Archive for the ‘ISO’ Category

Risk appetite in practice

April 29, 2017

From time to time, I am asked about the best risk management activity I have seen. Perhaps the best overall ERM was at SAP. I wouldn’t say it was perfect but it did include not only periodic reviews but the careful consideration of risk in every revenue transaction (including contracting) and development activity.

The best risk management activity was when I was with Maxtor, a $4b hard drive manufacturing company. It was based in the US but had major operations in Singapore, which is where I saw this.

The head of procurement for the region, a vice president, and his director were evaluating bids to supply the two Singapore plants with critical materials.

Margins in that business were not high, so the effective management of cost was very important indeed.

[David Griffiths has pointed out that my post, as originally written, did not specify the objectives to which we have risks. I am adding them here:

  • Procure critical materials at the lowest possible cost to optimize margins
  • Ensure timely delivery of critical materials to support manufacturing and timely delivery of finished products to customers with a positive effect on customer satisfaction
  • Minimize supply chain disruption risk
  • Ensure quality materials so that scrap and rework are minimized, manufacturing is not delayed, costs are contained, and customers are satisfied]

But, there were additional issues or ‘risks’ to consider:

  • The choice of a single vendor would increase the likelihood and extent of supply chain disruption if that vendor was hit by floods or other situations that could disrupt its ability to manufacture and deliver.
  • If we were dependent on a single vendor, that vendor could demand price increases.
  • If we were dependent on a single vendor, we could not switch with agility to another should the single vendor have quality manufacturing problems.
  • If the decision was made to select two vendors, the total cost would be likely to increase.
  • If two vendors were selected and the supply split between them, there would be less desire for them to make us a priority customer.
  • If only two vendors were selected, there would still be significant supply-chain disruption risk.
  • If more than two vendors were selected, additional agility would be obtained, but at a cost.
  • If more than two vendors were selected, they might be less reliable because they would be less dependent on us as a major customer.

Cost was not the only consideration. Quality, timely delivery, and our agility to respond to any form of disruption were also very important.

The procurement VP gathered together all the potentially affected parties to participate in the decision, including the vice presidents for finance, sales, manufacturing, and quality.

They considered all the options, the consequences of each decision (both positive and negative), and decided to select three vendors and split the allocation between them. They also decided to negotiate backup supply contracts with a couple of other companies.

The decision involved taking a higher level of some risks and lower levels of others.

Basing the decision on whether one risk was too high would not have led to the optimal overall result.

Now, how would a risk appetite statement have helped the VP of procurement?

I believe the answer is “not at all”.

What do you think?

I welcome your comments.

Cyber and reputation risk are dominoes

February 18, 2017

Anthony Fitzsimmons recently sent me a review copy of his new book, Rethinking Reputation Risk. He says that it “Provides a new perspective on the true nature of reputational risk and damage to organizations and traces its root causes in individual and collective human behavior”.

I am not sure that there is much that is new in the book, but if you want to understand how human behavior can be the root cause (in fact, it is very often the root cause) of problems for any organization, you may find it of interest.

The authors (Fitzsimmons and Professor Derek Atkins) describe several case studies where human failures led to serious issues.

Humans as a root cause is also a topic I cover in World-Class Risk Management.

As I was reading the book, I realized that I have a problem with organizations placing separate attention to reputation risk and its management. It’s simply an element, which should not be overlooked, in how any organization manages risk – or, I should say, how it considers what might happen in its decision-making activities.

The same thing applies to cyber risk and even compliance risk.

They are all dominoes.

A case study:

  • There is a possibility that the manager in HR that recruits IT specialists leaves.
  • The position is open for three months before an individual is hired.
  • An open position for an IT specialist who is responsible for patching a number of systems is not filled for three months.
  • A system vulnerability remains open because there is nobody to apply a vendor’s patch.
  • A hacker obtains entry. CYBER RISK
  • The hacker steals personal information on thousands of customers.
  • The information is posted on the Internet.
  • Customers are alarmed. REPUTATION RISK
  • Sales drop.
  • The company fails to meet analyst expectations for earnings.
  • The price of the company’s shares drops 20%.
  • The CEO decides to slash budgets and headcounts by 10% across the board.
  • Individuals in Quality are laid off.
  • Materials are not thoroughly inspected.
  • Defective materials are used in production.
  • Scrap rates rise, but not all defective products are detected and some are shipped to customers.
  • Customers complain, return products and demand compensation. REPUTATION RISK
  • Sales drop, earnings targets are missed again, and …
  • At the same time as the Quality staff is downsized, the capital expenditure budget is cut.
  • The Information Security Officer’s request for analytics to detect hackers who breach the company’s defenses is turned down.
  • Multiple breaches are not detected. CYBER RISK
  • Hackers steal the company’s trade secrets.
  • Competitors acquire the trade secrets and are able to erode any edge the company may have.
  • The company’s REPUTATION for a technology edge disappears. REPUTATION RISK
  • Sales drop. Earnings targets are not achieved, and …

It is true that every domino and the source of risk to its stability (what might happen) needs to be addressed.

But, focusing on one or two dominoes in the chain is unlikely to prevent serious issues.

One decision at a low level in the company can have a domino effect.

Consider this slide deck by ERM Strategies, Inc. about the Deepwater Horizon disaster.

I welcome your comments.

Why do so many practitioners misunderstand risk?

November 26, 2016

My apologies in advance to all those who talk about third-party risk, IT risk, cyber risk, and so on.

We don’t, or shouldn’t, address risk for its own sake. That’s what we are doing when we talk about these risk silos.

We should address risk because of its potential effect on the achievement of enterprise objectives.

Think about a tree.

In root cause analysis, we are taught that in order to understand the true cause of a problem, we need to do more than look at the symptoms (such as discoloration of the leaves or flaking of the bark on the trunk of the tree). We need to ask the question “why” multiple times to get to the true root cause.

Unless the root cause is addressed, the malaise will continue.

In a similar fashion, most risk practitioners and auditors (both internal and external) talk about risk at the individual root level.

Talking about cyber, or third party risk, is talking about a problem at an individual root level.

What we need to do is sit back and think about the potential effect of a root level issue on the overall health of the tree.

If we find issues at the root level, such as the potential for a breach that results in a prolonged systems outage or a failure by a third party service provider, what does that mean for the health of the tree?

Now let’s extend the metaphor one more step.

This is a fruit tree in an orchard owned and operated by a fruit farmer.

If a problem is found with one tree, is there a problem with multiple trees?

How will this problem, even if limited to a single tree or branch of a single tree, affect the overall health of the business?

Will the owner of the orchard be able to achieve his or her business objectives?

Multiple issues at the root level (i.e., sources of risk) need to be considered when the orchard owner is making strategic decisions such as when to feed the trees and when to harvest the fruit.

Considering, reporting, and “managing” risk at the root level is disconnected from running the business and achieving enterprise objectives.

I remind you of the concepts in A revolution in risk management.

Use the information about root level risk to help management understand how likely and to what extent it is that each enterprise business objective will be achieved.

Is the anticipated level of achievement acceptable?

I welcome your thoughts.

Are you ready for the new technology that will change our world, again?

August 8, 2015

It’s not that long since we were dismissing the Internet of Things as something very much ‘next generation’. But, as you will see from Deloitte’s collection of articles (Deloitte Review Issue 17), many organizations are already starting to deploy related technologies. I also like Wired magazine’s older piece.

Have a look at this article in the New York Times that provided some consumer-related examples. Texas Instruments has a web page with a broader view, mentioning building and home automation; smart cities; smart manufacturing; wearables; healthcare; and automotive. Talking of the latter, AT&T is connecting a host of new cars to the Internet through in-auto WiFi.

At the same time, technology referred to as Machine Learning (see this from the founder of Sun Microsystems) will be putting many jobs at risk, including analysis and decision-making (also see this article in The Atlantic). If that is not enough, the IMF has weighed in on the topic with a piece called Toil and Technology.

Is your organization open to the possibilities – the new universe of potential products and services, efficiencies in operations, and insights into the market? Or do you wait and follow the market leader, running the risk of being left in their dust?

Do you have the capabilities to understand and assess the risks as well as the opportunities?

Do your strategic planning and risk management processes allow you to identify, assess and evaluate all the effects of what might be around the corner? Or do you have one group of people assessing potential opportunity and another, totally separate, assessing downside risk?

How can isolated opportunity and downside risk processes get you where you need to go, making intelligent decisions and optimizing outcomes?

When you are looking forward, whether at the horizon or just a few feet in front of you, several situations and events are possible and each has a combination of positive and negative effects.

Intelligent decision-making means understanding all these possibilities and considering them together before making an informed decision. It is not sufficient to simply net off the positive and negative, as (a) they may occur at different times, and (b) their effects may be felt in different ways, such as a potentially positive effect on profits, but a negative potential effect on cash flow and liquidity; the negative effect may be outside acceptable ranges.

With these new technologies disrupting our world, every organization needs to question whether it has the capability to evaluate them and determine how and when to start deploying them.

COSO ERM and ISO 31000 are under review and updates are expected in the next year or so. I hope that they both move towards providing guidance on risk-intelligent and informed decision-making where all the potential effects of uncertainty are considered, rather than guiding us on the silo of risk management.

Are you ready?

I welcome your comments.

For more on this and related topics, please consider World-Class Risk Management.

Compliance and risk appetite

July 18, 2015

Recently, a compliance thought leader and practitioner asked my opinion about the relevance of risk management and specifically risk appetite to compliance and ethics programs.

The gentleman also asked for my thoughts on GRC and compliance; I think I have made that clear in other posts – the only useful way of thinking about GRC is the OCEG view, which focuses on the capability to achieve success while acting ethically and in compliance with applicable laws and regulations. Compliance issues must be considered within the context of driving to organizational success.

In this post, I want to focus on compliance and risk management/appetite.

Let me start by saying that I am a firm believer in taking a risk management approach to the business objective of operating in compliance with both (a) laws and regulations and (b) society’s expectations, even when they are not reflected in laws and regulations. This is reinforced by regulatory guidance, such as in the US Federal Sentencing Guidelines, which explain that when a reasonable process is followed to identify, assess, evaluate, and treat compliance-related risks, the organization has a defense against (at least criminal) prosecution. The UK’s Bribery Act (2010) similarly requires that the organization assess and then treat bribery-related risks.

I think the question comes down to whether you can – or should – establish a risk appetite for (a) the risk of failing to comply with rules or regulations, or (b) the risk that you will experience fraud.

I have a general problem with the practical application of the concept of risk appetite. While it sounds good, and establishes what the board and top management consider acceptable levels of risk, I believe it has significant issues when it comes to influencing the day-to-day taking of risk.

Here is an edited excerpt from my new book, World-Class Risk Management, in which I dedicate quite a few pages to the discussion of risk appetite and criteria.

Evaluating a risk to determine whether it is acceptable or not requires what ISO refers to as ‘risk criteria’ and COSO refers to as a combination of ‘risk appetite’ and ‘risk tolerance’.

I am not a big fan of ‘risk appetite’, not because it is necessarily wrong in theory, but because the practice seems massively flawed.

This is how the COSO Enterprise Risk Management – Integrated Framework defines risk appetite.

Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.

One of the immediate problems is that it talks about an “amount of risk”. As we have seen, there are more often than not multiple potential impacts from a possible situation, event, or decision and each of those potential impacts has a different likelihood. When people look at the COSO definition, they see risk appetite as a single number or value. They may say that their risk appetite is $100 million. Others prefer to use descriptive language, such as “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.”

Whether in life or business, people make decisions to take a risk because of the likelihood of potential impacts – not the size of the impact alone. Rather than the risk appetite being $100 million, it is the 5% (say) likelihood of a $100 million impact.

Setting that critical objection aside for the moment, it is downright silly (and I make no apology for saying this) to put a single value on the level of risk that an organization is willing to accept in the pursuit of value. COSO may talk about “the amount of risk, on a broad level”, implying that there is a single number, but I don’t believe that the authors of the COSO Framework meant that you can aggregate all your different risks into a single number.

Every organization has multiple types of risk, from compliance (the risk of not complying with laws and regulations) to employee safety, financial loss, reputation damage, loss of customers, inability to protect intellectual property, and so on. How can you add each of these up and arrive at a total that is meaningful – even if you could put a number on each of the risks individually?

If a company sets its risk appetite at $10 million, then that might be the total of these different forms of risk:

Non-compliance with applicable laws and regulations $1,000,000
Loss in value of foreign currency due to exchange rate changes $1,500,000
Quality in manufacturing leading to customer issues $2,000,000
Employee safety $1,500,000
Loss of intellectual property $1,000,000
Competitor-driven price pressure affecting revenue $2,000,000
Other $1,000,000

I have problems with one risk appetite when the organization has multiple sources of risk.

  • “I want to manage each of these in isolation. For example, I want to make sure that I am not taking an unacceptable level of risk of non-compliance with applicable laws and regulations irrespective of what is happening to other risks.”
  • “When you start aggregating risks into a single number and base decisions on acceptable levels of risk on that total, it implies (using the example above) that if the level of quality risk drops from $2m to $1.5m but my risk appetite remains at $10m, I can accept an increase in the risk of non-compliance from $1m to $1.5m. That is absurd.”

The first line is “non-compliance with applicable laws and regulations”. I have a problem setting a “risk appetite” for non-compliance. It may be perceived as indicating that the organization is willing to fail to comply with laws and regulations in order to make a profit; if this becomes public, there is likely to be a strong reaction from regulators and the organization’s reputation would (and deserves to) take a huge hit.

Setting a risk appetite for employee safety is also a problem. As I say:

… no company should, for many reasons including legal ones, consider putting a number on the level of acceptable employee safety issues; the closest I might consider is the number of lost days, but that is not a good measure of the impact of an employee safety event and might also be considered as indicating a lack of appropriate concern for the safety of employees (and others). Putting zero as the level of risk is also absurd, because the only way to eliminate the potential for a safety incident is to shut down.

That last sentence is a key one.

While risk appetites such as $1m for non-compliance or $1.5m for employee safety are problematic, it is unrealistic to set the level of either at zero. The only way to ensure that there are no compliance or safety issues is to close the business.

COSO advocates would say that risk appetite can be expressed in qualitative instead of quantitative terms. This is what I said about that.

The other form of expression of risk appetite is the descriptive form. The example I gave earlier was “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.” Does this mean anything? Will it guide a decision-maker when he is considering how much risk is acceptable? No.

Saying that “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns”, or “The organization has a low risk appetite related to risky ventures and, therefore, is willing to invest in new business but with a low appetite for potential losses” may make the executive team feel good, believe they have ‘ticked the risk appetite box’, but it accomplishes absolutely nothing at all.

Why do I say that it accomplishes absolutely nothing? Because (a) how can you measure whether the level of risk is acceptable based on these descriptions, and (b) how do managers know they are taking the right level of the right risk as they make decisions and run the business?

If risk appetite doesn’t work for compliance, then what does?

I believe that the concept of risk criteria (found in ISO 31000:2009) is better suited.

Management and the board have to determine how much to invest in compliance and at what point they are satisfied that they have reasonable processes of acceptable quality.

The regulators recognize that an organization can only establish and maintain reasonable processes, systems, and organizational structures when it comes to compliance. Failures will happen, because organizations have human employees and partners. What is crucial is whether the organization is taking what a reasonable person would believe are appropriate measures to ensure compliance.

I believe that the organization should be able to establish measures, risk criteria, to ensure that its processes are at that reasonable level and operating as desired. But the concept of risk appetite for compliance is flawed.

A risk appetite statement tends to focus on the level of incidents and losses, which is after the fact. Management needs guidance to help them make investments and other decisions as they run the business. I don’t see risk appetite helping them do that.

By the way, there is another problem with compliance and risk appetite when organizations set a single level for all compliance requirements.

I want to make sure I am not taking an unacceptable level of risk of non-compliance with each law and regulation that is applicable. Does it make sense to aggregate the risk of non-compliance with environmental regulations, safety standards, financial reporting rules, corruption and bribery provisions, and so on? No. Each of these should be managed individually.

Ethics and fraud are different.

Again, we have to be realistic and recognize that it is impossible to reduce the risk of ethical violations and fraud to zero.

However, there is not (in my experience) the same reputation risk when it comes to establishing acceptable levels – the levels below which the cost of fighting fraud starts to exceed the reduction in fraud risk.

When I was CAE at Tosco, we owned thousands of Circle K stores. Just like every store operator, we experienced what is called “shrink” – the theft of inventory by employees, customers, and vendors. Industry experience was that, though undesirable, shrink of 1.25% was acceptable because spending more on increased store audits, supervision, cameras, etc. would cost more than any reduction in shrink.

Managing the risks of compliance or ethical failures is important. But, for the most part I find risk appetite leaves me hungry.

What do you think?

BTW, both my World-Class Risk Management and World-Class Internal Auditing books are available on Amazon.

The value of heat maps in risk reporting

June 27, 2015

Here is another excerpt from the World-Class Risk Management book. Your comments are welcome.

As you can see, I spend a fair amount of time in the book challenging ‘traditional’ precepts, such as (in this case) the value of heat maps in providing useful information about risks across the enterprise.

Heat Maps

Some prefer a heat map to illustrate the comparative levels (typically using a combination of potential impact and likelihood) of each risk.

A heat map is very effective in communicating which risks rate highest when you consider their potential impact and the likelihood of that impact. The reader is naturally drawn to the top right quadrant (high significance and high likelihood), while items in other quadrants receive less attention.

But there are a number of problems with a report like this, whether it is in the form of a heat map or a table.

  1. It is a point-in-time report.

When management and the board rely on the review of a report that purports to show the top risks to the organization and their condition, unless they are reviewing a dynamically changing report (such as a dashboard on a tablet) they are reviewing information that is out-of-date. Its value will depend on the extent that risks have emerged or changed.

In some cases, that information is still useful. It provides management with a sense of the top risks and their condition, but they need to recognize that it may be out of date by the time they receive it.

  2. It is not a complete picture.

This is a list of a select number of risks. It cannot ever be a list of all the risks, because as discussed earlier risks are created or modified with every decision. At best, it is a list of those risks that are determined to be of a continuing nature and merit continuing attention. At worst, it is a list of the few risks that management has decided to review on a periodic basis without any systematic process behind it to ensure new risks are added promptly and those that no longer merit attention are removed. In other words, the worst case is enterprise list management.

There is a serious risk (pun intended) that management and the board will be lulled into believing that because they are paying regular attention to a list of top risks that they are managing risk and uncertainty across the organization – while nothing could be further from the truth.

  3. It doesn’t always identify the risks that need attention.

Whether you prefer the COSO or ISO guidance, risks require special attention when they are outside acceptable levels (risk appetite for COSO and risk criteria for ISO). Just because a risk rates ‘high’ because the likelihood of a significant impact is assessed as high doesn’t mean that action is required by senior management or that significant attention should be paid by the board. They may just be risks that are ‘inherent’ in the organization and its business model, or risks that the organization has chosen to take to satisfy its objectives and to create value for its stakeholders and shareholders.

This report does not distinguish risks that the organization has previously decided to accept from those that exceed acceptable levels. Chapter 13 on risk evaluation discusses how I would assess whether a risk is within acceptable levels or not.

  4. The assessment of impact and likelihood may not be reliable.

I discuss this further in chapter 12 on risk analysis.

  5. It only shows impact and likelihood.

As I will explain in chapter 13 on risk evaluation, sometimes there are other attributes of a risk that need to be considered when determining whether a risk is at acceptable levels. Some have upgraded the simple heat map I show above to include trends (whether the level of risk is increasing or decreasing) and other information. But it is next to impossible to include every relevant attribute in a heat map.

  6. It doesn’t show whether objectives are in jeopardy.

As I mentioned above, management and the board need to know not only which specific risks merit attention, but whether they are on track to achieve their objectives.

On the other hand, some risk sources[1] (such as the penetration of our computer network, referred to as cyber risk) can have multiple effects (such as business disruption, legal liability, and the loss of intellectual property) and affect multiple objectives (such as those concerned with compliance with privacy regulations, maintaining or enhancing reputation with customers, and revenue growth). It is very important to produce and review a report that highlights when the total effect of a risk source, considering all affected objectives, is beyond acceptable levels. While it may not significantly affect a single objective, the aggregated effect on the organization may merit the attention of the executive leadership and the board.

[1] As noted in the Language of Risk section, many refer to these as “risks” when, from an ISO perspective, they should be called “risk sources” (an element which alone or in combination has the intrinsic potential to give rise to risk). For example, the World Economic Forum publishes annual reports on top global risks, which it defines as “an uncertain event or condition that, if it occurs, can cause significant negative impact for several countries or industries within the next 10 years.”

Cyber risk and the boardroom

June 5, 2015

The National Association of Corporate Directors (NACD) has published a discussion between the leader of PwC’s Center for Board Governance, Mary Ann Cloyd, and an expert on cyber who formerly served as a leader of the US Air Force’s cyber operations, Suzanne Vautrinot.

It’s an interesting read on a number of levels; I recommend it for board members, executives, information security professionals and auditors.

Here are some of the points in the discussion worth emphasizing:

“An R&D organization, a manufacturer, a retail company, a financial institution, and a critical utility would likely have different considerations regarding cyber risk. Certainly, some of the solutions and security technology can be the same, but it’s not a cookie-cutter approach. An informed risk assessment and management strategy must be part of the dialogue.”

“When we as board members are dealing with something that requires true core competency expertise—whether it’s mergers and acquisitions or banking and investments or cybersecurity—there are advisors and experts to turn to because it is their core competency. They can facilitate the discussion and provide background information, and enable the board to have a very robust, fulsome conversation about risks and actions.”

“The board needs to be comfortable having the conversation with management and the internal experts. They need to understand how cybersecurity risk affects business decisions and strategy. The board can then have a conversation with management saying, ‘OK, given this kind of risk, what are we willing to accept or do to try to mitigate it? Let’s have a conversation about how we do this currently in our corporation and why.’”

“Cloyd: What you just described doesn’t sound unique to cybersecurity. It’s like other business risks that you’re assessing, evaluating, and dealing with. It’s another part of the risk appetite discussion. Vautrinot: Correct. The only thing that’s different is the expertise you bring in, and the conversation you have may involve slightly different technology.”

“Cloyd: Cybersecurity is like other risks, so don’t be intimidated by it. Just put on your director hat and oversee this as you do other major risks. Vautrinot: And demand that the answers be provided in a way that you understand. Continue to ask questions until you understand, because sometimes the words or the jargon get in the way.”

“Cybersecurity is a business issue, it’s not just a technology issue.”

This was a fairly long conversation as these things go, but time and other limitations probably affected the discussion – and limited the ability to probe the topic in greater depth.

For example, there are some more points that I would emphasize to boards:

  • It is impossible to eliminate cyber-related risk. The goal should be to understand what the risk is at any point and obtain assurance that management (a) knows what the risk is, (b) considers it as part of decision-making, including its potential effect on new initiatives, (c) has established at what point the risk becomes acceptable, because investing more has diminishing returns, (d) has reason to believe its ability to prevent/detect cyber breaches is at the right level, considering the risk and the cost of additional measures (and is taking corrective actions when it is not at the desired level), (e) has a process to respond promptly and appropriately in the event of a breach, (f) has tested that capability, and (g) has a process in place to communicate to the board the information the board needs, when it needs it, to provide effective oversight.
  • Cyber risk should not be managed separately from enterprise or business risk. Cyber may be only one of several sources of risk to a new initiative, and the total risk to that initiative needs to be understood.
  • Cyber-related risk should be assessed and evaluated based on its effect on the business, not based on some calculated value for the information asset.
  • The board can never have, or maintain, the level of sophisticated knowledge required to assess cyber risk itself. It needs to ask questions and probe management’s responses until it has confidence that management has the ability to address cyber risk.

I welcome your comments and observations on the article and my points, above.

A huge problem with risk appetite and risk levels

May 17, 2015 14 comments

COSO’s ERM Framework defines risk appetite in a way that many have adopted:

“Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.”

The problem I want to discuss is whether there is such a thing as an “amount of risk”.

The traditional way of assessing a risk is to establish values for its potential impact (or consequences) and their likelihood. The assessment might also include qualitative attributes of the risk, such as the speed of impact and so on.

But, for many risks there is more than one possible impact, with varying levels of likelihood.

Take the example of an organization that wants to expand and sell its products in a new country. It has set a sales target of 10,000 units in the first year, but recognizes not only that the target may not be reached but that, if things work well, it might be exceeded.

If the sales target is not reached, the initiative will result in a loss of as much as 500 units of currency. The likelihood of that loss is estimated at 5% and is considered unacceptable. There is also a 10% likelihood of a 250 loss, also unacceptable.

Management decides to treat the risk through a number of actions, including advertising and the use of in-country agents, which should reduce the likelihood and extent of losses. However, the cost of these actions will reduce the profits achieved when sales reach or exceed target.

The chart below shows the distribution of possible P&L results, both before and after treating the risk.

[Chart: distribution of possible P&L results, before and after treating the risk]

So there is no single “amount of risk”. There are many possible outcomes.

It is not sufficient to place a value on the distribution of all possible outcomes and compare that to some other value established as the acceptable level – because some of the points may individually be unacceptable and require treatment.

In this example, management has decided that the likelihood of the greatest levels of loss is unacceptable. If they had reduced the array of possibilities to a calculated number (perhaps based on the area under the curve), they probably would not have considered whether each possibility was acceptable and would not have taken the appropriate action.

Knowing whether the possibilities are acceptable or not, and making appropriate actions to treat them, is critical. A single “amount of risk” fails that test.
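The following is an added illustration of this argument, not part of the original post. The two loss points (a 500 loss at 5%, a 250 loss at 10%) come from the text; the remaining outcomes, the post-treatment distribution and the acceptance criteria are constructed assumptions, chosen so that both distributions collapse to the same single “amount of risk”.

```python
"""Evaluate a distribution of P&L outcomes against risk criteria.

Shows why a single aggregate number (here, expected P&L) cannot tell you
whether a risk is acceptable: two distributions with identical expected
value differ in whether individual outcomes breach the criteria.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    pnl: float         # profit (+) or loss (-) in currency units
    likelihood: float  # probability of this outcome occurring


# Assumed criteria: any single outcome losing 250 or more with a likelihood
# of 5% or more is individually unacceptable and must be treated ...
MAX_ACCEPTABLE_LOSS = -250.0
MAX_ACCEPTABLE_LIKELIHOOD = 0.05
# ... whereas the "single amount of risk" test some organizations use is
# simply that the expected P&L of the initiative be non-negative.
MIN_ACCEPTABLE_EXPECTED_PNL = 0.0

BEFORE_TREATMENT = [
    Outcome(-500, 0.05),   # from the post: 5% chance of a 500 loss
    Outcome(-250, 0.10),   # from the post: 10% chance of a 250 loss
    Outcome(0, 0.15),      # constructed: break even
    Outcome(300, 0.40),    # constructed: sales target reached
    Outcome(600, 0.30),    # constructed: sales target exceeded
]

# Constructed: advertising and in-country agents shrink the loss tail, but
# their cost trims the profit earned when sales reach or exceed target.
AFTER_TREATMENT = [
    Outcome(-400, 0.01),
    Outcome(-150, 0.04),
    Outcome(0, 0.15),
    Outcome(250, 0.50),
    Outcome(450, 0.30),
]


def validate(dist):
    """Reject distributions whose likelihoods are out of range or do not sum to 1."""
    if any(not 0.0 <= o.likelihood <= 1.0 for o in dist):
        raise ValueError("likelihood outside [0, 1]")
    total = sum(o.likelihood for o in dist)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"likelihoods sum to {total}, not 1")


def expected_pnl(dist):
    """The 'single amount of risk': probability-weighted P&L across all outcomes."""
    validate(dist)
    return sum(o.pnl * o.likelihood for o in dist)


def unacceptable_outcomes(dist):
    """Outcomes that individually breach the loss/likelihood criteria."""
    validate(dist)
    return [
        o for o in dist
        if o.pnl <= MAX_ACCEPTABLE_LOSS and o.likelihood >= MAX_ACCEPTABLE_LIKELIHOOD
    ]


def evaluate(dist):
    """Apply both the aggregate test and the per-outcome test to a distribution."""
    ev = expected_pnl(dist)
    bad = unacceptable_outcomes(dist)
    return {
        "expected_pnl": ev,
        "aggregate_ok": ev >= MIN_ACCEPTABLE_EXPECTED_PNL,
        "unacceptable": bad,
        # Only acceptable when every individual point is acceptable, too.
        "acceptable": ev >= MIN_ACCEPTABLE_EXPECTED_PNL and not bad,
    }


if __name__ == "__main__":
    for label, dist in (("before", BEFORE_TREATMENT), ("after", AFTER_TREATMENT)):
        result = evaluate(dist)
        print(f"{label:>6}: expected P&L {result['expected_pnl']:.1f}, "
              f"aggregate ok={result['aggregate_ok']}, "
              f"unacceptable points={len(result['unacceptable'])}, "
              f"acceptable={result['acceptable']}")
```

Both distributions pass the aggregate test with the same expected P&L, yet only the treated one is free of individually unacceptable outcomes.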

We could take this discussion a lot further, but I will stop here. What do you think?

Important new IFAC paper on risk management

May 9, 2015 21 comments

With help from Grant Purdy, IFAC has published an excellent Thought Paper on risk management. From Bolt-on to Built-in: Managing Risk as an Integral Part of Managing an Organization.

This is one of the most important papers on risk management in recent years – not because it says something new, but because it (a) comes from this well-respected, global organization, (b) is contrary not only to many current practices but also to how guidance from several regulators is being interpreted, and (c) is expressed forcefully and eloquently.

The IFAC paper has a wealth of good advice. I can only excerpt portions because if I quoted everything of note, I would end up copying most of the document!

I encourage everybody to download and read the paper for themselves.

The theme is captured in this:

In some organizations the approach to management of risk and internal control has deviated from its original purpose: to support decision making and reduce uncertainty associated with achieving objectives. Instead, risk management in these organizations has become an objective in itself, for example, through the institution of a nonintegrated, stand-alone risk management function. This typically removes responsibility for the management of risk from where it primarily belongs: incorporated into line management. A separate risk management function, even though established with the best intentions, may hamper rather than facilitate good decision making and subsequent execution. Managing risk in an organization is everyone’s responsibility.

The paragraph makes some essential points:

  • Risk management (and the part of risk management that is internal control, as controls only exist to provide reasonable assurance that risk is at acceptable levels) is all about enabling informed, intelligent decisions
  • The overall purpose is to set and then achieve the right objectives
  • A separate risk management function often separates the consideration of risk from the running of the business – degrading rather than enhancing decision-making and organizational performance

IFAC continues the theme:

This Paper contends it is time to recognize that managing risk and establishing effective control form natural parts of an organization’s system of management that is primarily concerned with setting and achieving its objectives. Effective risk management and internal control, if properly implemented as an integral part of managing an organization, is cost effective and requires less effort than dealing with the consequences of a detrimental event. It also generates value from the benefits gained through identified and realized opportunities.

Risk management should not be separate from management processes. It is more than embedding the consideration of risk into management processes. It is an integral part of decision-making and running the enterprise.

This is stressed:

Risk management should never be implemented in isolation; it should always be fully integrated into the organization’s overall system of management. This system should include the organization’s processes for good governance, including those for strategy and planning, making decisions in operations, monitoring, reporting, and establishing accountability.

Note that risk management helps organizations select objectives and related strategies as well as enable optimal performance and achievement of the objectives. Risk management does not start after objectives are established, but before. “Setting objectives itself can be one of the greatest sources of risk.” IFAC explains that:

Risk management assists organizations in making informed decisions about:

  • objectives they want to achieve;
  • the level, nature, and amount of risk that they want to assume in pursuit of those objectives; and
  • the controls required to support achieving their objectives.

IFAC emphasizes that the management of risk is not for its own sake. It is to enable the achievement of the right objectives.

The main objective of an organization is not to have effective controls, nor to effectively manage risk, but to properly set and achieve its goals; to be in compliance and capable of managing surprises and disruptions along the way; and to create sustainable value. The management of risk in pursuit of these objectives should be an inseparable and integral part of all these activities.

In IFAC’s discussion of maturity, they say something that sounds very similar indeed to OCEG’s definition of GRC: “Effective risk management supports management’s attempts to make all parts of an organization more cohesive, integrated, and aligned with its objectives, while operating more effectively, efficiently, ethically, and legally.” (They continue with a very high-level example of a four-stage maturity model.)

I like how they say that the owner of the enterprise objective (responsible for performance against it) should also be the owner of related risks, not any risk officer:

As an organization’s risk is inextricably connected to its objectives, the responsibility for managing risk cannot lie with anyone other than the person who is responsible for setting and achieving those objectives.

Line management needs to accept its responsibility and not delegate risk management and internal control to specialized staff departments. Placing responsibility within the line also implies that staff or support functions should not, or no longer, be the “owner” of risk management in organizations. However, these support functions nevertheless play a crucial role in supporting line management in the effective management of risk.

There is a critical discussion of risk management flaws, with not only a list of the most serious but a table that compares good and bad practices. Some of the flaws they identify as serious are:

  • “Having a compliance-only mentality ….. ignoring the need to address both the compliance and performance aspects of risk management.”
  • “Treating risk as only negative and overlooking the idea that organizations need to take risks in pursuit of their objectives. Effective risk management enables an organization to exploit opportunities and take on additional risk while staying in control and, thereby, creating and preserving value.”

Some of you know that I am writing a book about world-class risk management. When it comes to risk reporting, I found the topic tough to write about because so many risk reports (and risk registers) are just a list of risks and their risk ‘levels’. They are not focused on how each of the enterprise’s objectives is affected. I will include this section as a quote because it gets it right and says it well:

As risk is the effect of uncertainty on achieving objectives, it would be inadvisable to manage risk without taking into account the effect on objectives. Unfortunately, in some organizations the linkage between the risks periodically reported to the board and the strategic objectives that are most critical to the long-term success of the company is at best opaque and at worst, missing completely. As a consequence, risk is insufficiently understood or controlled, even though the organization devotes some attention and resources to the management of risk. Risk management without taking into account the effects on objectives is thus ineffective.

Let me close this post with a quote from Unilever that is included in the IFAC document:

“At Unilever, we believe that effective risk management is fundamental to good business management and that our success as an organization depends on our ability to identify and then exploit the key risks and opportunities for the business. Successful businesses take/manage risks and opportunities in a considered, structured, controlled, and effective way. Our risk management approach is embedded in the normal course of business. It is ‘paper light—responsibility high.’ Risk management is now part of everyone’s job, every day! It is no longer managed as a separate standalone activity that is ‘delegated to others.’”

What do you think? I welcome your comments.

By the way, I hope those involved in the COSO ERM update, as well as those working on an update of the ISO 31000:2009 global risk management standard, pay attention. IFAC has proved that accountants can publish excellent guidance on risk management!

A study in enterprise risk management

April 25, 2015 5 comments

A new article in Singapore’s Business Times explains that when Singapore achieved its independence in 1965 (through separation from Malaysia), its attention to enterprise risk management helped it become the economic success it is today. The author says:

Mr Lee [Singapore’s Prime Minister] could arguably have contributed to the development of the ERM framework. Part I of From Third World to First: The Singapore Story, 1965-2000 reads in many areas like a primer on ERM concepts and techniques.

The article refers to the 1995 Australia/New Zealand risk management guidance, which was followed by the COSO (seen as an American publication) and ISO publications.

I like the article’s definition:

ERM can be broadly defined as managing uncertainty – both the risk and opportunity arising therefrom – to create, sustain and grow value.

In 1965, Singapore was faced by a number of grim realities. It had no natural resources; in fact, it had to import almost all its water and food. (The article talks about the lack of an ‘economic hinterland’.) At that time, Singapore had uncertain relations with its neighbors in Malaysia and Indonesia, which could have led to conflict. In its early days of independence from Great Britain (achieved in 1959), the region went through a period of communist insurgency, so civil peace could not be taken for granted. Finally, the region had a culture that included a level of corruption and bribery (coyly referred to in the article as ‘guanxi’).

Singapore’s ERM program identified three risks, according to the article:

Risk A was survival without an economic hinterland. Risk B centred on guanxi or personal relationships in business transactions. Risk C was the prevalent toleration of money politics accepted as common practice and part of the regional political culture.

Risk A arose from the uncertainty of the new nation’s survival without an economic hinterland following Singapore’s expulsion from Malaysia.

Risk B and Risk C, attributable to history and culture, threatened achievement of the strategic goals and operational objectives arising from Risk A.

The leadership team saw both Risk A and Risk B as road blocks. These risks precluded good corporate governance essential to attract foreign direct investments to support Singapore Inc’s early industrialisation goals.

Singapore’s leadership team addressed these three risks, not by always trying to limit risk but in some cases working to take advantage of opportunities.

To mitigate Risk A, the leadership team identified the opportunities presented by the uncertainty of survival without an economic hinterland.

These opportunities were channelled to business planning. A plan and strategy re-emerged, Mr Lee wrote, to “leapfrog the region”, link up with developed nations, and “create a First-World oasis in a Third-World region”.

The key operational objective was to build Singapore Inc’s own economic hinterland, bring about transformational change and prove the prognosticators wrong.

Responding to Risk B and Risk C to achieve comparative advantage in a region known for corruption, the leadership team embraced the rule of law.

Built on the legacy British legal system, the law was implemented under a culture of efficient, effective and honest enforcement.

This served to encourage the inflow of investments and to protect investors. The action comported with the ERM concept and technique to use controls, together with monitoring, as a risk response or risk treatment.

Control was in the form of laws, regulations and rules to mitigate the identified cultural risks. Monitoring came from the enforcement of rules efficiently, effectively and honestly.

This is a time when tributes to Lee Kuan Yew (the Mr. Lee referred to by the article) are flowing in. Who can dispute the success of his leadership (while recognizing the harshness of some earlier actions)?

Is it justifiable to put much of the transformation of Singapore down to risk management? The article says:

The legacy of Mr Lee and his pioneer generation of leaders in facing uncertainty with capacity, sagacity and gumption is an inspiration to managers in this endeavor.

What do you think?

Is risk management about “facing uncertainty with capacity, sagacity and gumption”?

Information Security and Risk

October 24, 2014 4 comments

Should information security (or cyber, if we follow the latest fad) be based on risk? And what is that risk: is it risk to the information or other IT resources, or is it risk to the business?

I congratulate John Pironti and Dark Reading for the intelligent perspective in a short video interview.

Two points stand out for me:

  1. The investment in information security/cyber should be based on the risk to the business and the achievement of business objectives.
  2. Information security professionals need to talk to the business in the language of the business – which is risk and performance. That means that the CISO and team need to understand the business objectives and how a failure in cyber might impair the ability to achieve them.

Information security professionals will be able to get and retain the attention of executives when they are able to explain how investments in information security help managers and the business as a whole succeed.

While information security professionals should continue to advance their understanding of technical issues, most need to upgrade their understanding of the business and business risks. Risk management guidance, such as the ISO 31000:2009 global risk management standard, should be required reading in addition to business and technical journals.

I welcome your comments.

Leading the 21st century organization

October 6, 2014 1 comment

I have been a fan of Tom Peters (author of “In Search of Excellence” and many more books) for more than 20 years.

While CAE at Tosco Corporation, I attended a presentation by him on something he called Wow! The concept, which I not only wrote about for the Internal Auditor magazine in 2001 but tried to incorporate into my internal audit practice, is to turn every project into something that you would tell your grandchildren about (Wow! indeed).

Tom is now 71 but hasn’t slowed down. He remains amazingly active, presenting all over the world, writing books, and on Twitter (where we interact from time to time).

Recently, he was interviewed by McKinsey and I recommend reading the full piece. Here are some excerpts.

“My real bottom-line hypothesis is that nobody has a sweet clue what they’re doing. Therefore you better be trying stuff at an insanely rapid pace. You want to be screwing around with nearly everything. Relentless experimentation was probably important in the 1970s—now it’s do or die.”

“…the secret to success is daydreaming.”

“If you take a leadership job, you do people. Period. It’s what you do. It’s what you’re paid to do. People, period. Should you have a great strategy? Yes, you should. How do you get a great strategy? By finding the world’s greatest strategist, not by being the world’s greatest strategist. You do people.”

“We’re in the big-change business, aren’t we? Isn’t that the whole point? I mean, any idiot with a high IQ can invent a great strategy. What’s really hard is fighting against the unwashed masses and pulling it off—although there’s nothing stupider than saying change is about overcoming resistance. Change is about recruiting allies and working each other up to have the nerve to try the next experiment. You find allies. You encircle the buggers.”

“I’m more than willing to say that today’s two year old is going to deal with his or her fellow human beings differently than you or I do. But the reality is it’s 2014, not 2034, and I would argue that for the next 20 years, we’re still safe believing in the importance of face-to-face contact. I’m not arguing against virtual meetings, but I’m telling you that if I’m running IBM, I want to be on the road 200 days a year as much in 2014 as in 2004 or in 1974. It has nothing to do with the value of the tools, but I’ve got to see you face to face now and then; I don’t think I can do it all screen to screen.”

“At some deep level, people are people, and so I believe passionately that there is no difference between leading now and leading then. What I certainly believe is that anybody who is leading a sizable institution who doesn’t do what I did and take a year off and read or what have you, and who doesn’t embrace the new technology with youthful joy and glee, is out of business.”

This last is 100% consistent with the quote from another McKinsey Quarterly issue I used in Management for the Next 50 Years:

“Those who understand the depth, breadth, and radical nature of the change and opportunity that’s on the way will be best able to reset their intuitions accordingly, shape this new world, and thrive.”

Do you agree?

Auditing Risk Appetite

September 27, 2014 9 comments

Regulators around the world are calling for organizations to establish a risk appetite framework. This is primarily for financial services organizations and especially their financial-related risks. But some are extending the idea to organizations in other sectors and for non-financial risks.

The regulators have not heard the risk experts who disparage the concept of risk appetite. While I agree that it is a flawed concept, we have to recognize that it is a required practice for many, and we should find a way to address the related regulations.

What is risk appetite?

In 2013, The Financial Stability Board (FSB) published “Principles for an Effective Risk Appetite Framework” (intended to apply only to financial services organizations) in which it included a number of definitions:

Risk Appetite: The aggregate level and types of risk a firm is willing to assume within its risk capacity to achieve its strategic objectives and business plan.

Risk Appetite Statement: The articulation in written form of the aggregate level and types of risk that a firm is willing to accept in order to achieve its business objectives. It includes qualitative statements as well as quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It should also address more difficult to quantify risks such as reputation and money laundering and financing of terrorism risks, as well as business ethics and conduct.

Risk Appetite Framework (RAF): The overall approach, including policies, processes, controls, and systems through which risk appetite is established, communicated, and monitored. It includes a risk appetite statement, risk limits, and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the RAF. The RAF should consider material risks to the firm, as well as to the firm’s reputation vis-à-vis policyholders, depositors, investors and customers.

The FSB document includes some useful language (emphasis added):

“An effective RAF should provide a common framework and comparable measures across the firm for senior management and the board to communicate, understand, and assess the level of risk that they are willing to accept. It explicitly defines the boundaries within which management is expected to operate when pursuing the firm’s business strategy. Firms that implement a RAF most effectively are those that incorporate the framework into the decision making process and into the firm-wide risk management framework, and communicate and champion the framework throughout the organisation, starting from the top. However, it is important to check that the ‘top down’ risk appetite is consistent with the ‘bottom up’ perspective. The assessment of a firm’s consolidated risk profile against its risk appetite should be an ongoing and iterative process. Implementing an effective RAF requires an appropriate combination of policies, processes, controls, systems and procedures to accomplish a set of objectives. The RAF should enable risk capacity, risk appetite, risk limits, and risk profile to be considered at the legal entity level as well as within the group context. As such, an effective and efficient RAF should be closely linked to the development of information technology (IT) and management information systems (MIS) in financial institutions.”

The FSB recognized that while it is useful for management to propose and the board to approve “aggregate level[s] and types of risk a firm is willing to assume”, real value is not obtained unless every risk-taker (which amounts to every decision-maker) understands how these limits apply to their actions and responsibilities – and acts accordingly. The FSB guidance includes these among the requirements for “business line leaders and legal entity-level management” (emphasis added):

“a) ensure alignment between the approved risk appetite and planning, compensation, and decision-making processes of the business unit and legal entity;

“b) cascade the risk appetite statement and risk limits into their activities so as to embed prudent risk taking into the firm’s risk culture and day to day management of risk;

“c) establish and actively monitor adherence to approved risk limits;”

The most significant problem with this notion is that it is impossible to define every risk that decision-makers might take in the course of running the business, especially when risks are changing constantly and what the business should accept also changes as business conditions change.

Fortunately, the FSB looks to internal audit to ensure that the RAF meets the needs of the organization and is not a static document that is meaningful only to the board.

The FSB publication includes requirements for internal audit to assess the RAF. They say that “internal audit (or other independent assessor) should (emphasis added):

“a) routinely include assessments of the RAF on a firm-wide basis as well as on an individual business line and legal entity basis;

“b) identify whether breaches in risk limits are being appropriately identified, escalated and reported, and report on the implementation of the RAF to the board and senior management as appropriate;

“c) independently assess at least annually the design and effectiveness of the RAF and its alignment with supervisory expectations;

“d) assess the effectiveness of the implementation of the RAF, including linkage to strategic and business planning, compensation, and decision-making processes;

“e) validate the design and effectiveness of risk measurement techniques and MIS used to monitor the firm’s risk profile in relation to its risk appetite;

“f) report any deficiencies in the RAF and on alignment (or otherwise) of risk appetite and risk profile with risk culture to the board and senior management in a timely manner; and

“g) evaluate the need to supplement its own independent assessment with expertise from third parties to provide a comprehensive independent view of the effectiveness of the RAF.”

This is useful for anybody who wants to audit risk management, even if for a non-financial institution.

I translate all of the above to answering these questions:

  1. Do those responsible for taking risks, whether in the executive suite or in the trenches of the organization, have the guidance they need to ensure that risks they are creating and/or managing are maintained at levels acceptable to the board? This should include both the mitigation of excessive adverse risk and addressing situations where insufficient risk is taken (e.g., where a manager is overly cautious to the detriment of the organization).
  2. Is that guidance updated and communicated as business conditions (internal and external) change?
  3. When management proposes and the board approves strategies, plans, objectives, and similar, is appropriate consideration given to risks to those strategies and objectives?
  4. Is necessary and appropriate risk information (including the results of risk monitoring) provided to the board, executives, and other managers so they can effectively direct and manage the organization?
  5. Are exceptions appropriately reported and addressed?
  6. Is performance management (especially reporting) adequately integrated with risk management, and are those responsible for driving performance against objectives also held responsible for addressing risks to those objectives?

That ‘guidance’ could be in the form of a risk appetite statement (or similar) as envisaged by the FSB and described in COSO’s ERM – Integrated Framework, or in the form of risk criteria as required by the global risk management standard, ISO 31000:2009.

What I especially like about the FSB list of questions (and reflected in mine) is that it recognizes that mere compliance with an RAF is an insufficient audit approach; it is critical to assess whether it is current, timely, communicated broadly, and meets the needs of the business.

I welcome your comments.

Dynamic, iterative, and responsive to change

August 23, 2014 4 comments

One of the principles for effective risk management in the ISO 31000:2009 global risk management standard is that risk management should be “dynamic, iterative, and responsive to change”.

I really like that. It captures a number of key ingredients for the effective management of uncertainty and risk.

“Dynamic” implies that risk management operates at the speed of the business. It is far more than the occasional, even if regular, assessment of a list of so-called top risks. “Dynamic” is when the consideration and management of risk is part of the fabric of the organization, and an element in daily decision-making and operations of the organization. It is active and essential.

“Iterative” is about a reliable set of processes and systems for identifying, assessing, evaluating, and treating risk. It means that when management makes decisions, based in part on risk information, there are proven processes and the information is reliable.

Finally, “responsive to change” is essential when risk changes at speed. Every day there is a potential surprise, a new or changed situation to which the organization should at least consider responding. It could be a shift in exchange rates, a change in the government of a nation where you do business, a flood that affects the supply of a critical component, the decision in a court case that affects you directly (because you are a party) or indirectly (because it creates a new interpretation of a regulation with which you must comply), the loss of a key customer, a new product from a competitor, the loss of a key employee, or so on.

Stuff happens and it changes or creates risk.

The organization must be responsive to change, nimble and agile in modifying strategy and execution.

All of this applies not only to risk management but also to internal audit (and to finance and the rest of the organization, in truth).

Is your internal audit function “dynamic, iterative, and responsive to change”?

For that matter, do IT, Finance, Operations, and so on meet the principle behind that phrase?

Or are they slow, scattered, and stubbornly reluctant to change?

Is that a risk to which we must respond?

I welcome your comments.

Risk Management is not about Defense

July 28, 2014 16 comments

From time to time, I get into trouble with the IIA.

Here’s another opportunity.

The IIA has embraced the Three Lines of Defense Model and in 2013 issued a Position Paper (identified as strongly recommended guidance[i]) The Three Lines of Defense in Effective Risk Management and Control. Since then, IIA leadership has advocated the model, including in its recent Enhancing value Through collaboration: A call to action (see this related post).

The idea of the model has some merit. It distinguishes between functions that own and manage risk (operational[ii] management: the 1st line of defense), those that “oversee risk” (including risk management facilitation and monitoring of risk management practices: the 2nd line of defense), and those who provide independent assurance (primarily internal audit: the 3rd line of defense).

Distinguishing the roles of management, risk management, and internal audit has merit. It is also useful to talk about the need for coordination.

However, I believe the IIA has made a grave mistake.

Risk management is not about defense.

It’s about management making informed decisions and taking the right risks.

If anything, that is offense.

Defense implies you are defending against risk. If you don’t take risk, you wither and die.

Defense implies that risk is bad. It is not. It can be positive or negative and, as one sage individual commented on my blog, there is often an opportunity to change a potential negative into a positive.

Last week, I met a top financial services risk management expert in Singapore (Martin Davies of Causal Capital). He told me about a situation where a trader submitted a proposed transaction for risk management review and approval. It was rejected because it fell outside the organization’s “risk appetite” (used in this context, it really referred to risk criteria[iii] rather than risk appetite as defined by COSO ERM). The risk manager rejected it. Martin explained how if he were in this situation he would sit down with the trader and work with him on how the deal could be restructured such that it is acceptable[iv].

This is offense, not defense.

In any event, my view is that when you put responsibility for managing risk in the hands of a siloed risk management function you are at the same time removing that responsibility from operating management.

This is not a good thing.

Management needs to own risk, with risk management serving as facilitator.

The IIA paper talks about risk management “overseeing” and “monitoring” risk management practices – which sounds awfully (and I mean awful in every sense) like corporate police and a siloed, adversarial risk management function.

No. This is a practice that will only stifle an organization and limit achievement.

Let’s talk about the lines of offense instead of defense.

How can risk management enable the organization to take the right risks, optimize outcomes, and not only achieve but surpass objectives?

I welcome your comments.

 

PS – controls help the organization go faster, not just preserve value

 

[i] Why this is considered guidance escapes me. I understand how it can represent the IIA’s thinking, but it is informational in nature rather than guidance for the professional practice of internal auditing. I contrast this with the Position Papers on the role of internal audit in risk management and governance, which did provide guidance.

[ii] The IIA refers to risk as being owned by operational management. I don’t understand why they don’t include executive management and the board. They refer to senior management as setting strategies and objectives and defining the governance structure, but setting strategy and making those decisions is itself taking risk; taking risks and making decisions is not limited to operating management.

[iii] Follow the links to a paper by Martin on risk appetite that relies on ISO 31000:2009 rather than COSO ERM.

[iv] I am with Martin and would fire the risk manager who simply stamps the proposed trade “rejected”.

Guidance for Directors on Disruptive Change

July 7, 2014 3 comments

Every organization needs to be able to not only anticipate and address the inevitability of change that might disrupt its business, but be prepared to take advantage of the opportunities that will present themselves.

We talk about risk as if every uncertainty has a downside.

We talk about opportunity as if it is something that we choose to seize or not, and do little to ensure we identify and take full advantage of it. How do we expect to optimize our performance when we are cavalier about moving quickly to take advantage of opportunities that may arise and disappear quickly?

We talk about resilience as if we should stand tall, like a wall, in the face of disruptive change. Perhaps we should move instead, either out of the way or to align ourselves to benefit from the movement (think Aikido).

In fact, all of these come into play. Situations and events can have multiple possible effects, some good and some bad, and are not limited to one outcome at a time. As a simple example, the loss of one employee is the opportunity to hire somebody with different skills, reorganize the function, and so on.

What distinguishes our times from years past is the pace of change.

Deloitte recently published Directors’ Alert 2014: Greater oversight, deeper insight: Boardroom strategies in an era of disruptive change. Here are some excerpts:

“Sometimes, changes occur that are more dramatic. In the past, disruptive changes usually happened only periodically and resulted in a sustained plateau – the automated assembly line, for example, which revolutionized industry in the early twentieth century, continues to be a central feature of modern manufacturing. Today, however, disruptive change has become a perpetual occurrence in which one change instantly sparks a chain of others. What’s more, these changes are being generated by a variety of factors – digital disruption created by continuing technological advances, regulatory reforms, economic turmoil, globalization, and shifting social norms and perceptions.”

“In this environment, everything and anything may change at any time as category boundaries are blurred, supply chains are disrupted, and long-standing business models become obsolete. With change, however, comes opportunity. Technological advances enable organizations to generate new revenues by targeting new customers, new sectors, and access new geographies while more fully automating back office activities and divesting of declining assets to reduce costs. The challenge for organizations is to recognize when disruptive change is occurring and to act quickly and decisively when it does.”

“In this environment of ongoing, tumultuous change, organizations and their management and boards of directors must respond quickly and adeptly if they are to effectively address all the disruptive changes that surround and affect them. For boards of directors, this often requires greater oversight – expanding their scope to include activities and areas that were not traditionally part of their mandate. At the same time, boards must ensure that management provides them with deeper insights into the organization’s activities so directors can clearly understand all of the potential opportunities and risks.”

Deloitte takes each area of major change (such as strategy, technology, taxation, regulatory compliance and so on) and includes questions for directors to use in discussions with management.

I am working with ISACA on guidance for directors and executives on how disruptive technology might affect corporate strategy. I came up with a few questions of my own that directors and top executives might use:

  1. How does the organization identify the new or maturing technologies that might be of value and merit consideration in setting or adjusting strategies, objectives, and plans?
  2. Who is responsible for the assessment process?
  3. Who determines whether existing strategies, objectives, or plans should be adjusted?
  4. Does the assessment consider the potential for value to be created in multiple areas of the organization, or does each functional area act on its own?
  5. Does the assessment consider potential compliance and other risks, with the relevant experts included in the process?
  6. Does the assessment consider the potential actions of competitors, suppliers, customers, and regulators?
  7. Does the board discuss the potential represented by new or maturing technology on a regular basis and as part of its discussions of enterprise strategy?

Do you think these are the right questions? How would your organization fare?

I welcome your comments.

Risk Management Challenge – The Answer

July 1, 2014 Leave a comment

The Question

In a recent blog, I said I had asked one of the leaders of a CPA firm’s ERM consulting practice this question:

“Maybe you can help me understand how you would ensure that an HR manager makes the ‘right’ decision when deciding whether to hire a recruitment officer to support a new service center in Bangkok (opening in 6 months) now or in 3-4 months; support recruitment for the service center from the office in Singapore; hire one with experience only in Thailand or with broader experience across SE Asia; hire a single female in her late 20s or a married male in his late 50s; pay more than the individual being replaced (and go over budget) or hire a less experienced individual at a lower cost; include one or more business managers in the recruitment process; probe deeply or in a standard fashion into his/her references and background, which might delay hiring; and whether to hire an individual that is looking to advance to a director’s position within 2-3 years.”

As Arnold Schanfield predicted, the individual did not provide an answer to the question – although he agreed with the premise in the blog post.

In that earlier blog, I asked:

“…what are the organizational objectives here? Which are “at risk” and how can the HR manager (a) know what they are, (b) understand the potential effect of his choice on their achievement, and (c) know which decision means taking the desired level of risk?”

I shared another situation:

“Another example, which I use a lot, is the procurement manager who has to decide how she will source critical components (i.e., components critical to the manufacture of one of its primary products). Does she select the lowest cost provider who may not have the best reputation for quality, responsiveness, or on-time delivery? Or is it better to allocate the supply among the top three vendors? Or is it better to select one vendor and negotiate a long-term contract with opportunities for shared profit and innovation? Or should the procurement manager suggest to her director that the company consider building (or buying) its own facility for manufacturing these components?”

I asked “Which is the right risk to take? How can she know?”

A number of people provided their thoughts – and I thank them for sharing.

The Answer

I believe the answer can be obtained using risk management principles (using the guidance of your choice – mine is ISO 31000). You can also consider, as I do, that these are principles for effective management and decision-making. Here is my thought process:

  1. The owner of an objective is also the owner of any risks to that objective.
  2. Where the owner of a risk is not responsible for all the actions and activities that affect the risk, he needs to communicate his needs to all those whose actions he depends upon. In other words, he needs to make sure they know how their actions will affect him.
  3. But that responsibility is not one-way. Managers should take responsibility for the effects their actions will have on others.
  4. In the first example, every part of the organization whose objectives depend on the new service center should ensure that its needs and expectations are known and understood by the managers of the new service center.
  5. The manager of the service center needs to know how any failure to meet those needs and expectations will affect the business.
  6. The manager of the service center needs to work with HR and ensure they understand not only that he wants to hire for the new operation but how critical that need is to the business. For each position, he needs to agree on requirements such as timing, experience, location, and so on.
  7. The HR manager must go beyond any paperwork (e.g., a staffing requisition) to ensure he understands all expectations, including the risk to the business should there be either delays or compromises in hiring.
  8. The HR manager also needs to understand any legal, company policy (such as not discriminating based on gender, age, or race), or other requirements when deciding how, when, and where to hire the recruitment officer.
  9. The HR manager should consult with other business managers, including the manager of the service center, before making any decision that could impact his service to them.
  10. The manager of the service center should monitor progress in hiring the recruitment officer, as a delay represents a risk to his and his customers’ objectives.
  11. Any manager should be able to ask for assistance from the risk manager, such as facilitating a workshop to discuss the situation and agree on actions.
  12. Each player should communicate any changes in the situation.
  13. In the second example, the managers whose objectives are affected by the procurement decision should ensure that the procurement manager fully understands their priorities (such as quality vs. cost vs. reliability, etc.).
  14. The procurement manager similarly needs to take responsibility for knowing her customers’ (within the business) priorities.
  15. Where appropriate, in the opinion of the procurement manager or the managers of manufacturing or finance (for example), the decision should be made collaboratively.
  16. The risk manager may be of value by facilitating a discussion.

The bottom line is that in neither case should the decision-maker base their decision on their own objectives alone. They need to understand and consider the objectives of those affected by their decision.

Similarly, everyone whose objectives are “at risk” to decisions and actions made by another should seek out those others and work to ensure their and the organization’s objectives are known and considered.

Where possible, decisions should be made collaboratively with all those potentially affected.

Do you agree?

Board Oversight of Cyber-Risks

June 29, 2014 4 comments

Over the last few years, “cyber” has moved from science fiction to business reality. I am not sure why we changed from talking about information security to cyber, but I am told (yet not convinced) that there is a difference.

In any event, boards and top management need to be concerned with cyber-risks because of the potential harm an adverse incident can cause to the organization’s reputation and trust, intellectual property, and compliance with applicable laws and regulations – and the business disruption can be even greater.

But how much should boards get involved? Should we expect directors to ask for and inquire about details, or should they instead ask probing questions and satisfy themselves that management has appropriate mechanisms in place?

Cyber Risk Oversight, a publication of the National Association of Corporate Directors (NACD), in collaboration with AIG and the Internet Security Alliance, takes the position that directors should ask questions. (The executive summary is free, but the detailed questions are in appendices that are only free to members).

I like their five principles, especially the first two:

  1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
  4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

While some would like to see information security (a.k.a. cybersecurity) as an issue that merits attention all by itself, the potential effect on the entire business and its ability to achieve its objectives justifies cyber being recognized as a business and not “just” an IT issue.

In fact, the level of risk associated with any cybersecurity failure should be measured like any risk, in terms of its effect on the achievement of enterprise objectives. This means that the interrelationship between cyber and revenue generation, customer satisfaction, and so on all need to be considered.

In addition, the investment the organization makes in cybersecurity should be commensurate with the level of risk and balanced against competing needs for capital from other aspects of the business.

Should there be an IT committee of the board? Should the board have several cyber experts who can understand and provide effective oversight? I think the answer is “it depends” – on the level of risk that cyber represents to the organization and whether the board can use the services of experts (such as within risk management and/or internal audit) to fill any knowledge gaps.

I agree with the NACD that the board should ensure it has sufficient information and expertise to ask the right questions of management at regularly scheduled board meetings. I believe they should demand both internal audit and risk management assistance in assessing cyber-risk and the adequacy of management’s programs for managing it.

Do you agree?


A Risk Management Challenge for You

June 21, 2014 23 comments

I hope I have been consistent in my message: that risk appetite and other top-level guidance only enable an after-the-fact answer to the question of “did we take the right risks”.

They don’t provide the guidance people need when they make decisions as part of running the business on a daily basis.

I am in the middle of an email discussion with a leader of one of the Big 4 CPA firms’ risk management consulting practices. He is one of the few from the Big 4 that I have heard say the same thing I do – that risk is taken every time you make (or decide not to make) a decision, and that those making decisions need guidance on which are the right ones to take.

This gentleman has developed a somewhat complex process that takes the organization’s objectives, identifies the type and general source of risks to each of those objectives, determines at a high level the aggregate level of risk to each objective that would be acceptable, and then drives this down to the decision-makers whose actions create or modify those risks – and finally determines what would constitute an acceptable level of risk at their level.

It’s a valiant attempt to deliver guidance to those taking or modifying risk every day.

But is it enough?

I asked him this question, to which he has not yet replied:

“Maybe you can help me understand how you would ensure that an HR manager makes the ‘right’ decision when deciding whether to hire a recruitment officer to support a new service center in Bangkok (opening in 6 months) now or in 3-4 months; support recruitment for the service center from the office in Singapore; hire one with experience only in Thailand or with broader experience across SE Asia; hire a single female in her late 20s or a married male in his late 50s; pay more than the individual being replaced (and go over budget) or hire a less experienced individual at a lower cost; include one or more business managers in the recruitment process; probe deeply or in a standard fashion into his/her references and background, which might delay hiring; and whether to hire an individual that is looking to advance to a director’s position within 2-3 years.”

We say that risk is the effect of uncertainty on objectives and that you have to assess each risk within the context of objectives.

But what are the organizational objectives here? Which are “at risk” and how can the HR manager (a) know what they are, (b) understand the potential effect of his choice on their achievement, and (c) know which decision means taking the desired level of risk?

In practice, the HR manager has his own objectives, as does the HR department. For example, he probably believes that one of his primary objectives is staying within budget. Can he achieve that without adversely affecting another department’s objectives to an unacceptable extent?

It’s not only that delaying hiring or hiring somebody with insufficient experience may adversely affect the operation of the new service center, but problems at the new service center might result in failures to bill customers accurately, pay critical vendors on time, produce accurate financial and operational reporting, and more. The ripple effect could be substantial and affect multiple organizational objectives.

A (COSO) risk appetite statement or framework set by the top management team and approved by the board is of no help.

Are (ISO 31000) risk criteria any better?

Management decisions like this are made every day.

Another example, which I use a lot, is the procurement manager who has to decide how she will source critical components (i.e., components critical to the manufacture of one of its primary products). Does she select the lowest cost provider who may not have the best reputation for quality, responsiveness, or on-time delivery? Or is it better to allocate the supply among the top three vendors? Or is it better to select one vendor and negotiate a long-term contract with opportunities for shared profit and innovation? Or should the procurement manager suggest to her director that the company consider building (or buying) its own facility for manufacturing these components?

Which is the right risk to take? How can she know?

I welcome your comments.

Isn’t this the core, the heart of risk management?

How Good is your GRC? My book now available in paperback and soft copy

June 17, 2014 Leave a comment

Background

Anyone who has been reading my posts should know that I have concerns about the way people are misusing the term GRC. In my April post, I closed with:

So here’s my recommendation to all: stop talking about GRC and start talking the language of the business. Let’s talk about how we can increase value to stakeholders, address potential obstacles and seize opportunities to excel, act with integrity and remain in compliance with current and anticipated regulations, and manage the organization to success.

So how do we move forward?

It is important to get each part of the business working well. But it is also important that they work together. We don’t want fragmented operations that operate in silos.

How can an organization’s board, executives, or internal auditors determine whether their different activities (such as strategy, performance, and risk management) are working together, in harmony, for the optimization of performance while acting with integrity?

 

The Book

I have a new e-book, How Good is your GRC? Twelve Questions to Guide Executives, Boards, and Practitioners. It consolidates my thinking about what GRC means and the business problem it represents (the failure to have the various pieces work together in harmony). I include twelve questions, with discussion, that you can use within your organization in a discussion or assessment process.

 

How and Where is it Available?

If you want a soft copy to read on your PC, tablet, or eReader, a Kindle version is available from Amazon. If you want to read it on your PC, first download the free Kindle for PC app; for the iPad or iPhone, download the free Kindle app from the Apple App Store; and for an Android device, there is a free app on Google Play. Then go to Amazon to purchase the ebook.

A paperback version is now available from Amazon or (my preference) the CreateSpace e-store.