How do we make decisions? Where does ERM fit?

How do you make decisions in your personal life?

How do you decide where to live, which car to buy, and where to go for lunch?

For many of us, the last is the most difficult decision to make in a day!

So let’s think about it.

 

It’s lunch time. Even if your watch didn’t tell you, your stomach is loud.

The first decision is whether you are going to eat at all.

Can you afford the time? Can you afford not to eat, given what lies ahead in your day?

What can you get done if you skip lunch? What will suffer if you don’t?

Did you bring your lunch to work? That would provide a compromise solution: eat while you work. Do you really want to do that and risk getting stains on your papers? Is it accepted behavior or will you be forced to leave your workspace for a lunch room or similar – in which case, time might be saved but the idea of eating and working may not be achieved.

If you have to get some lunch, where do you go?

Do you go where you love the food, or where you can get a quick bite of so-so flavor and be back at work promptly, or do you go somewhere where the food is just OK but at least is relatively quick?

Or, do you gather up some colleagues and have a lunch together? This may help with team spirit and other objectives but would take longer. Maybe your colleagues ‘expect’ you to go with them and failing to do so will affect your relationship with them.

Can you afford the time, given how much work you have and the deadlines given you by your boss?

 

There’s more to the lunch issue (such as how will you get to the restaurant and when you should leave), but let’s leave it there.

 

What we did was consider our current situation and determine whether it was acceptable or not. We decided that it was not, because we needed (and wanted) to eat. The value of eating outweighed the loss of time (sorry, boss).

We then considered all the options, the benefits and downsides of each.

We made a decision.

 

Where was the risk manager with his list of potential harms?

Did we have a separate analysis of the risks from any analysis of the benefits (getting more work done, satisfying the boss, enjoying our food, and being ready for the rest of the day)?

What would you say if one of your colleagues responded to every suggestion about a restaurant by pointing out what could go wrong (bad food, food poisoning, delays getting back, unpleasant service, and so on)?

Would you say he or she was doing their job well and look for a separate colleague to identify and assess all the good things that might happen by going to this or that restaurant?

 

Can risk practitioners continue to be the voice of gloom and expect to be asked to join the CEO for lunch at his or her club?

 

I welcome your thoughts.

Advertisement

Risk appetite in practice

From time to time, I am asked about the best risk management activity I have seen. Perhaps the best overall ERM was at SAP. I wouldn’t say it was perfect but it did include not only periodic reviews but the careful consideration of risk in every revenue transaction (including contracting) and development activity.

The best risk management activity was when I was with Maxtor, a $4b hard drive manufacturing company. It was based in the US but had major operations in Singapore, which is where I saw this.

The head of procurement for the region, a vice president, and his director were evaluating bids to supply the two Singapore plants with critical materials.

Margins in that business were not high, so the effective management of cost was very important indeed.

[David Griffiths has pointed out that my post, as originally written, did not specify the objectives to which we have risks. I am adding them here:

• Procure critical materials at the lowest possible cost to optimize margins
• Ensure timely delivery of critical materials to support manufacturing and timely delivery of finished products to customers with a positive effect on customer satisfaction
• Minimize supply chain disruption risk
• Ensure quality materials so that scrap and rework are minimized, manufacturing is not delayed, costs are contained, and customers are satisfied]

But, there were additional issues or ‘risks’ to consider:

• The choice of a single vendor would increase the likelihood and extent of supply chain disruption if that vendor was hit by floods or other situations that could disrupt its ability to manufacture and deliver.
• If we were dependent on a single vendor, that vendor could demand price increases.
• If we were dependent on a single vendor, we could not switch with agility to another should the single vendor have quality manufacturing problems.
• If the decision was made to select two vendors, the total cost would be likely to increase.
• If two vendors were selected and the supply split between them, there would be less desire for them to make us a priority customer.
• If only two vendors were selected, there would still be significant supply-chain disruption risk.
• If more than two vendors were selected, additional agility would be obtained, but at a cost.
• If more than two vendors were selected, they might be less reliable because they would be less dependent on us as a major customer.

Cost was not the only consideration. Quality, timely delivery, and our agility to respond to any form of disruption were also very important.

The procurement VP gathered together all the potentially affected parties to participate in the decision, including the vice presidents for finance, sales, manufacturing, and quality.

They considered all the options, the consequences of each decision (both positive and negative), and decided to select three vendors and split the allocation between them. They also decided to negotiate backup supply contracts with a couple of other companies.

The decision involved taking a higher level of some risks and lower levels of others.

Basing the decision on whether one risk was too high would not have led to the optimal overall result.

Now, how would a risk appetite statement have helped the VP of procurement?

I believe the answer is “not at all”.

What do you think?

I welcome your comments.

Cyber and reputation risk are dominoes

Anthony Fitzsimmons recently sent me a review copy of his new book, Rethinking Reputation Risk. He says that it “Provides a new perspective on the true nature of reputational risk and damage to organizations and traces its root causes in individual and collective human behavior”.

I am not sure that there is much that is new in the book, but if you want to understand how human behavior can be the root cause (in fact, it is very often the root cause) of problems for any organization, you may find it of interest.

The authors (Fitsimmons and Professor Derek Atkins) describe several case studies where human failures led to serious issues.

Humans as a root cause is also a topic I cover in World-Class Risk Management.

As I was reading the book, I realized that I have a problem with organizations placing separate attention to reputation risk and its management. It’s simply an element, which should not be overlooked, in how any organization manages risk – or, I should say, how it considers what might happen in its decision-making activities.

The same thing applies to cyber risk and even compliance risk.

They are all dominoes.

A case study:

• There is a possibility that the manager in HR that recruits IT specialists leaves.
• The position is open for three months before an individual is hired.
• An open position for an IT specialist who is responsible for patching a number of systems is not filled for three months.
• A system vulnerability remains open because there is nobody to apply a vendor’s patch.
• A hacker obtains entry. CYBER RISK
• The hacker steals personal information on thousands of customers.
• The information is posted on the Internet.
• Customers are alarmed. REPUTATION RISK
• Sales drop.
• The company fails to meet analyst expectations for earnings.
• The price for the company’s shares drop 20%.
• The CEO decides to slash budgets and headcounts by 10% across the board.
• Individuals in Quality are laid off.
• Materials are not thoroughly inspected.
• Defective materials are used in production.
• Scrap rates rise, but not all defective products are detected and some are shipped to customers.
• Customers complain, return products and demand compensation. REPUTATION RISK
• Sales drop, earnings targets are missed again, and …….
• At the same time as the Quality staff is downsized, the capital expenditure budget is cut.
• The Information Security Officer’s request for analytics to detect hackers who breach the company’s defenses is turned down.
• Multiple breaches are not detected. CYBER RISK
• Hackers steal the company’s trade secrets.
• Competitors acquire the trade secrets and are able to erode any edge the company may have.
• The company’s REPUTATION for a technology edge disappears. REPUTATION RISK
• Sales drop. Earnings targets are not achieved, and……..

It is true that every domino and the source of risk to its stability (what might happen) needs to be addressed.

But, focusing on one or two dominoes in the chain is unlikely to prevent serious issues.

One decision at a low level in the company can have a domino effect.

Consider this slide deck by ERM Strategies, Inc. about the Deep Water Horizon disaster.

I welcome your comments.

When to audit business locations

One of the readers of my work sent me this message.

I was reading your article about modern risk based audit [link added] published in the IIA journal. I find the approach very interesting.

In developing my plan I used to do the traditional risk assessment by identifying the audit universe then prioritizing entities based on risk. In your suggested approach, an auditor should start from the company strategy and objectives, identify the risks that jeopardize these objectives (this could be done through risk management) then audit controls related to those risks.

I had a discussion about that approach 4 months back and I got a lot of opposition from CAEs who audit banks. Their opinion is that they have to audit the big branches every year. I would really appreciate your opinion on that as, for some industries, it seems that covering the audit universe is as important as starting from the risks to objectives (such as expansion in a certain country).

I have seen a lot of CAEs surrender to the old approach simply because they are not politically strong to raise big strategic alarms to their board audit committees and senior management.

Apologies for reaching out to you this way, but I’m very passionate about what I do and I would like to learn and implement new good ideas such as the one suggested by you in the IIA journal.

I will start working on my annual plan now changing the lens to start from the risks on objectives and not from the audit universe. I appreciate the opportunity to be able to reach out for you if I had a difficulty in implementing this?

I enjoy the opportunity to mentor others and to evangelize internal auditing, so I replied straight away.

