Archive

Archive for the ‘Cyber’ Category

Cyber and reputation risk are dominoes

February 18, 2017 12 comments

Anthony Fitzsimmons recently sent me a review copy of his new book, Rethinking Reputation Risk. He says that it “Provides a new perspective on the true nature of reputational risk and damage to organizations and traces its root causes in individual and collective human behavior”.

I am not sure that there is much that is new in the book, but if you want to understand how human behavior can be the root cause (in fact, it is very often the root cause) of problems for any organization, you may find it of interest.

The authors (Fitsimmons and Professor Derek Atkins) describe several case studies where human failures led to serious issues.

Humans as a root cause is also a topic I cover in World-Class Risk Management.

As I was reading the book, I realized that I have a problem with organizations placing separate attention to reputation risk and its management. It’s simply an element, which should not be overlooked, in how any organization manages risk – or, I should say, how it considers what might happen in its decision-making activities.

The same thing applies to cyber risk and even compliance risk.

They are all dominoes.

dominoes

A case study:

  • There is a possibility that the manager in HR that recruits IT specialists leaves.
  • The position is open for three months before an individual is hired.
  • An open position for an IT specialist who is responsible for patching a number of systems is not filled for three months.
  • A system vulnerability remains open because there is nobody to apply a vendor’s patch.
  • A hacker obtains entry. CYBER RISK
  • The hacker steals personal information on thousands of customers.
  • The information is posted on the Internet.
  • Customers are alarmed. REPUTATION RISK
  • Sales drop.
  • The company fails to meet analyst expectations for earnings.
  • The price for the company’s shares drop 20%.
  • The CEO decides to slash budgets and headcounts by 10% across the board.
  • Individuals in Quality are laid off.
  • Materials are not thoroughly inspected.
  • Defective materials are used in production.
  • Scrap rates rise, but not all defective products are detected and some are shipped to customers.
  • Customers complain, return products and demand compensation. REPUTATION RISK
  • Sales drop, earnings targets are missed again, and …….
  • At the same time as the Quality staff is downsized, the capital expenditure budget is cut.
  • The Information Security Officer’s request for analytics to detect hackers who breach the company’s defenses is turned down.
  • Multiple breaches are not detected. CYBER RISK
  • Hackers steal the company’s trade secrets.
  • Competitors acquire the trade secrets and are able to erode any edge the company may have.
  • The company’s REPUTATION for a technology edge disappears. REPUTATION RISK
  • Sales drop. Earnings targets are not achieved, and……..

It is true that every domino and the source of risk to its stability (what might happen) needs to be addressed.

But, focusing on one or two dominoes in the chain is unlikely to prevent serious issues.

One decision at a low level in the company can have a domino effect.

Consider this slide deck by ERM Strategies, Inc. about the Deep Water Horizon disaster.

I welcome your comments.

Leading an effective information security capability

September 4, 2016 5 comments

With all the press and concern about cyber at all levels of the organization, with the regulators, and among the public, it is a worthwhile exercise to consider what this should mean for the Chief Information Security Officer (CISO) or equivalent.

Some point to the need to elevate the position of CISO to report directly to a senior executive, even to the CEO.

Elevating the position, in my opinion, will not necessarily do more than elevate the voice of cyber in the executive suite. It won’t necessarily drive the resources necessary for an effective cyber program, nor will it necessarily change the minds and attitudes of people from the executives on down.

In fact, elevating the position carries the risk that the CISO will get caught up in organizational politics instead of focusing on cyber risk itself.

Deloitte tackles this and other opportunities in a new piece, The new CISO: Leading the strategic security organization.

Of course, they are using words intended to induce people to read: ‘new’ and ‘strategic’. I think we can easily disregard them and focus on the problem at hand.

First, let’s acknowledge that the role of the CISO (or other individual responsible for information security) should never be considered as simply a compliance function.

Deloitte talks about “the imperative to move beyond the role of compliance monitors and enforcers to integrate better with the business, manage information risks more strategically, and work toward a culture of shared cyber risk ownership across the enterprise”.

But even when I had information security reporting to me 30 years ago, it was about protecting the organization and not just about compliance.

It is foolish to believe that executives or the board will invest if the only return is compliance. Yes, it is necessary but a compliance function will never receive the attention of a function that contributes to the success of the organization. Executives will commit resources to the level they think prudent, but not necessarily what it will take to enable success – because they don’t understand how cyber relates to their personal and corporate success.

If they don’t know that it matters to success, it won’t matter to them.

The successful CISO helps everybody appreciate how cyber contributes to and enables success.

Buried in the Deloitte material are two sections of great importance:

  • While the CISO may think in terms of reducing risks, business leaders take risks every day, whether introducing an existing product to a new market, taking on an external partner to pursue a new line of business, or engaging in a merger or acquisition. In fact, the ability to accept more risk can increase business opportunities, while ruling it out may lead to their loss. From this perspective, the role of the CISO becomes one of helping leadership and employees be aware of and understand cyber risks, and equipping them to make decisions based on that understanding. In some cases, the organization’s innovation agenda may necessitate a more lenient view of security controls.
  • …… CISOs [need] to pivot the conversation—both in terms of their mind-set as well as language—from security and compliance to focus more on risk strategy and management. Going beyond the negative aspect of how much damage or loss can result from risk, CISOs need to understand risk in terms of its potential to positively affect competitive advantage, business growth, and revenue expansion.

These are, in my opinion, the keys to an effective cyber program.

If the CISO is going to influence not only the resources he or she is given but the attitude and actions of the organization, it is necessary not only to understand how the business is run, but to talk to executives in the language of the business.

Talk about how the achievement of objectives may be affected by a cyber breach. Talking about specific objectives is the best way to influence hearts and minds.

Help executives make intelligent decisions when it is appropriate to accept a cyber risk to reap a business reward.

Talk business risk, not technobabble.

Do you agree?

Are there other points of value in the Deloitte paper?

The State of Internal Audit Capabilities in 2015

October 26, 2015 15 comments

Overall, I am pleased to see the progress the internal audit practice has made over the last few years. While there are still serious problems regarding independence and resources in some parts of the world (where internal audit is established only to “check-the-box, not with any intent to be a serious activity), more and more organizations are moving to what I call “enterprise risk-based” auditing; perhaps half are providing assurance through formal audits and assessments of the management of risk; and, many are focusing on identifying problems before rather than after the occur has become a recurring mantra.

That progress is reflected, for example, in Protiviti’s latest Internal Auditing Around the World and in the IIA’s CBOK series.

Yet, the picture is not entirely rosy.

This year, I have been privileged to work with the National Association of Corporate Directors. I was a panelist at three separate events where they discussed cyber risk.

In one group session, a director said that the board could not ask internal audit to assess and help with cyber risk because they lacked that capability. The others voiced their agreement, one and all.

This is a huge problem!

Internal audit may not always have the talent on staff to address every risk or concern, but if the board would only give it the resources, internal audit can either hire that staff or outsource the task.

