Archive for the ‘Compliance’ Category

Guidance for Directors on Disruptive Change

July 7, 2014 3 comments

Every organization needs to be able to not only anticipate and address the inevitability of change that might disrupt its business, but be prepared to take advantage of the opportunities that will present themselves.

We talk about risk as if every uncertainty has a downside.

We talk about opportunity as if it is something that we choose to seize or not, and do little to ensure we identify and take full advantage. How do we expect to optimize our performance when we are cavalier about moving quickly to take advantage of opportunities that may rise and disappear quickly?

We talk about resilience as if we should stand tall, like a wall, in the face of disruptive change. Perhaps we should move, either out of the way or to align ourselves to benefit from the movement (think Aikido).

In fact, all of these come into play. Situations and events can have multiple possible effects, some good and some bad, and are not limited to one outcome at a time. As a simple example, the loss of one employee is the opportunity to hire somebody with different skills, reorganize the function, and so on.

What distinguishes our times from years past is the pace of change.

Deloitte recently published Directors’ Alert 2014: Greater oversight, deeper insight: Boardroom strategies in an era of disruptive change. Here are some excerpts:

“Sometimes, changes occur that are more dramatic. In the past, disruptive changes usually happened only periodically and resulted in a sustained plateau – the automated assembly line, for example, which revolutionized industry in the early twentieth century, continues to be a central feature of modern manufacturing. Today, however, disruptive change has become a perpetual occurrence in which one change instantly sparks a chain of others. What’s more, these changes are being generated by a variety of factors – digital disruption created by continuing technological advances, regulatory reforms, economic turmoil, globalization, and shifting social norms and perceptions.”

“In this environment, everything and anything may change at any time as category boundaries are blurred, supply chains are disrupted, and long-standing business models become obsolete. With change, however, comes opportunity. Technological advances enable organizations to generate new revenues by targeting new customers, new sectors, and access new geographies while more fully automating back office activities and divesting of declining assets to reduce costs. The challenge for organizations is to recognize when disruptive change is occurring and to act quickly and decisively when it does.”

“In this environment of ongoing, tumultuous change, organizations and their management and boards of directors must respond quickly and adeptly if they are to effectively address all the disruptive changes that surround and affect them. For boards of directors, this often requires greater oversight – expanding their scope to include activities and areas that were not traditionally part of their mandate. At the same time, boards must ensure that management provides them with deeper insights into the organization’s activities so directors can clearly understand all of the potential opportunities and risks.”

Deloitte takes each area of major change (such as strategy, technology, taxation, regulatory compliance and so on) and includes questions for directors to use in discussions with management.

I am working with ISACA on guidance for directors and executives on how disruptive technology might affect corporate strategy. I came up with a few questions of my own that directors and top executives might use:

  1. How does the organization identify the new or maturing technologies that might be of value and merit consideration in setting or adjusting strategies, objectives, and plans?
  2. Who is responsible for the assessment process?
  3. Who determines whether existing strategies, objectives, or plans should be adjusted?
  4. Does the assessment consider the potential for value to be created in multiple areas of the organization, or does each functional area act on its own?
  5. Does the assessment consider, with inclusion in the process of related experts, potential compliance and other risks?
  6. Does the assessment consider the potential actions of competitors, suppliers, customers, and regulators?
  7. Does the board discuss the potential represented by new or maturing technology on a regular basis and as part of its discussions of enterprise strategy?

Do you think these are the right questions? How would your organization fare?

I welcome your comments.

Risk Management Challenge – The Answer

July 1, 2014 Leave a comment

The Question

In a recent blog, I said I had asked one of the leaders of a CPA firm’s ERM consulting practice this question:

“Maybe you can help me understand how you would ensure that an HR manager makes the ‘right’ decision when deciding whether to hire a recruitment officer to support a new service center in Bangkok (opening in 6 months) now or in 3-4 months; support recruitment for the service center from the office in Singapore; hire one with experience only in Thailand or with broader experience across SE Asia; hire a single female in her late 20s or a married male in his late 50s; pay more than the individual being replaced (and go over budget) or hire a less experienced individual at a lower cost; include one or more business managers in the recruitment process; probe deeply or in a standard fashion into his/her references and background, which might delay hiring; and whether to hire an individual that is looking to advance to a director’s position within 2-3 years.”

As Arnold Schanfield predicted, the individual did not provide an answer to the question – although he agreed with the premise in the blog post.

In that earlier blog, I asked:

“…what are the organizational objectives here? Which are “at risk” and how can the HR manager (a) know what they are, (b) understand the potential effect of his choice on their achievement, and (c) know which decision means taking the desired level of risk?”

I shared another situation:

“Another example, which I use a lot, is the procurement manager who has to decide how she will source critical components (i.e., components critical to the manufacture of one of its primary products). Does she select the lowest cost provider who may not have the best reputation for quality, responsiveness, or on-time delivery? Or is it better to allocate the supply among the top three vendors? Or is it better to select one vendor and negotiate a long-term contract with opportunities for shared profit and innovation? Or should the procurement manager suggest to her director that the company consider building (or buying) its own facility for manufacturing these components?”

I asked “Which is the right risk to take? How can she know?”

A number of people provided their thoughts – and I thank them for sharing.

The Answer

I believe the answer can be obtained using risk management principles (using the guidance of your choice – mine is ISO 31000). You can also consider, as I do, that these are principles for effective management and decision-making. Here is my thought process:

  1. The owner of an objective is also the owner of any risks to those objectives
  2. Where the owner of a risk is not responsible for all the actions and activities that affect the risk, he needs to communicate his needs to all whose actions he is dependent upon. In other words, he needs to make sure they know how their actions will affect him
  3. But that responsibility is not one-way. Managers should take responsibility for the effects their actions will have on others
  4. In the first example, every organization whose objectives are dependent on the new service center should ensure that their needs and expectations are known and understood by the managers of the new service center
  5. The manager of the service center needs to know how any failure to meet those needs and expectations will affect the business
  6. The manager of the service center needs to work with HR and ensure they not only understand that he wants to hire for the new operation but how critical that need is to the business. For each position, he needs to agree on requirements such as timing, experience, location, and so on
  7. The HR manager must go beyond any paperwork (e.g., staffing requisition) to ensure he understands all expectations, including the risk to the business should there be either delays or compromises in hiring
  8. The HR manager also needs to understand any legal, company policy (such as not discriminating based on gender, age, or race), or other requirement when deciding how, when, and where to hire the recruitment officer
  9. The HR manager should consult with other business managers, including the manager of the service center, before making any decision that could impact his service to them
  10. The manager of the service center should monitor progress in hiring the recruitment officer as a delay represents a risk to his and his customers’ objectives
  11. Any manager should be able to ask for assistance from the risk manager, such as facilitating a workshop to discuss the situation and agree on actions
  12. Each player should communicate any changes in the situation
  13. In the second example, the managers whose objectives are impacted by the procurement decision should ensure that the procurement manager fully understands their priorities (such as quality vs. cost vs. reliability, etc.)
  14. The procurement manager similarly needs to take responsibility for knowing his customers’ (within the business) priorities
  15. Where appropriate, in the opinion of the procurement manager or the managers of manufacturing or finance (for example), the decision should be made collaboratively
  16. The risk manager may be of value by facilitating a discussion

The bottom line is that in neither case should the decision-maker base their decision on their own objectives. They need to understand and consider the objectives of those affected by their decision.

Similarly, everyone whose objectives are “at risk” to decisions and actions made by another should seek out those others and work to ensure their and the organization’s objectives are known and considered.

Where possible, decisions should be made collaboratively with all those potentially affected.

Do you agree?

Board Oversight of Cyber-Risks

June 29, 2014 4 comments

Over the last few years, “cyber” has moved from science fiction to business reality. I am not sure why we changed from talking about information security to cyber, but I am told (yet not convinced) that there is a difference.

In any event, boards and top management need to be concerned with cyber-risks because of the potential harm an adverse incident can cause to the organization’s reputation and trust, intellectual property, and compliance with applicable laws and regulations – and the business disruption can be even greater.

But how much should boards get involved? Should we expect directors to ask for and inquire about details, or should they instead ask probing questions and satisfy themselves that management has appropriate mechanisms in place?

