My friend Richard Chambers has written a couple of posts that merit our careful attention.
Frankly, all of his posts merit our attention, but these are important.
I ask that you review:
- The State of Internal Audit: Facts vs. Conjecture, and
- For Internal Audit, the Best Defense Is a Strong Offense
I have not spoken to Richard about either of his posts nor about his motivation for writing them. (See Note at conclusion.)
However, I suspect that they were sparked by articles such as this, Internal Audit Losing Prestige, Survey Finds. To quote that piece:
In the eyes of CFOs and many other senior executives and board members, the internal audit function is fast losing prestige, a new study suggests.
The reason? Most internal auditors are slow to help their employers prepare for and respond to major corporate “disruptions” like big regulatory changes and cyber attacks, according to PwC’s 2017 State of the Internal Audit Profession Study.
The portion of “stakeholders” — internal auditors, senior executives, and board members — reporting that “internal audit adds significant value” plummeted from 54% in 2016 to 44% in 2017, reaching the study’s lowest level in the five years PwC has been tracking the metric.
Tim Leech of Risk Oversight was more gloomy about the current state of internal audit when he wrote a piece with the highly provocative title of Is Internal Audit the next Blackberry.
Full disclosure requires that I tell you that I have known both Richard and Tim for a very long time.
- Richard and I come from different backgrounds but tend to see things in similar ways (while he served as CAE in the US public sector, I served as CAE for global public companies; he worked with PwC in the consulting and audit services area before becoming CEO and President of the IIA, while I started my career with PwC in public accounting). His position requires him to be diplomatic while I tend to be more provocative. I served many years on IIA committees and task forces and Richard and I have collaborated on a number of AuditChannel broadcasts.
- Tim and I also have different backgrounds. While he also started with PwC (in Canada) before moving into internal audit, he has been a consultant for the last 30 years. Tim and I often disagree but have a mutual respect. Recently he has shared drafts of his work with me for comment before they are published.
Richard is far more provocative than usual in his March 27 post when he says:
It is a truism that negative news tends to generate more attention, and of late there has been too much of it directed at internal audit. I wouldn’t go so far as to characterize it all as “fake news,” but much of it is “hyped news” at best. Whether it’s a media headline trumpeting a purported decline in stakeholder confidence in internal audit or pundits characterizing the profession in such stark terms as the next Blackberry, a few sensational “sound bites” can easily become fodder for those who are quick to relegate the profession to irrelevancy.
Naturally, Tim sees this as labeling his writing as “fake news”.
Richard is 100% correct when he states:
No one has been more open and transparent about challenges and opportunities facing our profession than I have been. Along with other leaders of The IIA, we have continuously challenged internal auditors to acknowledge and address any shortcomings that surface. Internal audit should never shy away from fair critique of its work. However, superficial interpretation of data about the profession can quickly morph from valid encouragement for continuous improvement to destructive criticism.
Equating survey results indicating that less than half the respondents believe “internal audit adds significant value” with a loss of prestige is fallacious. The fact that internal audit functions are able to add staff may indicate that they are being given more resources so they can do more and add greater value.
I don’t believe internal audit is “losing prestige”. My belief is that internal audit can and should do more to deliver the value that our stakeholders need.
Unfortunately, internal audit at many if not most organizations does not have a lot of prestige and the argument should be about increasing rather than losing it.
Let’s look at some more information.
My friend Joe McCafferty of MISTI recently wrote about comments by a panel that included other friends, Larry Harrington and Angela Wizany, along with Brian Christensen of Protiviti. Joe’s piece is titled Stakeholders are sending a clear message to internal audit to step up its game.
I strongly recommend reading the piece and noting the eight action items.
One quote by Brian caught my eye:
Stakeholders are challenging us to get out of our swim lanes. We as auditors are so accustomed to doing our behaviors. We have our audit plans, we have our pencils. But [stakeholders] talked to us about the fact that things change. Be adaptable, be flexible, and be receptive to embracing new challenges and taking them on.
