
10 Years of Progress

December 17, 2019

It's been 10 years since my first blog post in December 2009; "Is there value in talking about GRC?" remains a relevant question, especially as so many vendors put a GRC label on their software. I've written about GRC 97 times since then.

But, thankfully, most practitioners have moved on to focus on those elements of GRC that are meaningful to them rather than trying to implement software for “GRC”. Depending on their role and responsibilities, that may mean risk management, compliance, internal audit, information security or cyber, etc. Sometimes, but not always, one software solution will be the best choice for several areas; but almost never will it be the right choice for every area of GRC.

Of my 689 posts (not including this one), the most viewed is from 2011, "Just what is risk appetite and how does it differ from risk tolerance?", which has been viewed a massive 69,617 times (10% of which were in 2019).

But I want to talk about progress in practices since that first post. These will just be highlights.

Risk management

While the great majority of practitioners continue to follow traditional practices (such as developing a list of top risks that is reviewed periodically, perhaps on a heat map), an increasing number recognize that this is a failing practice and have moved on. They recognize that risk management should enable decision-makers to make informed and intelligent decisions that will enable them to take the right risks and achieve enterprise objectives.

Boards and top management teams are similarly starting to ask for more. They recognize that discussing a list of risks is not helping them run the organization for success. It only helps identify potential problems. The focus should be on having an acceptable likelihood of achieving objectives (a better way of thinking about ‘risk appetite’) instead of an acceptable level of risk.

Corporate governance codes and frameworks similarly talk about both risk and opportunity. However, there is little guidance on how to weigh all the pros and cons so you can make those informed and intelligent decisions.

The future is not clear, especially as regulators continue to press traditional practices that might help avoid failures (emphasis on might) but don’t contribute to success.

We need to stop the focus on the management of risk and replace it with a focus on the management of success.

That will take time.


Internal audit

I am pleased by the progress I have seen, especially the move away from a rigid annual plan that is out-of-date even before the first audit. Instead, there is a growing recognition that you need to audit at the speed of risk (or at the speed of the business, if you prefer). That requires a far more flexible audit plan. A majority of functions now update their plan at least quarterly, while leaders are using a continuous planning approach to ensure they address the risks of today and tomorrow rather than of the past.

Compared to 10 years ago, far more are providing their stakeholders with opinions. Most include opinions in their audit reports (micro opinions), while a growing number provide an overall assessment of how enterprise risks and related controls are managed (macro opinions).

But there is still work to be done.

Too few have limited their audits to issues or risks that matter to the success of the organization as a whole (defined by the achievement of enterprise objectives). They may start with an intention of auditing such enterprise-level risks, but then bloat their scope by including areas that, if the controls failed, would not require the attention of top management or the board; in other words, their scope includes issues that don’t matter to the success of the organization as a whole. That time, the time spent on issues that only matter to middle management, can be better spent on other enterprise-level risks.

If you want to be agile, which enables you to pivot promptly to new or changed risks, you can’t afford every audit to be a leviathan. Think of how long it takes to turn an oil tanker.

The other area that I see improving in the future is in communicating the results of the audit.

While executive summaries are getting shorter, they are still written in the language of the auditor and say what the auditor wants to say. Leading functions realize that they need to tell their stakeholders what they, the stakeholders, need to know. For example, what is the effect of any control deficiencies on the ability to execute successfully on business strategies to achieve enterprise objectives? Which objectives might be affected and by how much?

I believe the future is bright and salute the achievements of the past decade.

What do you think?

FYI, in 10 years those 689 posts have been viewed a total of 1,256,639 times!

  1. Bertrand
    December 17, 2019 at 9:08 AM

    I started collecting your blogs and your books (as well as those of Richard Chambers) around 2011 when I was nominated CAE of a medium-size European company. Without the support of an international group, you sometimes feel a little bit isolated (methodology, benchmarking, new approaches…). Thank you very much for sharing your experience over this time. This is collective intelligence at its best.

  2. December 17, 2019 at 12:58 PM

    Norman, many thanks for your blogs, which I have found very thought-provoking. I think the future is bright for internal audit, but I think it would be brighter if the IIA revised its standards to take account of your comments above, such as providing a periodic assessment of the likelihood that a company will achieve its objectives, based on the audits carried out. The standards don't need a major revision, but a change of emphasis and some reordering of paragraphs is required.

  3. December 17, 2019 at 3:14 PM

    Thanks for all your insights. Looking at the situation in Ireland and limited experience abroad, I think one of the principles that needs to be shouted from the rooftops is Honesty. It is the one that is so often misplaced. I know there is so much more, but this one is often forgotten.
    Season's wishes, and let's strive for honesty in the future.

  4. Gary Lim
    December 22, 2019 at 8:26 PM

    Norman, I learned lots of ideas from your blog. In Malaysia compliance is most important for financial institutions, but for public listed companies I would think there is very low acceptance, as they don't think it would happen to them. I wonder how many Malaysians respond to your blog; I think I am an active one from Malaysia. You probably heard of the 1MDB case, which makes Malaysia famous for the wrong reason.
    I take this opportunity to wish you and your family Merry Christmas and Happy New Year 2020; may it bring joy and happiness in the years ahead.

    • Norman Marks
      December 23, 2019 at 4:26 AM

      Thank you!