Cyber Risk Oversight, a publication of the National Association of Corporate Directors (NACD), in collaboration with AIG and the Internet Security Alliance, takes the position that directors should ask questions. (The executive summary is free, but the detailed questions are in appendices that are only free to members).

I like their five principles, especially the first two:

  1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
  4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

While some would like to see information security (a.k.a. cybersecurity) as an issue that merits attention all by itself, the potential effect on the entire business and its ability to achieve its objectives justifies cyber being recognized as a business and not “just” an IT issue.

In fact, the level of risk associated with any cybersecurity failure should be measured like any risk, in terms of its effect on the achievement of enterprise objectives. This means that the interrelationship between cyber and revenue generation, customer satisfaction, and so on all need to be considered.

In addition, the investment the organization makes in cybersecurity should be commensurate with the level of risk and balanced against competing needs for capital from other aspects of the business.

Should there be an IT committee of the board? Should the board have several cyber experts who can understand and provide effective oversight? I think the answer is “it depends” – on the level of risk that cyber represents to the organization and whether the board can use the services of experts (such as within risk management and/or internal audit) to fill any knowledge gaps.

I agree with the NACD that the board should ensure it has sufficient information and expertise to ask the right questions of management at regularly scheduled board meetings. I believe they should demand both internal audit and risk management assistance in assessing cyber-risk and the adequacy of management’s programs for managing it.

Do you agree?

A Risk Management Challenge for You

June 21, 2014 23 comments

I hope I have been consistent in my message: that risk appetite and other top-level guidance only enables an after-the-fact answer to the question of “did we take the right risks”.

They don’t provide the guidance people need when they make decisions as part of running the business on a daily basis.

I am in the middle of an email discussion with a leader of one of the Big 4 CPA firms’ risk management consulting practices. He is one of the few from the Big 4 that I have heard say the same thing I do – that risk is taken every time you make (or decide not to make) a decision, and that those making decisions need guidance on which are the right ones to take.

This gentleman has developed a somewhat complex process that takes the organizations’ objectives, identifies the type and general source of risks to each of those objectives, determines at a high level the aggregate level of risk to each objective that would be acceptable, and then drives this down to the decision-makers whose actions create or modify those risks – and finally determines what would constitute an acceptable level of risk at their level.

It’s a valiant attempt to deliver guidance to those taking or modifying risk every day.

But is it enough?

I asked him this question, to which he has not yet replied:

“Maybe you can help me understand how you would ensure that an HR manager makes the ‘right’ decision when deciding whether to hire a recruitment officer to support a new service center in Bangkok (opening in 6 months) now or in 3-4 months; support recruitment for the service center from the office in Singapore; hire one with experience only in Thailand or with broader experience across SE Asia; hire a single female in her late 20s or a married male in his late 50s; pay more than the individual being replaced (and go over budget) or hire a less experienced individual at a lower cost; include one or more business managers in the recruitment process; probe deeply or in a standard fashion into his/her references and background, which might delay hiring; and whether to hire an individual that is looking to advance to a director’s position within 2-3 years.”

We say that risk is the effect of uncertainty on objectives and that you have to assess each risk within the context of objectives.

But what are the organizational objectives here? Which are “at risk” and how can the HR manager (a) know what they are, (b) understand the potential effect of his choice on their achievement, and (c) know which decision means taking the desired level of risk?

In practice, the HR manager has his own objectives, as does the HR department. For example, he probably believes that one of his primary objectives is staying within budget. Can he achieve that without adversely affecting another department’s objectives to an unacceptable extent?

It’s not only that delaying hiring or hiring somebody with insufficient experience may adversely affect the operation of the new service center, but problems at the new service center might result in failures to bill customers accurately, pay critical vendors on time, produce accurate financial and operational reporting, and more. The ripple effect could be substantial and affect multiple organizational objectives.

A (COSO) risk appetite statement or framework set by the top management team and approved by the board is of no help.

Are (ISO 31000) risk criteria any better?

Management decisions like this are made every day.

Another example, which I use a lot, is the procurement manager who has to decide how she will source critical components (i.e., components critical to the manufacture of one of its primary products). Does she select the lowest cost provider who may not have the best reputation for quality, responsiveness, or on-time delivery? Or is it better to allocate the supply among the top three vendors? Or is it better to select one vendor and negotiate a long-term contract with opportunities for shared profit and innovation? Or should the procurement manager suggest to her director that the company consider building (or buying) its own facility for manufacturing these components?

Which is the right risk to take? How can she know?

I welcome your comments.

Isn’t this the core, the heart of risk management?

How Good is your GRC? My book now available in paperback and soft copy

June 17, 2014 Leave a comment

Background

Anyone who has been reading my posts should know that I have concerns about the way people are misusing the term GRC. In my April post, I closed with:

So here’s my recommendation to all: stop talking about GRC and start talking the language of the business. Let’s talk about how we can increase value to stakeholders, address potential obstacles and seize opportunities to excel, act with integrity and remain in compliance with current and anticipated regulations, and manage the organization to success.

So how do we move forward?

It is important to get each part of the business working well. But it is also important that they work together. We don’t want fragmented operations that operate in silos.

How can an organization’s board, executives, or internal auditors determine whether their different activities (such as strategy, performance, and risk management) are working together, in harmony, for the optimization of performance while acting with integrity?

The Book

I have a new e-book, How Good is your GRC? Twelve Questions to Guide Executives, Boards, and Practitioners. It consolidates my thinking about what GRC means and the business problem it represents (the failure to have the various pieces work together in harmony). I include twelve questions, with discussion, that you can use within your organization in a discussion or assessment process.

How and Where is it Available?

If you want a soft copy to read on your PC, tablet, or eReader, a Kindle version is available from Amazon. If you want to read it on your PC, first download the free Kindle for PC app; for the iPad or iPhone, download the free Kindle app from the Apple App Store; and for an Android device, there is a free app on Google Play. Then go to Amazon to purchase the ebook.

A paperback version is now available from Amazon or (my preference) the CreateSpace e-store.

Talking about Operational Risk

June 17, 2014 6 comments

My friends at MetricStream (I am doing some webinars and training classes with them), through their SVP of industry solutions, have shared some thoughts on levels of integration in operational risk management. This was published by the Global Association of Risk Professionals (GARP).

I have some problems putting labels on risk. Some like to categorize different sources of risk, from strategic risks to financial risks, credit risks, market risks, procurement risks, IT risks, operational risks, and so on.

I prefer to think about what you need to happen and what you need not to happen to be successful.

I prefer to think about the uncertainties between where you are and where you want to be.

But, let’s talk about operational risk.

Basel II and Solvency II define operational risk as (emphasis added by me):

“the risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events (including legal risk), differ from the expected losses.”

GARP’s definition is similar:

“Operational risk is defined as the risk of loss resulting from inadequate or failed processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.”

Investopedia defines it as

“A form of risk that summarizes the risks a company or firm undertakes when it attempts to operate within a given field or industry. Operational risk is the risk that is not inherent in financial, systematic or market-wide risk. It is the risk remaining after determining financing and systematic risk, and includes risks resulting from breakdowns in internal procedures, people and systems.”

The Risk Management Association (RMA) has some useful words on the topic:

“Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events, but is better viewed as the risk arising from the execution of an institution’s business functions. Operational risk exists in every organization, regardless of size or complexity from the largest institutions to regional and community banks. Examples of operational risk include risks arising from hurricanes, computer hacking, internal and external fraud, the failure to adhere to internal policies, and others.”

The US Federal Reserve has a similar view:

“Operational risk arises from the potential that inadequate information systems, operational problems, breaches in internal controls, fraud, or unforeseen catastrophes will result in unexpected losses. Although operational risk does not easily lend itself to quantitative measurement, it can result in substantial costs through error, fraud, or other performance problems. The growing dependence of banking organizations on information technology emphasizes one aspect of the need to identify and control this risk.”

In other, simpler words, operational risk is when your people, processes, and organization don’t work the way you want.

In other words, operational risk is present every time somebody, or some system, has to act (or not act).

So the key to managing operational risk is through controls that will either prevent such failure to act as desired, or detect such a failure in sufficient time to prevent an undesired impact on objectives.

Those controls include hiring the right people; training and continuing to develop them; providing sufficient supervision, information, resources, and authority to perform; guiding them in terms of desired ethical behavior and desired practices through policies, standards, and procedures; ensuring that risk is considered in decision-making; and monitoring operations and controls – and so much more.