I have worked with IIA Malaysia in the past, including talking on their behalf to the Malaysia Securities Commission and presenting to board members. The profession appears to be strong there, but a recent survey indicates that more is needed.
An article in the local business newspaper reported that:
Public listed companies (PLCs) in the country still have much room to strengthen their internal audit functions, according to a year-long survey commissioned by the Institute of Internal Audit Malaysia (IIAM).
In a statement, IIAM said 54% of the PLCs on the Main Market preferred to outsource their internal audit function and almost all (90%) of these PLCs that outsourced paid RM100,000 or less in a year.
“The amounts incurred indicate that very junior staff or very few staff were in the audit team and a limited scope was covered. The low amounts are also a sign that the staff are not professional staff and may not have the experience and skillset to effectively carry out the work, thus less is spent,” the institute said.
“PLCs should consider the professional qualifications, certification and experience of their OSPs (outsourced service providers) in relation to the scope of the work required to ensure adequate coverage of risk areas and reliable reports are issued.”
Tim has every right to challenge the current state of internal auditing and I know Richard respects that.
I don’t agree with Tim’s reference to a “direct report internal audit paradigm”. While he has explained what he means to me in private conversation, I strongly doubt that many know what he is referring to. However, I do agree that internal audit should provide assurance on the effectiveness of risk management and its ability to help the organization make intelligent decisions and achieve objectives.
There is some merit to Tim’s thinking, but I always struggle with the way he says it. (Sorry, Tim).
Nevertheless, we need people like Tim to challenge us.
Now is the time to step back and think about why the surveys are saying what they are saying, and then talk about what needs to be done about it.
Richard and I have both shared our views with new books.
- Auditing that matters takes on the issue of auditing the risks that really matter to the success of the organization and then sharing with executive management and the board what they need to know.
- Trusted Advisors: Key Attributes of Outstanding Internal Auditors discusses the “top attributes needed to excel as an internal audit professional and be viewed as the go-to person within the entity”.
I would like to think that between us we have charted a way forward.
Internal auditors need to be “proactive” and “forward-looking” according to our Principles for Effective Internal Auditing.
Let’s adopt that mindset for our own practices and profession.
Forward ho! The future is bright. Internal auditing in 2020 and beyond may well be quite different than it has been in the past.
I welcome your comments.
NOTE: I shared a draft of this post with both Richard and Tim. Neither has a concern, although Tim and I remain at odds over his terminology and perhaps more.
My apologies in advance to all those who talk about third-party risk, IT risk, cyber risk, and so on.
We don’t, or shouldn’t, address risk for its own sake. That’s what we are doing when we talk about these risk silos.
We should address risk because of its potential effect on the achievement of enterprise objectives.
Think about a tree.
In root cause analysis, we are taught that in order to understand the true cause of a problem, we need to do more than look at the symptoms (such as discoloration of the leaves or flaking of the bark on the trunk of the tree). We need to ask the question “why” multiple times to get to the true root cause.
Unless the root cause is addressed, the malaise will continue.
In a similar fashion, most risk practitioners and auditors (both internal and external) talk about risk at the individual root level.
Talking about cyber, or third party risk, is talking about a problem at an individual root level.
What we need to do is sit back and think about the potential effect of a root level issue on the overall health of the tree.
If we find issues at the root level, such as the potential for a breach that results in a prolonged systems outage or a failure by a third party service provider, what does that mean for the health of the tree?
Now let’s extend the metaphor one more step.
This is a fruit tree in an orchard owned and operated by a fruit farmer.
If a problem is found with one tree, is there a problem with multiple trees?
How will this problem, even if limited to a single tree or branch of a single tree, affect the overall health of the business?
Will the owner of the orchard be able to achieve his or her business objectives?
Multiple issues at the root level (i.e., sources of risk) need to be considered when the orchard owner is making strategic decisions such as when to feed the trees and when to harvest the fruit.
Considering, reporting, and “managing” risk at the root level is disconnected from running the business and achieving enterprise objectives.
I remind you of the concepts in A revolution in risk management.
Use the information about root level risk to help management understand how likely and to what extent it is that each enterprise business objective will be achieved.
