
What they don’t know will probably hurt them

January 18, 2014

It is always interesting to read the various studies that report that directors don’t have an in-depth understanding of their organization’s business, its strategies, and the related risks. In fact, the studies generally report that the level of understanding is insufficient for them to provide effective oversight of management and governance of the organization.

I want to turn this on its head.

If you are the head of risk management, internal audit, information security, or a senior executive, answer this question:

Do you believe that your directors have a sufficient understanding of the reality that is the organization: its culture and politics; the effectiveness of its people, systems and processes; its strategies; and whether risks to the achievement of its objectives and delivery of value to its stakeholders are being managed within acceptable tolerances?

If not, do you have an obligation to help educate the directors? What are you doing about it and is that sufficient?

Now let’s ask another question:

Do you believe that your top executives (including the CEO and CFO) have a sufficient understanding of the reality that is the organization: its culture and politics; the effectiveness of its people, systems and processes; and whether risks to the achievement of its objectives and delivery of value to its stakeholders are being managed within acceptable tolerances?

If not, do you have an obligation to help educate them? What are you doing about it and is that sufficient?

If the directors and/or top executives don’t understand reality the way you do, if their head is in the sand or in a more pungent place, shouldn’t your priority be to help them get their head on straight, pointed in the right direction? If they don’t understand the current state of the organization, shouldn’t the process of informing and educating them be fixed before trying to communicate new areas of concern?

I welcome your views and commentary.

  1. Sid Gale
    January 18, 2014 at 11:59 AM

    Imperfect Knowledge or Concerted Ignorance?

    I was introduced to the term ‘Concerted Ignorance’ early in my career by Professor Jack Katz, then a research associate with Yale Law School who was researching the sociology of fraud and management cover-up at the same time I was tasked with devising a corporate strategy for compliance with the Foreign Corrupt Practices Act of 1977. In 1973 the Equity Funding Corporation scandal mutilated a firmly held assumption in auditing: that a proper segregation of duties can minimize the risk of collusion that would undermine the integrity of internal control, based on the assumption that people are fundamentally honest, and are therefore unlikely to collude in most instances. Equity Funding broke new ground in illustrating the breakdown of the ethical environment. It has been dwarfed in subsequent decades; a testament to the power of organizational culture to bend individual integrity to its will.

    I have since come to appreciate how prevalent the paradigm is in group decision-making in circumstances that are by no means fraudulent, but invite duplicity of motivations where clear moral, ethical and professional boundaries of judgment should govern.

    But before we explore the realm of Concerted Ignorance, which I will abbreviate as CI for purposes of saving screen real estate and key strokes, let’s explore and distinguish its twin, Imperfect Knowledge, hereafter referred to as IK. IK, especially in the realm of management, is the inescapable truth that we NEVER, let me repeat that, NEVER know EVERYTHING we would like to know about ANYTHING, in order to make a correct decision in a specific situation. All decision-making entails a degree of risk resulting from imperfect or incomplete information, past, present or future.

    What distinguishes IK from CI is that IK is an ambient reality in the information ecosystem. CI is a directed choice in the social ecosystem. In the first case, we are the victims of circumstance. In the latter case, we are the perpetrators by choice. The intersect of the two occurs when the potential for IK gives CI the opportunity for cover of Plausible Deniability (PD), a get-out-of-jail card, so to speak, for executive management. (Generally, a few minions need to be sacrificed in the name of making Deniability plausible. It’s part of the theater. But I digress.)

    The issue of Concerted Ignorance echoed in a recent article by Jeremy Grantham surveying the near-term prospects of the markets in the wreckage of the past five years. (Don’t let the title fool you.) The following paragraph caught my attention:

    “As usual, it was easy to get excited about [the housing bubble] this too early, but how on earth could you miss it? (Famously, Greenspan, Bernanke, and Yellen, not only could not or would not see this 3½ sigma outlier, but they added words of encouragement that it was somehow a normal response to a decently strong economy.) Much stronger economies, including some with greater inflation, had somehow not had the same stimulating effect on housing.”

    In essence, Mr. Grantham is calling out the trio for exercising CI as accessories if not cheerleaders to a financial debacle they might have mitigated to some degree. Given the magnitude of the wreckage that followed, one might argue that the consequences of their actions (or inaction) vastly swamped the consequences of Equity Funding, or Enron, or a host of other true certifiable criminal frauds.