I used to be in internal audit at a bank, in ancient history, and understand the perspective. The idea is that the larger branches are a significant source of risk. I don’t quarrel with that, but how much work do you need to do there – that’s the key question! Do you look at every risk that is significant to the branch, or only those that are significant (in aggregate) to the bank as a whole?

The risk (pun intended) is that by focusing on details at the branch level you miss the big picture. I write about this in my internal audit book. At Solectron, we had about 120 factories (sites) and margins were so small that a serious issue at any one site could be significant to the business as a whole. My predecessor had an audit plan that spent 90% of the time auditing the sites.

Soon after I took over as CAE, I went over to my IT auditor who, like the rest of the team, was preparing for the next site audit. I asked what he was working on – perhaps looking at some analytics to improve his understanding of the business before he arrived. No. He was starting to draft the audit report! He told me that he found the same issues at every site, so he knew in advance what he would find at the next one!

I asked what corrective actions came from his findings and he explained that local management would upgrade the security, etc.

But, when I asked whether he or the former CAE had thought about whether this pervasive problem should be escalated to corporate and the office of the CIO, he said “no”. No audit had been performed of corporate IT, even the corporate IT security function.

Down in the weeds, missing the big picture.

I changed the approach to the one I discuss in my writing. We looked at the business risks to the enterprise should IT fail in some fashion. That led us to audit the way in which the company approached IT security, the leadership and capabilities of the corporate IT function, and so on.

Recently, Paul Sobel and I were on an OCEG webinar and talked about the topic of my book, world-class internal auditing. One of the survey questions asked whether those listening based their audit plans on risks at the location level or at the enterprise level. Unfortunately, the great majority used the ‘old’ approach, but we were heartened to hear that they intended to move to the ‘newer’ enterprise-risk based approach.

Where are you now and are you changing?

What should be audited at each location or within each business process? The risk to the process or the risk to the enterprise?

By the way, look at a related post on the IIA blog (it will appear this week) where a board member says that most internal audit ‘findings’ are mundane. I believe that is due, in part, to auditors being focused on risks in the weeds rather than to the enterprise.

Are you ready for the new technology that will change our world, again?

It’s not that long since we were dismissing the Internet of Things as something very much ‘next generation’. But, as you will see from Deloitte’s collection of articles (Deloitte Review Issue 17), many organizations are already starting to deploy related technologies. I also like Wired magazine’s older piece.

Have a look at this article in the New York Times that provided some consumer-related examples. Texas Instruments has a web page with a broader view, mentioning building and home automation; smart cities; smart manufacturing; wearables; healthcare; and automotive. Talking of the latter, AT&T is connecting a host of new cars to the Internet through in-auto WiFi.

At the same time, technology referred to as Machine Learning (see this from the founder of Sun Microsystems) will be putting many jobs at risk, including analysis and decision-making (also see this article in The Atlantic). If that is not enough, the IMF has weighed in on the topic with a piece called Toil and Technology.

Is your organization open to the possibilities – the new universe of potential products and services, efficiencies in operations, and insights into the market? Or do you wait and follow the market leader, running the risk of being left in their dust?

Do you have the capabilities to understand and assess the risks as well as the opportunities?

Do your strategic planning and risk management processes allow you to identify, assess and evaluate all the effects of what might be around the corner? Or do you have one group of people assessing potential opportunity and another, totally separate, assessing downside risk?

How can isolated opportunity and downside risk processes get you where you need to go, making intelligent decisions and optimizing outcomes?

When you are looking forward, whether at the horizon or just a few feet in front of you, several situations and events are possible and each has a combination of positive and negative effects.

Intelligent decision-making means understanding all these possibilities and considering them together before making an informed decision. It is not sufficient to simply net off the positive and negative, as (a) they may occur at different times, and (b) their effects may be felt in different ways, such as a potentially positive effect on profits, but a negative potential effect on cash flow and liquidity; the negative effect may be outside acceptable ranges.

With these new technologies disrupting our world, every organization needs to question whether it has the capability to evaluate them and determine how and when to start deploying them.

COSO ERM and ISO 31000 are under review and updates are expected in the next year or so. I hope that they both move towards providing guidance on risk-intelligent and informed decision-making where all the potential effects of uncertainty are considered, rather than guiding us on the silo of risk management.

Are you ready?

I welcome your comments.

 

For more on this and related topics, please consider World-Class Risk Management.

Assessing the organization’s culture

It’s difficult to argue that an organization’s culture does not have a huge effect on the actions of its board, management, and staff.

Fingers have been pointed at the culture at GM, Toshiba, a number of US banks, RBS, and more – asserting that problems with the culture of the organization led to financial reporting issues, compliance failures, and excessive risk-taking.

Now, a new report by the Institute of Business Ethics, Checking Culture:  new role for internal audit, “shines a spotlight on the role of internal audit in advising boards on whether a company is living up to its ethical values”.

The authors quote the CEO of the UK’s Chartered Institute of Internal Auditors (UKIIA):

“Through a properly positioned, resourced and independent internal audit function a board can satisfy itself not only that the tone at the top represents the right values and ethics, but more importantly, that this is being reflected in actions and decisions taken throughout the organisation.”

In 2014, the UKIIA published Culture and the role of internal audit.

I strongly recommend reference to both papers.

As usual, I have some concerns.

• While internal audit clearly has a role, why is the assessment of culture not performed by management – specifically by the Human Resources function? Wouldn’t internal audit add more value if it worked with that function and helped them not only assess culture periodically but build detective controls to identify potential problems on a continuing basis?
• There is no single culture within an organization. The UKIIA report includes this great quote: “The problem is; complex organisations, like the NHS [the National Health Service], mean there is no ‘one NHS’. There is a tangled undergrowth of subcultures that, even if they wanted to march in step, probably couldn’t hear the drum beat”.
• Culture has many forms: ethics; risk; performance; teamwork and collaboration; innovative; entrepreneurial; and so on. All of these are critical to success, but they can be in conflict with one another, such as risk-taking and entrepreneurial. Any audit engagement would need to focus on specific areas and know where management and the board draw the line between acceptable and non-acceptable. Taking too little risk can be as damaging as taking too much!
• Culture is very personal! It changes as managers and other leaders change, as business conditions change, and so on. Any audit engagement has to take note that the behavior of decision-makers can change in an instant and any assessment can quickly be out-of-date and misleading. In fact, poor behavior by a tiny fraction of the organization can have massive impact – and this may not be detected by any survey.

Does this mean that internal audit should not have a role? No. They should.

This is my preference:

1. All internal auditors should be aware and alert to any indicators of inappropriate behavior of any kind: from ethical lapses, to excessive risk-taking, to disregard for compliance, to poor teamwork, to ineffective supervision and management, to bias or discrimination, to – you name it.
2. Internal auditors should not be afraid of bringing these issues to the attention, not only of senior internal audit management (so that the need can be assessed for a broader review to determine whether this is an individual, team, or broader problem) but to more senior management and Human Resources so they can take action.
3. The CAE should talk to the CEO and the head of Human Resources and help them establish the proper guidance, communication and training in desired behaviors, as well as periodic assessments and detective controls to assure compliance.
4. The CAE and the CEO should discuss the organization’s culture and its condition with the board (or committee of the board) on a regular basis. My preference is for the CEO to take the lead, with additional information provided by the CAE on internal audit’s related activities and opinion.

For a different spin, check these out:

• What are the most common organizational culture problems?
• 3 Cultural Problems That Cause Good Employees to Go Bad
• 7 signs your organization has a toxic corporate culture
• Risk Culture (Institute of Risk Management)

What do you think the role of audit should be, especially vs. the role of management, when it comes to culture?

Compliance and risk appetite

Recently, a compliance thought leader and practitioner asked my opinion about the relevance of risk management and specifically risk appetite to compliance and ethics programs.

The gentleman also asked for my thoughts on GRC and compliance; I think I have made that clear in other posts – the only useful way of thinking about GRC is the OCEG view, which focuses on the capability to achieve success while acting ethically and in compliance with applicable laws and regulations. Compliance issues must be considered within the context of driving to organizational success.

In this post, I want to focus on compliance and risk management/appetite.

Let me start by saying that I am a firm believer in taking a risk management approach to the business objective of operating in compliance with both (a) laws and regulations and (b) society’s expectations, even when they are not reflected in laws and regulations. This is reinforced by regulatory guidance, such as in the US Federal Sentencing Guidelines, which explain that when a reasonable process is followed to identify, assess, evaluate, and treat compliance-related risks, the organization has a defense against (at least criminal) prosecution. The UK’s Bribery Act (2010) similarly requires that the organization assess and then treat bribery-related risks.

