
The IIA fails again on risk management

September 30, 2021

I have reached out to people at the IIA with a plea to come on board with the latest thinking about risk management: that it is not about managing or mitigating risk, but about taking the right level of the right risks to achieve your objectives.

No reply, unfortunately. (Even though they replied to other initiatives regarding the Standards.)

Now we have a new report from the IIA that cements their feet in the concrete of failure. Yes, failure. Risk management practices are not seen by executives as contributing to how they make decisions and run the business. As a result, they don’t participate with enthusiasm or provide the resources risk practitioners need.

The new IIA report is OnRisk 2022: A Guide to Understanding, Aligning, and Optimizing Risk.

The marketing blurb says that the report “will change the way organizations view and understand risk”. Wrong!

The report says:

  • C-suite executives, and chief audit executives [are] the key players in risk management
    • Comment: this ignores any risk practitioners as well as the fact that operating management at multiple levels are the ones making decisions and taking risks every day.
  • The OnRisk approach is grounded in an innovative methodology that uniquely brings together the perspectives of the major stakeholders in organizational governance — the board, executive management, and chief audit executives. Alignment of these stakeholders’ views on personal knowledge, organizational capability, and risk relevance is a significant step toward achieving strong risk management in support of effective governance.
    • Comment: yes. Asking these people for a list of the higher risks is certainly innovative (not!).
  • One technology C-suite executive articulated a more sophisticated approach to risk management, which adds needed perspective: “We have a formal ERM process, with a person that leads annual reviews for the entire organization. Risks get rated, gaps get identified, and then the likelihood and significance as well as tolerance is determined. Two hundred risks are assessed and grouped together in different categories. I think because we have this process and our audit function is so tuned-in to risk, we have sufficient assurance.”
    • Comment: this is shockingly awful.
  • “Some risk reports are maybe too detailed, which makes it difficult for extracting insights. Detail is good, but there should be summaries of relevant info for stakeholders, board members, etc.”
    • Comment: this is correct!!
  • [Internal audit should] perform organizational risk analysis, leveraging the OnRisk methodology.
    • Comment: this is a management responsibility! If management is not capable of anticipating what might happen and taking the necessary actions, the CAE should raise this to the audit committee as a very serious deficiency!
  • The OnRisk 2022 report continues The IIA’s groundbreaking approach in collecting stakeholder perspectives on risk and risk management in support of good governance and organizational success.
    • Comment: your feet are in the cement and you are not breaking anybody’s ground.
  • The growing sophistication and variety of cyberattacks continue to wreak havoc on organizations’ brands and reputations, often resulting in disastrous financial impacts.
    • Comment: this hyperbole is not supported by facts. I have written frequently about this and will say no more here.

While I will again share this post with IIA leadership, I ask that everybody who agrees with me contact Anthony Pugliese (@AJPugliese1 on Twitter) and urge the IIA to challenge their old-fashioned thinking, lift their feet out of the cement (which will be hard – pun intended), and get on board with risk management that works – what I have described as risk management for success and Tim Leech refers to as objective-centric risk management.

This continued emphasis on managing risks instead of the business discredits this fine profession.

I welcome your comments.

  1. John Fraser
    September 30, 2021 at 5:32 PM

    Thanks Norman. Totally agree. It is very sad that they are still at this stage in thinking.

    • Norman Marks
      September 30, 2021 at 5:36 PM

      John, will you contact Pugliese?

      • John Fraser
        September 30, 2021 at 6:54 PM

        I would be happy to if I thought it would make a difference but I doubt it. Were you part of the group several years ago with Arnold Schanfield where we held a conference call with IIA management to educate them re risk management? Result = zero.

  2. September 30, 2021 at 6:16 PM

    Sad to see Norman’s ground-breaking approach get plowed under by medieval thinkers at The IIA.

    • Norman Marks
      September 30, 2021 at 6:28 PM

      Jay, will you contact Pugliese?

      • October 2, 2021 at 10:31 AM

        Absolutely. I invested years into IIA local and National leadership roles, publications, and thought leadership and am not willing now to see them cling so firmly to the past.

        • brucemccuaig1
          October 2, 2021 at 10:43 AM

          I became totally disenchanted years ago. I gave up all the designations CIA, CCSA etc. The IIA should be thought of as a special interest group (SIG) rather than a profession. Its interests are not

  3. September 30, 2021 at 11:32 PM

    While I fully support (most of) Norman’s sentiments, were I those in apparently concrete boots I think I might not wish to engage. While management of risk has changed, so has management of change, and I am not convinced publishing such aggressive posts is the best way to achieve that change.

    • Norman Marks
      October 1, 2021 at 6:47 AM

      Thank you, David. My frustrations have built up over a decade of trying to move them. Thus the rant.

  4. October 1, 2021 at 3:34 AM

    Norman, absolutely correct. For an organisation which keeps exalting its members to be innovative, it’s a shame that it doesn’t apply the same thinking to itself. I have tried to promote discussion through my comments on the IPPF (https://www.internalaudit.biz/webresources/page26.html) but I don’t hold much hope!
    I will contact Anthony Pugliese.
    Keep up the campaigning.

    • Norman Marks
      October 1, 2021 at 6:46 AM

      Thank you, David

  5. brucemccuaig1
    October 1, 2021 at 2:44 PM

    Norman, well said. I think the tone was appropriate and the message clear and urgent. I would add that the IIA should rethink how “controls” are managed as well as part of rethinking risk management.

  6. Norman Marks
    October 1, 2021 at 2:45 PM

    Thanks, Bruce

  7. Mike
    October 2, 2021 at 12:44 PM

    Norman, the IIA will eventually catch up as it becomes more mainstream thinking. More and more these days I meet peers who get it and have moved on. Determining the right level of risk to achieve your objectives is in itself not so straightforward, and then implementing it can also be a challenge.

  8. October 2, 2021 at 7:12 PM

    Maybe the answer also lies in the specific type of risks. Compliance and financial reporting risks can’t be taken at the right level. They have to be mitigated only.

    On the other hand, strategic and operational risks need to be taken at the right level. Views are welcome.

  9. Lalit Dua
    October 3, 2021 at 12:15 AM

    No denial of the fact that risk assessment should be done while taking key operational and strategic decisions, but C-suites take this as a cumbersome exercise, specifically when they are under tremendous pressure to achieve the objectives set for them. Many a time the leadership team overlooks attempts at deviating from standard processes to achieve annualised goals. IA can just report such deviations but doesn’t have any supporting role to play.

  10. October 3, 2021 at 2:32 AM

    When I read articles and comments on LinkedIn, it does seem that many internal auditors haven’t moved on to supporting the business but continue to look inwards at the achievement of ‘internal audit’s objectives’.

  11. Paul Hicks
    October 4, 2021 at 4:00 AM

    I see the IIA OnRisk report as less about risk management and more about risk governance – taking the longer term strategic view. The risk model on page 26 describes four stages of risk knowledge and risk capability. Recognize, Explore, Develop and Maintain. I would say that risk management would be performed at stage four as it is here where the risk responses are to be implemented. And taking the right level of the right risks could be effectively determined.