As a chief audit executive, I have hired specialists to address specific risks in IT (including highly technical personnel), environmental compliance, engineering, fraud investigations, and more. Where possible, I have provided staff (including myself) training in specialized areas, such as derivatives trading, Six Sigma, and Lean Manufacturing.

I also used outside resources from consulting and personnel agencies:

  • A derivatives trading and management specialist
  • A “white hat” penetration testing team
  • A former global procurement executive
  • An expert in sales contracting and management
  • A corporate tax specialist
  • and more

Some talk about internal audit being the “consultant of choice”. I wouldn’t go that far. Where I would go is that internal audit should have the capability, whether through its own personnel, co-sourcing, or other contract staffing, to address and provide assurance on the key risks facing the enterprise.

Internal audit should:

  1. Inform the audit committee when it has insufficient resources to address a specialized area of risk, and endeavor to persuade them to provide such additional resources (headcount or dollars) to address the need
  2. Inform the audit committee that it has the capability to obtain the necessary resources to address specialized areas such as cyber security, ethics compliance, corporate culture, corporate governance and more. This means that the CAE needs to build a network that he/she can tap to locate and hire the necessary expertise
  3. Challenge management and even the audit committee when either goes outside to obtain assurance on an area of risk

I welcome your comments.

Compliance and risk appetite

July 18, 2015 7 comments

Recently, a compliance thought leader and practitioner asked my opinion about the relevance of risk management and specifically risk appetite to compliance and ethics programs.

The gentleman also asked for my thoughts on GRC and compliance; I think I have made that clear in other posts – the only useful way of thinking about GRC is the OCEG view, which focuses on the capability to achieve success while acting ethically and in compliance with applicable laws and regulations. Compliance issues must be considered within the context of driving to organizational success.

In this post, I want to focus on compliance and risk management/appetite.

Let me start by saying that I am a firm believer in taking a risk management approach to the business objective of operating in compliance with both (a) laws and regulations and (b) society’s expectations, even when they are not reflected in laws and regulations. This is reinforced by regulatory guidance, such as in the US Federal Sentencing Guidelines, which explain that when a reasonable process is followed to identify, assess, evaluate, and treat compliance-related risks, the organization has a defense against (at least criminal) prosecution. The UK’s Bribery Act (2010) similarly requires that the organization assess and then treat bribery-related risks.

I think the question comes down to whether you can – or should – establish a risk appetite for (a) the risk of failing to comply with rules or regulations, or (b) the risk that you will experience fraud.

I have a general problem with the practical application of the concept of risk appetite. While it sounds good, and establishes what the board and top management consider acceptable levels of risk, I believe it has significant issues when it comes to influencing the day-to-day taking of risk.

Here is an edited excerpt from my new book, World-Class Risk Management, in which I dedicate quite a few pages to the discussion of risk appetite and criteria.

Evaluating a risk to determine whether it is acceptable or not requires what ISO refers to as ‘risk criteria’ and COSO refers to as a combination of ‘risk appetite’ and ‘risk tolerance’.

I am not a big fan of ‘risk appetite’, not because it is necessarily wrong in theory, but because the practice seems massively flawed.

This is how the COSO Enterprise Risk Management – Integrated Framework defines risk appetite.

Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.

One of the immediate problems is that it talks about an “amount of risk”. As we have seen, there are more often than not multiple potential impacts from a possible situation, event, or decision and each of those potential impacts has a different likelihood. When people look at the COSO definition, they see risk appetite as a single number or value. They may say that their risk appetite is $100 million. Others prefer to use descriptive language, such as “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.”

Whether in life or business, people make decisions to take a risk because of the likelihood of potential impacts – not the size of the impact alone. Rather than the risk appetite being $100 million, it is the 5% (say) likelihood of a $100 million impact.

Setting that critical objection aside for the moment, it is downright silly (and I make no apology for saying this) to put a single value on the level of risk that an organization is willing to accept in the pursuit of value. COSO may talk about “the amount of risk, on a broad level”, implying that there is a single number, but I don’t believe that the authors of the COSO Framework meant that you can aggregate all your different risks into a single number.

Every organization has multiple types of risk, from compliance (the risk of not complying with laws and regulations) to employee safety, financial loss, reputation damage, loss of customers, inability to protect intellectual property, and so on. How can you add each of these up and arrive at a total that is meaningful – even if you could put a number on each of the risks individually?

If a company sets its risk appetite at $10 million, then that might be the total of these different forms of risk:

Non-compliance with applicable laws and regulations $1,000,000
Loss in value of foreign currency due to exchange rate changes $1,500,000
Quality in manufacturing leading to customer issues $2,000,000
Employee safety $1,500,000
Loss of intellectual property $1,000,000
Competitor-driven price pressure affecting revenue $2,000,000
Other $1,000,000

I have problems with one risk appetite when the organization has multiple sources of risk.

  • “I want to manage each of these in isolation. For example, I want to make sure that I am not taking an unacceptable level of risk of non-compliance with applicable laws and regulations irrespective of what is happening to other risks.”
  • “When you start aggregating risks into a single number and base decisions on acceptable levels of risk on that total, it implies (using the example above) that if the level of quality risk drops from $2m to $1.5m but my risk appetite remains at $10m, I can accept an increase in the risk of non-compliance from $1m to $1.5m. That is absurd.”

The first line is “non-compliance with applicable laws and regulations”. I have a problem setting a “risk appetite” for non-compliance. It may be perceived as indicating that the organization is willing to fail to comply with laws and regulations in order to make a profit; if this becomes public, there is likely to be a strong reaction from regulators and the organization’s reputation would (and deserves to) take a huge hit.

Setting a risk appetite for employee safety is also a problem. As I say:

…. no company should, for many reasons including legal ones, consider putting a number on the level of acceptable employee safety issues; the closest I might consider is the number of lost days, but that is not a good measure of the impact of an employee safety event and might also be considered as indicating a lack of appropriate concern for the safety of employees (and others). Putting zero as the level of risk is also absurd, because the only way to eliminate the potential for a safety incident is to shut down.

That last sentence is a key one.

While risk appetites such as $1m for non-compliance or $1.5m for employee safety are problematic, it is unrealistic to set the level of either at zero. The only way to ensure that there are no compliance or safety issues is to close the business.

COSO advocates would say that risk appetite can be expressed in qualitative instead of quantitative terms. This is what I said about that.

The other form of expression of risk appetite is the descriptive form. The example I gave earlier was “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.” Does this mean anything? Will it guide a decision-maker when he considering how much risk is acceptable? No.

Saying that “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns”, or “The organization has a low risk appetite related to risky ventures and, therefore, is willing to invest in new business but with a low appetite for potential losses” may make the executive team feel good, believe they have ‘ticked the risk appetite box’, but it accomplishes absolutely nothing at all.

Why do I say that it accomplishes absolutely nothing? Because (a) how can you measure whether the level of risk is acceptable based on these descriptions, and (b) how do managers know they are taking the right level of the right risk as they make decisions and run the business?

If risk appetite doesn’t work for compliance, then what does?

I believe that the concept of risk criteria (found in ISO 31000:2009) is better suited.