I think the question comes down to whether you can – or should – establish a risk appetite for (a) the risk of failing to comply with rules or regulations, or (b) the risk that you will experience fraud.

I have a general problem with the practical application of the concept of risk appetite. While it sounds good, and establishes what the board and top management consider acceptable levels of risk, I believe it has significant issues when it comes to influencing the day-to-day taking of risk.

Here is an edited excerpt from my new book, World-Class Risk Management, in which I dedicate quite a few pages to the discussion of risk appetite and criteria.

Evaluating a risk to determine whether it is acceptable or not requires what ISO refers to as ‘risk criteria’ and COSO refers to as a combination of ‘risk appetite’ and ‘risk tolerance’.

I am not a big fan of ‘risk appetite’, not because it is necessarily wrong in theory, but because the practice seems massively flawed.

This is how the COSO Enterprise Risk Management – Integrated Framework defines risk appetite.

Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.

One of the immediate problems is that it talks about an “amount of risk”. As we have seen, there are more often than not multiple potential impacts from a possible situation, event, or decision and each of those potential impacts has a different likelihood. When people look at the COSO definition, they see risk appetite as a single number or value. They may say that their risk appetite is $100 million. Others prefer to use descriptive language, such as “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.”

Whether in life or business, people make decisions to take a risk because of the likelihood of potential impacts – not the size of the impact alone. Rather than the risk appetite being $100 million, it is the 5% (say) likelihood of a $100 million impact.

Setting that critical objection aside for the moment, it is downright silly (and I make no apology for saying this) to put a single value on the level of risk that an organization is willing to accept in the pursuit of value. COSO may talk about “the amount of risk, on a broad level”, implying that there is a single number, but I don’t believe that the authors of the COSO Framework meant that you can aggregate all your different risks into a single number.

Every organization has multiple types of risk, from compliance (the risk of not complying with laws and regulations) to employee safety, financial loss, reputation damage, loss of customers, inability to protect intellectual property, and so on. How can you add each of these up and arrive at a total that is meaningful – even if you could put a number on each of the risks individually?

If a company sets its risk appetite at $10 million, then that might be the total of these different forms of risk:

Non-compliance with applicable laws and regulations	$1,000,000
Loss in value of foreign currency due to exchange rate changes	$1,500,000
Quality in manufacturing leading to customer issues	$2,000,000
Employee safety	$1,500,000
Loss of intellectual property	$1,000,000
Competitor-driven price pressure affecting revenue	$2,000,000
Other	$1,000,000

I have problems with one risk appetite when the organization has multiple sources of risk.

• “I want to manage each of these in isolation. For example, I want to make sure that I am not taking an unacceptable level of risk of non-compliance with applicable laws and regulations irrespective of what is happening to other risks.”
• “When you start aggregating risks into a single number and base decisions on acceptable levels of risk on that total, it implies (using the example above) that if the level of quality risk drops from $2m to $1.5m but my risk appetite remains at $10m, I can accept an increase in the risk of non-compliance from $1m to $1.5m. That is absurd.”

The first line is “non-compliance with applicable laws and regulations”. I have a problem setting a “risk appetite” for non-compliance. It may be perceived as indicating that the organization is willing to fail to comply with laws and regulations in order to make a profit; if this becomes public, there is likely to be a strong reaction from regulators and the organization’s reputation would (and deserves to) take a huge hit.

Setting a risk appetite for employee safety is also a problem. As I say:

…. no company should, for many reasons including legal ones, consider putting a number on the level of acceptable employee safety issues; the closest I might consider is the number of lost days, but that is not a good measure of the impact of an employee safety event and might also be considered as indicating a lack of appropriate concern for the safety of employees (and others). Putting zero as the level of risk is also absurd, because the only way to eliminate the potential for a safety incident is to shut down.

That last sentence is a key one.

While risk appetites such as $1m for non-compliance or $1.5m for employee safety are problematic, it is unrealistic to set the level of either at zero. The only way to ensure that there are no compliance or safety issues is to close the business.

COSO advocates would say that risk appetite can be expressed in qualitative instead of quantitative terms. This is what I said about that.

The other form of expression of risk appetite is the descriptive form. The example I gave earlier was “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.” Does this mean anything? Will it guide a decision-maker when he considering how much risk is acceptable? No.

Saying that “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns”, or “The organization has a low risk appetite related to risky ventures and, therefore, is willing to invest in new business but with a low appetite for potential losses” may make the executive team feel good, believe they have ‘ticked the risk appetite box’, but it accomplishes absolutely nothing at all.

Why do I say that it accomplishes absolutely nothing? Because (a) how can you measure whether the level of risk is acceptable based on these descriptions, and (b) how do managers know they are taking the right level of the right risk as they make decisions and run the business?

If risk appetite doesn’t work for compliance, then what does?

I believe that the concept of risk criteria (found in ISO 31000:2009) is better suited.

Management and the board have to determine how much to invest in compliance and at what point they are satisfied that they have reasonable processes of acceptable quality .

The regulators recognize that an organization can only establish and maintain reasonable processes, systems, and organizational structures when it comes to compliance. Failures will happen, because organizations have human employees and partners. What is crucial is whether the organization is taking what a reasonable person would believe are appropriate measures to ensure compliance.

I believe that the organization should be able to establish measures, risk criteria, to ensure that its processes are at that reasonable level and operating as desired. But the concept of risk appetite for compliance is flawed.

A risk appetite statement tends to focus on the level of incidents and losses, which is after the fact. Management needs guidance to help them make investments and other decisions as they run the business. I don’t see risk appetite helping them do that.

By the way, there is another problem with compliance and risk appetite when organizations set a single level for all compliance requirements.

I want to make sure I am not taking an unacceptable level of risk of non-compliance with each law and regulation that is applicable. Does it make sense to aggregate the risk of non-compliance with environmental regulations, safety standards, financial reporting rules, corruption and bribery provisions, and so on? No. Each of these should be managed individually.

Ethics and fraud are different.

Again, we have to be realistic and recognize that it is impossible to reduce the risk of ethical violations and fraud to zero.

However, there is not (in my experience) the same reputation risk when it comes to establishing acceptable levels – the levels below which the cost of fighting fraud starts to exceed the reduction in fraud risk.

When I was CAE at Tosco, we owned thousands of Circle K stores. Just like every store operator, we experienced what is called “shrink” – the theft of inventory by employees, customers, and vendors. Industry experience was that, though undesirable, shrink of 1.25% was acceptable because spending more on increased store audits, supervision, cameras, etc. would cost more than any reduction in shrink.

Managing the risks of compliance or ethical failures is important. But, for the most part I find risk appetite leaves me hungry.

What do you think?

BTW, both my World-Class Risk Management and World-Class Internal Auditing books are available on Amazon.

The value of heat maps in risk reporting

Here is another excerpt from the World-Class Risk Management book. Your comments are welcome.

As you can see, I spend a fair amount of time in the book challenging ‘traditional’ precepts, such as (in this case) the value of heat maps in providing useful information about risks across the enterprise.

 

Heat Maps

Some prefer a heat map to illustrate the comparative levels (typically using a combination of potential impact and likelihood) of each risk.

A heat map is very effective in communicating which risks rate highest when you consider their potential impact and the likelihood of that impact. The reader is naturally drawn to the top right quadrant (high significance and high likelihood), while items in other quadrants receive less attention.

But there are a number of problems with a report like this, whether it is in the form of a heat map or a table.

1. It is a point-in-time report.

When management and the board rely on the review of a report that purports to show the top risks to the organization and their condition, unless they are reviewing a dynamically changing report (such as a dashboard on a tablet) they are reviewing information that is out-of-date. Its value will depend on the extent that risks have emerged or changed.

In some cases, that information is still useful. It provides management with a sense of the top risks and their condition, but they need to recognize that it may be out of date by the time they receive it.

 

2. It is not a complete picture.

This is a list of a select number of risks. It cannot ever be a list of all the risks, because as discussed earlier risks are created or modified with every decision. At best, it is a list of those risks that are determined to be of a continuing nature and merit continuing attention. At worst, it is a list of the few risks that management has decided to review on a periodic basis without any systematic process behind it to ensure new risks are added promptly and those that no longer merit attention are removed. In other words, the worst case is enterprise list management.

There is a serious risk (pun intended) that management and the board will be lulled into believing that because they are paying regular attention to a list of top risks that they are managing risk and uncertainty across the organization – while nothing could be further from the truth.