When you think of operational risk as when the dynamic, constantly moving enterprise fails to work as desired, I for one don’t think of managing it by performing periodic assessments. A point-in-time snapshot when everything is moving is not realistic.

Yet, organizations and consultants continue to focus on point-in-time assessments and reviews by management and the board.

MetricStream makes one good point in their GARP article: if you are going to assess risks periodically, recognize both the integration and aggregation of risk.

A failure in one area can affect the operations and success of another.

A single failure in, for example, information security can affect the achievement of objectives across the organization.

I understand that risk management solutions (such as those offered by MetricStream, SAP, Resolver, and others) help organizations integrate and aggregate risk assessment.

But, let’s not forget that operational risk arises when people or systems don’t do what you want – and that needs to be addressed in the field, where (as MetricStream correctly points out) the risk source lies.

When you are considering that every action and decision across the organization relies on humans (humans design and code computer systems), and humans are fallible and prone to error, the likelihood of someone doing something you don’t want is high.

How can you make any kind of list of operational risks, and assess and evaluate them, when everything and anything can fail? How can your list ever be complete?

Isn’t it better to provide managers and decision-makers with the tools and guidance they need to make intelligent decisions, controls that provide reasonable assurance that their mistakes will either be limited or caught quickly, management that hires and retains the best people, and a culture that not only celebrates mistakes but is resilient when it comes to human error?

I welcome your comments.

How Good is your GRC? Twelve Questions to Guide Executives, Boards, and Practitioners

June 8, 2014 4 comments

Anyone who has been reading my posts should know that I have concerns about the way people are misusing the term GRC. In my April post, I closed with:

So here’s my recommendation to all: stop talking about GRC and start talking the language of the business. Let’s talk about how we can increase value to stakeholders, address potential obstacles and seize opportunities to excel, act with integrity and remain in compliance with current and anticipated regulations, and manage the organization to success.

So how do we move forward?

It is important to get each part of the business working well. But it is also important that they work together. We don’t want fragmented operations that operate in silos.

How can an organization’s board, executives, or internal auditors determine whether their different activities (such as strategy, performance, and risk management) are working together, in harmony, for the optimization of performance while acting with integrity?

I have a new e-book, How Good is your GRC? Twelve Questions to Guide Executives, Boards, and Practitioners. It consolidates my thinking about what GRC means and the business problem it represents (the failure to have the various pieces work together in harmony). I include twelve questions, with discussion, that you can use within your organization in a discussion or assessment process.

I welcome your thoughts and comments, and hope that you find the e-book useful.

By the way, if you don’t have a Kindle you can still read the e-book on your PC by downloading Amazon’s Kindle for PC.

The SOX State of the Nation

June 7, 2014 4 comments

Each of the last few years, Protiviti has conducted a survey to understand and then report on the state of SOX compliance programs. They recently published their 2014 Sarbanes-Oxley Compliance Report.

The Protiviti survey and analysis is interesting, useful, and valuable. If you contact them, they may be able to give you detail customized to your situation.

Not surprisingly, Protiviti has a major focus on how companies are adopting the 2013 update to the COSO Internal Controls – Integrated Framework.

I am surprised, as are the authors, that a large number of organizations “have yet to begin work on gaining an understanding of and implementing” COSO 2013. I join Protiviti in urging every organization subject to SOX to figure out their plan and discuss it with the external auditors a.s.a.p.

I am less surprised, even encouraged, that the majority of those who say they understand COSO 2013 are not anticipating a major increase in the level of work required for SOX compliance in 2014 and beyond. Here, I part ways with Protiviti who seem to believe that the external auditors will require organizations to do a lot more. That, in my opinion, would be a mistake.

Companies need to continue to take a top-down and risk-based approach to SOX, even in the face of COSO 2013, and this need not lead to an increase in the number of key controls included in scope (please see this post and the quotes from Jim DeLoach of Protiviti, Ray Purcell of Pfizer, and Marie Hollein of FEI).

For more on applying a top-down and risk-based approach (as required by PCAOB and SEC) to the COSO 2013 update, please see my May post on the topic. I cover it in detail in my SOX book for the IIA.

Protiviti reports that a large number of companies have, presumably with Audit Committee approval, asked the internal audit team to provide SOX project management and leadership. That is consistent with my reading of the market, from my SOX training classes and interactions on social media.

Protiviti did not address how many internal audit departments are performing SOX testing on behalf of management. My reading is that the majority of organizations are doing this, but in contrast with the early years of SOX they now have sufficient resources to do both SOX testing and their normal internal audit work.

Protiviti also did not address the extent of external auditor reliance on management testing, especially where performed by internal audit. They pointed out that the PCAOB, in their October 2013 report, criticized the external audit firms for failing to document their reasons for assessing management testing to be sufficiently competent and objective for them to place reliance. Protiviti seems to assume that as the firms address this issue they will tend to reduce reliance on management testing. I fail to follow their logic.

I am pleased to report that I am now finding a number of companies where the external auditors are placing reliance on management testing for as much as 80% of the key controls work.

Another area where I tend to disagree with Protiviti is in the value of automating controls. Protiviti sees this as a significant opportunity, presumably because automated controls only need to be tested once instead of the multiple tests required of manual controls. But, this argument overlooks both the high cost of testing automated controls and the fact that they bring into scope more IT general controls risks.

However, overall Protiviti has continued to provide valuable insights into the state of SOX compliance and their report is a useful read.

I welcome your comments.

My tolerance for risk appetite is fading

June 2, 2014 11 comments

It is amazing to me that one of my most popular blog posts every month is “Just what is risk appetite and how does it differ from risk tolerance?”, which I wrote over four years ago, in April 2011!

In that and several subsequent posts (notably “What is your risk appetite?” from September 2013, “The tricky business of risk appetite: a check-the-box chimera or an effective guide to risk-taking?” from August 2012, “COSO Contributes to Thought Leadership on Risk Appetite” from January 2012, and “New guidance on risk appetite and tolerance” from September 2011) I have expressed my preference for the concept of “risk criteria” used by the ISO 31000:2009 global risk management standard.

I have also said, over and over again, that unless and until any statement of overall organizational risk appetite is linked to guidance that enables decision-makers across the organization to take desired levels of risk, the idea is not working.

In fact, making people believe they have effective risk management because they discuss a point-in-time list of so-called “top risks” and set limits for those few risks is making them believe in fairies.

It is setting them up to be surprised and for a failure to deliver success.

Now PwC has published a piece, “Board oversight of risk: defining risk appetite in plain English”.

I was hoping to see new thinking that would help organizations and their boards manage risk effectively.

Instead, while PwC says that risk appetite “is not a new concept but one that can be confusing”, I don’t believe they have succeeded in removing any of that confusion.

For example, while the piece talks about understanding an organization’s “exposure” and reducing “risk to an acceptable level”, it also points out (correctly) that organizations need to take care that they don’t take too little risk! (I am not going to bring into this discussion whether risk is the effect of uncertainty, positive and/or negative, on objectives. For purposes of this post, I am going to use the term ‘risk’ the way COSO does, as a negative with opportunity as the positive effect of uncertainty.)