Is the anticipated level of achievement acceptable?
I welcome your thoughts.
One of the readers of my work sent me this message.
I was reading your article about modern risk based audit [link added] published in the IIA journal. I find the approach very interesting.
In developing my plan I used to do the traditional risk assessment by identifying the audit universe then prioritizing entities based on risk. In your suggested approach, an auditor should start from the company strategy and objectives, identify the risks that jeopardize these objectives (this could be done through risk management) then audit controls related to those risks.
I had a discussion about that approach 4 months back and I got a lot of opposition from CAEs who audit banks. Their opinion is that they have to audit the big branches every year. I would really appreciate your opinion on that as, for some industries, it seems that covering the audit universe is as important as starting from the risks to objectives (such as expansion in a certain country).
I have seen a lot of CAEs surrender to the old approach simply because they are not politically strong to raise big strategic alarms to their board audit committees and senior management.
Apologies for reaching out to you this way, but I’m very passionate about what I do and I would like to learn and implement new good ideas such as the one suggested by you in the IIA journal.
I will start working on my annual plan now changing the lens to start from the risks on objectives and not from the audit universe. I appreciate the opportunity to be able to reach out for you if I had a difficulty in implementing this?
I enjoy the opportunity to mentor others and to evangelize internal auditing, so I replied straight away.
I used to be in internal audit at a bank, in ancient history, and understand the perspective. The idea is that the larger branches are a significant source of risk. I don’t quarrel with that, but how much work do you need to do there – that’s the key question! Do you look at every risk that is significant to the branch, or only those that are significant (in aggregate) to the bank as a whole?
The risk (pun intended) is that by focusing on details at the branch level you miss the big picture. I write about this in my internal audit book. At Solectron, we had about 120 factories (sites) and margins were so small that a serious issue at any one site could be significant to the business as a whole. My predecessor had an audit plan that spent 90% of the time auditing the sites.
Soon after I took over as CAE, I went over to my IT auditor who, like the rest of the team, was preparing for the next site audit. I asked what he was working on – perhaps looking at some analytics to improve his understanding of the business before he arrived. No. He was starting to draft the audit report! He told me that he found the same issues at every site, so he knew in advance what he would find at the next one!
I asked what corrective actions came from his findings and he explained that local management would upgrade the security, etc.
But, when I asked whether he or the former CAE had thought about whether this pervasive problem should be escalated to corporate and the office of the CIO, he said “no”. No audit had been performed of corporate IT, even the corporate IT security function.
Down in the weeds, missing the big picture.
I changed the approach to the one I discuss in my writing. We looked at the business risks to the enterprise should IT fail in some fashion. That led us to audit the way in which the company approached IT security, the leadership and capabilities of the corporate IT function, and so on.
Recently, Paul Sobel and I were on an OCEG webinar and talked about the topic of my book, world-class internal auditing. One of the survey questions asked whether those listening based their audit plans on risks at the location level or at the enterprise level. Unfortunately, the great majority used the ‘old’ approach, but we were heartened to hear that they intended to move to the ‘newer’ enterprise-risk based approach.
Where are you now and are you changing?
What should be audited at each location or within each business process? The risk to the process or the risk to the enterprise?
By the way, look at a related post on the IIA blog (it will appear this week) where a board member says that most internal audit ‘findings’ are mundane. I believe that is due, in part, to auditors being focused on risks in the weeds rather than to the enterprise.
It’s not that long since we were dismissing the Internet of Things as something very much ‘next generation’. But, as you will see from Deloitte’s collection of articles (Deloitte Review Issue 17), many organizations are already starting to deploy related technologies. I also like Wired magazine’s older piece.
Have a look at this article in the New York Times that provided some consumer-related examples. Texas Instruments has a web page with a broader view, mentioning building and home automation; smart cities; smart manufacturing; wearables; healthcare; and automotive. Talking of the latter, AT&T is connecting a host of new cars to the Internet through in-auto WiFi.
At the same time, technology referred to as Machine Learning (see this from the founder of Sun Microsystems) will be putting many jobs at risk, including analysis and decision-making (also see this article in The Atlantic). If that is not enough, the IMF has weighed in on the topic with a piece called Toil and Technology.