 

3. It doesn’t always identify the risks that need attention.

Whether you prefer the COSO or ISO guidance, risks require special attention when they are outside acceptable levels (risk appetite for COSO and risk criteria for ISO). Just because a risk rates ‘high’ because the likelihood of a significant impact is assessed as high doesn’t mean that action is required by senior management or that significant attention should be paid by the board. They may just be risks that are ‘inherent’ in the organization and its business model, or risks that the organization has chosen to take to satisfy its objectives and to create value for its stakeholders and shareholders.

This report does not distinguish risks that the organization has previously decided to accept from those that exceed acceptable levels. Chapter 13 on risk evaluation discusses how I would assess whether a risk is within acceptable levels or not.

 

4. The assessment of impact and likelihood may not be reliable.

I discuss this further in chapter 12 on risk analysis.

 

5. It only shows impact and likelihood

As I will explain in chapter 13 on risk evaluation, sometimes there are other attributes of a risk that need to considered when determining whether a risk at acceptable levels. Some have upgraded the simple heat map I show above to include trends (whether the level of risk is increasing or decreasing) and other information. But it is next to impossible to include every relevant attribute in a heat map.

 

6. It doesn’t show whether objectives are in jeopardy.

As I mentioned above, management and the board need to know not only which specific risks merit attention, but whether they are on track to achieve their objectives.

On the other hand, some risk sources[1] (such as the penetration of our computer network, referred to as cyber risk) can have multiple effects (such as business disruption, legal liability, and the loss of intellectual property) and affect multiple objectives (such as those concerned with compliance with privacy regulations, maintaining or enhancing reputation with customers, and revenue growth). It is very important to produce and review a report that highlights when the total effect of a risk source, considering all affected objectives, is beyond acceptable levels. While it may not significantly affect a single objective, the aggregated effect on the organization may merit the attention of the executive leadership and the board.

[1] As noted in the Language of Risk section, many refer to these as “risks” when, from an ISO perspective, they should be called “risk sources” (element which alone or in combination has the intrinsic potential to give rise to risk). For example, the World Economic Forum publishes annual reports on top global risks, which it defines as “an uncertain event or condition that, if it occurs, can cause significant negative impact for several countries or industries within the next 10 years.”

Evaluating the external auditors

The Audit Committee Collaboration (six associations or firms, including the National Association of Corporate Directors and NYSE Governance Services) recently published External Auditor Assessment Tool: A Reference for Audit Committees Worldwide.

It’s a good product, useful for audit committees and those who advise them (especially CAEs, CFOs, and general counsel).

The tool includes an overview of the topic, a discussion of important areas to assess (with sample questions for each), and a sample questionnaire to ask management to complete.

However, the document does not talk about the critical need for the audit committee to exercise professional skepticism and ask penetrating questions to test the external audit team’s quality.

Given the publicized failures of the audit firms to detect serious issues (fortunately few, but still too many) – the latest being FIFA (see this in CFO.com) – and the deficiencies continually found by the PCAOB Examiners, audit committees must take this matter seriously.

Let me Illustrate with a story. Some years ago, I joined a global manufacturing company as the head of the internal audit function, with responsibility for the SOX program. I was the first to hold that position; previously, the internal audit function had been outsourced. Within a couple of months, I attended my first audit committee meeting. I informed them that there was an internal control issue that, if not addressed by year-end, might be considered a material weakness in the system of internal control over financial reporting. None of the corporate financial reporting team was a CPA! That included the CFO, the Corporate Controller, and the entire financial reporting team. I told that that, apart from the Asia-Pacific team in Singapore, the only CPAs on staff were me, the Treasurer, and a business unit controller. The deficiency was that, as a result, the financial reporting team relied heavily on the external auditors for technical accounting advice – and this was no longer permitted.

The chairman of the audit committee turned to the CFO, asked him if that was correct, and received an (unapologetic) affirmative. The chairman then turned to the audit partner, seated directly to his right, and asked if he knew about this. The partner also gave an unapologetic “yes” in reply.

The chairman then asked the CEO (incidentally, the former CFO whose policy it had been not to hire CPAs) to address the issue promptly, which it was.

However, the audit committee totally let the audit partner off the hook. The audit firm had never reported this as an issue to the audit committee, even though it had been in place for several years. The chairman did not ask the audit partner why, whether he agreed with my assessment of the issue, why the firm had not identified this as a material weakness or significant deficiency in prior years, or any other related question.

If you talk to those in management who work with the external audit team, the most frequent complaint is that the auditors don’t use judgment and common sense. They worry about the trivial rather than what is important and potentially material to the financial statements. In addition, they often are unreasonable and unwilling to work with management – going overboard to preserve the appearance of independence.

I addressed this in a prior post, when I said the audit committee should consider:

• Whether the external auditor has adopted an appropriate attitude for working with the company, including management and the internal auditor
• Whether the auditor has taken a top-down and risk-based approach that focuses on what matters and not on trivia, minimizing both cost and disruption, and
• Whether issues are addressed with common sense rather than a desire to prove themselves

Does your audit committee perform an appropriate review and assessment of the external audit firm and their performance?

I welcome your comments.

CFOs can use risk management to create a competitive advantage

A recent article in CFO, How Risk Management Can Spawn Competitive Advantage, is on the right track.

However, its advice for CFOs is (in my opinion) short-sighted. It barely scratches the surface.

Its theme is that as long as your risk management program is better than your competitors’, you have a competitive advantage. That is correct, as far as it goes.

Certainly, “In the kingdom of the blind, the one-eyed man is king” (Erasmus).

But, is having one eye open and working sufficient when the enterprise is driving at high speed with risks around every corner, with competitors lurking beside you to potentially cut you off from your way ahead, or when you may be able to use a high-speed lane if you can only move into the lane to your left?

No.

A smart CFO is not satisfied with being able to outrun the competitors he can see. He wants to achieve and then maintain a lead.

He wants a risk management program that helps every decision-maker make more intelligent and informed decisions.

Such a capability provides the board and the executive management team with the confidence to drive at speed along the congested highway of our world. They have confidence that when faced with the need to make decisions at speed, managers will take the desired level of the desired risks.

I welcome your comments.

A huge problem with risk appetite and risk levels

COSO’s ERM Framework defines risk appetite in a way that many have adopted:

“Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.”

The problem I want to discuss is whether there is such a thing as an “amount of risk”.

The traditional way of assessing a risk is to establish values for its potential impact (or consequences) and their likelihood. The assessment might also include qualitative attributes of the risk, such as the speed of impact and so on.

But, for many risks there is more than one possible impact, with varying levels of likelihood.

Take the example of an organization that wants to expand and sell its products in a new country. It has set a sales target of 10,000 units in the first year, but recognizes not only that the target may not be reached but that, if things work well, it might be exceeded.

If the sales target is not reached, the initiative will result in a loss of as much as 500 units of currency. The likelihood of that loss is estimated at 5% and is considered unacceptable. There is also a 10% likelihood of a 250 loss, also unacceptable.

Management decides to treat the risk through a number of actions, including advertising and the use of in-country agents, which should reduce the likelihood and extent of losses. However, the cost of these actions will reduce the profits achieved when sales reach or exceed target.

The chart below shows the distribution of possible P&L results, both before and after treating the risk.

So there is no single “amount of risk”. There are many possible outcomes.

It is not sufficient to place a value on the distribution of all possible outcomes and compare that to some other value established as the acceptable level – because some of the points may individually be unacceptable and require treatment.

In this example, management has decided that the likelihood of the greatest levels of loss is unacceptable. If they had reduced the array of possibilities to a calculated number (perhaps based on the area under the curve), they probably would not have considered whether each possibility was acceptable and would not have taken the appropriate action.

Knowing whether the possibilities are acceptable or not, and making appropriate actions to treat them, is critical. A single “amount of risk” fails that test.

We could take this discussion a lot further, but I will stop here. What do you think?

Important new IFAC paper on risk management

With help from Grant Purdy, IFAC has published an excellent Thought Paper on risk management. From Bolt-on to Built-in: Managing Risk as an Integral Part of Managing an Organization.

This is one of the most important papers on risk management in recent years – not because it says something new, but because it (a) comes from this well-respected, global organization, (b) is contrary not only to many current practices but also to how guidance from several regulators is being interpreted, and (c) is expressed forcefully and eloquently.

The IFAC paper has a wealth of good advice. I can only excerpt portions because if I quoted everything of note, I would end up copying most of the document!

I encourage everybody to download and read the paper for themselves.

