The dangers of complacent success: don’t stop when you are finished
I try to listen to and learn from every person I meet, whether at a conference, an internal or customer meeting, or even a social gathering. Some executives (and I talk primarily about audit and risk executives) are receptive, as you might expect, to the potential that new practices and technology offer. Some are open to the possibilities offered of continuous controls monitoring (not just transaction monitoring, but monitoring that actually confirms the operation of controls), business intelligence, providing assurance on governance and risk management, and so on. Our discussions are fruitful and I continually refine my thinking from what I hear.
But some are less open and receptive. True, some can see real obstacles – such as the diversity of their technology infrastructure. However, others seem to be quite happy where they are and aren’t really interested in change.
For a while, I struggled to understand this – and then it clicked.
Do you know the expression: “think out of the box”? For some time, I have been extending the metaphor to “get out of the box” and then “stay out of the box”. The latter is necessary because once you have fixed what was broken and created a new, much more efficient and effective situation, you can fashion that into the fabric of a new “box”.
The people I am talking to who are happy where they are have, as a rule, been successful creating their current set of processes, their organization. They have been recognized and rewarded. But, they have fallen in love with their situation and created a “box” for themselves – one they find it hard to get out of, let alone think out of. This will, in time, catch up with them.
Years ago, I took a position as the head of internal audit for an oil company. I asked what happened to the previous gentleman, whom I had met and knew had been at the company for many years. I was told that while he had been successful and satisfied both the audit committee and top management, he had a “run-in” with the new CEO. Apparently, the CEO came in with new ideas and expectations – including for internal audit. My predecessor was so in love with the box he had crafted that his eyes and ears were closed and he could not hear the CEO’s new ideas. His box was, in fact, now an old box – and his thinking was old thinking.
The lesson for me is quite clear.
When you set about fixing your function and realizing a vision for it, don’t stop when you are finished. While what you have created may be leading-edge and ahead of every competitor and peer, it won’t stay that way for long.
Make sure your new function has the agile ability to continue to change, develop, and grow. Don’t build a new box to stifle your ability to embrace change.
Recent Posts on this Blog
- Is a new maturity model for GRC the right model? September 25, 2016
- The Wells Fargo “Staff Scam”: More questions and fewer answers September 16, 2016
- The astonishing Wells Fargo fraud September 10, 2016
- Leading an effective information security capability September 4, 2016
- Have your provided comments on the COSO ERM draft? August 31, 2016
- How to do your internal audit risk assessment August 27, 2016
- Do techies really understand cyber risk? August 20, 2016
- Continuing to learn about culture from Toyota August 13, 2016
- The danger of an arrogant board August 7, 2016
- The Board and Technology: Questions to ask the management team July 31, 2016
- IIA Insights on Internal Audit Effectiveness July 22, 2016
- Deloitte predicts change for Internal Audit July 20, 2016
- Risk and Opportunity Management July 2, 2016
- Risk reporting to the Board June 26, 2016
- We need to review and provide feedback on the COSO ERM Exposure Draft June 19, 2016
- Fraud, Abuse, and Corruption September 26, 2016
- Reconsidering the Board: Its Composition and Oversight of Management September 19, 2016
- Time for the Board to Take a Deep Dive Into Risk Management and Risks September 12, 2016
- Oversight of the External Auditor September 6, 2016
- Signs of a Failing Board August 29, 2016
- Contrasting Comments on Internal Audit From a CAE and a Consultant August 23, 2016
- Asking the Tough Questions About Internal Audit August 15, 2016
- When Risk Management Fails August 8, 2016
- An Internal Audit Ambition Model August 1, 2016
- Understanding and Assessing Governance Risk July 25, 2016