • …good, proven decision analytical methods… require experienced experts and significant time and effort…[and] are consigned to the most complex situations and are not used for generalized decision making.
  • Delaying a decision can be beneficial or deleterious, but usually time is working against you as options begin to dissipate or the situation is redefined by events. Opportunities can become risks, and risks can become costly problems. Decision timeliness matters.
  • Every day, managers at every level within an organization are faced with the challenging question of how to allocate scarce organizational resources against a myriad of competing and usually worthwhile objectives.
  • …answering the question requires a method for sorting through, in an objective and practical manner, all the competing proposals as well as being able to demonstrate that some are better than others in allocating limited organizational resources.
  • 98% [of managers and executives] failed to apply best practices when making decisions.

Achieving success and objectives requires informed and intelligent decisions.

Those decisions are where risk is taken or addressed.

Those decisions are being taken every day across the extended enterprise – not just at periodic executive and board meetings.

A poor decision by a middle manager can have devastating effects on enterprise performance. As I said in World Class Risk Management and Risk Management in Plain English, you can trace the roots of calamities such as the BP Deep Water Horizon spill to poor decisions made below executive levels.

Taking the time to gather information (that is trusted, complete, and up-to-date) and involve the right people is essential to making informed and intelligent decisions. Yet, the great majority of decisions are made quickly and without a great deal of thought.

That may be OK, if the consequences of those poor decisions are inconsequential – but so many are not.

 

Now let’s turn to one of my heroes, Tom Peters.

He recently shared this:

Tom Peters and Tim

I think Tom is, again, right on the money.

Decisions that can affect enterprise objectives should take time.

 

What do you think?

Do risk, governance, and audit practitioners consider the problem of decisions where insufficient time was taken to obtain the necessary information, consult with all affected parties, and THINK about the options?

 

 

[1] E. Larson, “Don’t fail at decision making like 98% of managers do,” Forbes, May 2017

Why are SOX compliance costs increasing so much?

August 22, 2018 2 comments

This is a question answered, to a degree, by Protiviti in their latest annual Sarbanes-Oxley Compliance Survey: Benchmarking SOX Costs, Hours and Controls.

Let me first thank Brian Christensen and Protiviti for their continued annual reporting. They have upgraded it each year to provide additional information (partly, perhaps, in response to my and others’ feedback).

As expected, Protiviti reports a continued rise in SOX costs. This is consistent with what I am hearing from companies, especially those attending my SOX Masters courses[1]. I will expand on that later.

The report provides some interesting numbers on costs, including the average cost by number of unique locations (presumably, although this is not clear in the report, those are “in-scope” locations); by size (based on revenue); and by industry.

Protiviti tell us that if we want more detailed information related to our company size and industry, we can contact them directly.

The Protiviti report shares additional, useful information. I especially like the chart (page 11) that shows the average time per control to update documentation, evaluate control design, test for operating effectiveness, and so on[2]. However, the charts on number of entity or process-level controls and the percentage of them classified as key controls make little sense. They would have done better by telling us the percentage of key controls that were at each level. Note, however, that controls exist at multiple levels within an organization, not just at corporate or process level.

The information on how many organizations had to issue a cyber-security disclosure (as mandated by the SEC) is interesting. I had not seen this before. Apparently, this generally resulted in an increase on SOX compliance hours – although the reason for a significant increase is not clear to me.

As in prior years, the report tells us that most organizations have their internal audit team supporting control testing (78%). A surprisingly large number (66%) help with updating documentation, and 36% are involved in SOX project management.

Protiviti also shares statistics on the level of reliance by the external auditors on management testing. This obviously can be higher when performed by internal audit. A fair number of companies report reliance in the 76% or higher level. I achieved 80% and I have heard from others at that level. Unfortunately, Protiviti did not break either this range (76%-100%) or the 51%-75% level down.

This is how Protiviti explains the reasons for cost increases:

As we have observed in results from the prior few years of our study, hours required for SOX compliance continue to increase for many organizations. And in a majority of companies, hours appear to have risen by 10 percent or more.

Similar to our findings on costs reported earlier, there are many factors at play that are contributing to these increases. These include changing organizational structures resulting from digital transformation and greater demands from external auditors as a result of increased scrutiny from the PCAOB.

Another contributing factor is revenue recognition. After implementing the new ASC 606 Revenue Recognition Standard, companies were required to document their transition controls.

In addition, a growing number of organizations are outsourcing software and business processes. While this offers numerous advantages, there are assurance activities that need to take place around the SOC reports these vendors provide, along with the related management review controls that are required.

Based on what I hear from attendees at my training and so on, there are more important reasons:

  1. The scoping is not really top-down and risk-based. For example:
    1. The scoping for ITGC and even automated controls may be performed by a separate group from that covering business processes.
    2. Controls are being added because they seem important.
    3. Applications are added to the scope because they are ‘involved’ in financial reporting (see the IIA’s GAIT methodology or the SEC’s Interpretive Guidance – they should only be included in scope if they contain functionality relied upon for key business process or entity-level controls).
  2. Because it is not top-down and risk-based, the scope includes far more controls in scope than are necessary. Only those relied upon to prevent or detect a material misstatement that is at least reasonably possible need to be included in scope.
  3. For the same reason, the external auditors are insisting that management include in scope controls where there is no reasonable likelihood of a material error or misstatement should they fail. Management is too timid to challenge!
  4. The external auditors continuously quote the PCAOB Examiners as requiring this or that to be done when that simply is not the case. Unfortunately, management does not ask where the PCAOB is requiring this.
  5. There is no annual reperformance of the top-down and risk-based scoping process to trim out excess fat.
  6. The external auditors are not relying sufficiently on internal audit testing. Management and the board need to exert more pressure.