The theme is captured in this:

In some organizations the approach to management of risk and internal control has deviated from its original purpose: to support decision making and reduce uncertainty associated with achieving objectives. Instead, risk management in these organizations has become an objective in itself, for example, through the institution of a nonintegrated, stand-alone risk management function. This typically removes responsibility for the management of risk from where it primarily belongs: incorporated into line management. A separate risk management function, even though established with the best intentions, may hamper rather than facilitate good decision making and subsequent execution. Managing risk in an organization is everyone’s responsibility.

The paragraph makes some essential points:

• Risk management (and the part of risk management that is internal control, as controls only exist to provide reasonable assurance that risk is at acceptable levels) is all about enabling informed, intelligent decisions
• The overall purpose is to set and then achieve the right objectives
• A separate risk management function often separates the consideration of risk from the running of the business – degrading rather than enhancing decision-making and organizational performance

IFAC continues the theme:

This Paper contends it is time to recognize that managing risk and establishing effective control form natural parts of an organization’s system of management that is primarily concerned with setting and achieving its objectives. Effective risk management and internal control, if properly implemented as an integral part of managing an organization, is cost effective and requires less effort than dealing with the consequences of a detrimental event. It also generates value from the benefits gained through identified and realized opportunities.

Risk management should not be separate from management processes. It is more than embedding the consideration of risk into management processes. It is an integral part of decision-making and running the enterprise.

This is stressed:

Risk management should never be implemented in isolation; it should always be fully integrated into the organization’s overall system of management. This system should include the organization’s processes for good governance, including those for strategy and planning, making decisions in operations, monitoring, reporting, and establishing accountability.

Note that risk management helps organizations select objectives and related strategies as well as enable optimal performance and achievement of the objectives. Risk management does not start after objectives are established, but before. “Setting objectives itself can be one of the greatest sources of risk.” IFAC explains that:

Risk management assists organizations in making informed decisions about:

• objectives they want to achieve;
• the level, nature, and amount of risk that they want to assume in pursuit of those objectives; and
• the controls required to support achieving their objectives.

IFAC emphasizes that the management of risk is not for its own sake. It is to enable the achievement of the right objectives.

The main objective of an organization is not to have effective controls, nor to effectively manage risk, but to properly set and achieve its goals; to be in compliance and capable of managing surprises and disruptions along the way; and to create sustainable value. The management of risk in pursuit of these objectives should be an inseparable and integral part of all these activities.

In IFAC’s discussion of maturity, they say something that sounds very similar indeed to OCEG’s definition of GRC: “Effective risk management supports management’s attempts to make all parts of an organization more cohesive, integrated, and aligned with its objectives, while operating more effectively, efficiently, ethically, and legally.” (They continue with a very high-level example of a four-stage maturity model.)

I like how they say that the owner of the enterprise objective (responsible for performance against it) should also be the owner of related risks, not any risk officer:

As an organization’s risk is inextricably connected to its objectives, the responsibility for managing risk cannot lie with anyone other than the person who is responsible for setting and achieving those objectives.

Line management needs to accept its responsibility and not delegate risk management and internal control to specialized staff departments. Placing responsibility within the line also implies that staff or support functions should not, or no longer, be the “owner” of risk management in organizations. However, these support functions nevertheless play a crucial role in supporting line management in the effective management of risk.

There is a critical discussion of risk management flaws, with not only a list of the most serious but a table that compares good and bad practices. Some of the flaws they identify as serious are:

• “Having a compliance-only mentality ….. ignoring the need to address both the compliance and performance aspects of risk management.”
• “Treating risk as only negative and overlooking the idea that organizations need to take risks in pursuit of their objectives. Effective risk management enables an organization to exploit opportunities and take on additional risk while staying in control and, thereby, creating and preserving value.”

Some of you know that I am writing a book about world-class risk management. When it comes to risk reporting, I found the topic tough to write about because so many risk reports (and risk registers) are just a list of risks and their risk ‘levels’. They are not focused on how each of the enterprise’s objectives is affected. I will include this section as a quote because it gets it right and says it well:

As risk is the effect of uncertainty on achieving objectives, it would be inadvisable to manage risk without taking into account the effect on objectives. Unfortunately, in some organizations the linkage between the risks periodically reported to the board and the strategic objectives that are most critical to the long-term success of the company is at best opaque and at worst, missing completely. As a consequence, risk is insufficiently understood or controlled, even though the organization devotes some attention and resources to the management of risk. Risk management without taking into account the effects on objectives is thus ineffective.

Let me close this post with a quote from Unilever that is included in the IFAC document:

“At Unilever, we believe that effective risk management is fundamental to good business management and that our success as an organization depends on our ability to identify and then exploit the key risks and opportunities for the business. Successful businesses take/manage risks and opportunities in a considered, structured, controlled, and effective way. Our risk management approach is embedded in the normal course of business. It is ‘paper light—responsibility high.’ Risk management is now part of everyone’s job, every day! It is no longer managed as a separate standalone activity that is ‘delegated to others.”

What do you think? I welcome your comments.

By the way, I hope those involved in the COSO ERM update, as well as those working on an update of the ISO 31000:2009 global risk management standard, pay attention. IFAC has proved that accountants can publish excellent guidance on risk management!

Lessons Learned from the Transition to COSO 2013

Protiviti has shared with us a useful Top 10 Lessons Learned from Implementing COSO 2013.

I especially like this section:

It is presumed that everyone understands that a top-down, risk-based approach remains applicable to Section 404 compliance, and the transition to the 2013 updated Framework does not affect this. While we don’t list this as a lesson, we could have, because some companies either forgot or neglected to apply this approach when setting the scope and objectives for using the Framework. As a result, they went overboard with their controls documentation and testing. We can’t stress enough that the COSO 2013 Framework did not change the essence of, and the need for, a top-down, risk-based approach in complying with SOX Section 404.

The report has a number of excellent pieces of advice. However, I wouldn’t be me if I didn’t have points of disagreement.

The first is on mapping. It is NOT necessary to map all your controls to the principles. If we take principle 10, for example, it states “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels”. Rather than map all your control activities to this principle (or to principle 11, which is the same – just for IT general controls), the organization needs to identify the control(s) it relies on for its assessment that the principles are present and functioning[1]. For principles 10 and 11, that will be the SOX scoping exercise. For the principle on fraud, the control that should be identified is the fraud risk assessment, not every control relied on to detect or prevent fraud.

Then there is the assertion that indirect controls are the same as entity-level controls. COSO (both 1992 and 2013) tell us, correctly, that activities in each of its components may operate at any level within the organization. For example, let’s say that an account analysis is prepared by Corporate Finance as part of the period-end close. This entity-level control may operate with sufficient precision to be relied upon to detect a material error or omission in that account. But the entity-level control is a direct control, not an indirect control. (A direct control can be relied upon to prevent or detect an error. An indirect control is one that serves to increase or decrease the likelihood that other, direct, controls will function effectively. Hiring, integrity, oversight by the board – these are indirect controls where a defect would increase the likelihood that affected direct controls would fail.)

Another example that helps us understand the difference is the hiring process (related to principle 4, in the Control Environment). The hiring process most often is at a lower level than the entity-level, often as deep as the activity level as that is where most hiring managers reside. Controls in the hiring process in this situation are activity level (or what I call ‘intermediate level’ controls, operating at a location or business unit rather than either the top or the bottom of the organization) and are indirect controls.

I could quibble with one or two more points, but I don’t want to detract from the report. I want, instead, to encourage you to read and discuss it.

What do you think?

What additional lessons have you learned?

[1] Full credit for this wording goes to the E&Y national office, who used it in a conversation I had with them about the firm’s training of its audit staff.

The most important sentence in COSO

In my opinion, one sentence stands out, whether you are looking at the COSO Internal Control – Integrated Framework (2013 version) or the COSO Enterprise Risk Management – Integrated Framework.

That sentence is:

An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories.

The sentence is important because it emphasizes the fact that the purpose of controls is to address risk, and that you have ‘enough’ control when risk is at desired levels.

To me, this means that:

1. Before you assess the effectiveness of internal control, you need to know your objective(s), because we are talking about risk to objectives – not risk out of context
2. You need to know the risk to those objectives
3. You need to know what is an acceptable level of risk for each objective, and
4. You need to be able to assess whether the controls provide reasonable assurance that risk is at acceptable levels

You may ask “where is that sentence?”, because when consultants (and even COSO and IIA) make presentations on COSO 2013 and effective internal control, all you hear about are the principles and components.

In fact, anybody who reads COSO 2013 should have no difficulty finding this most important sentence. It’s in the section headed “Requirements for Effective Internal Control”.