I am not going to dwell on the PwC piece in detail, but instead want to bring out a few major points:

  • It is important for the board, as recommended by PwC, to understand and debate which risks the management team assesses as being the most important to monitor and address.
  • It is also important for the board, as expressed in the paper, to understand and agree with management how they will determine the type and level of risks they should and should not be taking. (You can call this risk appetite; I prefer to call it risk criteria.)
  • Even more important, and not mentioned as far as I can tell in the paper, is for the board to obtain assurance (from internal audit, preferably) that the management team has effective processes for identifying, assessing, evaluating, and treating risk as an integral part of running the business. Risk is not limited to what is included in a point-in-time list presented to the board. Risk is created and modified by every business decision, and the potential effects of uncertainty need to be integrated into every decision-making process, from the setting and monitoring of strategy and performance, to the decisions made by front-line employees every day. (By the way, I do not support in any way an internal audit of a point-in-time list of risks; that provides little assurance that management’s continuing processes for managing uncertainty across the organization are what they need to be for the organization to succeed.)
  • If all the board is doing is reviewing a static, point-in-time list of risks and determining what are acceptable levels for those risks, it is reviewing a small subset of risks that is most likely already out of date. Furthermore, its focus may be on the horizon just as the organization is about to step off a cliff. Relatively minor decisions, such as the outsourcing of maintenance and operations of an oil rig in the Gulf, will never rise to the level of board attention but can be sources of massive damage.
  • A risk appetite statement (some use other expressions, such as a risk appetite framework) has limited value if the people making decisions are not guided as to how much risk to take. All it does is create a target for a level of risk that can be compared (after the fact) to the levels of risk actually taken, but doesn’t stop people taking more risk (or less risk) than the board and top management desire. A risk appetite statement will not tell a procurement manager whether to accept a bid from a vendor that has the lowest price but not the highest reputation for quality and reliability, whether to allocate purchases among several vendors (at collectively higher cost but increased reliability), whether to implement additional quality control measures (at a cost) to address potential quality issues, or take another approach. A risk appetite statement will not tell a hiring manager whether to select the highest cost but most experienced employee, or to take the inexperienced individual who will help him stay within budget.
  • Risk appetite is not a single number. Every area is different and may well need different criteria to establish what is acceptable, from employee safety to cash flow, exchange rate exposure, customer credit risk, investment risk, the loss of key employees and customer relationships, supply chain disruption, quality manufacturing issues, data center disruption, vendor price increases, theft of intellectual property, litigation, brand and corporate reputation, capital project completion, and more.
  • Risk criteria used to evaluate and determine how to respond to risk include but are not limited to values for risk appetite and tolerance. (COSO ERM says this as well.) For example, I would expect companies to be more willing to accept downside risk as the potential for profit increases. Would you be equally willing to accept (a) a 20% likelihood of a $50 loss if there is an 80% likelihood of a $50 gain, (b) a 20% likelihood of a $50 loss if there is an 80% likelihood of a $500 gain, or (c) a 20% likelihood of a $50 loss with an 80% likelihood of a $5 gain?
  • Risk criteria should include not only values for risk, but other attributes. For example, COSO’s ERM Framework says “Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.” It continues with “an entity that has set a target of a customer satisfaction rating of 90% may tolerate a range of outcomes between 88% and 95%. This entity would not have an appetite for risks that could put its performance levels below 88%.” However, in my experience managers might well be willing to accept a 2% chance that performance levels fall below 88% if there is an 80% chance that customer satisfaction might exceed 95%. Risk criteria should reflect both impact and likelihood, not just one or the other.
  • Other attributes that should be considered include the speed of onset of the adverse effect (a negative impact that hits the organization faster than it is able to respond and cushion the impact is less acceptable than one that comes at a pace that enables a considered response), the duration of the negative effect, the corporate culture and social environment, and more.
  • Risk appetite is not, or at least should not be, set in stone. For example, as the economy thrives, a company may be willing to take a higher level of customer credit risk.
  • Those responsible for making decisions – and decisions are where risks are ‘taken’ – need guidance as to the level of risk they can accept. It’s not enough to have statements by the board and top management that don’t translate into how risk is managed as part of daily business. Acceptable risk levels have to be communicated to and understood by all decision-makers, who also need the tools to measure and understand the risks they may be evaluating.
  • The consideration and discussion of risk by the board has to be integrated with its discussion of strategy. The choice of strategies should be based, in part, on an understanding and appreciation of risk. Performance and the execution of strategy are only successful when those risks, and new ones that may appear, are understood and addressed. Further, the organization should be prepared to shift strategies as risks change.
  • You can’t do this with spreadsheets. If managers are going to intelligently accept downside risks, and executives are going to be able to measure and monitor risk across the enterprise and compare it to acceptable levels, you need an enterprise-wide risk management solution.

This is, indeed, a complex topic and boards must be extremely careful not to oversimplify.

Believing that you have effective risk management because you agree with management’s point-in-time list of so-called “top risks” and have agreed on the organization’s appetite for those risks is believing in fairy tales.

My advice is for the board to understand and become comfortable with management’s ongoing process rather than spend much time reviewing a point-in-time list of risks.

Challenge management on the points I list above. Are you satisfied, not just with the list of risks that management chooses to share with you, but that management addresses the potential effects of uncertainty as it manages the business – at all levels – every day?

Will it step off a cliff as it looks only at the horizon, the few risks on that list?

Separately, I understand that COSO is considering a project to update its COSO ERM Framework, now that it has updated the Internal Control – Integrated Framework. I support such an endeavor and suggest that they consider:

  • How managers can be guided to make risk-intelligent decisions every day.
  • Moving from risk appetite to risk criteria, so that other issues (such as speed of onset, duration of effect, and so on) are considered when evaluating risks.
  • Moving towards convergence with the ISO 31000:2009 global risk management standard. One step would be to redefine risk and uncertainty as the potential effects of uncertainty on objectives – a compromise definition I propose between that in ISO and that in COSO today.

I welcome your comments. My tolerance for risk appetite statements without guidance to enable risk-intelligent decisions is fading to black. How is yours?

Protiviti provides insights into COSO 2013

May 3, 2014 11 comments

The latest publication from Protiviti with answers to Frequently Asked Questions about the Updated COSO Internal Control Framework has some excellent content.

Protiviti emphasizes the continuing need to embrace the top-down and risk-based approach in determining the scope of the SOX program. I like that and congratulate them for emphasizing that point.

However, they have also suggested (as has pretty much everybody else) that companies should map controls to the 17 COSO Principles.

I have expressed my disagreement with the idea of identifying controls to include in the SOX scope before determining whether there is a risk (at least a reasonable possibility of a material error or omission in the financial statements filed with the SEC) that needs to be addressed.

However, it is useful on general principles to consider all the Principles and discuss them with senior management and then with the Board (or audit committee).

The Principles are important, if not essential, to a system of internal control that addresses risks to the more significant objectives of the organization. It is very difficult to argue that they don’t represent good business practices.

But when it comes to the SOX scope, the regulators have said that you can assess the system of internal control as effective if there are no material weaknesses.

How do you reconcile that with the commandments in COSO 2013 that the system of internal control is effective when:

(a) It provides reasonable assurance that risks to objectives are at acceptable levels. (Unfortunately, many consultants, trainers, and commentators have overlooked the COSO text that puts this requirement first, before talking about components and principles),

(b) The components are present and functioning and working together, and

(c) All relevant principles are present and functioning?

A couple of observations:

(a) You can assess the components as present and functioning if you have assessed the principles as present and functioning.

(b) You can assess the principles as present and functioning if any deficiencies are less than “major” (i.e., represent less than a significant risk to the achievement of the objective). In other words, if you don’t have a deficiency relating to the principle that would be assessed (using traditional SOX control deficiency methods) as a material weakness, you can consider the principle as present and functioning.

In one section, Protiviti suggests that if you have a deficiency such that you assess the principle as other than present and functioning, you have a material weakness. I think that is circular thinking. You don’t assess the principle as less than present and functioning unless there is a deficiency that you assess as (in SOX terms) a material weakness. So it’s not the fact that the principle is defective that leads to the material weakness; it’s the material weakness that leads to the principle being defective.

Many of the controls required to address the principles are of the type discussed by the regulators as “indirect entity-level controls”. When these fail, their effect is not to create risk to the financial statements directly; their effect is to increase the level of risk that other controls will fail.

If there is less than a reasonable possibility that, as a result of the indirect control failing, one or more direct controls will fail and lead to a material error or omission, then the failure of the indirect control should not be considered a material weakness.

So, you need to know your direct control population before you can assess potential indirect control deficiencies. Let’s take an example and consider two of the Principles:

13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.

Any company generates and communicates a massive volume of information. However, what we are concerned about for SOX (in fact for any objective) is whether the individuals performing key controls have the information they need to perform those controls reliably. In order to assess whether this Principle is present and functioning, you need to assess it in relation to your key controls – and for that you need to know what they are.

The same thing applies to Principle 4: “The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.” Here, we are concerned about the competency of the individuals performing and responsible for our key controls. We all know that even a world-class HR department doesn’t mean that every employee is world class, so I for one would have difficulty placing reliance on HR processes. I need to assess competency as part of assessing each key control.

By the way, Protiviti (and PwC) suggest that there are multiple objectives when it comes to SOX. I have one: “the financial statements that are filed with the SEC are free of material error or omission”. This single objective covers all the objectives they have suggested. For example, compliance with accounting standards is necessary to have the financials free of material error.