    I have considerable respect for Mr. Grantham’s insights on the economy, but I have some difficulty in equating Mr. Bernanke and Ms. Yellen with Alan Greenspan. Mr. Bernanke on a bad day cannot approach the lower depths of Mr. Greenspan’s mastery of obfuscation, except in the eyes of business media and Wall Street who choose to contort the most straight-forward pronouncement into implied babble in the perpetration of IK where CI is the intent.

    There are two problems with the rap on Mr. Bernanke, based on my IK of the inner workings of our monetary morass. First, he is burdened with responsibility to do far more for the economy than the authority and blunt instruments at his disposal would seem to support. Second, he is a player in a drama far bigger than himself in an improvised play with actors no less powerful and agendas nowhere near aligned. And within that play, everyone is crafting their lines in an IK environment, whether they acknowledge it or not. And some don’t worry too much about that.

    The above premise brings us to the issue of CI and how it ferments and eventually goes viral in a culture: business, civic, social or otherwise. First, there is the example of The Born Conspiracy, as in Brooksley Born, head of the Commodity Futures Trading Commission during the Clinton administration. This was not a conspiracy by her, but rather against her by the boys club of Greenspan-Rubin-Summers to thwart her deep concerns about the growth and character of the derivatives market. She was significantly marginalized by their efforts.

    Then there is the case of General Shinseki who stood on principle during the Iraq war at the height of his career and expressed his professional judgment about the troop requirements necessary to successfully subdue Iraq and sustain a peaceful transition. Knee-capped by his superiors for his integrity, the personal damage done is probably not fully compensated by the vindication of history.

    Which brings us to what I will call ‘The Powell Dilemma’. This is different from ‘The Powell Doctrine’, so famously associated with the first Iraq invasion. ‘The Powell Dilemma’, as I imagine it from my armchair, is how one remains within an organization to do good when crooks and crazies seem to be at the head of the line for control? To what degree do you owe allegiance to a higher authority (by whatever definition) and continue to serve as a ‘loyal soldier’ for a greater good, at the risk of becoming an accessory to the very things you oppose by remaining a part of that system. General Powell, by most indications and based on IK, was the victim of CI perpetrated as IK. Others will contend that he knew it was CI and chose to ignore it. If so, was he seeking to avoid being ‘Shinseki-ed’ so that he could continue to serve as a counterweight to the Klingon Warriors within Bush-2’s war council? We cannot know; merely surmise.

    As for Mr. Bernanke, is there an arguable parallel to the Powell Dilemma in his tenure? Many who argue that he could have acted more forcefully and proactively ahead of the Great Repression most definitely do so with some level of IK, and possibly some CI, depending on their agenda. Prior to ascending to the Chair, Mr. Bernanke was in a comparable position to Mr. Powell in his service to Mr. Greenspan. Upon ascending to the Chair, he labored in the shadow of the Wiz, with thin political capital to buck the cultural inertia of the received wisdom of The Great One. Still, there was evidence of a concerted effort on his part to re-mold his institution with greater transparency (which was immediately punished by the press) and greater consensus-based policy development, which has added to the drama of the Fed, but has been better for the institution and, by extension, the rest of us.

    This suggests to me that he was in a position similar to many in management who are more committed to an institution than to their immediate boss. Hope to survive, and then revive. At some point in our careers and personal lives, we all live with The Powell Dilemma.

    * * *

    It is alleged that only God has perfect knowledge. My own limited surveillance of His realm suggests that the application of that knowledge is at best uneven in results, and the magnificent work of those initial six days has fallen into serious disrepair. But if we mere mortals must suffer the inevitability of imperfect knowledge, why do we up the ante by perpetrating or being a party to CI in so many critical instances?

    Not everyone who colludes in CI is guilty of fraud and doing it for money. Some seek to gain or sustain power or position or influence or acceptance or, in the most severe instances, survival. Some may do this for selfish interests. Others in pursuit of some selfless purpose in an environment that mitigates against integrity, in the belief that it is a necessary price to be paid in order to achieve a greater good. In almost all cases, CI is an individual choice, but within a group-defined context in which we are all contributing parties, if only by default.