Management and the board have to determine how much to invest in compliance and at what point they are satisfied that they have reasonable processes of acceptable quality .

The regulators recognize that an organization can only establish and maintain reasonable processes, systems, and organizational structures when it comes to compliance. Failures will happen, because organizations have human employees and partners. What is crucial is whether the organization is taking what a reasonable person would believe are appropriate measures to ensure compliance.

I believe that the organization should be able to establish measures, risk criteria, to ensure that its processes are at that reasonable level and operating as desired. But the concept of risk appetite for compliance is flawed.

A risk appetite statement tends to focus on the level of incidents and losses, which is after the fact. Management needs guidance to help them make investments and other decisions as they run the business. I don’t see risk appetite helping them do that.

By the way, there is another problem with compliance and risk appetite when organizations set a single level for all compliance requirements.

I want to make sure I am not taking an unacceptable level of risk of non-compliance with each law and regulation that is applicable. Does it make sense to aggregate the risk of non-compliance with environmental regulations, safety standards, financial reporting rules, corruption and bribery provisions, and so on? No. Each of these should be managed individually.

Ethics and fraud are different.

Again, we have to be realistic and recognize that it is impossible to reduce the risk of ethical violations and fraud to zero.

However, there is not (in my experience) the same reputation risk when it comes to establishing acceptable levels – the levels below which the cost of fighting fraud starts to exceed the reduction in fraud risk.

When I was CAE at Tosco, we owned thousands of Circle K stores. Just like every store operator, we experienced what is called “shrink” – the theft of inventory by employees, customers, and vendors. Industry experience was that, though undesirable, shrink of 1.25% was acceptable because spending more on increased store audits, supervision, cameras, etc. would cost more than any reduction in shrink.

Managing the risks of compliance or ethical failures is important. But, for the most part I find risk appetite leaves me hungry.

What do you think?

BTW, both my World-Class Risk Management and World-Class Internal Auditing books are available on Amazon.

Cyber risk and the boardroom

June 5, 2015 7 comments

The National Association of Corporate Directors (NACD) has published a discussion between the leader of PwC’s Center for Board Governance, Mary Ann Cloyd, and an expert on cyber who formally served as a leader of the US Air Force’s cyber operations, Suzanne Vautrinot.

It’s an interesting read on a number of levels; I recommend it for board members, executives, information security professionals and auditors.

Here are some of the points in the discussion worth emphasizing:

“An R&D organization, a manufacturer, a retail company, a financial institution, and a critical utility would likely have different considerations regarding cyber risk. Certainly, some of the solutions and security technology can be the same, but it’s not a cookie-cutter approach. An informed risk assessment and management strategy must be part of the dialogue.”

“When we as board members are dealing with something that requires true core competency expertise—whether it’s mergers and acquisitions or banking and investments or cybersecurity—there are advisors and experts to turn to because it is their core competency. They can facilitate the discussion and provide background information, and enable the board to have a very robust, fulsome conversation about risks and actions.”

“The board needs to be comfortable having the conversation with management and the internal experts. They need to understand how cybersecurity risk affects business decisions and strategy. The board can then have a conversation with management saying, ‘OK, given this kind of risk, what are we willing to accept or do to try to mitigate it? Let’s have a conversation about how we do this currently in our corporation and why.’”

Cloyd: What you just described doesn’t sound unique to cybersecurity. It’s like other business risks that you’re assessing, evaluating, and dealing with. It’s another part of the risk appetite discussion. Vautrinot: Correct. The only thing that’s different is the expertise you bring in, and the conversation you have may involve slightly different technology.”

Cloyd: Cybersecurity is like other risks, so don’t be intimidated by it. Just put on your director hat and oversee this as you do other major risks. Vautrinot: And demand that the answers be provided in a way that you understand. Continue to ask questions until you understand, because sometimes the words or the jargon get in the way.”

“Cybersecurity is a business issue, it’s not just a technology issue.”

This was a fairly long conversation as these things go, but time and other limitations probably affected the discussion – and limited the ability to probe the topic in greater depth.

For example, there are some more points that I would emphasize to boards:

  • It is impossible to eliminate cyber-related risk. The goal should be to understand what the risk is at any point and obtain assurance that management (a) knows what the risk is, (b) considers it as part of decision-making, including its potential effect on new initiatives, (c) has established at what point the risk becomes acceptable, because investing more has diminishing returns, (d) has reason to believe its ability to prevent/detect cyber breaches is at the right level, considering the risk and the cost of additional measures (and is taking corrective actions when it is not at the desired level), (e) has a process to respond promptly and appropriately in the event of a breach, (f) has tested that capability, and (g) has a process in place to communicate to the board the information the board needs, when it needs it, to provide effective oversight.
  • Cyber risk should not be managed separately from enterprise or business risk. Cyber may be only one of several sources of risk to a new initiative, and the total risk to that initiative needs to be understood.
  • Cyber-related risk should be assessed and evaluated based on its effect on the business, not based on some calculated value for the information asset.
  • The board can never have, or maintain, the level of sophisticated knowledge required to assess cyber risk itself. It needs to ask questions and probe management’s responses until it has confidence that management has the ability to address cyber risk.

I welcome your comments and observations on the article and my points, above.

How much cyber risk should you take?

May 24, 2015 6 comments

I have been spending a fair amount of time over the last few months, talking and listening to board members and advisors, including industry experts, about cyber risk.

A number of things are clear:

  • Boards, not just those members who are on the audit and/or risk committee, are concerned about cyber and the risk it represents to their organization. They are concerned because they don’t understand it – and the actions they should take as directors. The level of concern is sufficient for them to attend conferences dedicated to the topic rather than relying on their organization.
  • They are not comfortable with the information they are receiving on cyber risk from management – management’s assessment of the risk that it represents to their organization; the measures management has taken to (a) prevent intrusions, (b) detect intrusions that got past defenses, and (c) respond to such intrusions; how cyber risk is or may be affected by changes in the business, including new business initiatives; and, the current level and trend of intrusion attacks (some form of metrics).
  • The risk should be assessed, evaluated, and addressed, not in isolation as a separate IT or cyber risk, but in terms of its potential effect on the business. Cyber risk should be integrated into enterprise risk management. Not only does it need to be assessed in terms of its potential effect on organizational business objectives, but it is only one of several risks that may affect each business objective.
  • It is impossible to eliminate cyber risk. In fact, it is broadly recognized that it is impossible to have impenetrable defenses (although every reasonable effort should be made to harden them). That mandates increased attention to the timely detection of those who have breached the defenses, as well as the capability to respond at speed.
  • Because it is impossible to eliminate risk, a decision has to be made (by the board and management, with advice and counsel from IT, information security, the risk officer, and internal audit) as to the level of risk that is acceptable. How much will the organization invest in cyber compared to the level of risk and the need for those same resources to be invested in other initiatives? The board members did not like to hear talk of accepting a level of risk, but that is an uncomfortable fact of life – they need to get over and deal with it!

The National Association of Corporate Directors has published a handbook on cyber for directors (free after registration).