This is how that section starts:

An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives. Because internal control is relevant both to the entity and its subunits, an effective system of internal control may relate to a specific part of the organizational structure. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories. It requires that:

• Each of the five components of internal control and relevant principles are present and functioning
• The five components are operating together in an integrated manner

There is no mention of satisfying the requirement that the “components and relevant principles are present and functioning” until after the reference to risk being at acceptable levels.

In fact, I believe – and I know of at least one prominent COSO leader agrees – that assessing the presence and functioning of the components and principles is secondary, provided to help with the assessment.

Let’s have a look at the very next paragraph in the section:

When a major deficiency exists with respect to the presence and functioning of a component or relevant principle or in terms of the components operating together, the organization cannot conclude that it has met the requirements for an effective system of internal control.

When you look at this with the (COSO) risk lens, this translates to the ability to assess internal control as effective, and the principles and components as present and functioning, as long as there is no deficiency in internal control that is rated as “major”.

How does COSO determine whether a deficiency is “major”? That can be found in the section, “Deficiencies in Internal Control”.

An internal control deficiency or combination of deficiencies that is severe enough to adversely affect the likelihood that the entity can achieve its objectives is referred to as a “major deficiency”.

Let’s translate this as well:

1. If the likelihood of achieving objective(s) is “severe”, then the risk is outside acceptable levels.
2. If the risk is outside acceptable levels, not only should the related component(s) or principle(s) not be assessed as present and functioning, but internal control is not considered effective.
3. When it comes to SOX compliance, a “major deficiency” translates to a “material weakness”. The objective for SOX is to file financial statements with the SEC that are free of material error or omission. The acceptable level of risk is where the likelihood of a material error or omission is less than reasonably possible.
4. That means that if the deficiency is less than “major” (or “material” for SOX purposes), then the related component(s) or principle(s) can be assessed as present and functioning – and internal control can be assessed as effective.

So, the only way to assess whether the principles and components are present and functioning is to determine whether the risk to objectives (after considering any related control deficiency) is at acceptable levels.

Do you see what I mean?

Risk is at the core. Assessing the presence and functioning of components or principles without first understanding what is an acceptable level of risk to objectives is misunderstanding COSO!

Why are so many blind to this most important sentence?

I have a theory: the presentations were all prepared based on the Exposure Draft. That document failed to reference the requirement that internal control be designed to bring risk within acceptable levels. (The defect was fixed after comments were received on the issue.)

Do you have a better theory?

Can you explain the blindness of so many to the most important sentence in the entire Framework?

Does PwC understand risk management?

I would like to say that the answer is “yes”, because I used to work for PwC and know many of their people – very good people.

I would also like to say “yes” because COSO has hired PwC to lead the update of their Enterprise Risk Management – Integrated Framework.

But, I cannot say that they do – at least not what is required for the fully effective management of uncertainty.

I think they understand much of the common, traditional wisdom about risk management, that managing risk is about avoiding threats as you strive to achieve your objectives.

But, I think they fail to understand that uncertainty between where you are and where you want to go contains both threats and opportunities – and managing risk is about making intelligent decisions at all levels of the organization, both to limit the effect and likelihood of bad things happening and to increase the effect and likelihood of good things.

Risk management is more than a risk appetite framework set by executives and approved by the board.

It is more than “embedding” the consideration of risk into the strategy-setting and execution processes.

It is more than enabling the board and executive management to make informed decisions, or even for division leaders to make informed decisions. Every decision, whether by executives or junior employees, creates and/or modifies risk.

No. Effective risk management is something that is (or should be) an integral part of making decisions and running the business every minute of every day, at all levels across not just the enterprise but the extended enterprise.

It’s about enabling decision-makers to take the right amount of the right risk.

What’s the point of a risk appetite statement if it is not effective in driving decisions, which occur not only in the board and executive committee rooms, but in every corner and crevice of the organization?

I am using PwC’s latest publication as the basis for this opinion. While Risk in review: Decoding uncertainty, delivering value (subtitled How leading companies use risk management to drive strategic, operational, and financial performance) makes some good points, it also misses the key point about enabling decision-makers to take the right amount of the right risk. It focuses instead on a view of risk management that is centered on a periodic review of a limited, point-in-time list of negative risks – such as those found in a heat map.

(The good point made by PwC is that risk and strategy need to be entwined, both in the setting of strategy and its execution. It is also useful to see that few organizations, just 12% in their view, have achieved PwC’s limited view of risk management leadership.)

I will let you read PwC’s ideas and limit my comments to their Five steps to risk management program leadership.

1. Create a risk appetite framework, and take an aggregated view of risk

I have no problem with the principle that the board and top management should understand and provide guidance to decision-makers so that they take the right amount of the right risk. I also agree that there are multiple sources of risk to any business objective, and that it is necessary to see the full picture of how uncertainty might affect the achievement of each objective.

But, as I said, a risk appetite framework has little value if it is not sufficiently granular so that every decision-maker knows what he or she must do if they are to take the right amount of the right risk. Few organizations have been able to translate a risk appetite statement to actionable guidance for decision-makers, even when they try to use risk tolerance statements. Risk criteria at the decision-maker level must be established that are consistent with the aggregated enterprise view, and this is exceptionally difficult in practice.

In addition, decision-makers should not be excessively inhibited from seizing opportunities or taking/ retaining “negative risk” when it is justified. The focus is far too often on limiting risk, even when it is at a level that should be taken.

2. Monitor key business risks through dashboards and a common GRC technology platform

I agree that every decision-maker should know the current level of risk. But what is key is that the decision-makers have this information. While it is nice to have the risk function aware of current levels of risk, it is the decision-makers who have to act with that knowledge.

Further, why this nonsense about a “GRC technology platform”? Let’s talk about a risk management solution. I know that PwC makes a lot of money helping organizations select and then implement GRC solutions, but we are talking about risk management. Let’s focus on the technology needed for the effective management of risk by decision-makers at all levels across the organization. Integrating internal audit and policy management is far less important (IMHO).

Finally, people forget (and that includes PwC) that you need to monitor risk to each objective, not risk in isolation. Executives and managers need to receive integrated performance and risk information for each of their objectives.

3. Build a program around expanding and emerging business risk, such as third-party risk and the digital frontier

Everybody talks about risk expanding, that there is more risk today than in the past. I am not sure that is correct. Maybe we are just more attuned (which is a good thing) to thinking about risk, and certainly risk sources are becoming more complex. But is there actually more risk?

PwC talks about third-party risk, but that is not new at all. I wish they would talk about risk across the extended enterprise, which would broaden the picture some.

Technology-related business risk clearly merits everybody’s attention. It is unfortunate that insufficient resources are being applied by the majority of organizations to understanding and addressing both the potential harms and benefits of new technology.

4. Continuously strengthen your second and third lines of defense

Is there a reason we shouldn’t strengthen management’s ability to address uncertainty? (They are the so-called first line of defense.) Instead of the risk function feeding fish to management, why not train them to catch their own fish? Every decision-maker should be trained in disciplined decision-making, including the disciplined consideration of uncertainty.

Yes, the second line (risk management, compliance, information security, and so on) should be strengthened.

But, internal audit should not be limited to being seen as a “line of defense”. For a start, risk is not always something you need to defend against – often it should be actively sought as a source of value. Then, internal audit should help the organization actively take the right amount of the right risk, which it does by providing assurance that the processes for doing so are effective and by making suggestions for improvement.

I much prefer to talk about lines of offense. When you attack, you still need to be aware of IEDs, sniper positions, and mines. But the focus is on achieving success rather than avoiding failure.

5. Partner with a risk management provider to close the gap on internal competencies

Such a self-serving platitude! Yes, fill resource gaps with competent, knowledgeable professionals. But don’t hire a consultant to run periodic workshops – fill that need in-house.

 

Am I unfair to PwC?

Do they understand risk management and what it needs to be if an organization is to make the most of uncertainty?

We need to be tough on them if they are going to help COSO bring their ERM Framework up to the standard required for today and tomorrow – enabling better decisions so everyone takes the right level of the right risk.

I welcome your thoughts.

New information and perspectives on cyber security

The world continues to buzz about cyber security (or, perhaps we should say, insecurity). Now we have the Chinese government apparently admitting that they have a cyberwarfare capability: not just one unit, but three. Other nations, including the United States, Japan, and some European nations, are talking about their ineffective defenses and the need to develop an offensive capability.

What can the targets, not only any public or private company, but each of us as an individual target (yes, our personal devices are constantly under attack), do about this?