Is your organization open to the possibilities – the new universe of potential products and services, efficiencies in operations, and insights into the market? Or do you wait and follow the market leader, running the risk of being left in their dust?
Do you have the capabilities to understand and assess the risks as well as the opportunities?
Do your strategic planning and risk management processes allow you to identify, assess and evaluate all the effects of what might be around the corner? Or do you have one group of people assessing potential opportunity and another, totally separate, assessing downside risk?
How can isolated opportunity and downside risk processes get you where you need to go, making intelligent decisions and optimizing outcomes?
When you are looking forward, whether at the horizon or just a few feet in front of you, several situations and events are possible and each has a combination of positive and negative effects.
Intelligent decision-making means understanding all these possibilities and considering them together before making an informed decision. It is not sufficient to simply net off the positive and negative, as (a) they may occur at different times, and (b) their effects may be felt in different ways, such as a potentially positive effect on profits, but a negative potential effect on cash flow and liquidity; the negative effect may be outside acceptable ranges.
With these new technologies disrupting our world, every organization needs to question whether it has the capability to evaluate them and determine how and when to start deploying them.
COSO ERM and ISO 31000 are under review and updates are expected in the next year or so. I hope that they both move towards providing guidance on risk-intelligent and informed decision-making where all the potential effects of uncertainty are considered, rather than guiding us on the silo of risk management.
Are you ready?
I welcome your comments.
For more on this and related topics, please consider World-Class Risk Management.
It’s difficult to argue that an organization’s culture does not have a huge effect on the actions of its board, management, and staff.
Fingers have been pointed at the culture at GM, Toshiba, a number of US banks, RBS, and more – asserting that problems with the culture of the organization led to financial reporting issues, compliance failures, and excessive risk-taking.
Now, a new report by the Institute of Business Ethics, Checking Culture: new role for internal audit, “shines a spotlight on the role of internal audit in advising boards on whether a company is living up to its ethical values”.
The authors quote the CEO of the UK’s Chartered Institute of Internal Auditors (UKIIA):
“Through a properly positioned, resourced and independent internal audit function a board can satisfy itself not only that the tone at the top represents the right values and ethics, but more importantly, that this is being reflected in actions and decisions taken throughout the organisation.”
In 2014, the UKIIA published Culture and the role of internal audit.
I strongly recommend reference to both papers.
As usual, I have some concerns.
- While internal audit clearly has a role, why is the assessment of culture not performed by management – specifically by the Human Resources function? Wouldn’t internal audit add more value if it worked with that function and helped them not only assess culture periodically but build detective controls to identify potential problems on a continuing basis?
- There is no single culture within an organization. The UKIIA report includes this great quote: “The problem is; complex organisations, like the NHS [the National Health Service], mean there is no ‘one NHS’. There is a tangled undergrowth of subcultures that, even if they wanted to march in step, probably couldn’t hear the drum beat”.
- Culture has many forms: ethics; risk; performance; teamwork and collaboration; innovative; entrepreneurial; and so on. All of these are critical to success, but they can be in conflict with one another, such as risk-taking and entrepreneurial. Any audit engagement would need to focus on specific areas and know where management and the board draw the line between acceptable and non-acceptable. Taking too little risk can be as damaging as taking too much!
- Culture is very personal! It changes as managers and other leaders change, as business conditions change, and so on. Any audit engagement has to take note that the behavior of decision-makers can change in an instant and any assessment can quickly be out-of-date and misleading. In fact, poor behavior by a tiny fraction of the organization can have massive impact – and this may not be detected by any survey.
Does this mean that internal audit should not have a role? No. They should.
This is my preference:
- All internal auditors should be aware and alert to any indicators of inappropriate behavior of any kind: from ethical lapses, to excessive risk-taking, to disregard for compliance, to poor teamwork, to ineffective supervision and management, to bias or discrimination, to – you name it.