Here is a list of questions I believe directors should consider. They should be asked of executive management (not just the CIO or CISO) in a session dedicated to cyber.

  1. How do you identify and assess cyber-related risks?
  2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of IP, compliance risk, and so on) and not just “IT-risk”?
  3. How do you evaluate the risk to know whether it is too high?
  4. How do you decide what actions to take and how much resource to allocate?
  5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
  6. How do you assess the potential new risks introduced by new technology? How do you determine when to take the risk because of the business value?
  7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
  8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
  9. Can you respond appropriately at speed?
  10. What procedures are in place to notify you, and then the board, in the event of a breach?
  11. Who has responsibility for cybersecurity and do they have the access they need to senior management?
  12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce new risks by signing up for new cloud services?

I welcome your thoughts, perspectives, and comments.

Cybersecurity is broken

April 11, 2015 6 comments

At least, that is what one expert has to say in a provocative piece in SC magazine.

Here are some excerpts, but I recommend you read the short article.

The author, the CEO of a software vendor of cybersecurity products, starts with these points:

…user-driven technology has progressed so rapidly that it has significantly outpaced technology’s own ability to keep data protected from misuse and guarded from cyber vulnerabilities…….

A lack of reliable security is the price we’ve paid for this eruption of amazing new cloud-based services and keeping vital data out of the wrong hands is an uphill battle.

He then spells out a truth that we should all acknowledge:

Anyone who tells you that your data is secure today is lying to you. The state-of-the-art that is cybersecurity today is broken. There must be a better way. But don’t lose hope, there is.

The article then takes a new direction (at least for me):

CIOs today need to adopt an entirely new security philosophy – one that hinges on the fact that your files and information will be everywhere……..

If we can build a new security approach from the ground up based on the premise that data will escape, and are then able to secure everything no matter where it is, we end up debunking the concept of the “leak” entirely.

I do agree that the traditional, exclusive, focus on preventing an intrusion cannot continue. He says:

That’s why my biggest frustration coming out of the recent Sony and Anthem hacks is companies opting for reactive solutions to fortify firewalls and secure siloed tunnels of information. For example, there was a major uptick in company-wide email-deletion policies in the wake of the Sony attack. Now that’s just dumb. Those are band-aid strategies that fail to address the heart of the problem.

He continues to press his point:

Maintaining a level of security in a boundaryless world means security and policy follow exactly what you’re trying to protect in the first place — the data……

Usable security, where users can choose how they want to access, store and share data, can only be made possible by providing a seamless user experience, so security is integrated into the daily work of everyone. A great user experience is one major obstacle security vendors (and arguably, all enterprise services) have yet to conquer. If we can do it, we will move away from panic-inducing scare tactics used to encourage adoption, and instead empower users with a solution they actually like to secure data…..

In order to be a security company, enterprises need to rethink a few things. First, users have to be in control of their data at any given point in time and should be able to revoke access when they want by utilizing familiar technology. They should have complete peace of mind that their data truly stays theirs. Second, in a cloud and mobile world there are no real controlled end-points anymore, unless we want to take a step back into the stone ages. And third, the firewall model is broken and trying to extend the perimeter out simply doesn’t work anymore. It’s about protecting the information, wherever it is, and not about locking everything down where it’s hard to access, use and share for your employees and partners.

So he is presenting a new cybersecurity world where the security follows the data, using encryption and other methods.

I think that is something that every organization should consider – especially encryption.

But is it enough?

For a start, how secure is encryption in the face of the sophisticated attacker? Maybe it is reasonably secure now, but we cannot be sure it will remain secure. Consider how encryption was broken by researchers, with the story told in this 2013 article.

I think you need at least three levels of protection: prevention, encryption, and detection, followed by response.

We can no longer assume that the bad guys cannot get in, and I am reluctant to assume that my encryption will not be broken if they have time.

So, we need the ability to detect any intruders promptly – so we can shut them down and limit any damage.

Too few have sufficient detection in place. Just look how long hackers were inside JP Morgan, and then how long it took the company to expel them!

I welcome your views.

Understanding and managing cyber risk

March 29, 2015 8 comments

Last week, I participated in an NACD Master Class. I was a panelist in discussions of technology and cyber risk with 40-50 board members very actively involved – because this is a hot topic for boards.

I developed and shared a list of 12 questions that directors can use when they ask management about their organization’s understanding and management of cyber-related business risk.

The set of questions can also be used by executive management, risk professionals, or internal auditors, or even by information security professionals interested in assessing whether they have all the necessary bases covered.

This is my list.

  1. How do you identify and assess cyber-related risks?
  2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of IP, compliance risk, and so on) and not just “IT-risk”?
  3. How do you evaluate the risk to know whether it is too high?
  4. How do you decide what actions to take and how much resource to allocate?
  5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
  6. How do you assess the potential new risks introduced by new technology? How do you determine when to take the risk because of the business value?
  7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
  8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
  9. Can you respond appropriately at speed?
  10. What procedures are in place to notify you, and then the board, in the event of a breach?
  11. Who has responsibility for cybersecurity and do they have the access they need to senior management?
  12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce new risks by signing up for new cloud services?

I am interested in your comments on the list, how it can be improved, and how useful it is – and to whom.

New information and perspectives on cyber security

March 21, 2015 10 comments

The world continues to buzz about cyber security (or, perhaps we should say, insecurity). Now we have the Chinese government apparently admitting that they have a cyberwarfare capability: not just one unit, but three. Other nations, including the United States, Japan, and some European nations, are talking about their ineffective defenses and the need to develop an offensive capability.

What can the targets, not only any public or private company, but each of us as an individual target (yes, our personal devices are constantly under attack), do about this?

The first step is to get our collective heads out of the sand and understand that we are all, collectively and individually, at risk. The level of successful attacks is enormous (a billion records with personal information were hacked in 2014 according to IBM, as reported here). According to a survey discussed in Fortune, 71% of companies admit they were hacked last year and the majority expects to be hacked this year. However, nearly a quarter, according to Fortune, has not only kept their heads in the sand but do so with unbelievable confidence; they think a successful cyber attack is “not likely” in the next 12 months. The trouble is that very often successful attacks are not detected! It took a long time before JPMorgan Chase found out they had been hacked, and even longer before they knew the extent of damage.

Organizations need to be ready to respond effectively and fast!

The JPMorgan Chase article reports that “The people with knowledge of the investigation said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, possibly giving the hackers time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorgan’s systems.”

All is for naught if successful intrusions are not detected and responses initiated on a timely basis. In the Target case, reports say that the security monitoring service detected suspicious activity but the company did not respond. According to ComputerWeekly.com, many companies make the mistake of “Over-focusing on prevention and not paying enough attention to detection and response. Organisations need to accept that breaches are inevitable and develop and test response plans, differentiating between different types of attacks to highlight the important ones.”

Another insightful article discusses the critical need for pre-planned response capabilities. IT cannot do it all themselves; business executives need to not only be involved but actively work to ensure their operations can survive a successful intrusion.

What else should we do?