I have previously shared my approach to this issue of integrating the COSO 2013 Principles into the top-down and risk-based approach. It is explained in more detail, principle by principle, in my SOX book (available from the IIA Bookstore and Amazon).

The more I talk about my approach with regulators, firm partners, COSO leaders, and senior practitioners, the more I think it is common sense and practical.

So here’s a refinement for those who have already mapped controls to the principles.

Take each of the controls that have been determined as necessary to address the principles and ask this question:

“If this control failed, would it represent at least a reasonable possibility that a material error or omission in the financial statements filed with the SEC would not be prevented or detected on a timely basis?”

If the answer is no, then you may at your discretion remove this control from the SOX scope. If it failed it would not cause the principle to fail; there would be no material weakness.

Remember that the SEC and PCAOB have directed that the scope only needs to address the risk of a material misstatement. Going further is a choice.

Should your external auditor, consultant, or other advisor ask that you include a control “because it is necessary to meet COSO requirements” or because “it is necessary to meet our firm requirements”, ask them this:

“Why? Where is the risk? If it failed, would it lead to a material weakness?”

I welcome your comments.

A Rant about the GRC Pundit’s Rant

April 18, 2014 24 comments

Michael Rasmussen, a.k.a. the GRC Pundit, is a friend whose intellect, integrity, and insights I respect. He and I, together with another friend, Brian Barnier, were the first three to be honored as OCEG Fellows for our thought leadership around GRC.

Michael and I have had many a debate on the topic of GRC. Michael brings the perspective of an analyst that works with many companies, helping them select and implement software solutions. That is his business: he refers to himself (GRC 20/20 Research, LLC) as a “buyer advocate; solution strategist; and market evangelist”. His latest blog, GRC Analyst Rant: Throwing Down the GRC Analyst Gauntlet, inspired me to write this one.

My background is very different, having been a practitioner and executive responsible for many of the business activities he supports – in other words, I might have been one of his customers. My focus is on helping business run better – and that frequently but not always involves the judicious use of technology.

Michael and I agree on a number of points, disagree on others. For example, I believe he and I agree that:

  • The term ‘GRC’ is one that is interpreted in many ways.
    • When I ask practitioners within a company what they mean when they use the term, most say it stands for ‘governance, risk, and compliance’ but cannot explain why anybody would use that term to describe the totality implied by the expression; they may wave their hands in the air and say “what does GRC mean? You know…. it means GRC”. They cannot explain why they don’t refer to governance, or governance and risk management, or risk management and compliance. Sometimes they talk as if GRC is something in the air, something related to the culture of the organization as much as anything else.
    • When I ask people at the IIA, they say it stands for ‘governance, risk, and controls’; in other words, the totality of what internal auditors work on. I don’t personally see anything new in this, nor any value in using the term. In fact, using it with ‘controls’ instead of the more common usage of ‘compliance’ is only going to confuse.
    • When I talk to software vendors, they either describe their software solutions (as if GRC is technology) or describe the business solutions that their technology supports.
    • When I read papers from consultants, I find that if I substitute the phrase ‘risk management’ every time they say ‘GRC’, the piece makes more sense. In other words, they are usually talking about risk management but for some reason (some would say to hype the discussion) they use the term GRC instead.
    • When I talk to the people at OCEG and those who follow OCEG and its definition of GRC, they use a definition that makes more sense. That definition adds value by emphasizing the needs for all parts of the organization to work together.
  • GRC is not about technology. It is about (as I said last year) “how we can optimize outcomes and performance, addressing uncertainty (risk management) and acting with integrity (regulatory compliance and organizational values)”.
  • The key to optimizing outcomes is for management (with board approval) to set the appropriate strategies, objectives, and goals, and then everything flows from there: managing risks to strategies, managing performance against strategies, and acting with integrity (which includes compliance with applicable laws and regulations) at all times.
  • No technology vendor (not even SAP and Oracle, who have the greatest breadth and depth of solutions IMHO) has a complete solution that addresses all GRC needs. The last time I said that, in a September post, several vendors wrote to tell me they had everything. But, they simply didn’t. They have everything that they chose to call GRC, but none included strategy management, support for governance activities like board packages and whistleblower lines, risk management including automated and integrated key risk indicators, compliance training and monitoring, performance management, legal case management, and so on.
  • The analysts like Gartner and Forrester have a business model where they need to define technology using buckets. But those buckets do not reflect what individual companies actually need, so their analyses and ratings may be interesting but may well steer organizations to acquire solutions (such as a so-called ‘EGRC platform’) that are not the best use of scarce resources. I would not advise any organization to base their purchase decision on an analyst rating of ‘GRC’, ‘EGRC’ or other made-up bucket of fish.

Where I believe we differ is that I do not advocate the use of the term ‘GRC’.

As I implied, if not explicitly stated, in my post last November, I believe that if the term ‘GRC’ is not dead (and apparently it lingers on), then it should be put to death.

I do not see the value in business people talking about GRC. I have said before and will say again, managers should look to fixing the processes they know need work.

For example, few organizations have effective processes for developing strategies and objectives at the corporate level, cascading them down throughout the organization so every individual knows what they need to do if the organization is to succeed, and minimizing individual objectives that are not clearly necessary to corporate achievement – then rewarding individuals, at least in part, for performance against those cascaded objectives. I have worked at several organizations where we were told what the corporate objectives were and asked to link our personal objectives to them. That is not the same thing. That is tying our personal objectives onto a branch of the corporate objectives, rather than making sure that all the roots of that corporate objective tree are healthy – even when we should be responsible for the health of a root or two.

Another example is the effectiveness of risk management. Most organizations practice enterprise list management at best (i.e., they manage a limited number of risks on a periodic basis), when mature risk management that is dynamic, iterative, and responsive to change, integrated into decision-making at all levels of the organization and into every aspect of daily operations, is essential to success.

Does using the term ‘GRC’ mean anything useful for internal auditors? No. They should continue to “up their game” from a focus on controls and risks that matter to operating management, to providing assurance and insight on organizational governance and risk management.

Effective GRC for OCEG means the integration, among other things, of strategy and risk management. But how many organizations do that well? How many executives receive and manage their area using an integrated report or dashboard that shows for each of their strategies both the current level of performance and the current state of related risks? How many executives see that not only have they accelerated up to the desired level of 100kph but are less than 100m from hitting a brick wall?

So here’s my recommendation to all: stop talking about GRC and start talking the language of the business. Let’s talk about how we can increase value to stakeholders, address potential obstacles and seize opportunities to excel, act with integrity and remain in compliance with current and anticipated regulations, and manage the organization to success.

Don’t try to fix GRC. Fix those parts of the business, those business processes, that are broken.

Good Riddance grC.

I welcome your comments.

The Practitioner Leader

April 6, 2014 5 comments

Being a leader means taking risks. Nobody leads if they sit in their office reviewing files and talking to their staff on the phone.

No, true leaders are people who are followed.

Who is followed? The leader that inspires you to grow and be fulfilled; the individual that people listen to and who is able to motivate change; the manager that listens to you more than he talks to you; the one that other leaders and people you respect look up to.

Any practitioner, whether staff or management, can be a leader.

But it takes being willing to take some risks.

Acknowledge what you don’t know and find ways to learn what you need to know.

Keep your mouth shut when you need to listen (which is the majority of the time) and only open it when you have something useful to say.

It means being willing to share your professional opinion based on business grounds without hiding behind professional standards or firm policies.

It means being willing to share both the bad and the good news, even when that will be unpopular or meet resistance from executives. (Why are we so reluctant to say things are done well?)

Everybody should be able to see the elephant in the room after we have given our report.

It means taking a new approach when that is better than what is “customary”, and showing the path to others.

Leaders don’t keep knowledge to themselves. They are open and willing, without bragging, to share and enable the whole team to grow.

A leader puts the priorities of others alongside or even ahead of his own. Your problem is their problem.

Leaders not only care about others but are known to care.

Are you a leader? Do you know how to improve your leadership skills?

I welcome your comments.

Missing the boat on IT and technology

March 29, 2014 8 comments

When you look at surveys of CEOs, such as the ones by PwC in 2014, McKinsey in 2013 and IBM in 2012, they reflect what we should all know: that the innovative use of technology is one of, if not the primary, enabler of business innovation these days. Whether it’s connecting with the customer (as referenced by IBM), obtaining market insights (through analytics including Big Data analytics – see this discussion of a McKinsey report), or simply finding new ways to deliver products and services to customers, technology is a critical driver of business success.