The first step is to get our collective heads out of the sand and understand that we are all, collectively and individually, at risk. The level of successful attacks is enormous (a billion records with personal information were hacked in 2014 according to IBM, as reported here). According to a survey discussed in Fortune, 71% of companies admit they were hacked last year and the majority expects to be hacked this year. However, nearly a quarter, according to Fortune, has not only kept their heads in the sand but do so with unbelievable confidence; they think a successful cyber attack is “not likely” in the next 12 months. The trouble is that very often successful attacks are not detected! It took a long time before JPMorgan Chase found out they had been hacked, and even longer before they knew the extent of damage.

Organizations need to be ready to respond effectively and fast!

The JPMorgan Chase article reports that “The people with knowledge of the investigation said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, possibly giving the hackers time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorgan’s systems.”

All is for naught if successful intrusions are not detected and responses initiated on a timely basis. In the Target case, reports say that the security monitoring service detected suspicious activity but the company did not respond. According to ComputerWeekly.com, many companies make the mistake of “Over-focusing on prevention and not paying enough attention to detection and response. Organisations need to accept that breaches are inevitable and develop and test response plans, differentiating between different types of attacks to highlight the important ones.”

Another insightful article discusses the critical need for pre-planned response capabilities. IT cannot do it all themselves; business executives need to not only be involved but actively work to ensure their operations can survive a successful intrusion.

What else should we do?

We have to stop using passwords like ‘password’, the name of our pet, or our birthday. Password managers are excellent tools (see this article on the top-rated products) and merit serious consideration. I have one (BTW, I don’t plan to replace it with the latest idea from Yahoo of one-time text messages. However, I do like the fingerprint authentication on my iPhone.)

A risk-based approach to cyber security is the right path, in my view. But that does mean that organizations have to continuously monitor new and emerging risks, or new observations about existing risks. An example is a new article on insecure mobile apps – both from in-house developers and from external sources.

Organizations need to allocate resources to cyber and information security commensurate with the risks, and individuals have to take the time to update the software on their personal devices. Internal audit departments should make sure they have the talent to make a difference, providing objective evaluations and business-practical suggestions for improvement.

Companies and individuals, both, need to make sure they apply all the security patches released by software vendors. They address the vulnerabilities most often targeted and when there is a breach, very often it’s because the patches have not been applied.

As individuals, we should have a credit monitoring service (I do), set up alerts for suspicious activity on their bank accounts, and all the anti-virus and spam protection that is reasonable to apply.

Finally, as individuals and as organizations, we need to make sure we and our people are alert to the hackers’ attempts through malware, social engineering, and so on. It is distressing that so many successful intrusions start with somebody clicking where they should not be clicking.

Here are a couple of articles worth reading and a publication by COSO (written by Deloitte) on how their Internal Control Framework can be used to address cyber risks.

Cybersecurity in 2015: What to expect

Cybersecurity Hindsight And A Look Ahead At 2015

COSO in the cyber age

As always, I welcome your comments.

KPMG and I talk about changes at the Audit Committee meeting

I am used to seeing some new thinking from our Canadian friends. That is hardly the case when you look at a recent publication from KPMG Canada, Audit Trends: The official word on what’s changing and how audit committees are responding.

That title not only sets the expectations high, but sets KPMG up for a fall.

This is how they start us off, with an astonishing headline section:

ACs TODAY DEAL WITH A BROAD RANGE OF ISSUES, AND ACCOMPANYING RISKS, THAT ARE BEYOND FINANCIAL STATEMENTS, REPORTING AND INTERNAL CONTROLS OVER FINANCIAL REPORTING – THEIR TRADITIONAL AREAS OF RESPONSIBILITY.

These include CFO succession management; forecasting & planning; liquidity; M&A; environmental, social and governance factors; fraud and more.

My first audit committee meeting, as the chief internal auditor, was about 25 years ago. If memory serves me well, the only audit committee meetings that focused only on “financial statements, reporting, and internal controls over financial reporting” over those 25 years were short calls to review earnings releases, and so on. Not a single in-person meeting was limited to these few topics.

KPMG continues:

THE DAYS WHEN THE AC AGENDA WAS SOLELY DOMINATED BY AUDIT MATTERS AND TECHNICAL ACCOUNTING DISCUSSIONS ARE GONE.

Sorry, KPMG, but the world does not spin around the axis of the CPA firm.

Here’s another silly profundity, a highlighted quote from the Vancouver practice leader:

“Organizations today rely heavily on technology to manage internal processes and external customer relationships, it is therefore essential for ACs to understand what management is doing to mitigate IT risks.”

In 1990, my company was totally reliant on technology. Not only was it relied upon for internal business processes, but our oil refineries were highly automated. So-called IT risks (so-called, because the only risks are risks to the business – which may come from failure in the use or management of technology) were so extensive that I dedicated a third of my budget to IT audit. Going back even further, the savings and loan companies I worked for in the mid to late-1980s relied “heavily on heavily on technology to manage internal processes and external customer relationships”.

So what are the changes that should be happening at the audit committee? Here are six ideas:

1. The audit committee should be asking management to provide assurance that it has effective processes for addressing risk (both threats and opportunities) as it sets strategies and plans, monitors performance, and runs the business every day. The audit committee should not be limited to a review of the “risk de jour”; it should require that management explain how it has embedded the consideration of risk into the organization’s processes and every decision.
2. The audit committee should insist that it obtain a formal report, at least annually, from the chief audit executive, with an assessment of the adequacy of management’s processes for managing risk, including the adequacy of the controls over the more significant risks.
3. With the enormous potential for both harm and strategic value of new, disruptive technology, the audit committee can help the full board by challenging management on its approach to new technology. Does the IT function have the agility, resources, and capability to partner with the business and take full advantage of new technologies, while managing downside risk?
4. Continuing with that theme, is the organization hamstrung by legacy infrastructure and systems that inhibit its agility, its potential for moving quickly as business conditions and opportunities change? Is it able to change systems and processes fast enough?
5. The COSO 2013 update of the Internal Controls – Integrated Framework is an opportunity to revisit a number of issues. One that should be high on the agenda is whether the company is providing decision-makers across the organization, from Strategy-setting to Marketing to Finance to Operations, with the information it needs to drive success? This is not just about the deployment of Big Data Analytics because that is just a tool. It is about (a) understanding what information is available and can be used to advantage, (b) obtaining it at speed, and then (c) delivering it everywhere it should be used in a form that enables prompt use and action.
6. With all the demands on the audit committee, there is a need to re-examine its composition and processes. Do its members have all the experiences and skills necessary to perform with high quality, addressing issues relating to the management of risk, the use of technology, the changing global world, and so on? Should it receive more periodic briefings from experts on these topics? Do its members even have the ability to dedicate the time they need? Are they receiving the information they need to be effective (studies say they do not)?

If the audit committee is spending more than 20% of its precious time on “financial statements, reporting, and internal controls over financial reporting”, something is seriously wrong.

I welcome your comments – especially on these six suggestions.

Going crazy with COSO 2013 for SOX

For some reason, I only just saw a new PwC publication, Present and functioning: Fine-tuning your ICFR using the COSO update, dated November 2014.

PwC provided the project team for the COSO 2013 update of the Internal Controls – Integrated Framework, so their advice and insight should merit our attention.

The trouble is that it very easy to go overboard and do much more work than is necessary to update your SOX program for COSO 2013.

I fear that PwC may help people go crazy, rather than perform the few additional procedures necessary. I respect those who have said, rightly in my view, that if you were able to comply with the requirements of COSO 1992 (the original version) and either the SEC guidance (in their Interpretive Guidance) or PCAOB Standard Number 5, you should already be in compliance with COSO 2013.

The key is to be able to demonstrate that.

We need to remember these facts:

1. Neither the SEC nor the PCAOB has updated regulatory guidance for management or the external auditor since the release of COSO 2013. That guidance, reinforced by the PCAOB October 2013 Staff Practice Report) mandates a top-down and risk-based approach. It requires a focus on the potential for a material error or omission in the financial statements filed with the SEC.
2. COSO 2013 says that internal control is effective when it reduces the risk to the achievement of objectives to acceptable levels. For SOX, that means that there are no material weaknesses.
3. COSO 2013 also says that a principle can be deemed present and functioning if there are no “major deficiencies” that represent a significant level of risk to the achievement of the objective – in other words, there are no material weaknesses due to a failure of elements relating to a principle.

Now let’s have a look at what PwC has to say.

“With the COSO’s 1992 Control Framework being superseded by the 2013 updated edition on December 15, 2014, now is the time for companies to use the updated framework to evaluate the effectiveness of their systems of internal control over financial reporting.”