We have to stop using passwords like ‘password’, the name of our pet, or our birthday. Password managers are excellent tools (see this article on the top-rated products) and merit serious consideration. I have one (BTW, I don’t plan to replace it with the latest idea from Yahoo of one-time text messages. However, I do like the fingerprint authentication on my iPhone.)

A risk-based approach to cyber security is the right path, in my view. But that does mean that organizations have to continuously monitor new and emerging risks, or new observations about existing risks. An example is a new article on insecure mobile apps – both from in-house developers and from external sources.

Organizations need to allocate resources to cyber and information security commensurate with the risks, and individuals have to take the time to update the software on their personal devices. Internal audit departments should make sure they have the talent to make a difference, providing objective evaluations and business-practical suggestions for improvement.

Companies and individuals, both, need to make sure they apply all the security patches released by software vendors. They address the vulnerabilities most often targeted and when there is a breach, very often it’s because the patches have not been applied.

As individuals, we should have a credit monitoring service (I do), set up alerts for suspicious activity on their bank accounts, and all the anti-virus and spam protection that is reasonable to apply.

Finally, as individuals and as organizations, we need to make sure we and our people are alert to the hackers’ attempts through malware, social engineering, and so on. It is distressing that so many successful intrusions start with somebody clicking where they should not be clicking.

Here are a couple of articles worth reading and a publication by COSO (written by Deloitte) on how their Internal Control Framework can be used to address cyber risks.

Cybersecurity in 2015: What to expect

Cybersecurity Hindsight And A Look Ahead At 2015

COSO in the cyber age

As always, I welcome your comments.

Technology, Strategy, Cyber, and Risk

November 8, 2014 2 comments

How do you assess the risk of missing the opportunity to leverage disruptive technology?

Does being on the “bleeding edge” still scare you?

Are you scared of cyber risk that you are rooted in place?

With incredible advances in technology coming at us from all sides, the potential for organizations to offer new products and services, as well as make dramatic improvements in how they run the enterprise, is huge.

Yet, each of these new technologies also introduces new risks that are of concern to information security, risk, and assurance professionals.

I am concerned that organizations are not prepared to survive let alone thrive in this environment.

I want to share some questions for your consideration, but let’s look first at one new technology that is emerging as disruptive to manufacturing and other sectors: additive manufacturing, commonly known as 3-D printing. These two sites explain some of the potential:

For most of us, 3-D printing is something from the world of science fiction or TV series. But, it is real and it is now.

Do you think every organization that could be affected by this technology has taken the necessary steps to determine how it should affect their organizational objectives and strategies? Do they even know how it could affect them?

My questions:

  1. Is your organization monitoring new technology and able to identify how it could affect your organization?
  2. Do you know what your competitors may be doing with it?
  3. Do you know what other organizations are doing or planning to do that might turn them into competitors (think Apple and Rolex)?
  4. Are the right people thinking about how the technology could affect your organization?
  5. Do they have the ability to come up with ways to use the technology that are novel and different from others?
  6. When new technology is considered, does your organization have reliable processes to assess related risks?
  7. Is the voice of risk heard – and understood?
  8. Is your organization prepared to take the risks necessary to succeed?
  9. Do you understand the risk of not taking the risk?
  10. Is your organization sufficiently agile to cast old ideas aside and seize the opportunities?
  11. Is your organization willing to wait when the (adverse) risk exceeds the opportunity?
  12. Do your information security, risk management, internal audit, and other assurance providers steer you to take the right risks or are they only a drag, pointing out the negative?

Do you agree with this list? What would you change?

I welcome your comments.

Information Security and Risk

October 24, 2014 4 comments

Should information security (or cyber, if we follow the latest fad) be based on risk? What is that risk, is it risk to the information or other IT resources, or is it risk to the business?

I congratulate John Pironti and Dark Reading for the intelligent perspective in a short video interview.

Two points stand out for me:

  1. The investment in information security/cyber should be based on the risk to the business and the achievement of business objectives.
  2. Information security professionals need to talk to the business in the language of the business – which is risk and performance. That means that the CISO and team need to understand the business objectives and how a failure in cyber might impair the ability to achieve them.

Information security professionals will be able to get and retain the attention of executives when they are able to explain how investments in information security help managers and the business as a whole succeed.

While information security professionals should continue to advance their understanding of technical issues, most need to upgrade their understanding of the business and business risks. Risk management guidance, such as the ISO 31000:2009 global risk management standard, should be required reading in addition to business and technical journals.

I welcome your comments.

Leading the 21st century organization

October 6, 2014 1 comment

I have been a fan of Tom Peters (author of “In Search of Excellence” and many more books) for more than 20 years.

While CAE at Tosco Corporation, I attended a presentation by him on something he called Wow! The concept, which I not only wrote about for the Internal Auditor magazine in 2001 but tried to incorporate into my internal audit practice, is to turn every project into something that you would tell your grandchildren about (Wow! indeed).

Tom is now 71 but hasn’t slowed down. He is amazingly actively presenting all over the world, writing books, and on Twitter (where we interact from time to time).

Recently, he was interviewed by McKinsey and I recommend reading the full piece. Here are some excerpts.

“My real bottom-line hypothesis is that nobody has a sweet clue what they’re doing. Therefore you better be trying stuff at an insanely rapid pace. You want to be screwing around with nearly everything. Relentless experimentation was probably important in the 1970s—now it’s do or die.”

“…the secret to success is daydreaming.”

“If you take a leadership job, you do people. Period. It’s what you do. It’s what you’re paid to do. People, period. Should you have a great strategy? Yes, you should. How do you get a great strategy? By finding the world’s greatest strategist, not by being the world’s greatest strategist. You do people.”

“We’re in the big-change business, aren’t we? Isn’t that the whole point? I mean, any idiot with a high IQ can invent a great strategy. What’s really hard is fighting against the unwashed masses and pulling it off—although there’s nothing stupider than saying change is about overcoming resistance. Change is about recruiting allies and working each other up to have the nerve to try the next experiment. You find allies. You encircle the buggers.”

“I’m more than willing to say that today’s two year old is going to deal with his or her fellow human beings differently than you or I do. But the reality is it’s 2014, not 2034, and I would argue that for the next 20 years, we’re still safe believing in the importance of face-to-face contact. I’m not arguing against virtual meetings, but I’m telling you that if I’m running IBM, I want to be on the road 200 days a year as much in 2014 as in 2004 or in 1974. It has nothing to do with the value of the tools, but I’ve got to see you face to face now and then; I don’t think I can do it all screen to screen.”

“At some deep level, people are people, and so I believe passionately that there is no difference between leading now and leading then. What I certainly believe is that anybody who is leading a sizable institution who doesn’t do what I did and take a year off and read or what have you, and who doesn’t embrace the new technology with youthful joy and glee, is out of business.”

This last is 100% consistent with the quote from another McKinsey Quarterly issue I used in Management for the Next 50 Years:

“Those who understand the depth, breadth, and radical nature of the change and opportunity that’s on the way will be best able to reset their intuitions accordingly, shape this new world, and thrive.”