    But here is the ugly, inconvenient truth: Concerted Ignorance is a form of moral, ethical and intellectual prostitution, and in ways big or small, virtually all of us are guilty of it in ways we would not wish to admit. It may not be criminal, but it diminishes us as individuals and societies. It often begins in small, seemingly inconsequential ways, but too often can become a modality of convenience, until it becomes a trap. And when we exercise Plausible Deniability in the guise of Imperfect Knowledge, we inevitably contribute to our own steady demise.

    Prostitution can take on many forms. Some people sell their bodies. Is a pro football quarterback with a great throwing arm any different from a porn star with other distinguishing physical attributes, or a lady of the night, except for return on investment? Some of us sell our intellect; some, reputation and influence; others, moral and ethical judgment that can impact the well-being of others.

    In the scheme of things in our modern, sophisticated society, the Oldest Profession may actually be the most honest in the transparency and full disclosure of what it sells and what it receives.

    That is by no means an endorsement. Merely an observation on the relative state of affairs.

    • Sam Demuth
      January 20, 2014 at 10:59 AM

      What a lovely essay. Thank you.
      I can only add that if the culture locally mitigates and is permissive of CI as a stable form then the Culture at large itself is deficient in terms of ethics, which would indicate that there is perceived to be a beneficial trade-off pro CI. Alter the Culture so that ain’t so, and its stability may evaporate. Big Mountain, hmm CI might be here to stay.

  2. January 19, 2014 at 12:44 AM

    I can agree with you that directors sometimes may not be aware of the real status, but top executives will rarely be unaware. If that happens then we are definitely in the wrong company and it will be time to take a flight.

    The best way to tackle such a situation will be easy: by involving an external consultant to benchmark governance. A purely internal assessment will rarely be acceptable to directors.

    Regards,
    Kushal
    http://www.InternalAuditExpert.in

  3. K Viswanathan
    January 19, 2014 at 8:51 AM

    In a developing world where SOX is not mandatory, it is a challenge for CRO/CAE, auditors and many a time the person feels co-sourcing is an option not because the CRO/CAE is not able to deliver, but because of a need to get an independent endorsement on such matters to the organization. It is to endorse what Kushal commented above. To begin with, we need to establish (if not existing) Governance tools such as Code of Conduct, Whistle blower policy and leverage the control assurance audit reports to develop/improve Policies and Procedures. It should also involve:
    a. Conducting awareness sessions (including taking attendance of participants) on Policies, Procedures
    b. Getting a confirmation of understanding signed off on these.
    c. Establishing formal forum such as Risk Management Committee, Management, Operations Committee
    d. Ensuring their periodical meetings and addressing discussion items for closure etc.

    K Viswanathan
    CIA, CRMA, FCMA

  4. Robert Crawford
    January 19, 2014 at 11:56 AM

    Sid, you have provided quite the response on Imperfect Knowledge and Concerted Ignorance. Unfortunately concerted ignorance and plausible denial are all reasons why our leaders in government and business are generally looked upon with contempt and scepticism. Until they exercise a degree of governance exhibiting honesty, transparency and ethical morals, it will take a long time to correct the workings of government and business.
    R Crawford CPA, CA, CIA, CRMA

  5. January 19, 2014 at 7:22 PM

    “It’s not what you say, it’s how you say it.” Infosec has consistently failed to communicate the cyber risk of threats to assets and their potential economic losses with fiscal sense the C-suite comprehends. When infosec learns to never spend a dollar to protect a dime, heads may begin to nod in the same direction…

  6. Brian Robb CA CIA CRMA
    January 20, 2014 at 12:05 PM

    This is possibly illustrating the consequences of top management losing touch with the front line (and reality?) and believing their own spin and/or spin of the level of management underneath them and/or not fostering a culture where truth and knowledge is held in high esteem and is allowed to be communicated.

  7. Helen
    January 21, 2014 at 8:53 AM

    Turnover at the C level is generally higher than your general work force. Wasn’t that the point of bringing in a new CEO…to bring in new ideals, and to break up the current political environment? So what value is there in knowing the current environment? After all they will be gone in 3-4 years, and a new CEO with a new direction will come in.

    As for the infosec comment above, your CISP is doing Quantitative Risk Analysis on cyber assets…but to make the assessment reflect real value, business needs to put a value on the data in its possession. And I’ve yet to see a business set the value of its data, until after it’s been stolen and it turns out it was valuable. Corporate needs to understand the value of its assets, and communicate that to the security group. That is the only way to get accurate numbers on what a company should be spending for security.