Here are recommendations, based on a blog from last year (on the IIA site):

  1. Make sure you are focused on financial reporting risk! The scope should include controls required to provide reasonable assurance that material errors or omissions will be either prevented or detected. That means that the likelihood is more than a reasonable possibility. That means more than simply a theoretical possibility and the error or omission has to be material to the consolidated financial statements.
  2. Question why you have controls included in scope where, should they fail, there is less than a reasonable possibility of a material error or omission.
  3. Apply the risk-based, top-down approach to the whole program, including ITGC and how you address the COSO Principles. The ITGC scoping should be a continuation of the scoping, not a separate evaluation. Identify the controls that provide reasonable assurance that the COSO Principles are present and functioning (as defined by COSO, a defect would not be a major deficiency).
  4. Be experts not only in the PCAOB Standards (including AS10 and so on) but also in the SEC’s Interpretive Guidance and SEC/PCAOB Staff guidance – especially Staff Alert Number 11.
  5. Re-evaluate the program every year! The business changes every year and the scope should be reviewed and refined every year.
  6. Read the IIA’s updated guidance (my book): Management’s Guide to Sarbanes-Oxley Section 404, 4th Edition. (FYI, I receive no income from sales of this book: it al goes to the IIA Reseach Foundation.)
  7. Have the CFO, CEO, and the audit committee press the external auditors to rely as much as possible on internal audit testing

 

I welcome your comments.

[1] For information on these classes, the next one of which is on September 20-21 in Chicago, please contact Emily@marcusevansch.com

[2] Protiviti can improve this in their next report by breaking down the statistics further, telling us the average time to document, test, etc. manual vs automated controls vs ITGC controls

Emerging risks: who is watching?

August 17, 2018 8 comments

It seems that “emerging risks” are a topic du jour.

  • “Emerging risks can be new and unforeseen risks whose potential for harm or loss is not fully known.” – Marsh & McLennan
  • “Emerging risks are those risks an organization has not yet recognized or those which are known to exist, but are not well understood. To quote Donald Rumsfeld, former US Secretary of Defense, ‘There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.’ An ERM program that does not address the potential challenges created by the existence and development of emerging risks will not meet its goal of protecting, and generating opportunity for, the organization.” – RIMS
  • “Emerging risks are ‘newly developing or changing risks that are generally characterized by major uncertainty’. This uncertainty is ‘partly derived from the lack of historical data that characterizes them, but also from scientific-technological, socio-political or regulatory changes that can create discontinuities in their evolution’”. – AXA

I have no problem with any of these definitions.

I do find it interesting that each of the sources say that assessing emerging risks is more difficult than previously identified risks, generally because there is less historical data.

But who should be alert and watching for emerging risks: things that might happen (a better expression than the ‘R’ word, ‘risk’, because of its negative impression) that might affect the achievement of enterprise objectives?

 

It’s always interesting to listen to and read the thoughts of Richard Chambers, CEO and President of the IIA.

Richard recently shared Internal Audit and Emerging Risks: From Hilltops to Desktops.

I like the distinction he draws between hindsight, insight, and foresight – although those of us who chose ‘insight’ as an important word to include in the IIA’s Mission for Internal Auditing and in the Core Principles for Effective Internal Auditing might assert that it is forward looking.

I also like this turn of phrase (with a word or two added by me).

Stakeholders seek to navigate the future more than revisit the past or dwell in the present. It is time for internal auditors to focus our telescopes ahead. We need to concentrate on the risks of today and tomorrow if we are to not only protect but enhance value for our organizations.

Where Richard and I disagree is in the role of internal audit in identifying or responding to emerging risks. He says:

“…stakeholders are generally unimpressed with our acumen at detecting emerging risks. In a 2016 KPMG survey of chief financial officers and audit committee chairs, only 10 percent agreed that their internal audit function adequately identified and responded to emerging risks that threatened their companies.”

It is NOT internal audit’s responsibility to identify, assess, or respond to risk.

It is a MANAGEMENT responsibility.

As you can see, I want to shout that from the rooftops.

If I were a board member or CEO, I would be aghast (such a good word) if an executive told me that he or she relied on internal audit to identify, assess, or respond to risks, whether existing or emerging.

That’s his or her job.

If they are not up to doing it, they should be fired.

So what is internal audit’s role[1]?

  1. Provide assurance on management’s ability to understand and address what might happen on the path to achieving the enterprise’s objectives
  2. Provide additional advice and insight that will help stakeholders understand the current situation and take actions as appropriate
  3. Act as evangelists across the organization for risk management (or the ability to make informed and intelligent decisions, which is a more advanced expression and a tougher challenge)
  4. Provide assurance, advice, and insight on the internal controls relied upon to manage risks to enterprise objectives
  5. Be agile in their planning and execution so they can shift their focus as ‘risks’ change
  6. If internal audit sees a new or growing risk that appears to have been missed by management, find out why – help them improve their process, teaching them to fish for new or changing risks

 

What about the risk practitioner? What is their role?

Richard references an interview with a vice president of internal audit and risk management. Reading the transcript of the interview, the vice president appears to own the responsibility for identifying emerging risk at his organization.

Again, I think that is totally the wrong approach.

The risk function can help, but it is a management (and by that I mean operating) management responsibility to keep their eyes open and on the road ahead.

When I was CAE at Business Objects, the board with the concurrence of the CEO asked me to act as CRO as well. I was willing to do so, but made sure that I was only the facilitator and not the one identifying and assessing risks.

No CAE or CRO can ever know as much about the business as those running it day in and day out. (If they do, there’s a problem.)

That’s my strong opinion.

What is yours?

[1] For a more complete discussion, see Auditing that matters