Do you agree?

Management for the next 50 years

October 3, 2014 3 comments

An article in McKinsey’s Quarterly Journal that I strongly recommend is on the topic of Management intuition for the next 50 years. My only quibble is that title implies that there is time to act; I believe organizations that prepare now for the changes described in the article will thrive immediately and their competitive advantage grow in the next decade let alone 50 years.

I recommend a careful read of the entire piece. Here are some key excerpts to whet your appetite (emphasis added):

“We stand today on the precipice of much bigger shifts…., with extraordinary implications for global leaders. In the years ahead, acceleration in the scope, scale, and economic impact of technology will usher in a new age of artificial intelligence, consumer gadgetry, instant communication, and boundless information while shaking up business in unimaginable ways. At the same time, the shifting locus of economic activity and dynamism, to emerging markets and to cities within those markets, will give rise to a new class of global competitors. Growth in emerging markets will occur in tandem with the rapid aging of the world’s population—first in the West and later in the emerging markets themselves—that in turn will create a massive set of economic strains.”

Any one of these shifts, on its own, would be among the largest economic forces the global economy has ever seen. As they collide, they will produce change so significant that much of the management intuition that has served us in the past will become irrelevant. The formative experiences for many of today’s senior executives came as these forces were starting to gain steam. The world ahead will be less benign, with more discontinuity and volatility and with long-term charts no longer looking like smooth upward curves, long-held assumptions giving way, and seemingly powerful business models becoming upended.”

The article discusses three key trends while acknowledging that there are many more:

  • Dynamism in emerging markets
  • Technology and connectivity
  • Aging populations

This is what it says about technology and connectivity:

“As information flows continue to grow, and new waves of disruptive technology emerge, the old mind-set that technology is primarily a tool for cutting costs and boosting productivity will be replaced. Our new intuition must recognize that businesses can start and gain scale with stunning speed while using little capital, that value is shifting between sectors, that entrepreneurs and start-ups often have new advantages over large established businesses, that the life cycle of companies is shortening, and that decision making has never had to be so rapid fire.”

I think this is very well said! They go on to say:

Emerging on the winning side in this increasingly volatile world will depend on how fully leaders recognize the magnitude—and the permanence—of the coming changes and how quickly they alter long-established intuitions.”

“It will be increasingly difficult for senior leaders to establish or implement effective strategies unless they remake themselves in the image of the technologically advanced, demographically complex, geographically diverse world in which we will all be operating.”

Technology is no longer simply a budget line or operational issue—it is an enabler of virtually every strategy. Executives need to think about how specific technologies are likely to affect every part of the business and be completely fluent about how to use data and technology…… Technological opportunities abound, but so do threats, including cybersecurity risks, which will become the concern of a broader group of executives as digitization touches every aspect of corporate life.”

“New priorities in this environment include ensuring that companies are using machine intelligence in innovative ways to change and reinvent work, building the next-generation skills they need to drive the future’s tech-led business models, and upskilling and retraining workers whose day-to-day activities are amenable to automation but whose institutional knowledge is valuable.”

McKinsey closes with a reiteration of the problem that is also an opportunity for those prepared to take the risk and embrace the need for change:

“Those who understand the depth, breadth, and radical nature of the change and opportunity that’s on the way will be best able to reset their intuitions accordingly, shape this new world, and thrive.”

I welcome your comments.

Dynamic, iterative, and responsive to change

August 23, 2014 4 comments

One of the principles for effective risk management in the ISO 31000:2009 global risk management standard is that risk management should be “dynamic, iterative, and responsive to change”.

I really like that. It captures a number of key ingredients for the effective management of uncertainty and risk.

Dynamic” implies that risk management operates at the speed of the business. It is far more than the occasional, even if regular, assessment of a list of so-called top risks. “Dynamic” is when the consideration and management of risk is part of the fabric of the organization, and an element in daily decision-making and operations of the organization. It is active and essential.

Iterative” is about a reliable set of processes and systems for identifying, assessing, evaluating, and treating risk. It means that when management makes decisions, based in part on risk information, there are proven processes and the information is reliable.

Finally, “responsive to change” is essential when risk changes at speed. Every day there is a potential surprise, a new or changed situation to which the organization should at least consider responding. It could be a shift in exchange rates, a change in the government of a nation where you do business, a flood that affects the supply of a critical component, the decision in a court case that affects you directly (because you are a party) or indirectly (because it creates a new interpretation of a regulation with which you must comply), the loss of a key customer, a new product from a competitor, the loss of a key employee, or so on.

Stuff happens and it changes or creates risk.

The organization must be responsive to change, nimble and agile in modifying strategy and execution.

All of this applies not only to risk management but also to internal audit (and to finance and the rest of the organization, in truth).

Is your internal audit function “dynamic, iterative, and responsive to change“?

For that matter, do IT, Finance, Operations, and so on meet the principle behind that phrase?

Or are they slow, scattered, and stubbornly reluctant to change?

Is that a risk to which we must respond?

I welcome your comments.

Understanding Governance Risks

July 14, 2014 4 comments

How many boards, let alone risk officers, think about the risks to their organization if the governance by the board and top management is ineffective?

Certainly, people talk about the potential for the wrong tone at the top. Frankly, I doubt that members of the board will be able to detect those situations where top executives talk a good game but walk to a different tune; where they put the interests of their pockets ahead of the reputation and long-term success of the organization; where they are prepared to take risks with the organization’s resources without risk to their own..

But governance risks extend well beyond that

Failures to have the time to question and obtain insight in how the organization actually works can leave the enterprise without effective risk management, information security, internal auditing, and more.

Failures to provide the board the information it needs when it needs leaves the directors blind, although they may think they can see.

The governance committee of the board should, in my opinion, consider risks related to governance processes every year. It should engage both the risk and internal audit teams to ensure a quality assessment is performed. Legal counsel should also be actively engaged as issues might have consequences if they are not handled well; for example, any assessment that the board has gaps in director knowledge, experience, or ability to challenge the executive team cannot be communicated outside the firm.

Do you agree? I welcome your comments.

Guidance for Directors on Disruptive Change

July 7, 2014 3 comments

Every organization needs to be able to not only anticipate and address the inevitability of change that might disrupt its business, but be prepared to take advantage of the opportunities that will present themselves.

We talk about risk as if every uncertainty has a downside.

We talk about opportunity as if it is something that we choose to seize or not, and do little to ensure we identify and take full advantage. How do we expect to optimize our performance when we are cavalier about moving quickly to take advantage of opportunities that may rise and disappear quickly?

We talk about resilience as if we should stand tall, like a wall, in the face of disruptive change. Perhaps we should move, either out of the way or to align ourselves to benefit from the movement (think Aikidao).

In fact, all of these come into play. Situations and events can have multiple possible effects, some good and some bad, and are not limited to one outcome at a time. As a simple example, the loss of one employee is the opportunity to hire somebody with different skills, reorganize the function, and so on.

What distinguishes our times from years past is the pace of change.