I agree with this statement. This is a great opportunity to ensure an effective and efficient program is in place.

“The updated framework formalizes 17 principles that stipulate more granular evaluative criteria to help a company’s management assess the design and operating effectiveness of its ICFR.”

They forget to say that COSO informs us that internal control is effective if it reduces risk to the achievement of objectives to acceptable levels. They also forget to remind us that the SOX assessment must be top-down, risk-based, and focused on the potential for a material error or omission.

“We don’t believe that implementation of the 2013 framework affects management’s existing control activities…. assuming that a company’s control activities have been assessed as effective, reevaluating them according to the 2013 framework is not necessary.”

While there is an element of truth to this, organizations should not be assessing control activities in isolation – they should be assessing whether the combination of controls provides reasonable assurance that there are no material errors or omissions. Focusing on one component by itself is insufficient and, I believe, incorrect.

In addition, the selection of controls for reliance should always be re-evaluated as the business is likely to have changed, including materiality, significant accounts and locations, and so on.

“We believe the most immediate value of applying the 2013 framework lies in the opportunity it provides for taking a fresh look at indirect entity-level controls.”

Again, the SOX scoping should be focused on the combination of controls that provides reasonable assurance. In addition, some principles (such as the hiring and training of employees, or the provision of training and obtaining certification of employees in the code of conduct) are performed at the activity level. COSO tells us that activities in each of the COSO components may exist at any level of the organization. So, we need to recognize that indirect controls may operate at the entity (corporate) level, activity level, or any level in between (such as at the business unit or regional level).

Having said which, the principles do offer us a new opportunity to determine which of these indirect controls need to be included in scope because a failure would represent an unacceptable level of risk – because they raise to an unacceptable level the likelihood that one or more key direct control relied on to prevent or detect a material error or omission might fail.

But, it all has to be within the context that we are focusing the scope, and the SOX program as a whole, on the risk of a material error or omission!

“…fine-tune the design and related documentation of indirect ELCs [entity-level controls] through mapping them to principles.”

Many have misguided organizations, telling them to “map their controls to the principles”. The proper guidance is to “identify the controls you are relying on to provide reasonable assurance that the principles are present and functioning”. Again, we need to remember that the principles can be deemed present and functioning if a failure would not represent a material weakness.

It is correct to say that if you have indirect controls (at entity or another level) that are not required to provide that reasonable assurance, they do not need to be included in scope for SOX.

“…we have noted the following areas in which management’s assessment has indicated room for optimization or improvement in control documentation.”

I suspect that the issue is not limited to control documentation! There is always room for improvement and it is useful to see what PwC has identified.

“Leading companies are formalizing or clarifying and incorporating into their evaluations of ICFR certain indirect ELCs that support existing human resources policies. Such controls usually consist of approvals of new hires and employee transfers (including background checks and assessments of requisite skills and experience when appropriate), requirements for professional certifications and training (e.g., in new and complex accounting standards), succession planning and retention of competent employees, and periodic reviews of employee performance to assess requisite skill levels and conduct. Compensation programs aligned with expected performance, competencies, and behaviors are also important to support ICFR objectives.”

If you believe that any organization’s HR policies and practices provide the assurance you need that every single key control is performed by individuals with the appropriate experience, knowledge, training, and so on, I have a bridge to sell you!

While it is very important to have excellence in hiring, training, supervision, career development, promotion and so on, I do not believe that for SOX it is productive to spend much time on controls in this area.

I very much prefer to assess the capabilities and competence of each control owner as part of the evaluation of the design and operation of each individual key control.

“In many organizations, the evaluation of fraud risks related to financial reporting is integrated into the overall assessment of financial-reporting risks……… In identifying and evaluating those risks, management investigates incentives, pressures, opportunities, attitudes, and rationalizations that might exist throughout the company in different departments and among various personnel.”

The first statement is (I hope) true, although I personally perform a separate assessment of fraud risk (focused on the risk of a material error or omission due to fraud) and generally find that they are addressed by the controls already identified for mistakes.

PwC talks about ‘scenarios’, while I talk about ‘fraud schemes’. In each case, we are talking about ‘how’ the fraud would be committed – an essential step in understanding the true nature of the risk and the controls that would prevent or detect it, if material.

However, going crazy about the fraud triangle is not recommended. We should focus on how we can provide reasonable assurance that a material error or omission due to fraud might be prevented or detected, and remember that the number of people with the ability to commit such a fraud is limited. More than 80% of reported material frauds have been perpetrated by the CEO and CFO acting together, not individuals “throughout the company in different departments and among various personnel.” Rationalization, for example, is an intensely personal action and not something that can be detected by looking broadly at even a segment of the workforce.

“Companies taking a thoughtful approach in transitioning to the 2013 framework—rather than viewing it as a mere compliance exercise—are finding value in the identification of opportunities to strengthen their ICFR.”

We are back on solid ground.

The focus has to remain solidly grounded on identifying and then testing the design and operation of the controls relied upon to prevent or detect a material error or omission. A top-down and risk-based approach is mandated.

Going beyond this may have value in improving operations and the achievement of other (than SOX) business objectives.

But let’s not go crazy!

I welcome your comments and, especially, your experiences with COSO 2013 and your external auditors.

By the way, I think it is well past time for COSO to issue a statement or other guidance to set people straight on the COSO 2013 principles when it comes to SOX. They need to explain that the primary evaluation criterion for effective internal control is whether there is reasonable assurance that risk to the achievement of principles is at an acceptable level. Then they need to explain that the principles offer more granulated guidance that can be used in assessing that risk and whether it is acceptable, but assessing the principles without the context of risk is misunderstanding COSO 2013.

Do you agree?

 

The effective audit committee

A short article in CGMA Magazine, Ingredients of an effective audit committee, caught my eye. I recommend reading it.

I think there are some key ingredients to an effective audit committee that are often overlooked. They include:

1. The members have to read all the material for the audit committee meeting before the meeting. It’s amazing how often they don’t, which reduces the meeting to absorbing the material rather than a constructive discussion of its implications.
2. The members have to be ready, willing, and able to constructively challenge all the other participants, including the external and internal auditors as well as financial, operating, and executive management. Too often, they are deferent to the external auditor (for reasons that escape me) and too anxious to be collegial to challenge senior management.
3. They need a sufficient understanding of the business, its external context (including competitors and the regulatory environment), its strategies and objectives, risks to the achievement of its objectives, and the fundamentals of risk management and financial reporting, to ask the right questions. They don’t need to have a deep understanding if they are willing to use their common sense.
4. They need to be willing to ask a silly question.
5. They need to persevere until they get a common sense response.
6. No board or committee of the board can be effective if they don’t receive the information they need when they need it. I am frustrated when I read surveys that say they don’t receive the information they need – they should be demanding it and accepting no excuses when management is slow to respond.
7. Audit committee members will not be effective if they are only present and functioning at quarterly meetings. They need to be monitoring and asking questions far more often, as they see or suspect changes that might affect the organization and their oversight responsibilities.

What do you think?

I welcome your comments.

Leveraging the COSO Internal Control Update for Advantage

PwC, who led the project for COSO that updated the Internal Control – Integrated Framework, have shared 10 Minutes on why the COSO Update deserves your attention.

PwC has taken credit for writing the update – and I happy to give them the credit, but if they want that then they also have to recognize the limitations.

Personally, I think they have exaggerated the value of the update. For example, they say that the updated version is “applicable to more business objectives”. Frankly, that is nonsense. The 1992 framework could be and was being applied by practitioners (including me) to any and all objectives, including internal financial reporting and all forms of non-financial reporting (contrary to PwC’s views in this latest document).

Nevertheless, I agree with PwC that the update provides an excellent opportunity to revisit both the effectiveness and efficiency of your internal controls.

PwC shares their approach, which I don’t think is correct as it is not risk-based.

Here is mine:

1. Do you understand the risks to your mission-critical objectives?
2. Do you have the controls in place to give you reasonable assurance that those risks are being managed at acceptable levels? (If you are concerned about satisfying the new COSO Principles, remember that they can be assessed as present and functioning as long as there are no major weaknesses that indicate that risks are not managed at acceptable levels).
3. Do you have the right controls? Are they the most effective and efficient combination of controls? Do you have too many (COSO doesn’t ask this question, nor whether you have the best combination of controls)?
4. As you look at your strategies and plans for the next year or so, do you have to make changes to your internal controls so they can support changes in your business and its operations?

I welcome your views.