- Internal auditors should not be afraid of bringing these issues to the attention, not only of senior internal audit management (so that the need can be assessed for a broader review to determine whether this is an individual, team, or broader problem) but to more senior management and Human Resources so they can take action.
- The CAE should talk to the CEO and the head of Human Resources and help them establish the proper guidance, communication and training in desired behaviors, as well as periodic assessments and detective controls to assure compliance.
- The CAE and the CEO should discuss the organization’s culture and its condition with the board (or committee of the board) on a regular basis. My preference is for the CEO to take the lead, with additional information provided by the CAE on internal audit’s related activities and opinion.
For a different spin, check these out:
- What are the most common organizational culture problems?
- 3 Cultural Problems That Cause Good Employees to Go Bad
- 7 signs your organization has a toxic corporate culture
- Risk Culture (Institute of Risk Management)
What do you think the role of audit should be, especially vs. the role of management, when it comes to culture?
The IIA released an update to its standards (specifically, the International Professional Practices Framework, or IPPF) at its recent International Conference, in Vancouver. They now include new Core Principles for the Professional Practice of Internal Auditing, as well as a Mission of Internal Audit statement.
This is how the principles are described:
The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit function to be considered effective, all Principles should be present and operating effectively. How an internal auditor, as well as an internal audit activity, demonstrates achievement of the Core Principles may be quite different from organization to organization, but failure to achieve any of the Principles would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s mission (see Mission of Internal Audit).
- Demonstrates integrity.
- Demonstrates competence and due professional care.
- Is objective and free from undue influence (independent).
- Aligns with the strategies, objectives, and risks of the organization.
- Is appropriately positioned and adequately resourced.
- Demonstrates quality and continuous improvement.
- Communicates effectively.
- Provides risk-based assurance.
- Is insightful, proactive, and future-focused.
- Promotes organizational improvement.
I was privileged to be a member of the task force (RTF), composed of leading internal audit practitioners from across the globe, which recommended that the IIA leave the definition of internal audit unchanged but add core principles and a mission statement. Taking the last item first, we recognize that each IA department will probably have its own mission statement, customized to its organization and charter. However, including a generalized mission statement in IIA guidance would be useful.
The RTF debated whether the IIA standards are rules-based or principles-based. We all felt that they are principles-based, so somebody asked what those principles are. After a lot of discussion, we developed ten that after minor word changes are the Core Principles listed above.
In August, I am joining with Paul Sobel in a free OCEG webinar to discuss World-Class Internal Auditing (based, in part, on my book of the same name). One of the questions we will each answer is which of the principles is our favorite. My choice will probably be “is insightful, proactive, and future focused”. I explained why in a post last year, Auditing Forward.
But, I might also choose “communicates effectively”. Here are a few excerpts from the book:
It is revealing that the IIA Standards do not require an audit report! Standard 2400, Communicating Results, simply says “Internal auditors must communicate the results of engagements.”
The audit report, I learned, is not a document that summarizes what we did and shares what we would like to tell management and the board.
Instead, it is a communication vehicle. It is the traditional way internal audit communicates what management and the board need to know about the results of our work.
The audit report is not for our benefit as internal auditors. It is not a way to document our work and demonstrate how thorough we were. It is for the benefit of the readers of the report, management, and (when I was CAE) the audit committee. It tells them what they need to know, which is typically whether there is anything they need to worry about.
I talked to my key stakeholders in management and on the audit committee and listened carefully so I could understand what they needed to hear after an audit was completed.
I heard them say that they wanted to know the answers to two questions:
- Is there anything they need to worry about?
- Are there any issues of such significance that somebody in senior management should be monitoring how and when they are addressed?
In other words, they wanted to manage by exception. They were going to trust internal audit and operating management to address routine issues; they didn’t want to waste their time (my expression; they didn’t actually use those words) on matters that didn’t merit their attention.
The traditional way to express an opinion in an audit report is through a rating scale, such as one that uses a three point scale of Satisfactory, Needs Improvement, and Unsatisfactory.
I don’t believe that a rating scale conveys to the executive reader what they need to know.
If we are tasked with assessing controls over risks, we should not only be telling management whether the risks are being managed effectively but explain, in business language, the effect on corporate objectives.