As PwC says:

“CEOs told us they think three big trends will transform their businesses over the next five years. Four-fifths of them identified technological advances such as the digital economy, social media, mobile devices and big data. More than half also pointed to demographical fluctuations and shifts in economic power.”

“The smartest CEOs are concentrating on breakthrough, or game-changing, innovation. They’re explicitly incorporating it in their strategies. And they’re using technology not just to develop new products and services, but also to create new business models, including forging complete solutions by combining related products and services. In fact, they don’t think in terms of products and services so much as outcomes, because they recognise that products and services are simply a means to an end.”

“Breakthrough innovation can help a company rewrite the rules and leapfrog long-established competitors.”

Organizations that fail to leverage new technology are likely to be left behind by customers and competitors. In an ISACA report on Big Data, the point was made that failing to take a risk with new technology is very often a greater risk than any risks created by the new technology.

(Please see these earlier posts on IT Risk and Audit, Deloitte says mid-market companies are using new technology to great advantage, and Digital Transformation.)

Now we get a couple of reports and discussion documents that indicate that companies, executives, and consultants that aim to guide them are all missing the boat!

A new report from McKinsey, IT Under Pressure, says that dissatisfaction with IT’s effectiveness is growing. They start the report with:

“More and more executives are acknowledging the strategic value of IT to their businesses beyond merely cutting costs. But as they focus on and invest in the function’s ability to enable productivity, business efficiency, and product and service innovation, respondents are also homing in on the shortcomings many IT organizations suffer. Among the most substantial challenges are demonstrating effective leadership and finding, developing, and retaining IT talent.”

McKinsey points out that in their survey only 49% felt IT was effective when it came to helping the organization introduce new products and 37% said IT was effective in helping enter new markets.

Even IT executives said that they were failing when it came to driving the use of technology and innovation: just 3% were fully effective and only 10-17% very effective in related areas.

Fully 28% of IT executives and 13% of other executives came clean and said the best way to fix the problem was to fire current IT leadership!

I suggest reading the entire McKinsey piece and considering how it relates to your organization.

Deloitte’s prolific thought leadership team has weighed in with advice for the CFO, who often has IT within his organization. Evaluating IT: A CFO’s perspective starts with some good points:

“Ask finance chiefs about their frustrations with information technology (IT), and you are bound to get an earful. Excessive investments made. Multiple deadlines missed. Little return on investment (ROI) achieved. The list goes on.

“To complicate matters, many CFOs simply do not know if chief information officers (CIOs) are doing a good job. What exactly does a good IT organization look like anyway? How should IT be evaluated? And what are the trouble signs that the enterprise is not prepared for the future from a technology standpoint?”

But then they stray from the need to get IT to drive the effective use of new technology for both strategic and tactical advantage. Instead, they focus on “IT is typically the largest line item in selling, general, and administrative expense.”

This is the attitude, managing cost at the potential expense of the business, which gives CFOs a deservedly bad name!

I will let you read the rest of this paper, but when the first question it suggests for CFOs to use in assessing IT performance is “Have you tested your disaster plan”, I am more prepared to fire the CFO who asks that as his first question than I am to fire the poor CIO who reports to him.

My first question for the CIO is “How are you enabling the organization to innovate and succeed?”

PwC asks some good questions as well:

  • What are you doing to become a pioneer of technological innovation?
  • Do you have a strategy for the digital age? And the skills to deliver it?
  • How are you using ‘digital’ as a means of helping customers achieve the outcomes they desire – rather than treating it as just another channel?

Risk and internal audit professionals should consider whether the risk of missing the technology boat is at an unacceptable level in their organization.

Board members should ask how the leaders of IT are working with the business to understand and use technology for success.

CFOs should worry less about the cost of IT and worry more about the long-term viability and success of the organization if they become barriers to strategic investment.

I welcome your comments.

The continuing failure of the risk appetite debate to focus on desired levels of risk

March 22, 2014 12 comments

I have written often and with passion about the concepts of “risk appetite” and “risk tolerance”. In order of date, from earliest to latest:

I am drawn to write about this flawed concept yet again by two developments. First, a respected risk practitioner told me that he has found that in many banks (and presumably other financial services companies) the board agrees on risk limits and appetite statements with management, but those limits are not shared with everybody that has day-to-day responsibility for running the business and staying within desired levels of risk.

This is the primary area with which I have a problem when it comes to the idea of a risk appetite statement. Something that satisfies the needs of the board and top management to establish and monitor aggregate risk across the enterprise fails if it does not direct the actions of those people who are taking risk every day, not only in transactions but in decision-making.

Then, my good friend (and that is an honest statement with which I believe he will agree) Jim DeLoach of Protiviti penned a piece on risk appetite and tolerance for Corporate Compliance Insights.

Jim shares some truths:

“Risk levels and uncertainty change significantly over time. Competitors make new and sometimes unexpected moves on the board, new regulatory mandates complicate the picture, economies fluctuate, disruptive technologies emerge and nations start new conflicts that can escalate quickly and broadly. Not to mention that, quite simply, stuff happens, meaning tsunamis, hurricanes, floods and other catastrophic events can hit at any time. Indeed, the world is a risky place in which to do business.”

“Value creation is a goal many managers seek, and rightfully so, as no one doubts that successful organizations must take risk to create enterprise value and grow. The question is, how much risk should they take? A balanced approach to value creation means the enterprise accepts only those risks that are prudent to undertake and that it can reasonably expect to manage successfully in pursuing its value creation objectives.”

But then the discussion veers towards the too-common misperception that the only limit that should be set on risk is the upper level – a constraint that stops management from taking too much risk.

In fact, as Jim points out, companies will only succeed if they take risk: “a company may choose to drive growth through extending more credit to its customers, entering certain third-world markets or investing in a completely different line of business”.

So, it is important to ensure that not only does management not take on too much risk, but they do not act timidly and fail to take on the risk that will drive performance and value creation.

I know Jim well and have total confidence that he appreciates that companies need not only ceilings but floors on the levels of risk they should take (and not limit their risk criteria to quantitative factors) to ensure they are taking the right risks.

I just wish his paper focused less on the negative (with comments like “What ceilings are placed on capital expenditures, M&A activity, R&D and other investments? In what areas are there policy restrictions (e.g., avoidance of certain markets and use of certain financial instruments)?”) and helped organizations recognize when to take more risk.

I also wish that Jim brought into his pieces a greater appreciation of the perspective on risk and uncertainty reflected in the ISO 31000:2009 global risk management standard, instead of limiting himself to the concepts (some of which, like risk appetite, I believe to be flawed) of COSO ERM.

I welcome your comments.

Please see this related story about an internal auditor that recommended that the company consider taking on more risk.

New Paper on Risk Assessment and the Audit Plan

March 15, 2014 14 comments

One of the software vendors that have been providing solutions for internal auditors for many years is Thomson Reuters. With annual revenues of nearly $13 billion, they are one of the few large software companies in this space. So when they speak, I tend to pay attention.

Thomson Reuters recently published a paper written by a former senior manager with E&Y. Entitled “Get Your Internal Audit Risk Assessment Right This Year” (registration required), the paper purports to share best practices for internal audit risk assessment.

Unfortunately, it fails to deliver on that promise.

While it includes some useful guidance for the discussions every internal audit team should have with management, it barely touches the surface of the issue.

I do agree with this statement: “the Internal Audit Risk Assessment presents an oft-missed opportunity for internal auditors to understand their organization’s evolving objectives and implement a more dynamic risk-based approach to the internal audit process.”

The last sentence in the report starts to get to the real point: “With no sign of the pace of changes affecting your organization slowing down, internal audit’s risk assessment must be dynamic, not static, and needs to be improved from year to year, using a top down approach, beginning with management interviews and input.”

Here are the two main problems with that last sentence:

  1. The internal audit assessment of risk and updating of the internal audit plan should be far more frequent than the annual cycle implied by the report. Many departments are moving to a quarterly update, and best practice (in my opinion, and one I personally followed) is a rolling quarterly plan that is updated as often as the risks change.
  2. While management interviews and input are useful, they are hardly the best place to start. The internal audit team should understand whether and how the organization as a whole has identified the more significant risks to the achievement of its objectives. While not clearly stated in this report, I will give credit to the author for understanding that internal audit should focus on risks to the organization as a whole, and not risks to a location, business unit, or process. However, the organization’s risk management program is not mentioned as a source of information that drives, at least in part, the audit plan! It is also essential that internal audit has a deep understanding of the business, its processes, systems, and organization, sufficient to challenge management’s assessment of risk – or make its own assessment when there is no ERM in place.

