Archive for the ‘Risk’ Category

Opportunities to upgrade your skills

August 7, 2020

This pandemic has shut down, as you might expect, all the in-person conferences and seminars that I had expected to participate in this year.

However, I will be leading some small group online training starting in October. If you are interested, please follow the links below to obtain more information.

Each event will be what we call 3X3: three hours each day for three days.

Sarbanes-Oxley s404 Master Class October 20, 21, 22

GRC – A Corporate Discipline November 3, 4, 5

Risk Management that Helps the Organization Succeed November 17, 18, 19

Auditing that Matters: Building a World-Class Internal Audit Function

Board members should discuss this excellent paper on Boards and the Taking of Risk for Success

August 3, 2020

The ACCA published an excellent product a couple of years ago. Risk and the Strategic Role of Leadership might have been written by three UK academics, but reflects the practical thinking of board members as well as risk practitioners.

Here are some notable excerpts, with some highlighted by me:

  • Boards have always been involved in the management of risk. Without appropriate risk taking, organisations cannot exploit the full range of strategic opportunities that are available to them, nor can they hope to protect themselves from less positive outcomes.
  • Effective risk assessment, reporting and control help to enhance a board’s governance and internal control activities, reducing the probability that an organisation may deviate from its stated objectives and so fail to meet the needs of its stakeholders.
  • Risk may bring with it the potential for losses, but it also offers the potential for opportunity.
  • Boards are still finding it hard to understand and address softer factors, such as culture and risk appetite. Often, this is because of a lack of clear information and difficulties in connecting them to organisational performance.
  • Regulation and compliance remain key drivers for board-level involvement in risk management. Nonetheless, some organisations are increasingly aware of the strategic benefits of risk management in helping them to exploit opportunities and so exceed their stated objectives.
  • Factors such as lengthy risk reports and insufficient time devoted to risk management at board meetings create significant challenges for board-level risk-management activities.
  • Today’s board has a key role to play here, helping its organisation identify and exploit opportunities, which is as much a part of maximising the long term sustainable performance of the organisation as well as overseeing the mitigation of threats.
  • Risk comes with the opportunity for returns, and even seemingly adverse events such as regulatory change or political uncertainty can create opportunities that may be exploited.
  • …highly strategic risks, such as the development of a new product or market, or an acquisition or merger, very clearly combine a range of positive and negative outcomes.
  • exploiting opportunities is as much part of risk management as controlling downside outcomes.
  • Viewing risk as ‘bad’ means that the potential for better-than-expected outcomes may be overlooked. It may also foster high levels of risk aversion in boards, a problem that was identified by a number of the participants in both large and SME organisations. The consequence of this approach is that innovations may be missed.
  • “In some areas there should be a willingness to proactively take risk and indeed that to take no risk is potentially the biggest risk of all because there’s a possibility that people innovate around you, you’re left standing, and as time goes by you become the dinosaur in comparison to the rest of the sector” (non-executive director).
  • In a small number of organisations strategy setting and risk were integrated to a much greater extent. The directors of these organisations indicated that their boards considered the risks associated with choosing or not choosing specific strategic options at the strategy setting phase, as well as the organisation’s risk-management competencies and capabilities.
  • …an extremely prescriptive [ndm: the paper talks about two approaches, prescriptive and principled] risk-management approach may cause board-level risk-management activities to become static and reactive, with board members getting lost in operational detail (a potential problem made worse by lengthy risk registers) and taking an overly negative view of risk.
  • …an extremely principled approach may make inconsistent decisions and may pursue upside opportunities at any cost, exposing an organisation to excessive amounts of risk.
  • “So the classic thing, zero harm – we’ve got no appetite for something – it’s a complete misunderstanding of what risk appetite is. There is a wealth of metrics and information out there that you can tap into to articulate statements in a way which will actually add practical guidance to a business, and you’d be able to measure whether you’re operating within those parameters. But a lot of companies are just nowhere… they’re still doing the sort of high, medium and low, hungry-averse-type scales, which are just worthless” (Focus group).
  • …adopting a ‘compliance mind-set’ … may foster excessive risk aversion: ‘it’s the mind-set of actually, rather than helping us take risks better it’s about not taking risks at all’ (executive director).
  • Non-executives need to be assured that executives have ensured there is an appropriate risk-management framework that is operating effectively.
  • What was stressed by a number of participants was the need for discussion of risk at a strategic level – not at a level of governance and oversight that dwells on risk registers and frameworks – in order to be able to take advantage of opportunities.
  • The ability to move away from vast static risk registers that are essentially backward looking, towards a dynamic view of the real-world impact of risks on the activities of the organisation, was something that many have aspired to, but few have actually achieved, in their board’s approach to risk registers. All too often, and much to the disappointment of some participants, the use of risk registers was seen as a ‘tick-box’ exercise characterised as compliance, as opposed to one of many sources of information pertinent to strategic decision making.
  • The risk and/or audit committee was seen to act as a filter for the board, with a more succinct discussion taking place at board level.

The paper has a number of highly constructive suggestions. I recommend reading them all, but here are the ones I especially liked:

  • Place risk in a positive context. Consider the potential for outcomes to be better, as well as worse, than expected, making it clear when you are talking about opportunities and risks. If necessary, avoid using words such as risk if they have a negative meaning in your organisation; eg consider alternatives such as ‘volatility’ and ‘uncertainty’.
  • Integrate your strategy and risk decisions. When setting your strategy and business objectives, consider the potential for better or worse-than-expected outcomes from the outset.
  • Boards should adopt the 75:25 rule. Spend 75% of board meetings looking outwards and forwards. This will help the board to identify external and future threats and opportunities. Spend the remaining 25% of board meetings looking inwards and backwards. This will help the board to understand the organisation’s capabilities and competencies in areas such as finance and risk management.
  • All papers going to the board should have a dedicated risk section within the executive summary, highlighting their risk implications for the strategic objectives of the business. This provides visible anchor points for discussion of the strategic risk-reward equation.
  • Policymakers should revisit their risk mind-set: risk is not bad in itself and opportunities are never certain. Rather than considering risk management as a device for increasing certainty, it should be considered as a means for achieving ever more positive outcomes. Risk management should help an organisation to create value, as well as to protect it.
  • Always encourage boards to make links between strategy and risk. Potential risk exposures, along with the ability of an organisation to manage these exposures, should be considered as part of strategy setting. Risk management should not be a bolt-on activity after the strategy has been determined.

I recommend that the full board, not just the risk and/or audit committee, should receive a copy of this paper and hold a discussion with management on its key points, recommendations, and self-assessment questions.

I welcome your thoughts.

A definitive risk and compliance benchmark report

July 31, 2020

Navex bills itself, in all modesty (!), as “the worldwide leader in integrated risk and compliance management software and services that help organizations manage risk, address regulatory compliance requirements and foster an ethical workplace culture”. I am sure that every other software vendor and consultancy firm agrees that Navex is #1!

They have just released their Definitive Risk and Compliance Benchmark Report, a publication with a modest name to match their modest branding.

Does it live up to that billing?

One of the things that always bothers me about surveys and the resulting reports is that they ask the providers of information about its value rather than the consumers. They ask the risk, audit, compliance, and other practitioners rather than the business leaders.

Value is only assessed through the eyes of the buyer. The seller can say whatever they like, but it’s all about what the buyer is willing to pay.

Let’s face it: most buyers of risk, audit, and compliance services shell out the money reluctantly.

But, back to their report. Here are some excerpts and I will follow them with comments:

  • Ninety-two percent (92%) of respondents said their organization behaved ethically all or most of the time. Over a third (36%) described their organizations as ethical all the time. This positive view is not shared by the public. In a recent Gallup poll, business executives were considered high or very high in honesty and ethics by only 20% of respondents. In a Deloitte global survey of professional millennials, business fared a bit better, with 49% saying that business leaders operate ethically.
  • Corporate responsibility is not a corporate priority. In the Deloitte global survey of professional millennials, a majority were critical of businesses for focusing primarily on maximizing profits instead of giving a higher priority to pursuing “socially useful” objectives. Although millennials are not alone in their growing concern for more corporate social responsibility, it ranked last amongst R&C concerns.
  • Compliance professionals prioritize workplace culture, but don’t act.
  • Overall, fewer than a third (32%) of R&C programs prioritize preventing and detecting harassment and discrimination, while just one in ten (10%) of respondents said detecting and preventing retaliation was a high priority.
  • Programs in highly regulated industries are more likely to deprioritize activities aimed at reducing harassment and discrimination.
  • Over two-thirds (68%) of respondents identified data privacy and cybersecurity as a top R&C concern, consistent across all maturities. Respondents also listed enhancing data privacy, cybersecurity, and the protection of personal identifiable information (PII) as top priorities. Nearly two-thirds (64%) listed this issue as one of their top two priorities; over a third (35%) ranked it as their number one priority. This was consistent across all maturities.
  • Nearly a third (31%) of respondents experienced a data privacy or cybersecurity breach in the past three years.
  • Nearly half (47%) of respondents describe financial integrity and fraud as a “top concern,” up 11% from 2019. Bribery & corruption concerns also rose to 39%.
  • For the first time, this year’s benchmark survey explored the topic of risk integration. Identifying six key types of risk – compliance, IT, operational, reputational, third-party, and financial – we asked respondents how their R&C programs did (or didn’t) manage these concerns. Overall, compliance risk remains the central focus of the vast majority (88%) of R&C programs. This is followed by IT and operational risks at 57% and 53% respectively. No form of risk is managed by fewer than 40% of R&C programs.
  • Overall, a plurality (23%) of programs cite their CCO as primarily responsible for integration strategy.
  • The CRO role is still an emerging one. More than half (53%) of programs do not have a CRO. Of those that do, half (47%) have constructed this role as a dedicated FTE.
  • Overall, respondents believe their risk and compliance programs are well-supported by leadership, with nearly two-thirds (64%) saying they have program buy-in, oversight and commitment from senior management.
  • Over half (56%) of respondents say their R&C program periodically reports to a board that also oversees it.
  • Organizational risk assessments are a core evaluative R&C program tool. The practice of regular assessments is now widespread, with two-thirds (66%) of programs conducting periodic assessments of their organization’s risk profile.
  • A little over half (56%) of programs have audits to measure compliance program effectiveness.

  1. This is not a risk and compliance report. It pretty much ignores any form of risk management.
  2. It does have some decent data on compliance programs.
  3. It is unfortunate that the respondents work at organizations that do not recognize the importance of social responsibility, the harm that can arise if it is ignored and the benefits that can accrue when it is given a priority.
  4. It is even more unfortunate that so little is being done about sexual harassment and assault in the workplace.
  5. Action is not being taken to address culture, even when it is recognized as a problem.
  6. These guys have no clue but are happy to profess expertise in “risk integration”.
  7. Even though the regulators call for compliance to be risk-based, these experts don’t seem to understand or adhere to those practices.

I will let you decide whether the authors are working for the leader.

However, as I said, there is some interesting material and data on ethics and compliance programs.

I welcome your comments.

New advice for internal auditors

July 27, 2020

There’s a new article that merits our attention. It’s from the software vendor, MetricStream.

Strengthening Internal Audit’s Business Impact makes some good points:

  • From corporate policemen to strategic advisors, internal auditors have come a long way over the past decade. Today, boards and leadership teams are looking to them not just to point out where internal controls are inadequate or ineffective, but to provide insights on how the business can improve its efficiency and operating effectiveness.
  • One of the simplest ways for internal auditors to create value is to ensure that their objectives and plans are always aligned to business objectives.
  • Internal auditors might even want to challenge the business objectives to ensure that they are precise, attainable, and practical.
  • Many audit training programs focus on enhancing the technical skills or domain expertise of the audit team, but it’s just as important that they build the team’s business knowledge as well.
  • Reporting is internal audit’s opportunity to weave together what they’ve seen and observed into one cohesive set of insights that can help the business catalyze efficiency, performance, and growth.
  • When business leaders understand which audit issues are most likely to impact the achievement of their goals, they can then prioritize their responses.
  • Agile auditing focuses on responding more dynamically to changing risks and stakeholder expectations.
  • While traditional audits are often planned based on the capabilities and capacities of the audit function, agile audit plans tend to focus more on what the business needs.
  • Internal auditors today have the opportunity to create real business impact.

These are all good points.

BTW, they are a software vendor, so I suggest ignoring their comments about technology and its use by internal auditors. There is frequently a great deal of value, but it's neither certain nor the same for every organization.

My thoughts:

  • Internal audit has progressed significantly over the last decade. Perhaps half have moved away from annual audit plans to ones that are far more dynamic (in line with agile auditing, although that term is newer than the practice of continuous audit planning). There is still a lot of progress to be made to bring the other half to a more dynamic process and everybody to more of a continuous planning activity than one that is quarterly.
  • The reference to insights is very important. When we developed the Core Principles, we were referring not only to the traditional comments in the audit report, but also to the insights we have as professionals that may or may not be backed by hard evidence, but should be shared with leadership.
  • The idea of “aligning to business objectives” seems passive to me. It sounds like you pick the audits you want to do and then identify which are the objectives to which they might relate. I very much prefer to consider the objectives, what is relied on to achieve them, and then plan audits to provide related assurance, advice, and insight. Add to that ensuring that we only perform audits where there is a strong likelihood that our results will provide valuable information to leaders of the organization.
  • The idea that internal audit challenges the setting of business objectives is, itself, challenging. It’s fair that we say something if we don’t believe the processes for setting the objectives are sound. For example, we should point out situations where functions like Compliance were not consulted, or if the impact of technology advances has not been considered. I think it’s also fair if the objectives of a team or business unit are not properly aligned with those of the enterprise as a whole, or are in conflict with another department, business unit, etc. But I am not sure we should challenge them based only on whether we think they are the right objectives.
  • I agree entirely with the need to make sure auditors understand the business. But let’s not forget other soft skills, such as interpersonal communications, listening and interviewing skills.
  • There’s a lot I could say about reporting. Let me just make two points. 1. It’s not about reporting, it’s about communicating. 2. Tell them what they need to know, not what you want to say.
  • If you cannot explain why something is important and how it affects the achievement of objectives, maybe it isn’t and doesn’t – and management should ignore you.
  • We can and should have a significant impact on the business, but that requires that we audit what matters, when it matters, and communicate the assurance, advice, and insight leaders need for success.

I welcome your thoughts.

The Three Lines of Defense Model is no more

July 20, 2020

Today, the IIA released what I would call a replacement for its Three Lines of Defense Model. The old model was released in a Position Paper in 2013, The Three Lines of Defense in Effective Risk Management and Control.

One of the more significant things to note is the change in name to The Three Lines Model.

Before you read and digest the new model, I suggest you read an excellent introduction by Richard Chambers, New IIA Three Lines Model Offers Timely Evolution of a Trusted Tool.

I disagree with Richard’s piece in one respect, when he says the new model (and it is almost entirely a new piece of work) will change the way many organizations look at risk and controls. I think that is hyperbolic optimism.

Before going further, I should reveal that I am one of the 30 members of the advisory group. But having said that, I can also tell you that I was highly critical of each of the previous drafts I received for review and comment. I even made calls to Richard and others pleading for dramatic change, if not destruction of those drafts.

I am thrilled to tell you that I wholeheartedly endorse the new model. It’s not perfect, nothing can be, but it comes close. It has a great deal of value and merits a close read with careful attention to each phrase.

The only change I would have required to the final product would have been to strengthen the discussion of the independence of internal audit by requiring that the compensation, hiring, and termination of the CAE be the responsibility of the governing body, not management.

You can download the new Model from this page.

Some of the improvements:

  • It is no longer only about “defense,” protecting rather than creating value. It’s about achieving objectives and that requires both creation and protection of value.
  • It repeats the consistent message from the IIA, only more clearly, that management is responsible for achieving objectives and the success of the organization, with oversight from the governing body (the board). That includes understanding and addressing what might happen, “risk”.
  • It helps organizations understand the responsibilities of and relationships among the board, management, internal audit, and others.
  • It is based on principles that are sound and useful.
  • It recognizes that what we used to call the second line is really part of management. My concern about the old model and trying to fit in functions like Legal, Compliance, Information Security, Quality Management, and so on is now addressed by recognizing that there is some fluidity between first and second lines.
  • The Model emphasizes the need for collaboration, the essence of GRC (see my earlier post).
  • It also confirms that risk management contributes “to achieving objectives and creating value, as well as to matters of ‘defense’ and protecting value”.
  • The final version of the diagram is simple. There’s no need any more to argue about whether there are three, four, five, or even six lines.
  • It’s less about “lines” than it is about who does what and how they collaborate for enterprise success. The Model continues to use the word “lines”, but is almost apologetic for doing so.

I will close with just one excerpt that I like, with one sentence in particular highlighted:

Internal audit’s independence from management ensures it is free from hindrance and bias in its planning and in the carrying out of its work, enjoying unfettered access to the people, resources, and information it requires. It is accountable to the governing body. However, independence does not imply isolation. There must be regular interaction between internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization. Through all of its activities, internal audit builds its knowledge and understanding of the organization, which contributes to the assurance and advice it delivers as a trusted advisor and strategic partner. There is a need for collaboration and communication across both the first and second line roles of management and internal audit to ensure there is no unnecessary duplication, overlap, or gaps.

What do you like or dislike about the Model?

Please share and let’s discuss.

What can the audit committee do for you as internal auditor?

July 16, 2020

There’s an interesting new article in the IIA’s Internal Auditor, Working in Concert: CAEs weigh in on the types of questions audit committees could ask them to strike the right tone.

Several CAEs were surveyed by the magazine “to find out which key questions they wish their audit committees would have asked them, but never — or rarely — did.”

They identified seven questions:

1. What can the audit committee do for you?

2. Is the audit plan the right one, and can it be delivered?

3. Does internal audit have the necessary resources and skills to provide the required level of assurance?

4. How responsive is management in dealing with the risks that internal audit and other assurance providers flag to them?

5. What is internal audit’s view of external audit and other assurance functions?

6. How can internal audit add value? What is your vision for the future?

7. Would you like to have a coffee off-site?

These should all stimulate some reflection, not only by the audit committee but also by internal audit leaders. Here are my thoughts. Please read the article in full so you can see what I am essentially replying to.

1. What can the audit committee do for you?

My audit committee invariably asked this question, so I am disappointed that these CAEs identified this as their #1 missing item.

Why should the audit committee need to “champion internal audit within the organization?” If the team is doing their job, their value is recognized by both executive and operating management. Do you still need your father to champion you in your work? (I know, ouch!)

I agree that members of the audit committee should bring their expertise to the table and help internal audit understand the more significant risks to the enterprise.

I tell the story of Tom O’Malley and one of my first audit committee meetings as CAE at Tosco, an oil refining and marketing company. The genius asked if I had considered the risks due to failure in the blending process. That came out of nowhere and I had no idea what it was about, but I did the right thing. I thanked him and said I would look into it. The blending of various products into gasoline, diesel, and jet fuel was in fact an extraordinarily high risk. If it was done poorly, it could lead to impurities in the product we sold. Some years later, many diesel-fueled vehicles in the Los Angeles area had major problems, even to the point of engine damage, due to defects in the fuel. Now just imagine a 747 coming in to land at a major city when the engines fail due to jet fuel impurities.

Tom O’Malley was not a member of the audit committee; he was the CEO. But the point remains valid.

Years later, Ed Hajim, a member of the Tosco audit committee, asked if I or any of my team was an expert on derivatives. The company had just established derivatives trading for its purchases and sales of crude oil and finished products. Ed was the CEO of a financial trading company and had just been burned by his lack of understanding of derivatives. He made sure that I was given the time and budget to attend training at the New York Institute of Finance.

If the audit committee is not doing what the CAE needs from them, my position is that the CAE needs to bring this up, tactfully, in private meetings.

2. Is the audit plan the right one, and can it be delivered?

Of course, the plan should be questioned, but not in the way suggested by the article. For example, the committee should be asking:

  • How do you determine which areas to address?
  • Are you basing your plan on management’s assessment of risks? If not, why not?
  • How do you keep your plan up-to-date so that you address the risks of today and tomorrow, not those of the past?
  • What should be in the plan but is not, for whatever reason? Which significant risks have you decided not to include?
  • Have you sufficient budget for training and staff development? How are you maintaining and growing your skills yourself?

3. Does internal audit have the necessary resources and skills to provide the required level of assurance?

This is a necessary question, but why should the audit committee ask it? The CAE should have already given them the answer – and the actions they are taking to address the problem.

4. How responsive is management in dealing with the risks that internal audit and other assurance providers flag to them?

If this is a problem, the CAE should have already told the audit committee. Are these CAEs, the ones surveyed, too passive?

5. What is internal audit’s view of external audit and other assurance functions?

Similarly, if there is a problem, the CAE should have already shared that with both management and the audit committee.

The question they should be asking, in private sessions, is “what is your view of the senior management team?” That should be followed by questions about the culture of the organization and the tone at the top. These are far more difficult for the CAE to raise without initiative by the committee members.

6. How can internal audit add value? What is your vision for the future?

Sorry, but again these reflect on the passivity of the CAE. If the members don’t see the value themselves, there’s a problem. If they ask management (and they invariably do) and don’t get a thumbs up from them, there’s a problem.

The CAE should be asking whether they are providing the audit committee and executive management team with the value they need: assurance, advice, and insight on what matters when it matters.

7. Would you like to have a coffee off-site?

I was the one taking the initiative and asking for private, sometimes offsite, meetings.

The CAE needs to be and act like a leader, an executive with initiative. As the article says, “CAEs also can take better charge of the situation.”

Father may know best, but we should act like adults ourselves and be less passive.

I welcome your thoughts.

Internal Audit Independence and Objectivity

July 12, 2020

Internal auditors are afraid of crossing the line and impairing their independence and objectivity.

That’s fair enough, as long as judgement is used as to what those terms really mean and where the line lies.

My friend Mike Jacka has written eloquently about this and I agree with everything he has to say in NOT a Declaration of Independence.

Some of the examples he shares are right on point. I have seen similar situations where internal auditors acted in a way that I call downright silly!

  • I remember one CAE saying he had to use his own analytics software, not the company’s, to preserve his independence.
  • Another refused to accept a Vice President title because it made him sound like he was part of the management team.
  • Several over the years have told me that their job is to find problems and make recommendations for management response. Independence prevents them from sitting down with management, figuring out and then reporting agreed action items instead of recommendations.
  • Some have even told me that independence prevents them from relying on management’s risk assessment – to any degree.

Objectivity, the leaders of the profession will tell you, is the more important of the two words. But independence is still necessary – as long as we are clear what it means. It doesn’t mean that we can’t report administratively to a top executive, have a vice president title, or accept bonuses based on corporate performance.

The IIA tackled Independence when the Core Principles for the Professional Practice of Internal Auditing were written. (Yes, I know there are related Standards and Implementation Guides.)

I will pat myself on the back for coming up with the phrase used in the Principles: “free from undue influence.” The words “from management” didn’t make it into the final language, but they are certainly implied.

The Principles use the single word Objective, without expansion, but it’s not always as simple as a single word suggests.

Some examples to think about:

  • Your boss, the CAE, has told you to find more deficiencies to report. Is he or she being objective? Are you objective if you obey and report something that really isn’t important so that the audit report looks more substantial (I would call that ‘padding’ the report)?
  • The manager of the department responsible for the controls you are testing has questioned your business understanding. You are angry. Will you be objective?
  • The CAE has told you that he has concerns over the integrity of the department head whose area you are auditing. Will you be objective?
  • The process you are auditing has had multiple serious deficiencies in prior years. Will this affect your objectivity?
  • The department head is somebody that you like personally and admire. Will that affect your objectivity? Will you have an unconscious bias?
  • The employees responsible for the controls are difficult to work with. Will that affect you?
  • The department you are auditing has a reputation for excellence and there were no deficiencies, only best practices in the last audit three years ago. You performed that audit. Will you be totally free of bias and unarguably objective?
  • You audited the area last year and they haven’t agreed to implement any of your recommendations. Will that affect you?
  • Your spouse is nagging you to cut your offshore audit engagement short so you can help look after an ailing child. Will that affect your objectivity?

OK, let’s have a look at the Standards:

Standard 1100 – Independence and Objectivity

The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.

Revised Standards, effective 1 January 2017

Frankly, I prefer the phrase in the Principles for independence: free from undue influence. I think the language of the Standards confuses independence with objectivity, but that’s just hypercritical me.

Some suggest that our independence and objectivity are threatened if the CAE takes on additional responsibilities, participates in executive management discussions, and so on.

I say to that: phooey!

Doing what is right for the organization comes first. Anything questionable should be discussed with and agreed with the audit committee of the board.

But any assurance, advice, and insight we share should be free from bias (conscious or not, positive or not) and as objective as possible.

We are professionals.

Professionals are willing to share their professional opinions and ideas. They come from a place of, yes, independence and objectivity, and when we share them my experience is that they – and we – are treated appropriately.

I welcome your professional opinions.

Dysfunctional GRC

July 8, 2020 27 comments

The Open Compliance and Ethics Group (OCEG) has published the results of its 2020 GRC Maturity Survey, written by my good friend Michael Rasmussen. In full disclosure, Michael and I are two of the original three OCEG Fellows. This is an unpaid honor, apparently (in my case) for my thought leadership around GRC.

In fact, I have been writing about GRC for over a decade! For example, in 2009, I wrote Is there value in talking about GRC?

I believe the OCEG definition of GRC is the only one that makes any sense. Theirs is the only explanation of the value and meaning of combining the separate practices of governance, risk management, and compliance. In fact, for most so-called GRC discussions and solutions, the G is silent! Governance is not addressed (and it extends far beyond internal audit and ‘risk governance’ to include all board activities, strategic planning, performance management, legal, and more.)

In the latest OCEG report, Michael quotes the official and current OCEG definition of GRC:

“GRC is a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and act with integrity [compliance].”

He has also modified it slightly to emphasize the need to integrate multiple functions and avoid siloed operations.

“GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity”.

It’s concise. It’s impactful.

Note that this is more than a defensive posture of managing risk and ensuring compliance. It’s about moving forward to reliably achieve objectives.

But there is a great deal behind this single sentence. In that 2009 blog post, I quoted a more expansive OCEG definition:

“A system of people, processes and technology that enables an organization to:

    • understand and prioritize stakeholder expectations;
    • set business objectives that are congruent with values and risks;
    • achieve objectives while optimizing risk profile and protecting value;
    • operate within legal, contractual, internal, social and ethical boundaries;
    • provide relevant, reliable and timely information to appropriate stakeholders; and
    • enable the measurement of the performance and effectiveness of the system.”

This is more meaningful than the simple version. In fact, I suggest you can’t understand the full meaning of the OCEG definition without it.

I explained this musically in a 2011 post, A metaphor that explains GRC.

Simply stated, everything within the extended organization has to be working together to achieve a common purpose: the achievement of enterprise objectives.

If that is not the case, GRC is not fully functional. It is at least sub-optimal. To at least some degree it is dysfunctional.

Examples of dysfunction I have seen over my career include:

  • Executives putting personal objectives and their related compensation ahead of what is best for the enterprise as a whole
  • People running the business not even knowing what the enterprise is trying to achieve and how enterprise success depends on their actions – or is affected negatively by anything they do or fail to do
  • Individual and team objectives and metrics for compensation that were divorced from what was required of them for enterprise success. They were set in isolation and at best had a tenuous link up to one or more enterprise objectives. Nobody started with the enterprise objectives and determined what was needed from whom, with compensation based on that achievement
  • A failure of visibility of operations across the enterprise. For example, one company had no idea which consultants it was paying, whether it was paying them at different rates, or that it was paying for the same services in different locations, and so on
  • Executives not working as a team. They withheld information from one another, even competed for customer business, and would never consider sharing resources.
  • A failure to see the big picture of what lies ahead, which some people call risk but includes opportunity as well
  • A failure to base forecasts and projections on the combination of where we are (performance reporting) and where we are likely to go (risk and opportunity)
  • An inability to bring all affected parties to the table for decision-making
  • and the list could go on

I believe strongly in the need to assess where your organization is.

How dysfunctional is it?

What is holding it back from peak performance?

I wrote a book to help with this in 2014: How good is your GRC? It has 12 questions to guide you through the assessment process.

The OCEG report is well worth reading. It focuses on whether the various functions within the extended enterprise are “integrated” or whether they are in silos. While it is able to report that most organizations are moving to integrate further, only 14% say they have integrated many or all organizational silos of operation.

One huge opportunity is the integration of risk and performance. This helps you see what a car driver likes to see: where you are and what lies ahead, your speed and vehicle performance, and other information that helps you drive with confidence and safety to your destination.

But OCEG reports that this integration is unusual.

Read the report, please.

But before taking actions to upgrade your GRC, identify what is holding you back and where you need improvement. This is a great opportunity for internal audit!

Are all the horses (or mules) pulling your wagon in the same direction, giving their all for your safety and success?

As usual, I welcome your comments.

Agile and more effective internal auditing

July 5, 2020 11 comments

It is a pleasure to talk about a consultant’s paper on internal auditing that has significant value. Far too often, my posts are critical. This time is different.

A new KPMG Australia paper has a somewhat limiting title of “COVID-19: Enhancing internal audit effectiveness”. The subtitle, “A practical guide for agile internal audit” is more meaningful.

While COVID may have been the stimulus for the paper and a good marketing tag, the paper makes suggestions that should have pre-dated this crisis and should continue to apply after it has passed.

  • Agile internal audit techniques allow for a timely and fit-for-purpose approach to providing assurance during uncertain and changing times.
  • Agile internal audits are founded on the agile project and change management methodology, built to accommodate continually changing circumstances. As the agile method is shorter and iterative it allows for more flexibility and delivers greater impact when new initiatives arise, or significant business interruption occurs. Agile approaches to delivering outputs are increasingly being used across all organisations, including second and third line functions.
  • Agile internal audit delivers reduced costs, efficient delivery and improved quality.
  • Agile is based around the concepts of:
    • shorter, accelerated audit cycles
    • timely insights
    • greater stakeholder interaction and alignment to stakeholder needs
    • reduced waste and documentation
    • frequent communication
    • increased audit quality.
  • Agile assists in prioritising audits based on risk and the organisation’s readiness to perform the audit, with the delivered report focusing on providing insights and delivering briefer, timely feedback – with fewer words and, ideally, more visuals.

I will let you peruse and think carefully about the excellent table that contrasts traditional and agile auditing.

There is a great deal to think about, not least of which is why KPMG says that full scale internal audits are still required. I challenge that, as I pretty much stopped doing them in 1990! Agile audits that are focused like a laser on the risks that matter and can provide the assurance, advice, and insight on what matters when it matters should dominate the audit plan.

What do you think of the KPMG piece and my comment?

Understanding data breaches 2020

July 1, 2020 2 comments

For 13 years, Verizon has shared their Data Breach Investigations Report. The 2020 edition is now available.

As usual, it contains some interesting information:

  • Only 70% of breaches were by external actors.
  • Organized crime was behind 55%.
  • Nation states, sysadmins, and end users were each behind about 10% of the breaches.
  • 22% included social attacks (pretexting and phishing), 96% of the time by email and 1% by phone or SMS.
  • 17% involved malware; 27% of malware was ransomware.
  • 8% was from misuse by authorized users.
  • Partners were involved in 1%; multiple parties were also involved in 1%.
  • 81% were contained in one day or less [a massive improvement from what I have read in the past].
  • 72% of the victims were large businesses.
  • 58% of victims had personal data compromised.
  • 20% of breaches take months to be discovered, a significant improvement from prior years
  • Of the 108,069 breaches and 157,525 incidents reported to Verizon, more than 100,000 breaches “were credentials of individual users being compromised to target bank accounts, cloud services, etc.”
  • There were 25,029 incidents involving organizations where they could identify the industry category. 7,463 (30%) involved professional organizations, 6,843 (27%) were of public organizations, and 5,471 (21%) were information industry related.
  • Of the 3,262 breaches involving organizations where the industry was known, 521 (16%) were in healthcare, 448 (13%) in finance.

Unfortunately, there is next to no information on the extent of damage caused by the incidents. The top part of Figure 32 seems to indicate that very few exceed $100,000. However, the report says that “In 2019, the Secret Service prevented $7.1 billion of cybercrime losses and returned over $31 million in stolen assets to victims of fraud”.

The report has some fascinating detail that should be of great interest to infosec practitioners.

I keep coming back to the issue of whether data breaches are as significant a ‘risk’ as people make out. All of the studies point to a large number of small losses alongside a few massive ones that hit the headlines.

I suggest that every organization consider:

  • If we have a breach, how is it likely to affect the business and how it is run? Consider that there may be a single breach or a sequence of breaches by the same people.
  • How great would the damage be?
    • In terms of dollar losses?
    • In terms of impacting our ability to meet business objectives?
  • How likely is it to be so significant an impact that it merits board attention? Remember there is a range of potential impacts from minor to massive, each with its own likelihood, not a single point.
  • How much should the organization invest to prevent, detect, and respond to breaches – given the potential downside of a breach, the resources available for investment, and the opportunity to invest those resources elsewhere?
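
The point that breach impact is a range of outcomes, each with its own likelihood, rather than a single number is easier to act on when it is drawn as a loss exceedance curve. The following is an added illustration, not code from the post or from Verizon: it models breach frequency as a Poisson count and the cost of each breach as a lognormal severity (a common, heavy-tailed choice that reproduces the “many small losses, a few massive ones” shape), simulates many years, and then asks the two questions above: how likely is a loss large enough to merit board attention, and does a hypothetical control remove more expected loss than it costs? Every parameter (0.3 breaches a year, a $50k median breach, the tail shape, the $20k control) is a constructed assumption for demonstration; plug in your own estimates.

```python
"""Annual breach-loss simulation (added example; all parameters are constructed assumptions)."""
import math
import random
from typing import Dict, List, Sequence


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Number of breach events in one year, drawn from Poisson(lam) by Knuth's method.

    Fine for the small yearly rates used here; not intended for lam in the hundreds.
    """
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(breach_rate: float, median_loss: float, sigma: float,
                           trials: int = 20_000, seed: int = 7) -> List[float]:
    """Compound Poisson/lognormal model: total breach cost for each simulated year.

    breach_rate: expected breaches per year (assumed; the post gives no figure).
    median_loss: median cost of one breach, in dollars (assumed).
    sigma:       lognormal shape; larger values give the heavier tail that produces
                 the rare massive losses the post mentions.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    mu = math.log(median_loss)  # lognormal median == exp(mu)
    losses = []
    for _ in range(trials):
        events = poisson_sample(rng, breach_rate)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def exceedance_curve(losses: Sequence[float], thresholds: Sequence[float]) -> Dict[float, float]:
    """P(annual loss > t) for each threshold t: the range of impacts, each with a likelihood."""
    n = len(losses)
    return {t: sum(1 for x in losses if x > t) / n for t in thresholds}


def expected_loss(losses: Sequence[float]) -> float:
    """Sample mean of the simulated annual losses."""
    return sum(losses) / len(losses)


def analytic_expected_loss(breach_rate: float, median_loss: float, sigma: float) -> float:
    """Closed form for the same model: yearly rate times the lognormal mean severity."""
    return breach_rate * median_loss * math.exp(sigma ** 2 / 2)


def control_is_worth_it(losses_before: Sequence[float], losses_after: Sequence[float],
                        annual_cost: float) -> bool:
    """Invest only if the control removes more expected loss per year than it costs."""
    return expected_loss(losses_before) - expected_loss(losses_after) > annual_cost


if __name__ == "__main__":
    # Constructed scenario: 0.3 breaches a year, $50k median breach, heavy tail.
    before = simulate_annual_losses(0.3, 50_000, 1.5)
    # Hypothetical control that halves the breach rate for $20k a year.
    after = simulate_annual_losses(0.15, 50_000, 1.5, seed=11)
    for t, p in exceedance_curve(before, [0, 100_000, 1_000_000, 10_000_000]).items():
        print(f"P(annual loss > ${t:>12,.0f}) = {p:.3f}")
    print(f"expected annual loss (simulated): ${expected_loss(before):,.0f}")
    print(f"expected annual loss (analytic):  ${analytic_expected_loss(0.3, 50_000, 1.5):,.0f}")
    print("control worth it:", control_is_worth_it(before, after, 20_000))
```

The exceedance curve is what a board can actually use: pick the loss that would be material to the business and read off its yearly probability, instead of debating a single “cost of a breach” figure. The expected-loss comparison is deliberately crude (a one-year horizon, no discounting, no reputational or objective-level impact), which is exactly why the post’s second question, impact on the ability to meet business objectives, still has to be answered in words.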

Cyber is a tough topic to translate from techie-talk to business-speak, from the concerns of the CISO and CIO to those of the CEO and the board. If you haven’t seen it, please consider my thought-provoking Making Business Sense of Technology Risk.

How do you measure the effectiveness of internal audit?

June 25, 2020 19 comments

I want to thank Dr. Rainer Lenz for telling me about the new paper he and Dr. Marc Eulerich have written for the IIA’s Internal Audit Foundation. (I also want to commend the Foundation and the IIA Dallas Chapter, the sponsor, for their innovative crowd-funding of the paper.) Rainer and I have exchanged thoughts and ideas about internal audit for years, and I respect him and his contributions to the profession.

The products of the Foundation are intended as leading research. They do not represent guidance.

Defining, Measuring, and Communicating the Value of Internal Audit: Best Practices for the Profession has some excellent content, especially the quotes from CAEs. I will focus on those before explaining why I think it falls short.

  • Internal auditors and internal audit functions have been struggling — some more than others — to find convincing answers addressing one fundamental question: What is the added value of internal auditing in the specific organizational context?
  • Internal audit’s perceived value and its standing in the profession itself and among its stakeholders is still often described as hazy and enigmatic.
  • Deloitte (2018) finds that only about 40 percent of CAEs believe that their function has strong impact and influence within the organization and only 46 percent think that stakeholders are aware of internal audit’s services. In other words, more than 50% of internal audit’s key stakeholders do not see the added value of their audit functions.
  • …there is a difference between the value internal auditors think they rendered and what their stakeholders perceive.
  • “[What we] try to do is help the company identify the top risks, determine whether or not the management and risk management practices are adequate to deal with those risks or whether or not additional work needs to be done […]. Then I’m providing the assurance that it’s in place and operating the way it should be […]. I’m like your doctor or your dentist, I can’t brush your teeth for you, but I can tell you here are the steps you need to do to be healthy and I don’t want to be a police officer. I want to be that person that helps you get healthy, but I can’t do it for you.” —CAE of a large multinational technology company
  • “The audit committee and the management board know that we are going after the right topics and provide advice about these hot topics and we have a lot of them in our company. That is, I would say, our number one value. Number two, obviously, is that the audit committee and our board of management not only know that we go after the right topics, but that we have the competencies to tackle those topics.” —CAE of a large, listed infrastructure company
  • …the survey responses unambiguously suggest assurance services as internal audit’s core value.
  • …in some organizations, stakeholders actually completely deny internal audit’s value.
  • “Our value proposition cuts across all of the types of risks that the company sees, going from operational through financial and regulatory. We have to offer assurance for the audit committee and the C-level.” —CAE of a large multinational company from the financial industry
  • “We are providing the assurance: is everything (e.g., controls) in place and operating the way it should be?” —CAE of a large listed multinational company
  • “We are seen as the trusted advisor at least for management, we give them advice and also give the audit client advice, how they can do better. We are not only the bad ones, telling them what they are doing wrong. We also tell them how they can do better. Thus, it is important to be ready to switch your roles.” —CAE of a large listed multinational company
  • “How would I define the strategic value of internal auditing? From the perspective of the person receiving the value, they (the stakeholders) are able to say, I can use this information from internal auditing. I needed this information and I can actually make things better.” —CAE of a large national governmental organization
  • [Only] about half of the participants stated that they deliver significant value.
  • …company size does not prevent internal auditors from adding value to the organization. The overall picture regarding total assets and revenues suggests that there is no association between company size and value creation.
  • …the self-perception of audit leaders surveyed is that the audit committee and senior management (the two central stakeholders of internal audit) are very satisfied with the work.
  • …the added value of internal audit can be made clear through direct communication between the CAE and key stakeholder groups. The direct contact with both senior management and the audit committee provides the internal audit function with the opportunity to demonstrate and discuss its value performance and establish a relationship built on trust.
  • Truly audit what matters to the success of the organization. Become a respected value driver of the organization.

I find it refreshing and exciting to see the ideas and even the language I have been promoting for many years repeated by the authors and the CAEs they talked to. Just look at that last sentence I quoted. It’s something I might have said.

Now for the criticism. (Sorry, Rainer.)

  • The paper talks about ‘assurance’ as being limited to financial reporting and compliance. This is a major misunderstanding. As referenced by the CAEs that are quoted, assurance relates to all sources of ‘risk’ and opportunity. “Is everything in place and operating the way it should be?”
  • No reference is made to the Core Principles for the Professional Practice of Internal Auditing. (I thank Paul Hicks for pointing this out.)
  • The value of anything is what people are willing to pay for it – as a general rule.
  • To know whether the stakeholders on the board and in top management believe they are receiving full value is to ask them. To quote from the paper, “there is a difference between the value internal auditors think they rendered and what their stakeholders perceive.” If they say, for example, “I can use this information from internal auditing. I needed this information,” then you are adding value. I cover this extensively in Auditing that Matters, with examples of positive responses to the question of “How are we doing” of:
    • “Keep it up or you’re fired”, a joke by the CFO before awarding me a huge bonus
    • “You help us sleep through the night” from an audit committee chair
    • “You have yet to perform an audit I wouldn’t gladly pay for” from a divisional CEO
    • “You help us stay efficient” from another divisional CEO
    • “I want you to attend the IT committee meetings” from a board member who chaired that committee
    • I (an executive) don’t want to cut internal audit budgets when we are having layoffs.
  • The metrics discussed in the paper are, by and large, measures of ineffectiveness. For example, completion of the audit plan measures whether you have continued to audit what used to matter, rather than what matters today and tomorrow. If you have an audit plan that is continuously updated, by definition you are completing it.
  • There are other metrics which are more useful, such as the number of requests from management for assistance. A soft one, which defies measurement, is the speed with which executives respond to e-mails or requests for a meeting.
  • While I agree with the use of a maturity model in assessing internal audit performance, the one in the publication is poor. Providing effective assurance on what matters, when it matters, satisfies all three levels of the paper’s model, and there is insufficient attention to providing insight as well as advice. I have a much more sophisticated model. Unfortunately, it is not free: Is your Internal Audit World-Class? A Maturity Model for Internal Audit.
  • The publication has contradictory information without explanation:
    • …only about 40 percent of CAEs believe that their function has strong impact and influence within the organization and only 46 percent think that stakeholders are aware of internal audit’s services. In other words, more than 50% of internal audit’s key stakeholders do not see the added value of their audit functions.
    • [Only] about half of the participants stated that they deliver significant value.
    • Survey participants indicate that more than 80% of the stakeholders are either “very satisfied” or “satisfied.”

Finally, if you have to tell the audit committee and CEO how valuable you are, you are lost. If they don’t already believe you are valuable, then you are doing something wrong.

If I were on the audit committee of an organization, I would assess internal audit based on:

  1. Are they helping me be effective as a board member, providing the assurance, advice, and insight on what matters, when it matters, in an actionable form that I need?
  2. Does the management team believe and trust internal audit’s assurance, advice, and insight? Do they agree that internal audit provides the information they need on what matters, when it matters, and in an actionable form?

When I started out as a CAE many, many years ago, I started to fall into the trap of trying to put a value on our assurance, advice, and insight. The number is meaningless.

I turned instead to asking my stakeholders some simple open-ended questions, such as “are we helping you as much as we should” or “are we doing something that is not valuable to you?”

The only thing that matters is the assessment of the customer. Having said that, there is good advice available elsewhere (hint) on how to build and then measure a world-class internal audit function.

I welcome your thoughts.

Announcing a new pair of books for internal audit practitioners

June 19, 2020 4 comments

One of the best ways for an internal audit department or individual internal auditors to upgrade their practices is by discussing case studies.

I learned this through a friend of mine, Professor Barbara Toffler, who mentored top executives on ethics. Instead of learning an ethics code, which is not sufficient in guiding action in real life, she led sessions where a team of executives would discuss one or more case studies based on real life situations. This was very effective in helping them think through the implications of the situation and how they should – and should not – respond.

Auditing that Matters: Case Studies is a collection of 20 case studies based (all but one) on real life situations from my years as an internal audit executive.

When an internal audit function holds a team meeting, each member is given a copy of this book (preferably in advance) and asked to think about what they would do. Each case study ends with a number of questions, but the leader can certainly either adapt them or add his or her own.

Then the team leader can facilitate a discussion of the selected case and see if the team can, after exploring the options, come to a shared approach. The discussion alone can be illuminating even for the more senior members of the team.

The team leader uses the partner to the Case Study book, Auditing that Matters: Case Studies Discussion Guide to help him or her with ideas and suggestions for each case.

While the pair of books is designed for groups (including college classes), individual practitioners may also find the books useful.

Both books are available in e-reader form from Amazon (Kindle), but I recommend the print copy so people can highlight sections or make notes.

This pair of books rounds out a series. First there was World-Class Internal Auditing: Tales from my Journey that explained how I came to my approach to internal auditing. Then, Auditing that Matters explained how to achieve what I consider world-class internal auditing practices, and most recently I published Is Your Internal Audit World-Class?: A Maturity Model For Internal Audit so that people can assess their practices.

I hope these are helpful.

More thoughts on risk management

June 17, 2020 4 comments

Today, I am going to review some recent articles on risk management. Each has some good notes, which I will highlight, without hitting what I believe to be all the right ones for success.

AuditBoard is a software vendor and they have shared a whitepaper Strengthening ERM: A Key to Success in a Volatile Environment in a blog entitled Getting Risk Management Right: Making the Case for Risk Maturity. (You can download the whitepaper using a link, with registration, in the blog.)

The blog makes some points I have made before:

  • …effective business leaders understand that organizations must take risks in order to be successful in a competitive business landscape.
  • …higher risk maturity ratings are linked to better stock price performance, lower market volatility (and reduced insurance premiums), higher market valuation, and greater organizational resilience in response to key market events.

The question is whether AuditBoard’s idea of risk maturity is a good one. I doubt it, especially when they use artificial distinctions between strategic and other risks. If something is not a “risk” to enterprise strategies, it’s unlikely to merit executive and board attention. They have included Earnings Shortfall as an Operational rather than a Strategic risk, so they have lost me.

However, using a maturity model for assessing ‘risk management’ is an excellent idea, and I included my own (as well as a few others) in World-Class Risk Management.

The whitepaper also hits some good notes (my comments are in square brackets):

  • Enterprise risk management (ERM) is an activity whose overall objective is to enhance organizational performance.
  • 83% of institutions in Deloitte’s latest Global Risk Management Survey, 11th edition, have an ERM program in place, up from 73% in the prior year’s survey. [But very few are ‘mature’ according to the ERM Initiative’s study.]
  • Now more than ever, it is important to have mature risk management practices in place to respond as efficiently and adequately as possible to unprecedented risk events, such as the Coronavirus (COVID-19) pandemic.
  • Adopting a strategy-centric position toward ERM—as opposed to overly focusing on risk prevention—empowers leaders to take the right risks and realize significant strategic advantages, while strengthening organizational resiliency and agility during times of crisis.
  • “[ERM] is not a separate activity with its own objectives but an integral part of the organization’s strategy setting and performance processes.” — COSO, Creating and Protecting Value, January, 2020
  • …a 2018 study found that only 22% of organizations with ERM programs in place described their risk management programs as “mature.” Such stark numbers [which are higher than I believe are justified] illuminate the greater overarching issue of risk maturity and its effects on organizational success.

The paper relies heavily on the COSO ERM Framework. One problem is that while it says you should focus on risks from a strategic perspective instead of a risk perspective, it is a static approach.

Risk (if you want to use that term) is not static. A periodic process in the midst of a dynamic environment simply doesn’t cut it for me.

It also omits any mention of the fact that we take and modify ‘risk’ with every decision. Those decisions are made every day across the extended enterprise.

Finally, while it talks about a strategic purpose, there is no measurement of the likelihood of achieving your objectives and strategies. Is that likelihood sufficient?

I think any maturity model has to consider the ability of the organization to:

  • anticipate what might happen,
  • in a dynamic environment,
  • and make the decisions that lead to taking the right ‘risks’ with an acceptable likelihood of achieving enterprise objectives.

My good friend Michael Rasmussen has been cogitating and then writing about risk management this month as well. His first article was The Pandemic & the Dominos of Risk Interconnectedness.

Michael’s a smart guy and when he writes it’s always thoughtful, so I give it my attention. Again, there are some nuggets:

  • Risk, according to ISO 31000, is “the effect of uncertainty on objectives.” Uncertainty is all around us in 2020. Organizations go through a lot of effort to try to put a label on specific risks, but the reality is risk is too complex to put into a container and label it. An organization cannot look at risk in silos of labels as it fails to see the interconnectedness of risk.
  • As the pandemic unfolded all organizations had a specific impact on their business objectives. Adapting to the crisis, businesses had to modify their objectives. Entity, divisional, department, process, project, and asset level objectives have been modified and risk exposure in the uncertainty of hitting both original and modified objectives is in a state of volatility with the pandemic.
  • With reduced staff, employees are wearing multiple hats and there is greater exposure from segregation of duty conflicts. Employees themselves are concerned about the economy and their (and their loved ones’) well-being and security. Working from home offices and not in the corporate buildings means further insecurity for many.
  • Today’s organization is a complex web of nested relationships spanning suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, and intermediaries. We have seen significant issues where service providers and outsourcers have completely shut down because of lockdowns and are unable to support organizations and deliver services. We have seen constrained supply chains and the inability to deliver goods.
  • Constrained supply chains and pressure to meet objectives increases the risk of bribery and corruption. With customs, import and export, coming to a crawl in some countries there is greater risk and exposure that someone may pay a foreign government official a bribe to expedite their goods over others, or to get specific contracts or permits at a time when not much is being done.
  • …risk is interconnected. Organizations need to map and understand the interconnectedness of risk. Risk management requires scenario planning as well as table talk exercises to creatively walk through how risk unfolds, where uncertainty and other risks can develop, and how objectives are impacted.
  • Organizations cannot be managing risk in isolation. They need an enterprise view of risk that sees the interconnections and impact of uncertainty on objectives. They need a top-down approach to risk management that looks at objectives and risk and uncertainty to those objectives. They also need a bottoms-up approach that looks at the details of risk down in the weeds of business processes and transactions.
  • Enterprise risk management also needs to be balanced and not held captive by one department, like IT security, as the risks the organization and world face are complex and interconnected and risk management needs to be balanced.

I can understand how Michael thinks of a “risk event” having a domino effect. I don’t subscribe to that way of thinking. I prefer to think of a typical event as having multiple possible (ranges of) effects on multiple objectives.

What is critical, in my view, is that organizations strive less to manage risks, let alone risks in isolation, and more to manage the achievement of enterprise objectives. They need to obtain assurance that there’s an acceptable likelihood of achieving objectives, and that requires understanding what might happen and how it might affect one or more objectives – then acting where that is not acceptable.

Michael’s second article is Managing Risk Creatively & Structurally.

This is a thought-provoking piece and I encourage everybody to read and reflect on his point.

Let me just pick one section and build a different point than Michael’s:

If we use the ISO 31000 definition of risk: risk is the effect of uncertainty on objectives. Risk management starts with understanding the objectives. My objective could be to cross the street, it is from there that I analyze and look at the uncertainty in crossing the street. Is the light red or green? Is there oncoming traffic or other moving threats? How fast are the threats coming? Does it look like they see the light? What are the conditions of the road? Is it slippery or dry? We analyze risk in the context of the objectives.

I agree 100% with everything he has written – but it is incomplete.

1.       He is only considering threats, not the benefits of crossing the street.

2.       The level of benefit affects the decision of whether and when to cross the street. Do you want to cross because there’s a shop window that’s interesting, or is it because your 5-year old daughter is lying on the sidewalk with a head injury?

3.       The decision also should consider the options. Is your spouse or a police officer close to your daughter so you can rely on him or her? How far would you have to walk before you can get to a safe crossing place?

Quality decision-making depends on the use of both sides of your brain, as Michael says. My brain tells me that you need to consider and then weigh all the things that might happen (aka risk), understanding and taking the right level of the right ‘risks’.

I keep coming back to this:

If the CRO only addresses potential threats, executives and the board will learn all the reasons NOT to cross the road, and none of the reasons you should.

Does this make sense?

The Evolution of Internal Audit

June 14, 2020 20 comments

Now is an opportunity for internal audit leaders to pause, reflect, and consider whether it is time to leave past practices – even if they have proven remarkably successful – for a different approach to internal auditing.

As I said to the author of Reassessing Risk: What Matters Most Now?:

“Never has business changed so much, so fast”

“As the business is probably going to be run differently, so shouldn’t we run internal audit differently?”

“Doing a traditional audit that takes weeks, if not longer, is not necessarily going to help business leaders run the business today”

Another article that appeared this month in Internal Audit 360° was The Value Challenge in the Evolution of Internal Auditing. The Italian authors, a CAE and a manager in a consulting firm, said:

The recent macroeconomic developments emphasize a change that is already taking place: remaining anchored to the most traditional and archaic conception of the internal audit mandate exposes the profession to the highly probable and impactful risk of losing relevance, progressively emptying not only its perceived value but the real content of the profession as well.

We live in an era of epochal changes which demand an evolution of the internal audit profession. Paraphrasing Darwin: if we as auditors will be more reactive to change and will change proactively, we will not only survive, but also consolidate a competitive advantage. The alternative would lead the function to an inexorable, progressive decline.

I am pleased to see a growing number of internal audit departments moving from a static annual (or worse) audit plan to one that is dynamic and based on a continuous understanding of how the business and its environment are changing. (Some call that risk assessment, but it’s really more than that.)

Certainly, continuous monitoring of the business that dynamically updates the audit plan, so that internal audit is addressing what matters now and soon to the leaders of the organization, is important.

But there is more to being agile, a term mentioned in the second piece.

Think about the navy.

Do its commanders send in a fleet every time there is an issue?


They recognize the need for agile, fast, and mobile forces that are capable of acting quickly to achieve their mission, in addition to the more traditional use of overpowering force.

Internal audit needs similar capabilities.

There are times when a fleet of auditors needs to be sent to attack an issue.

But, that fleet takes time. It requires time to plan, mobilize, and then execute. It may also require time to consolidate, consider, evaluate, and report its findings.

Can the organization wait? Don’t they need information on significant ‘risks’ now rather than later?

The modern internal audit team needs to be as agile as its audit planning. It needs the ability to send in a one- or two-person commando team that will get in and out rapidly, with the information needed by leaders of the organization.

Audit at the speed of risk and the business, providing management and the board with the assurance, insight, and advice they need, when they need it (i.e., not waiting weeks for a formal report), in a readily actionable form.

In my internal audit departments, the typical audit was one or possibly two people for a week or two – total, not just fieldwork. They focused on the few risks at any location or in any business process that had the potential to be significant if poorly controlled.

If you spy an enemy risk on the horizon, you need to evaluate and respond at top speed, not waiting until the fleet has arrived.

How agile is your internal audit team? Do you have speedboats or only battleships?

Is your average audit 200 hours or more? If so, are you auditing areas where, even if there were problems, they wouldn’t rise to the level that requires CEO or board action? Why? Are you taking too long to provide management and the board with essential assurance, advice, and insight?

Audit with focus and be agile about it.

I welcome your thoughts.

When an internal audit consultant goes seriously wrong

June 7, 2020 14 comments

In a recent post, I criticized Protiviti’s Brian Christensen for saying that internal audit should monitor risks. I said that was management’s job, not internal audit’s. If management is not doing that job, there’s a serious problem that internal audit should be reporting to the board. Brian replied, correctly and appropriately, that he agreed with me: internal audit should assess management’s processes for identifying and assessing risks and, if they are adequate, use them as the basis for developing the audit plan. If they are not adequate, that should be reported, but internal audit still needs to do the work necessary to ensure the audit plan addresses the more significant risks to enterprise success – see also my recent post where I shared a 2003 Position Paper from the (UK) IIA.

I accept and agree with Brian’s explanation.

But I cannot accept another piece of (mis)guidance from Protiviti.

Risk Awareness and Analytical Insight: Driving Audit Into the Future was written by two of the firm’s leaders in healthcare auditing.

It starts with a disturbing comment. Despite recent IIA surveys showing that an increasing number of IA functions are updating their audit plan on a more frequent basis, Protiviti says (my emphasis):

When it comes to risk awareness, the status quo for the past several years has been to conduct an annual risk assessment that established the compliance and internal audit plans for the year. In some cases, those were being performed only every two to three years. Based on a recent poll that was taken during a webinar titled Focusing on the Risk Assessment Process in a Dynamic Environment, approximately 50% of the respondents indicated that they conduct a risk assessment annually or even less frequently. Audit hours would then be focused on executing projects from the plan with little regard to changes in the environment throughout the year. Occasionally, something would surface that shifted audit’s focus from the annual plan to an event at hand that warranted attention, but this has been the exception rather than the rule. It is not acceptable or viable simply to move forward with the way things have always been done. Internal audit and compliance must retool themselves to leverage data in new ways to help prioritize their focus.

I agree with the authors’ comment. It is certainly “not acceptable or viable simply to move forward with the way things have always been done”, not if that includes basing audit engagements on what used to be a risk.

Having correctly made this point, the authors make a huge mistake.

They say:

We [internal audit] must alert the business to external conditions that are changing, whether that be in terms of regulatory matters, payer behavior, payment models, customer population or other obstacles the industry is experiencing.

If management and the board rely on internal audit to do that, instead of doing it themselves, the organization is in dire straits. I am not saying that internal audit is not competent; I am saying management is not competent!

Internal audit needs to have some serious conversations with the executives and the board if this is the case.


Internal audit should be assessing whether management is doing its job. If not, then inform the board so they can act.

The rest of the Protiviti article expands on this incorrect approach.

I hope and trust nobody follows their example.

I hope and trust that Protiviti (and I rely on Brian for this) acts to stop both the message and any related internal audit services they are performing. They are better than this. The firm was a go-to co-sourcing partner when I was a CAE and I am friends with a number of their people.

That’s my rant for the day.

What do you think?

Understanding and practicing risk-based internal auditing

June 4, 2020 18 comments

Recently, I have shared a number of related posts on risk-based internal auditing (RBIA) that received a lot of attention:

One of the comments was by a CAE, Paul Hicks (thank you), who said that he had been practicing risk-based internal auditing for 15-20 years, ever since it came out. He was referring to a 2003 Position Paper on Risk Based Internal Auditing from what is now the Chartered Institute of Internal Auditors (UK and Ireland). Unfortunately, it is no longer available on the Institute’s website, so I have made my copy available here:

The Position Paper did not invent risk-based internal auditing. I recall discussing it 30 years ago with practitioner, teacher, and author David McNamee – as discussed in a post of mine for the IIA in 2003: Explaining Modern Risk-Based Auditing.

This old Position Paper has some excellent content that is worth reading, including (with my emphasis):

The objective of RBIA is to provide independent assurance to the board that:

  • The risk management processes which management has put in place within the organisation (covering all risk management processes at corporate, divisional, business unit, business process level, etc.) are operating as intended.
  • These risk management processes are of sound design.
  • The responses which management has made to risks which they wish to treat are both adequate and effective in reducing those risks to a level acceptable to the board.
  • And a sound framework of controls is in place to sufficiently mitigate those risks which management wishes to treat.

RBIA starts with the business objectives and then focuses on those risks that have been identified by management that may hinder their achievement.

The role of internal audit is to assess the extent to which a robust risk management approach is adopted and applied, as planned, by management across the organisation to reduce risks to a level that is acceptable to the board (the risk appetite).

This guidance is supplemented with an excellent and simple flowchart. There are also these points:

  • The key starting point is to determine that appropriate objectives have been set by the organisation and then to determine whether or not the business has an adequate process in place for identifying, assessing and managing the risks that impact on the achievement of these objectives.
  • The end result of each audit assignment should be to give assurance that risks are being managed to an acceptable level (as determined by the risk appetite) or to facilitate and/or agree improvements as necessary.

The only change of significance I would make today would be to change the focus from risks that “may hinder their achievement” to a more inclusive discussion that recognizes that management needs to take risk and seize opportunities through informed and intelligent decision-making. Risks (what might happen, both good and bad) need to be at desired levels, not necessarily lowered.

[A quick example from my books: When I was at Tosco, the Treasurer only invested overnight funds in the safest government securities. My auditor, Laura, pointed out that the company was trading derivatives and the risk we were taking in these two activities was inconsistent. After consulting with the CFO, the Treasurer modified the investment policy to include allowing the purchase of less secure securities.]

I would also add the need to maintain the audit plan at the speed of risk. Watch this video with a CAE who has implemented continuous audit planning at the speed of risk (or speed of the business, if you prefer).

Let me close with a video by my good friend, Richard Chambers, President and CEO of the IIA. It is the latest in his series, IA Insight and Advice. Audit Reporting at the Speed of Risk.

Richard makes some good points and I added this in my comments to him on Twitter:

Richard, excellent topic and points. We talked about this in our video.

    1. Tell them what they need to know, no more
    2. Tell them when they need to know
    3. Tell them in a way [that is] readily consumed
    4. Most important, tell them in person and discuss
    5. Write later if needed

What do you think?

Should the IIA (Global) update and issue this guidance?

Should it update the Standards to be consistent with modern risk-based internal auditing practices?

By the way, as you will know I have written several books on internal auditing that explain all of this, most notably Auditing that Matters. I will soon be announcing the publication of a book of case studies with an accompanying discussion guide that will help practitioners further enhance internal auditing practices.

I have been begging for a critical update to the IIA Standards

May 28, 2020 28 comments

That is not an exaggeration.

I have spoken to multiple IIA leaders for more than a decade, including a series of chairs of the IIA’s Standards Committee, about the need to update guidance on internal audit’s risk assessment and audit plan.

This month, the IIA published a new Practice Guide: Developing a Risk-based Internal Audit Plan. Practice Guides (PG) are recommended guidance but not mandatory.

I was excited!

I became even more so when I saw that they had taken up a number of issues I had been speaking about (along with many others) for years.

Here are some of the shining lights in the PG (with my highlights):

  • In today’s business environment, effective internal auditing requires thorough planning coupled with nimble responsiveness to quickly changing risks.
  • To add value and improve an organization’s effectiveness, internal audit priorities should align with the organization’s objectives and should address the risks with the greatest potential to affect the organization’s ability to achieve those objectives.
  • Comprehensive risk-based planning enables the internal audit activity to properly align and focus its limited resources to produce insightful, proactive, and future-focused assurance and advice on the organization’s most pressing issues.
  • While the annual risk assessment is the minimum requirement articulated in the Standards, today’s rapidly changing risk landscape demands that internal auditors assess risks frequently, even continuously. Risk-based internal audit plans should be dynamic and nimble. To achieve those qualities, some CAEs update their internal audit plan quarterly (or a similar periodic schedule), and others consider their plans to be “rolling,” subject to minor changes at any time.
  • Which types of internal audit engagements will provide senior management and the board with adequate assurance and advice that significant risks have been mitigated effectively?
  • …. need to continuously assess risks, reevaluate risk priorities, and adjust the plan to accommodate the new priorities.

I am now on page 5 of the PG and things are looking good – very good. On page 7, I even saw a reference to a ‘risk universe’. This is a term I coined many years ago, when I was preaching about the need to replace the obsolete concept of an audit universe with a risk universe.


Because we are providing assurance, advice, and insight on (as the PG says) “the risks with the greatest potential to affect the organization’s ability to achieve [enterprise] objectives.”

We should be auditing whether management has effective controls to address those risks (you can talk about “auditing the risks”) rather than auditing individual business units, locations, processes, etc.

Audit and provide assurance on the management of the risks, not the management of “auditable entities”.

At the end of the day, the audit committee and top management need assurance from us that the more significant risks are being addressed properly, and you do not achieve that by auditing entities instead of risks.

To repeat what the PG says in its initial pages:

  • address the risks with the greatest potential to affect the organization’s ability to achieve those objectives.
  • produce insightful, proactive, and future-focused assurance and advice on the organization’s most pressing issues.
  • continuously assess risks, reevaluate risk priorities, and adjust the plan.

And, the audit plan should answer the question in the PG:

  • Which types of internal audit engagements will provide senior management and the board with adequate assurance and advice that significant risks have been mitigated effectively?

By the way, and this is important, to gain assurance on a single enterprise risk of significance, you may have to consider controls at multiple locations, in multiple departments, and within multiple systems. Auditing what happens at a single “auditable entity” often won’t give you sufficient insight into the management of an enterprise risk.

Providing assurance after auditing auditable entities is not the same as providing assurance on the more significant enterprise risks.

Audit risks to the enterprise, not risks to an auditable entity.

Moving on.

The PG includes one paragraph on page 12 that is important, although not well understood and not explored further by the PG:

…internal auditors should consider that “risks represent the barriers to successfully achieving … objectives as well as the opportunities that may help achieve those objectives.” Indeed, “risks may relate to preventing bad things from happening (risk mitigation) or failing to ensure good things happen (that is, exploiting or pursuing opportunities).”

In other words, management needs not only to take risks only where justified, but also to seize opportunities judiciously.

Having set the stage, that internal audit should be addressing the more significant risks to the enterprise’s objectives, and making sure that we are agile in responding to changes in those risks (including the emergence of new ones), the PG loses its way.

The PG crashes and burns by talking about an audit universe (a list of auditable entities). It then turns everything to ashes by recommending what we used to call cyclical auditing!

The audit frequency is based upon the level of residual risk determined in the risk assessment. For example, auditable units ranked high-risk may be audited at least annually (or once every 12 to 18 months), those rated with a moderate level of risk scheduled may be reviewed every 19 to 24 months, and those rated low-risk might be audited only once every 25 to 36 months (or not at all)

This approach has been obsolete for at least 20 years.

The idea that you can predict what you should audit in future years is beyond credibility (and contradicted by the first pages of the PG). Over my long career as a CAE, I never predicted with any degree of certainty what we would audit more than 3-6 months out. The PG at one point even mentions moving to a 7 year plan!

To top it all off, the PG recommends a level of detail in the plan and its documentation that goes well beyond what is necessary, efficient, agile, or of interest to the executive team or the board.

OK, enough criticism. Let’s be constructive.

Here’s my advice:

  1. Understand the business and its environment
  2. Understand the organization’s strategies, goals, and objectives
  3. Understand how success is measured by the board and management team
  4. Determine which are the more significant sources of risk to enterprise objectives and build (and maintain) a risk universe
  5. Confirm that there would be value in performing an engagement relative to those risks, whether assurance or advisory. For example, consider whether management already has a project underway to address the issue
  6. Prioritize the enterprise risks based on their significance to the enterprise and the value of an audit
  7. Determine a strategy for each audit engagement. That may require:
    1. Assessing the management of multiple significant enterprise risks in a single audit of a single entity
    2. Assessing the management of a single enterprise risk across multiple entities in a single or multiple audits (examples are in Auditing that Matters)
    3. Some adaptation of these two
    4. Being flexible and agile, expanding or contracting the scope and level of work during the audit as needed
  8. Don’t spend so much time on risk assessment and audit planning that you are not getting enough audit work done

Continuously ask this question (modified slightly from that in the PG):

Which internal audit engagements will provide senior management and the board with adequate assurance and advice that significant risks to the enterprise and its objectives are being managed[i] effectively?

I was one of the members for many years of the IIA’s international committee that worked on PGs and wrote a few myself. I know there is a tension between the need to move the profession forward and the concern about leaving past practices and their adherents behind.

But I can only recommend the first 5 pages of this PG. (If you want practical guidance on enterprise risk-based auditing, please see Auditing that Matters.) Both the PG and the related standards need serious revision.

Should I resume begging?

I welcome your comments.

[i] “Managed” means making intelligent and informed decisions that include taking risk or seizing opportunities where justified, and managing or mitigating risk when appropriate.

COSO still believes in risk appetite statements

May 24, 2020 22 comments

My good friend Paul Sobel and I generally see eye-to-eye on matters relating to risk management. Over the years, we have chatted over meals, at conferences, and on the phone.

He is now the chair of COSO, which has to be a very tough job. Not only does he have to deal with the competing interests of its five sponsoring organizations (the AAA, AICPA, FEI, IIA, and IMA), but he has inherited the COSO ERM Framework (and the Internal Control Framework, but I am not discussing that today).

Paul decided to share a series of pieces on LinkedIn a couple of weeks ago. His initial post started by saying “Many wonder whether the current pandemic is another example of ERM failing”. It got (as of today) 133 comments!

Now I don’t think Paul expected to receive that level of response. I am also pretty sure he didn’t expect to see so many comments about the general failures of risk management (ERM) programs.

Personally, I see the growing chorus as progress!

We now have a new COSO document that should receive a similar greeting. More and more people are recognizing that the traditional ERM programs typified by COSO’s guidance are simply not helping organizations succeed. They are seen by a growing number of executives and practitioners as a compliance activity. They look good, satisfy regulators, but don’t help leaders make the informed and intelligent decisions necessary for success.

This is what the COSO announcement on May 20th said:

In an effort to help boards, executives, and managers recognize how a better understanding and communication of risk appetite will help their organizations succeed, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is releasing new guidance, “Risk Appetite–Critical to Success,” focusing on how organizations can promote risk appetite as an integral part of decision-making.

I have written extensively about the concept of risk appetite here and in my books. My most recent discussion was Do risk appetite statements add value? You should also consider “Should we tear up the risk appetite” statement? and Let’s talk about risk appetite.

The authors of the new COSO guidance are the same people who have written about risk appetite for COSO before. So it may be difficult for them to step back and challenge their own (and COSO’s) established thinking.

I have a few questions for them and anybody else who likes risk appetite statements.

  1. Do you have risk appetite statements in your personal life? Are they necessary for your decisions about where to live and work, travel and vacation options, caring for your family, and so on?
  2. What is your personal “amount of risk”? Do you have an amount of risk that includes the possibilities of family illness, job loss, auto accidents, problems with your home, serious family disputes, and so on?
  3. If you don’t need a risk appetite statement in your personal life, why do you need one in your professional life?
  4. How do you explain the fact that an “amount of risk” is a concept that is wrong both logically and mathematically? Are you using the discredited formula of likelihood times effect? How do you come up with an “amount” when there are actually ranges of potential effects (not a single number), each with its own likelihood, as well as multiple sources of risk (such as compliance, cyber, human resources, treasury, and more)?
  5. Why are there no examples of how you calculate risk appetite and then use it to compare it against the potential for reward and make quality decisions? Is it because that is not as easy (or practicable) in practice as it sounds in theory?
  6. While COSO seems to recognize that what might happen includes not only harms (which they call risks) but also positive things (they call opportunities), the discussion of risk appetite only talks about the negative. How do you make intelligent and informed decisions without comparable information on both the positive and the negative? How can you weigh them against each other to see if the risk (negative) should be taken?
  7. Isn’t it far better to use techniques like Monte Carlo Simulation that considers all the possibilities, not just harms?
  8. Where is the guidance on how to measure the possibility of reward and then compare it to the possibility of harm, and do that for each option or scenario? Why only provide guidance on half of the equation? How do you ensure that the right risks are being taken and opportunities seized?
  9. The guidance talks about operationalizing the risk appetite using risk tolerance. How are they any different from the limits and standards that have been in place for many decades? In other words, why can’t I simply retain my existing standards and policies and forget about risk appetite?
  10. How do risk appetite statements help you ensure that you have an acceptable likelihood of success, whether that is measured by the achievement of objectives, strategy, purpose, or something else?

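To make the distinction in questions 4, 7 and 10 concrete, here is an added illustration (example code written for this page, not part of the original post or of the COSO guidance). It takes a handful of constructed risk sources, each with its own likelihood and its own range of effects (harms and one opportunity), and compares two views of the same facts: the single “amount of risk” you get from summing likelihood times effect, and a Monte Carlo simulation that carries the full ranges through to the objective and reports the likelihood of actually achieving it. Every figure (the baseline of 105, the target of 100, the stretch target of 115, the four sources and their ranges) is made up for the example.

```python
"""Monte Carlo view of the likelihood of achieving an objective (added example).

Constructed illustration: a single 'amount of risk' (likelihood x effect, summed
over risk sources) is compared with a simulation that carries the full range of
effects, positive and negative, through to the objective. All figures are made up.
"""
import random
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class RiskSource:
    name: str
    likelihood: float                          # chance the event occurs in the period
    effect: Callable[[random.Random], float]   # sampled effect on the objective (negative = harm, positive = opportunity)
    point_effect: float                        # the single number a heat map would carry for it


@dataclass(frozen=True)
class Outcome:
    p_success: float   # share of trials in which the objective was met
    p_stretch: float   # share of trials in which the stretch target was met (the upside)
    p10: float         # 10th percentile of the outcome
    p50: float         # median outcome
    p90: float         # 90th percentile of the outcome


def amount_of_risk(sources: List[RiskSource]) -> float:
    """The single 'amount of risk' the post criticises: sum of likelihood x point effect."""
    return sum(s.likelihood * s.point_effect for s in sources)


def simulate(baseline: float, target: float, stretch: float, sources: List[RiskSource],
             trials: int = 20000, seed: int = 1) -> Outcome:
    """Run the period many times. In each trial every source occurs (or not) with its
    likelihood and, if it occurs, contributes an effect drawn from its own range.
    A fixed seed makes the run repeatable."""
    rng = random.Random(seed)
    results = []
    for _ in range(trials):
        value = baseline
        for s in sources:
            if rng.random() < s.likelihood:
                value += s.effect(rng)
        results.append(value)
    results.sort()

    def pct(q: float) -> float:
        return results[min(int(q * trials), trials - 1)]

    return Outcome(
        p_success=sum(v >= target for v in results) / trials,
        p_stretch=sum(v >= stretch for v in results) / trials,
        p10=pct(0.10), p50=pct(0.50), p90=pct(0.90),
    )


# Constructed inputs (assumed, not from the post): the objective is 100 units of,
# say, operating margin, and the plan sits at 105 before anything happens.
SOURCES = [
    RiskSource("key supplier shut down by lockdown", 0.30, lambda r: r.uniform(-40, -10), -20),
    RiskSource("cyber incident interrupting operations", 0.10, lambda r: r.triangular(-60, -5, -20), -20),
    RiskSource("regulatory penalty", 0.05, lambda r: r.uniform(-45, -15), -30),
    RiskSource("new market opens up (opportunity)", 0.50, lambda r: r.uniform(5, 25), 15),
]
BASELINE, TARGET, STRETCH = 105.0, 100.0, 115.0


if __name__ == "__main__":
    single_number = amount_of_risk(SOURCES)
    print(f"'amount of risk' (sum of likelihood x effect): {single_number:+.1f}")
    print(f"plan adjusted by that number: {BASELINE + single_number:.1f} against a target of {TARGET:.0f}")
    out = simulate(BASELINE, TARGET, STRETCH, SOURCES)
    print(f"likelihood of meeting the objective: {out.p_success:.0%}")
    print(f"likelihood of meeting the stretch target: {out.p_stretch:.0%}")
    print(f"P10 / P50 / P90 outcome: {out.p10:.1f} / {out.p50:.1f} / {out.p90:.1f}")
```

With these made-up numbers the summed “amount of risk” comes to -2, so the plan adjusted by it (103) still clears the target and looks fine on a heat map; the simulation, with the same inputs, shows the objective being missed in roughly a third of the trials, because a single supplier outage is enough to wipe out the cushion and the opportunity only sometimes offsets it. The same run also gives the likelihood of the upside (the stretch target), which is the information needed to weigh reward against harm rather than only the harm.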
If you are still enamored with risk appetite, I hope you enjoy and benefit from this new guidance. Unfortunately, I find it of little use.

I welcome your thoughts.

Should we audit at the speed of risk?

May 22, 2020 8 comments

It’s quite a few years[1] since I first started talking about “auditing at the speed of risk”. Sometimes I also referred to “auditing at the speed of the business”.

The idea is that the world within which we live and work is dynamic and turbulent – even more so now than when I first started using the term to describe the impact of new technology.

If we rely on an annual risk assessment and plan, we end up auditing what used to be a risk, not what challenges the organization today or tomorrow. In fact, the annual audit plan is typically out-of-date even before it is approved by the audit committee!

Richard Chambers similarly uses the term to explain that we need to move to a model that relies on a more continuous assessment of risk and (as I described in a controversial blog) identification of the audit engagements that would provide the most valuable information (assurance, advice, and insight) to our leaders in executive management and on the board.

Another leader in internal auditing has shifted the focus just a little. In COVID-19 Crisis Highlights the Value of Agile Auditing, Protiviti’s Brian Christensen together with Sharon Lindstrom talk about the need for “agile auditing”. Here are some quotes. Note that the first quote uses that same phrase.

  • With regard to immediate needs, the question we as internal auditors are asking ourselves right now is, “How can we be most helpful at this moment?” We have to be able to move at the speed of risk, which, as we’ve seen from the past several weeks, can be lightning fast.
  • Auditors should put aside worries about violating independence standards for internal audit when providing consulting to the second and first lines of defense and see themselves less as an assurance provider and more as a proactive partner. In essence, we have to become part of the response team.
  • While traditional risks remain, auditors should be ready to quickly change their focus as newer challenges present themselves.
  • Even as the COVID-19 crisis continues to rage, auditors need to be thinking about the next step forward, when the marketplace and the economy gradually regain their footing… But when the economy begins to move into the recovery phase, Agile auditing needs to refashion itself again.
  • It is at this point that internal auditors may need to re-think their risk assessment.
  • It is IA’s responsibility to evaluate not only the likelihood of new risks during this phase, but to also assess how quickly such challenges may arise and the extent of their duration. [Note by Norman: It is NOT internal audit’s responsibility to identify or assess risk. That is a management responsibility. Internal audit should be assessing how well management does that, not doing it themselves.]
  • Looking ahead, Agile auditing will continue to be the best way forward for IA, as organizations adjust with a changed market and social environment. It will enable auditors to better align assurance with the dynamic condition of a post-COVID world.

I have also been talking about Agile auditing for years[2]. I am encouraged to see this new focus by Protiviti on it.

What do I mean by agile auditing?

  • Being able to shift rapidly to audit what matters now and in the next period, when everything is changing constantly.
  • Being able to perform audit engagements at speed. If you think of an agile person, they move with quick steps. IA functions that take weeks or even a month to perform an audit are not agile.
  • Being able to stop auditing when there is little value in continuing.
  • Being able to accelerate and expand an audit engagement when new and significant issues or opportunities emerge (a.k.a. stop-and-go auditing, as discussed in Auditing that Matters).
  • Being able to communicate the results when they are needed by management or the board. If you take even a week to share the nature and extent of issues, you are not agile.

One of the points I made in my recent webinar with Richard Chambers illustrates this. Richard asked me what I might include in my audit plan for the second half of 2020. I replied that “I don’t think that far ahead!” I said that today I would be working on what mattered right now and this week, anticipating what might matter next week and month, and later looking at how the business will be changing in future months. Our environment was and is changing very fast indeed, and where we should put our limited internal audit resources should be changing at the same speed.

In its CFO Signals for Q2, Deloitte makes a couple of interesting observations:

  • …many management teams remain focused more on ensuring viability and adapting for near-term performance than on evolving their company for success post-crisis. Still, teams’ focus varies greatly by industry, and many appear to be putting in substantial work on survival, adaptation, and evolution at the same time.
  • 60 percent of CFOs do not expect to return to a pre-crisis level of operations in 2020. Instead, 21 percent expect to reach this milestone in 1Q21, with 39 percent saying 2Q21 or later.

The speed of management is changing.

Decisions have to be made faster in response to changing conditions and in anticipation of what is around the corner.

We have to provide the assurance, advice, and insight that will enable the leaders of our organization to make intelligent and informed decisions at that higher speed.

So, I now suggest a number of ‘mottos’:

  1. “Audit at the speed of risk”
  2. “Audit at the speed of business”
  3. “Audit at the speed of decision-making” [NEW]
  4. All of these require “Audit with agility”

What do you think?

[1] Since at least 2002.

[2] Since at least 2010, and it is covered in Auditing that Matters.

The post-pandemic practitioner

May 16, 2020 5 comments

As Winston Churchill said, “To improve is to change; to be perfect is to change often”.

COVID-19 is disrupting life all over the globe.

Organizations are having to change to survive, let alone thrive.

For example, we are seeing:

  • Changes in how people work
  • Disruption to the supply chain
  • A need to reconsider where we manufacture products
  • Shifts in how people purchase goods and services
  • and more

Whether we are talking about corporations, not-for-profits, or government agencies, leaders are changing how they run their organizations today and how they will run them tomorrow.

They face different challenges today than they did three months ago (or just last week) or will in three months’ time.

Here are some useful pieces for you to consider:

Some interesting quotes:

The coronavirus pandemic has radically changed demand for products and services in every sector, while exposing points of weakness and fragility in global supply chains and service networks. At the same time, it has been striking how well and how fast many companies have adapted, achieving new levels of visibility, agility, productivity, and end-customer connectivity—while also preserving their cash.

All over the world, companies are being challenged by the COVID-19 crisis to find new ways to serve their customers and communities. Many are rising to the occasion. Almost every leader we speak with has an inspiring story of radical, positive change in how work gets done and what it can accomplish.

Amid the fear and uncertainty, people are energized as companies make good on purpose statements, eliminate bureaucracy, empower previously untested leaders with big responsibilities, and “turbocharge” decision making. As one executive we spoke with observes: “Our senior team meets every morning for 30 minutes. It’s incredibly productive. We make decisions and go. We don’t have full information, but that’s OK—we can’t afford not to move.”

The speed of the pandemic surprised everyone. So, too, did the fast reflexes of some companies: even their own leaders were shocked at how quickly colleagues stepped up, made dramatic changes, and began performing at new levels.

In our conversations with operations leaders, we find that many are energized and inspired by the progress the crisis has forced them to make. Production lines have achieved record levels of availability and output: one automotive company found that manufacturing productivity actually increased when it introduced physical-distancing measures. After switching to daily planning cycles and gaining real-time visibility of their operations, managers don’t want to return to the old cadence of monthly planning and metrics that lag behind the situation on the ground. With physical stores closed, online and direct-to-customer sales are booming in many categories. That’s inspiring companies to upgrade their sales and distribution capabilities to meet this new type of demand.

As uncomfortable as it feels, leaders are finding that they can make decisions faster than they thought possible—and with imperfect information. The aha moment for some executives is the realization that when urgency and uncertainty collide, the time spent waiting to decide is a decision in itself.

Inertia is clearly riskier than action right now, so companies are mobilizing to address the immediate threat in ways they may have struggled to when taking on more abstract challenges, such as digital technology, automation, and artificial intelligence (all of which still loom). Bold experiments and new ways of working are now everyone’s business.

…the post-pandemic reality will likely be very different. Businesses may find, for example, that their trading partners have been undergoing changes too and that relationships may change. Vendors they used in the past may no longer be available, or may be available on different terms. Customers that were loyal before the pandemic may have shifted to new providers. Consumers may have developed new habits that will inform their preferences and behavior when the pandemic is over.

Planning has never been a particularly easy task, but the spread of COVID-19 has made it even more difficult. Finance professionals are used to accuracy, consistency, and relatively predictable planning cycles, not the unclear economic conditions and time horizons of a global pandemic. As one executive told us: “The five-year plan that we would be sending to the board right now is completely out the window. How do we plan in this environment when we don’t know what is going to happen?”

What leaders envision for their enterprises today may change with new information or new, yet unanticipated behaviors in the market. An organization needs not only a reemergence plan but also a framework for updating this plan in a way that does not generate confusion or uncertainty.

Amid the terrible human toll of the pandemic, some organizations are finding that, by working differently, they can rise to the occasion and help their employees, customers, and even their communities.

Across industries, companies are realizing that they can aspire to much more than simply a safe return to work. They want to take what they have learned during the COVID-19 crisis and create a new kind of operational performance.

As business operations make the transition to the next normal, speed will continue to be of the essence. Companies that are willing to maintain their momentum while also setting new standards and upending old paradigms will build long-term strategic advantage.

The organizations we serve as practitioners are changing.

Surely, we should be at least open to changing ourselves: changing how we work, the services and information we provide, and even our own self-image.

I suggest that we all set aside what has worked for us in the past, even the professional standards and guidance that we have followed.

Instead, let’s challenge ourselves by answering this question:

How can we best help our organization survive and then thrive today and tomorrow?

Here are some clues:

  1. How has the organization changed in the last couple of months?
  2. How is it likely to change over the next few months and into next year?
  3. How has management of the organization changed?
  4. What are the issues and challenges consuming management and board attention and how are they different today and into the future?
  5. How have essential business activities changed?
  6. How has the board changed in its activities?
  7. What information do your leaders need? In particular, what information do they need but are either not getting at all, or not getting reliably and promptly?
  8. What do they need to know about how the organization is behaving?
  9. What do they need to know about the capacity of the organization to meet demands over the next few months?
  10. What can you do?

Now ask and answer that question again:

How can we best help our organization survive and then thrive today and tomorrow?

I welcome your thoughts and ideas.

How have you changed?