My focus is always on providing each stakeholder with the information they need to run the business, when they need it, in a clear and easy-to-consume fashion.
Which are your favorite principles?
Do you agree with my thoughts on auditing forward and effective communications?
How does your internal audit department measure up to these principles?
 To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
Recently, a compliance thought leader and practitioner asked my opinion about the relevance of risk management and specifically risk appetite to compliance and ethics programs.
The gentleman also asked for my thoughts on GRC and compliance; I think I have made that clear in other posts – the only useful way of thinking about GRC is the OCEG view, which focuses on the capability to achieve success while acting ethically and in compliance with applicable laws and regulations. Compliance issues must be considered within the context of driving to organizational success.
In this post, I want to focus on compliance and risk management/appetite.
Let me start by saying that I am a firm believer in taking a risk management approach to the business objective of operating in compliance with both (a) laws and regulations and (b) society’s expectations, even when they are not reflected in laws and regulations. This is reinforced by regulatory guidance, such as in the US Federal Sentencing Guidelines, which explain that when a reasonable process is followed to identify, assess, evaluate, and treat compliance-related risks, the organization has a defense against (at least criminal) prosecution. The UK’s Bribery Act (2010) similarly requires that the organization assess and then treat bribery-related risks.
I think the question comes down to whether you can – or should – establish a risk appetite for (a) the risk of failing to comply with rules or regulations, or (b) the risk that you will experience fraud.
I have a general problem with the practical application of the concept of risk appetite. While it sounds good, and establishes what the board and top management consider acceptable levels of risk, I believe it has significant issues when it comes to influencing the day-to-day taking of risk.
Here is an edited excerpt from my new book, World-Class Risk Management, in which I dedicate quite a few pages to the discussion of risk appetite and criteria.
Evaluating a risk to determine whether it is acceptable or not requires what ISO refers to as ‘risk criteria’ and COSO refers to as a combination of ‘risk appetite’ and ‘risk tolerance’.
I am not a big fan of ‘risk appetite’, not because it is necessarily wrong in theory, but because the practice seems massively flawed.
This is how the COSO Enterprise Risk Management – Integrated Framework defines risk appetite.
Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.
One of the immediate problems is that it talks about an “amount of risk”. As we have seen, there are more often than not multiple potential impacts from a possible situation, event, or decision and each of those potential impacts has a different likelihood. When people look at the COSO definition, they see risk appetite as a single number or value. They may say that their risk appetite is $100 million. Others prefer to use descriptive language, such as “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.”
Whether in life or business, people make decisions to take a risk because of the likelihood of potential impacts – not the size of the impact alone. Rather than the risk appetite being $100 million, it is the 5% (say) likelihood of a $100 million impact.
Setting that critical objection aside for the moment, it is downright silly (and I make no apology for saying this) to put a single value on the level of risk that an organization is willing to accept in the pursuit of value. COSO may talk about “the amount of risk, on a broad level”, implying that there is a single number, but I don’t believe that the authors of the COSO Framework meant that you can aggregate all your different risks into a single number.
Every organization has multiple types of risk, from compliance (the risk of not complying with laws and regulations) to employee safety, financial loss, reputation damage, loss of customers, inability to protect intellectual property, and so on. How can you add each of these up and arrive at a total that is meaningful – even if you could put a number on each of the risks individually?
If a company sets its risk appetite at $10 million, then that might be the total of these different forms of risk:
Non-compliance with applicable laws and regulations $1,000,000 Loss in value of foreign currency due to exchange rate changes $1,500,000 Quality in manufacturing leading to customer issues $2,000,000 Employee safety $1,500,000 Loss of intellectual property $1,000,000 Competitor-driven price pressure affecting revenue $2,000,000 Other $1,000,000
I have problems with one risk appetite when the organization has multiple sources of risk.
- “I want to manage each of these in isolation. For example, I want to make sure that I am not taking an unacceptable level of risk of non-compliance with applicable laws and regulations irrespective of what is happening to other risks.”