My recommendation: read the report for tips on how to interview management. But, go into that set of discussions with either the organization’s risk ‘register’ or another document that can drive a discussion about which are the risks to the organization that matter – and where the assurance and consulting/advisory services provided by internal audit can be of value. (I have shared a number of files on Box, including a Risk Universe slide you may find useful. Please go to this tab on my web site to download.)

Ask yourself this: do your internal audit plan and the process around it ensure that appropriate engagements are performed on the risks that matter to the organization, when that assurance or advisory service is needed?

Risk Officers on the Front Lines of the Big Data Analytics Revolution

March 8, 2014 4 comments

I was intrigued to read that when McKinsey gathered together “eight executives from companies that are leaders in data analytics … to share perspectives on their biggest challenges”, they included not only chief information officers and marketing executives, but the chief risk officer from American Express.

The McKinsey Quarterly report that reviews the discussion doesn’t have any ground-breaking revelations. They say what has been said before, although it is still important for all of us to understand the enormous potential of Big Data Analytics.

One key point is that the existence of Big Data by itself has very limited value. It’s the ability to use emerging technology (from companies like SAP, Oracle, and IBM) to not only mine the data but deliver insights at blinding speed (using in-memory technology) that will bring amazing results.

But I was looking for more, which I explain after these quotes.

Big-data analytics are delivering an economic impact in the organization… The reality of where and how data analytics can improve performance varies dramatically by company and industry.

Companies need to operate along two horizons: capturing quick wins to build momentum while keeping sight of longer-term, ground-breaking applications. Although, as one executive noted, “We carefully measure our near-term impact and generate internal ‘buzz’ around these results,” there was also a strong belief in the room that the journey crosses several horizons. “We are just seeing the tip of the iceberg,” said one participant. Many believed that the real prize lies in reimagining existing businesses or launching entirely new ones based on the data companies possess.

New opportunities will continue to open up. For example, there was a growing awareness, among participants, of the potential of tapping swelling reservoirs of external data—sometimes known as open data—and combining them with existing proprietary data to improve models and business outcomes.

Privacy has become the third rail in the public discussion of big data, as media accounts have rightly pointed out excesses in some data-gathering methods. Little wonder that consumer wariness has risen.

Our panelists presume that in the data-collection arena, the motives of companies are good and organizations will act responsibly. But they must earn this trust continually; recovering from a single privacy breach or misjudgment could take years. Installing internal practices that reinforce good data stewardship, while also communicating the benefits of data analytics to customers, is of paramount importance. In the words of one participant: “Consumers will trust companies that are true to their value proposition. If we focus on delivering that, consumers will be delighted. If we stray, we’re in problem territory.”

To catalyze analytics efforts, nearly every company was using a center of excellence, which works with businesses to develop and deploy analytics rapidly. Most often, it includes data scientists, business specialists, and tool developers. Companies are establishing these centers in part because business leaders need the help. Centers of excellence also boost the organization-wide impact of the scarce translator talent described above. They can even help attract and retain talent: at their best, centers are hotbeds of learning and innovation as teams share ideas on how to construct robust data sets, build powerful models, and translate them into valuable business tools.

What I was disappointed in was a lack of reference to how Big Data Analytics could and should be a fantastic opportunity for risk officers and internal audit executives.

All practitioners should be familiar with the concept of Key Risk Indicators (KRI). A useful paper by COSO defines KRI:

“Key risk indicators are metrics used by organizations to provide an early signal of increasing [ndm: they should have said ‘changing’] risk exposures in various areas of the enterprise. In some instances, they may represent key ratios that management throughout the organization track as indicators of evolving risks, and potential opportunities, which signal the need for actions that need to be taken. Others may be more elaborate and involve the aggregation of several individual risk indicators into a multi-dimensional score about emerging events that may lead to new risks or opportunities.”

Some vendors (including MetricStream, IBM, and SAP) are showing us the way in which Big Data Analytics can be used to produce KRIs that are more powerful and insightful than ever before.

However, I am not convinced that practitioners are seizing the opportunity.

I fear that they are concerned about the risks as their organizations embrace Big Data Analytics to drive performance while remaining blind to the opportunity to develop KRIs so that business executives can take the right risks.

I would appreciate your views. Is it a matter of cost? Or are they simply unaware of the potential?

New book on risk management for government decision makers

March 4, 2014 2 comments

The authors of “Managing Risk and Performance: A Guide for Government Decision Makers” were kind enough to send me a copy for my review and comment here. (The above link is to the Kindle edition, but it is also available in hardcover).

Intended for those charged with oversight or performance of the risk management function in government, Stanton and Webster have provided us with a great deal of material to ponder. In addition to their own work, the book has chapters from a number of others – including my good friend, John Fraser.

I confess to being let down by the book. I don’t think it spends enough time talking about the need for decision-makers at all levels to consider the potential effects of uncertainty (both upside and downside), or the need for risk-adjusted performance management. It focuses almost exclusively on the narrow definition of risk as being something bad, rather than including opportunities for success.

But it does have some good information, including how enterprise risk management was implemented in one government agency, and always useful information about Hydro One’s program.

If you are in government and charged with either oversight or execution of the risk management program, this book has value that justifies buying it. Just be aware that there is more to mature risk management than is covered in these 284 pages.

McKinsey talks about a forward-looking board of directors

March 1, 2014 4 comments

The latest edition of McKinsey Quarterly is on the topic of “Building a forward-looking board”.

I like the general theme, that “directors should spend a greater share of their time shaping an agenda for the future”. This is consistent with board surveys that indicate board members would prefer to spend more time on strategy and less on routine compliance and other matters.

The author, a director emeritus of the Zurich office and member of several European company boards, makes a number of good points but leaves me less than completely satisfied.

The good quotes first:

Governance arguably suffers most, though, when boards spend too much time looking in the rear-view mirror and not enough scanning the road ahead.

Today’s board agendas, indeed, are surprisingly similar to those of a century ago, when the second Industrial Revolution was at its peak. Directors still spend the bulk of their time on quarterly reports, audit reviews, budgets, and compliance—70 percent is not atypical—instead of on matters crucial to the future prosperity and direction of the business.

“Boards need to look further out than anyone else in the company,” commented the chairman of a leading energy company. “There are times when CEOs are the last ones to see changes coming.”

Many rational management groups will be tempted to adopt a short-term view; in a lot of cases, only the board can consistently take the longer-term perspective.

Distracted by the details of compliance and new regulations, however, many directors we meet simply don’t know enough about the fundamentals and long-term strategies of their companies to add value and avoid trouble.

Rather than seeing the job as supporting the CEO at all times, the directors of these companies [with prudent, farsighted, and independent-minded boards] engage in strategic discussions, form independent opinions, and work closely with the executive team to make sure long-term goals are well formulated and subsequently met.

Boards seeking to play a constructive, forward-looking role must have real knowledge of their companies’ operations, markets, and competitors.

The best boards act as effective coaches and sparring partners for the top team.

The central role of the board is to cocreate and ultimately agree on the company’s strategy. In many corporations, however, CEOs present their strategic vision once a year, the directors discuss and tweak it at a single meeting, and the plan is then adopted. The board’s input is minimal, and there’s not enough time for debate or enough in-depth information to underpin proper consideration of the alternatives.

While I agree with the forward-looking theme and some of the ideas around such issues as getting the most from the talent within the organization, I am troubled in a few areas:

  1. The detailed discussion on strategy still has a shorter horizon, one year, than I believe optimal. While it is difficult if not impossible to plan further ahead, the organization should have a shared understanding between the board and top executives about how it will create value for its stakeholders over the longer period. There should be more discussions around strategic and other developments (risks and opportunities) that should shape not only long-term but short-term actions.
  2. There is insufficient discussion of the fact that you cannot have a fruitful discussion about strategy without understanding the risks (adverse and potentially positive) in the business environment. What are they today and how will they change tomorrow? How agile is the organization: is it able not only to withstand potentially negative effects (the focus of McKinsey in this piece) but to take advantage of market opportunities? Is it now, and will it be in the future, able to change or adapt strategies established in different conditions?
  3. Many companies are less than agile because they have stuck-in-the-mud executives, unable to pull themselves out due to a lack of vision, legacy systems, and poor information. The boards need to understand this and question management on how they plan to address it – with urgency!
  4. Finally, while the piece discusses the need for effective board and director evaluations, surveys show that it is hard to fire under-performing directors. How can a board succeed in that environment? I think this needs to be on the board agenda if it is to remain forward-looking.