Deloitte recently published Directors’ Alert 2014: Greater oversight, deeper insight: Boardroom strategies in an era of disruptive change. Here are some excerpts:

“Sometimes, changes occur that are more dramatic. In the past, disruptive changes usually happened only periodically and resulted in a sustained plateau – the automated assembly line, for example, which revolutionized industry in the early twentieth century, continues to be a central feature of modern manufacturing. Today, however, disruptive change has become a perpetual occurrence in which one change instantly sparks a chain of others. What’s more, these changes are being generated by a variety of factors – digital disruption created by continuing technological advances, regulatory reforms, economic turmoil, globalization, and shifting social norms and perceptions.”

“In this environment, everything and anything may change at any time as category boundaries are blurred, supply chains are disrupted, and long-standing business models become obsolete. With change, however, comes opportunity. Technological advances enable organizations to generate new revenues by targeting new customers, new sectors, and access new geographies while more fully automating back office activities and divesting of declining assets to reduce costs. The challenge for organizations is to recognize when disruptive change is occurring and to act quickly and decisively when it does.”

“In this environment of ongoing, tumultuous change, organizations and their management and boards of directors must respond quickly and adeptly if they are to effectively address all the disruptive changes that surround and affect them. For boards of directors, this often requires greater oversight – expanding their scope to include activities and areas that were not traditionally part of their mandate. At the same time, boards must ensure that management provides them with deeper insights into the organization’s activities so directors can clearly understand all of the potential opportunities and risks.”

Deloitte takes each area of major change (such as strategy, technology, taxation, regulatory compliance and so on) and includes questions for directors to use in discussions with management.

I am working with ISACA on guidance for directors and executives on how disruptive technology might affect corporate strategy. I came up with a few questions of my own that directors and top executives might use:

  1. How does the organization identify the new or maturing technologies that might be of value and merit consideration in setting or adjusting strategies, objectives, and plans?
  2. Who is responsible for the assessment process?
  3. Who determines whether existing strategies, objectives, or plans should be adjusted?
  4. Does the assessment consider the potential for value to be created in multiple areas of the organization, or does each functional area act on its own?
  5. Does the assessment consider, with inclusion in the process of related experts, potential compliance and other risks?
  6. Does the assessment consider the potential actions of competitors, suppliers, customers, and regulators?
  7. Does the board discuss the potential represented by new or maturing technology on a regular basis and as part of its discussions of enterprise strategy?

Do you think these are the right questions? How would your organization fare?

I welcome your comments.

Board Oversight of Cyber-Risks

June 29, 2014 4 comments

Over the last few years, “cyber” has moved from science fiction to business reality. I am not sure why we changed from talking about information security to cyber, but I am told (yet not convinced) that there is a difference.

In any event, boards and top management need to be concerned with cyber-risks because of the potential harm an adverse incident can cause to the organization’s reputation and trust, intellectual property, and compliance with applicable laws and regulations – and the business disruption can be even greater.

But how much should boards get involved? Should we expect directors to ask for and inquire about details, or should they instead ask probing questions and satisfy themselves that management has appropriate mechanisms in place?

Cyber Risk Oversight, a publication of the National Association of Corporate Directors (NACD), in collaboration with AIG and the Internet Security Alliance, takes the position that directors should ask questions. (The executive summary is free, but the detailed questions are in appendices that are only free to members).

I like their five principles, especially the first two:

  1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
  4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

While some would like to see information security (a.k.a. cybersecurity) as an issue that merits attention all by itself, the potential effect on the entire business and its ability to achieve its objectives justifies cyber being recognized as a business and not “just” an IT issue.

In fact, the level of risk associated with any cybersecurity failure should be measured like any risk, in terms of its effect on the achievement of enterprise objectives. This means that the interrelationship between cyber and revenue generation, customer satisfaction, and so on all need to be considered.

In addition, the investment the organization makes in cybersecurity should be commensurate with the level of risk and balanced against competing needs for capital from other aspects of the business.

Should there be an IT committee of the board? Should the board have several cyber experts who can understand and provide effective oversight? I think the answer is “it depends” – on the level of risk that cyber represents to the organization and whether the board can use the services of experts (such as within risk management and/or internal audit) to fill any knowledge gaps.

I agree with the NACD that the board should ensure it has sufficient information and expertise to ask the right questions of management at regularly scheduled board meetings. I believe they should demand both internal audit and risk management assistance in assessing cyber-risk and the adequacy of management’s programs for managing it.

Do you agree?

 

Related articles

Missing the boat on IT and technology

March 29, 2014 8 comments

When you look at surveys of CEOs, such as the ones by PwC in 2014, McKinsey in 2013 and IBM in 2012, they reflect what we should all know: that the innovative use of technology is one of, if not the primary, enabler of business innovation these days. Whether it’s connecting with the customer (as referenced by IBM), obtaining market insights (through analytics including Big Data analytics – see this discussion of a McKinsey report), or simply finding new ways to deliver products and services to customers, technology is a critical driver of business success.

As PwC says:

“CEOs told us they think three big trends will transform their businesses over the next five years. Four-fifths of them identified technological advances such as the digital economy, social media, mobile devices and big data. More than half also pointed to demographical fluctuations and shifts in economic power.”

“The smartest CEOs are concentrating on breakthrough, or game-changing, innovation. They’re explicitly incorporating it in their strategies. And they’re using technology not just to develop new products and services, but also to create new business models, including forging complete solutions by combining related products and services. In fact, they don’t think in terms of products and services so much as outcomes, because they recognise that products and services are simply a means to an end.”

“Breakthrough innovation can help a company rewrite the rules and leapfrog long-established competitors.”

Organizations that fail to leverage new technology are likely to be left behind by customers and competitors. In an ISACA report on Big Data, the point was made that failing to take a risk with new technology is very often a greater risk than any risks created by the new technology.

(Please see these earlier posts on IT Risk and Audit, Deloitte says mid-market companies are  using new technology to great advantage, and Digital Transformation.)

Now we get a couple of reports and discussion documents that indicate that companies, executives, and consultants that aim to guide them are all missing the boat!

A new report from McKinsey, IT Under Pressure, says that dissatisfaction with IT’s effectiveness is growing. They start the report with:

“More and more executives are acknowledging the strategic value of IT to their businesses beyond merely cutting costs. But as they focus on and invest in the function’s ability to enable productivity, business efficiency, and product and service innovation, respondents are also homing in on the shortcomings many IT organizations suffer. Among the most substantial challenges are demonstrating effective leadership and finding, developing, and retaining IT talent.”

McKinsey points out that in their survey only 49% felt IT was effective when it came to helping the organization introduce new products and 37% said IT was effective in helping enter new markets.

Even IT executives said that they were failing when it came to driving the use of technology and innovation: just 3% were fully effective and only 10-17% very effective in related areas.

Fully 28% of IT executives and 13% of other executives came clean and said the best way to fix the problem was to fire current IT leadership!

I suggest reading the entire McKinsey piece and considering how it relates to your organization.