- “When you start aggregating risks into a single number and base decisions on acceptable levels of risk on that total, it implies (using the example above) that if the level of quality risk drops from $2m to $1.5m but my risk appetite remains at $10m, I can accept an increase in the risk of non-compliance from $1m to $1.5m. That is absurd.”
The first line is “non-compliance with applicable laws and regulations”. I have a problem setting a “risk appetite” for non-compliance. It may be perceived as indicating that the organization is willing to fail to comply with laws and regulations in order to make a profit; if this becomes public, there is likely to be a strong reaction from regulators and the organization’s reputation would (and deserves to) take a huge hit.
Setting a risk appetite for employee safety is also a problem. As I say:
…. no company should, for many reasons including legal ones, consider putting a number on the level of acceptable employee safety issues; the closest I might consider is the number of lost days, but that is not a good measure of the impact of an employee safety event and might also be considered as indicating a lack of appropriate concern for the safety of employees (and others). Putting zero as the level of risk is also absurd, because the only way to eliminate the potential for a safety incident is to shut down.
That last sentence is a key one.
While risk appetites such as $1m for non-compliance or $1.5m for employee safety are problematic, it is unrealistic to set the level of either at zero. The only way to ensure that there are no compliance or safety issues is to close the business.
COSO advocates would say that risk appetite can be expressed in qualitative instead of quantitative terms. This is what I said about that.
The other form of expression of risk appetite is the descriptive form. The example I gave earlier was “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.” Does this mean anything? Will it guide a decision-maker when he considering how much risk is acceptable? No.
Saying that “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns”, or “The organization has a low risk appetite related to risky ventures and, therefore, is willing to invest in new business but with a low appetite for potential losses” may make the executive team feel good, believe they have ‘ticked the risk appetite box’, but it accomplishes absolutely nothing at all.
Why do I say that it accomplishes absolutely nothing? Because (a) how can you measure whether the level of risk is acceptable based on these descriptions, and (b) how do managers know they are taking the right level of the right risk as they make decisions and run the business?
If risk appetite doesn’t work for compliance, then what does?
I believe that the concept of risk criteria (found in ISO 31000:2009) is better suited.
Management and the board have to determine how much to invest in compliance and at what point they are satisfied that they have reasonable processes of acceptable quality .
The regulators recognize that an organization can only establish and maintain reasonable processes, systems, and organizational structures when it comes to compliance. Failures will happen, because organizations have human employees and partners. What is crucial is whether the organization is taking what a reasonable person would believe are appropriate measures to ensure compliance.
I believe that the organization should be able to establish measures, risk criteria, to ensure that its processes are at that reasonable level and operating as desired. But the concept of risk appetite for compliance is flawed.
A risk appetite statement tends to focus on the level of incidents and losses, which is after the fact. Management needs guidance to help them make investments and other decisions as they run the business. I don’t see risk appetite helping them do that.
By the way, there is another problem with compliance and risk appetite when organizations set a single level for all compliance requirements.
I want to make sure I am not taking an unacceptable level of risk of non-compliance with each law and regulation that is applicable. Does it make sense to aggregate the risk of non-compliance with environmental regulations, safety standards, financial reporting rules, corruption and bribery provisions, and so on? No. Each of these should be managed individually.
Ethics and fraud are different.
Again, we have to be realistic and recognize that it is impossible to reduce the risk of ethical violations and fraud to zero.
However, there is not (in my experience) the same reputation risk when it comes to establishing acceptable levels – the levels below which the cost of fighting fraud starts to exceed the reduction in fraud risk.
When I was CAE at Tosco, we owned thousands of Circle K stores. Just like every store operator, we experienced what is called “shrink” – the theft of inventory by employees, customers, and vendors. Industry experience was that, though undesirable, shrink of 1.25% was acceptable because spending more on increased store audits, supervision, cameras, etc. would cost more than any reduction in shrink.
Managing the risks of compliance or ethical failures is important. But, for the most part I find risk appetite leaves me hungry.
What do you think?
BTW, both my World-Class Risk Management and World-Class Internal Auditing books are available on Amazon.