Do you agree? I welcome your comments.

COSO Checklists – Is your audit firm using one?

February 27, 2014 3 comments

If your audit firm is asking you to complete a COSO checklist with the 17 Principles, please let me know a.s.a.p. I am talking to a regulator who would like to know.

Thanks!

Interesting new paper on risk culture

February 22, 2014 18 comments

The topic of risk culture has been receiving a lot of attention ever since it was identified as a cause of many of the problems that led to major issues at financial services organizations a few years ago.

Risk culture drives behavior when it comes to taking the desired risks and levels of risk. As I say in my KEY POINTS section at the end of this post, traditional risk management metrics will tell you whether risk levels are unacceptable, but that is after the fact (of taking the risk) and after damage may have been done!

One learned paper (I was a minor contributor) was published by the excellent Institute of Risk Management. I wrote about the topic in a 2011 blog post, with reference to a couple of excellent articles, and included these quotes:

“The most remarkable finding of the survey is that most risk professionals – on the whole a highly analytical, data rational group – believe the banking crisis was caused not so much by technical failures as by failures in organisational culture and ethics.

Most risk professionals saw the technical factors which might cause a crisis well in advance. The risks were reported but senior executives chose to prioritise sales. That they did so is put down to individual or collective greed, fuelled by remuneration practices that encouraged excessive risk taking. That they were allowed to do so is explained by inadequate oversight by non-executives and regulators and organisational cultures which inhibited effective challenge to risk taking.

Internally, the most important area for improvement is the culture in which risk management takes place (including vision, values, management style and operating principles).”

And….

“Risk Culture is the ‘tone at the top’ shaped by the values, strategies, objectives, beliefs, risk tolerances and attitudes that form how everyone … views the trade off between risk and return. The risk culture … determines how individuals and business units take risks.

While some risk-taking will be governed by rules and controls, much is governed directly by culture – where rules and controls are not effective, fail or where they do not apply.”

I like the definition above, that “Risk Culture is the ‘tone at the top’ shaped by the values, strategies, objectives, beliefs, risk tolerances and attitudes that form how everyone … views the trade off between risk and return. The risk culture … determines how individuals and business units take risks.”

In other words, risk culture is what drives human behavior. That behavior can be, and hopefully is, to take the risks that the organization wants taken. But too often, people react to a situation by taking the ‘wrong’ risk (including taking either too much or too little risk).

Now a new paper has been published. Written by three respected professors, Risk Culture in Financial Organisations tackles the topic in great depth. It doesn’t include a clear (at least to me) definition of risk culture, but I believe that if it did, the definition would be consistent with my discussion above. They certainly talk about the trade-offs and identify many of the same factors that contribute to an organization’s risk culture.

I suspect that readers of the research paper will appreciate the discussions of such matters as whether the risk function should try to be an independent monitor or a partner to the business; whether the risk function is focused on enabling effective decisions to advance the organization, or on compliance; whether organizations know where behaviors and their drivers need to change; and the questions it suggests organizations ask to probe the issues.

I particularly enjoyed some of the quotes the authors included, such as:

“…the leaders of industry must collectively procure a visible and substantive change in the culture of our institutions, so as fundamentally to convince the world once again that they are businesses which can be relied on.”

“…development of a ‘risk culture’ throughout the firm is perhaps the most fundamental tool for effective risk management.”

“The institutional cleverness, taken with its edginess and a strong desire to win, made Barclays a difficult organisation for stakeholders to engage with. Barclays was sometimes perceived as being within the letter of the law but not within its spirit. There was an over-emphasis on short-term financial performance, reinforced by remuneration systems that tended to reward revenue generation rather than serving the interests of customers and clients. There was also in some parts of the Group a sense that senior management did not want to hear bad news and that employees should be capable of solving problems. This contributed to a reluctance to escalate issues of concern.”

“The strategy set by the Board from the creation of the new Group sowed the seeds of its destruction. HBOS set a strategy for aggressive, asset-led growth across divisions over a sustained period. This involved accepting more risk across all divisions of the Group. Although many of the strengths of the two brands within HBOS largely persisted at branch level, the strategy created a new culture in the higher echelons of the bank. This culture was brash, underpinned by a belief that the growing market share was due to a special set of skills which HBOS possessed and which its competitors lacked.”

“In contrast to JPMorgan Chase’s reputation for best-in-class risk management, the whale trades exposed a bank culture in which risk limit breaches were routinely disregarded, risk metrics were frequently criticised or downplayed, and risk evaluation models were targeted by bank personnel seeking to produce artificially lower capital requirements.”

“Culture has played a significant part in the development of the problems to be seen in this Trust. This culture is characterised by introspection, lack of insight or sufficient self-criticism, rejection of external criticism, reliance on external praise and, above all, fear….from top to bottom of this organisation. Such a culture does not develop overnight but is a symptom of a long-standing lack of positive and effective direction at all levels. This is not something that it is possible to change overnight either, but will require determined and inspirational leadership over a sustained period of time from within the Trust.”

“Absent major crises, and given the remarkable financial returns available from deepwater reserves, the business culture succumbed to a false sense of security. The Deepwater Horizon disaster exhibits the costs of a culture of complacency… There are recurring themes of missed warning signals, failure to share information, and a general lack of appreciation for the risks involved. In the view of the Commission, these findings highlight the importance of organizational culture and a consistent commitment to safety by industry, from the highest management levels on down.”

Simons’ Risk Exposure Calculator (1999) is composed of 12 keys that reflect different sources of pressure for a company. Managers should score each key from 1 (low) to 5 (high). ‘Alarm bells’ should be ringing if the total score is higher than thirty-five. The keys are: pressures for performance, rate of expansion, staff inexperience, rewards for entrepreneurial risk-taking, executive resistance to bad news, level of internal competition, transaction complexity and velocity, gaps in diagnostic performance measures, degree of decentralised decision-making.

“You go to a management meeting and you talk about management issues and then you go to a risk committee and you talk about risk issues. And sometimes you talk about the same issues in both but people get very confused and I don’t know … I don’t know how right it is but I really think you should be talking about risk when you talk about your management issues because it kind of feels to me again culturally that’s where we are.”

“Too many bankers, especially at the most senior levels, have operated in an environment with insufficient personal responsibility. Top bankers dodged accountability for failings on their watch by claiming ignorance or hiding behind collective decision-making. They then faced little realistic prospect of financial penalties or more serious sanctions commensurate with the severity of the failures with which they were associated. Individual incentives have not been consistent with high collective standards, often the opposite […] Remuneration has incentivised misconduct and excessive risk-taking, reinforcing a culture where poor standards were often considered normal. Many bank staff have been paid too much for doing the wrong things, with bonuses awarded and paid before the long-term consequences become apparent. The potential rewards for fleeting short-term success have sometimes been huge, but the penalties for failure, often manifest only later, have been much smaller or negligible. Despite recent reforms, many of these problems persist.”

This is clearly the work of academics, and practitioners may find the long piece hard to digest. However, the authors have tried to be practical, and if you focus on the questions at the end of each section there is some good material.

KEY POINTS

In particular, focus on the underlying message. In my reading, it is essential that management and boards of organizations, including but not limited to the risk office, understand how behavior is being driven when it comes to taking desired risks – and levels of risk.

  • Are the positive influencers, like policies and related training, effective?
  • Are the potentially negative influencers, such as short-term financial incentives, understood and mitigated?

This understanding should then be used to assess whether actions need to be taken to improve the likelihood that desired risks will be taken.

Whether you call this risk culture or not, I believe it is very important. Traditional risk management metrics will tell you whether risk levels are unacceptable, but that is after the fact and after damage may have been done!

By the way, the Bibliography is excellent and the publication is worth downloading just to get it!

I welcome your views and comments.