Deloitte’s prolific thought leadership team has weighed in with advice for the CFO, who often has IT within his organization. Evaluating IT: A CFO’s perspective starts with some good points:

“Ask finance chiefs about their frustrations with information technology (IT), and you are bound to get an earful. Excessive investments made. Multiple deadlines missed. Little return on investment (ROI) achieved. The list goes on.

“To complicate matters, many CFOs simply do not know if chief information officers (CIOs) are doing a good job. What exactly does a good IT organization look like anyway? How should IT be evaluated? And what are the trouble signs that the enterprise is not prepared for the future from a technology standpoint?”

But then they stray from the need to get IT to drive the effective use of new technology for both strategic and tactical advantage. Instead, they focus on “IT is typically the largest line item in selling, general, and administrative expense.”

This is the attitude, managing cost at the potential expense of the business, which gives CFOs a deservedly bad name!

I will let you read the rest of this paper, but when the first question it suggests for CFOs to use in assessing IT performance is “Have you tested your  disaster plan”, I am more prepared to fire the CFO who asks that as his first question than I am to fire the poor CIO who reports to him.

My first question for the CIO is “How are you enabling the organization to innovate and succeed?”

PwC asks some good questions as well:

  •          What are you doing to become a pioneer of technological innovation?
  •          Do you have a strategy for the digital age? And the skills to deliver it?
  •          How are you using ‘digital’ as a means of helping customers achieve the outcomes they desire – rather than treating it as just another channel?

Risk and internal audit professionals should consider whether the risk of missing the technology boat is at an unacceptable level in their organization.

Board members should ask how the leaders of IT are working with the business to understand and use technology for success.

CFOs should worry less about the cost of IT and worry more about the long-term viability and success of the organization if they become barriers to strategic investment.

I welcome your comments.

The continuing failure of the risk appetite debate to focus on desired levels of risk

March 22, 2014 12 comments

I have written often and with passion about the concepts of “risk appetite” and “risk tolerance”. In order of date, from earliest to latest:

I am drawn to write about this flawed concept yet again by two developments. First, a respected risk practitioner told me that he has found that in many banks (and presumably other financial services companies) the board agrees on risk limits and appetite statements with management, but those limits are not shared with everybody that has day-to-day responsibility for running the business and staying within desired levels of risk.

This is the primary area with which I have a problem when it comes to the idea of a risk appetite statement. Something that satisfies the needs of the board and top management to establish and monitor aggregate risk across the enterprise fails if it does not direct the actions of those people who are taking risk every day, not only in transactions but in decision-making.

Then, my good friend (and that is an honest statement with which that I believe he will agree) Jim DeLoach of Protiviti penned a piece on risk appetite and tolerance for Corporate Compliance Insights.

Jim shares some truths:

“Risk levels and uncertainty change significantly over time. Competitors make new and sometimes unexpected moves on the board, new regulatory mandates complicate the picture, economies fluctuate, disruptive technologies emerge and nations start new conflicts that can escalate quickly and broadly. Not to mention that, quite simply, stuff happens, meaning tsunamis, hurricanes, floods and other catastrophic events can hit at any time. Indeed, the world is a risky place in which to do business.”

“Value creation is a goal many managers seek, and rightfully so, as no one doubts that successful organizations must take risk to create enterprise value and grow. The question is, how much risk should they take? A balanced approach to value creation means the enterprise accepts only those risks that are prudent to undertake and that it can reasonably expect to manage successfully in pursuing its value creation objectives.”

But then the discussion veers towards the too-common misperception that the only limit that should be set on risk is the upper level – a constraint that stops management from taking too much risk.

In fact, as Jim points out, companies will only succeed if they take risk: “a company may choose to drive growth through extending more credit to its customers, entering certain third-world markets or investing in a completely different line of business”.

So, it is important to ensure that not only does management not take on too much risk, but they do not act timidly and fail to take on the risk that will drive performance and value creation.

I know Jim well and have total confidence that he appreciates that companies need not only ceilings but floors on the levels of risk they should take (and not limit their risk criteria to quantitative factors) to ensure they are taking the right risks.

I just wish his paper focused less on the negative (with comments like “What ceilings are placed on capital expenditures, M&A activity, R&D and other investments? In what areas are there policy restrictions (e.g., avoidance of certain markets and use of certain financial instruments)?”) and helped organizations recognize when to take more risk.

I also wish that Jim brought into his pieces a greater appreciation of the perspective on risk and uncertainty reflected in the ISO 31000:2009 global risk management standard, instead of limiting himself to the concepts (some of which, like risk appetite, I believe to be flawed) of COSO ERM.

I welcome your comments.

Please see this related story about an internal auditor that recommended that the company consider taking on more risk.

New Paper on Risk Assessment and the Audit Plan

March 15, 2014 14 comments

One of the software vendors that have been providing solutions for internal auditors for many years is Thomson Reuters. With annual revenues of nearly $13 billion, they are one of the few large software companies in this space. So when they speak, I tend to pay attention.

Thomson Reuters recently published a paper written by a former senior manager with E&Y. Entitled “Get Your Internal Audit Risk Assessment Right This Year” (registration required), the paper purports to share best practices for internal audit risk assessment.

Unfortunately, it fails to deliver on that promise.

While it includes some useful guidance for the discussions every internal audit team should have with management, it barely touches the surface of the issue.

I do agree with this statement: “the Internal Audit Risk Assessment presents an oft-missed opportunity for internal auditors to understand their organization’s evolving objectives and implement a more dynamic risk-based approach to the internal audit process.”

The last sentence in the report starts to get to the real point: “With no sign of the pace of changes affecting your organization slowing down, internal audit’s risk assessment must be dynamic, not static, and needs to be improved from year to year, using a top down approach, beginning with management interviews and input.”

Here are the two main problems with that last sentence:

  1. The internal audit assessment of risk and updating of the internal audit plan should be far more frequent than the annual cycle implied by the report. Many departments are moving to a quarterly update, and best practice (in my opinion and which I personally followed) is a rolling quarterly plan that is updated as often as the risks change.
  2. While management interviews and input are useful, they are hardly the best place to start. The internal audit team should understand whether and how the organization as a whole has identified the more significant risks to the achievement of its objectives. While not clearly stated in this report, I will give credit to the author for understanding that internal audit should focus on risks to the organization as a whole, and not risks to a location, business unit, or process. However, the organization’s risk management program is not mentioned as a source of information that drives, at least in part, the audit plan! It is also critically essential that internal audit has a deep understanding of the business, its processes, systems, organization and systems, sufficient to challenge management’s assessment of risk – or make its own assessment when there is no ERM in place.

My recommendation: read the report for tips on how to interview management. But, go into that set of discussions with either the organization’s risk ‘register’ or another document that can drive a discussion about which are the risks to the organization that matter – and where the assurance and consulting/advisory services provided by internal audit can be of value. (I have shared a number of files on Box, including a Risk Universe slide you may find useful. Please go to this tab on my web site to download.)

Ask yourself this: do your internal audit plan and the process around it ensure that appropriate engagements are performed on the risks that matter to the organization, when that assurance or advisory service is needed?