Archive for the ‘Risk’ Category

The concept of resilience: a new buzzword

February 22, 2021 6 comments

There seems to be a lot of talk and articles these days about resilience.

I have somewhat ignored the term, but recently read an interesting piece in Forbes: What Is True Resilience? (Hint: It’s Not About Managing Risk).

Before I cover that piece, it is interesting to see what people have said about the difference between ‘risk’ and ‘resilience’.

One academic has written (key sentence highlighted):

Resilience is essential to living in a world filled with risk. Resilience has historically been defined as the ability to return to the status quo after a disturbing event. However, in the face of a changing climate and growing population, resilience cannot be based on the capacity to recover from the sorts of disasters we have faced in the past, but requires that we build capacity to avoid damage and/or recover from the sorts of disasters we can expect to face in the future. If our goal is a sustainable future, we must understand the risks we will face and prepare for those risks through adaptation and mitigation measures. Resilience is crucial in this endeavor, as it is our capacity to cope with both expected events and surprises. To this end, it is critical that we identify, assess, communicate about, and plan for risks that the future will bring.

The OECD has shared:

The ability of households, communities and nations to absorb and recover from shocks, whilst positively adapting and transforming their structures and means for living in the face of long-term stresses, change and uncertainty. Resilience is about addressing the root causes of crises while strengthening the capacities and resources of a system in order to cope with risks, stresses and shocks.

Professor Linkov of the University of Connecticut tells us:

Traditional risk management focuses on planning and reducing vulnerabilities. Resilience management puts additional emphasis on speeding recovery and facilitating adaptation.


The Forbes article is written by a practitioner rather than an academic or consultant. That makes it more interesting, as it is based on experience borne out of responsibility.

Will Grannis is the leader of Google Cloud’s Office of the CTO and says his customers are asking how his organization’s services “stay resilient in the face of many unexpected, unpredictable events”.

This experience is of interest:

Just this week, unprecedented weather patterns across the U.S. pushed many IT and business leaders to virtual “war rooms” in order to ensure capacity, networking, and applications were instantly and persistently available. But those rooms were in the moment, rapidly assembled and then rapidly disassembled—just like the technology that underpins the real-time applications and services we all depend on. This is the new normal, and it calls for a new model of operations. Rather than setting a fixed reliability as the calculation for contracts and practices, the focus must be on resiliency under any number of conditions.

Building on that, he says (key sentence and words highlighted):

True resilience isn’t about managing a particular instance of risk, but being ready for anything through the way you operate. Today’s disasters may come from wild, unanticipated success (leading to traffic spikes) as much as devastating unforeseen failure (be that a natural disaster, a political event, or a system configuration error that cascades into a global outage).

The rest of the article explains what happened at Google Cloud and some of their philosophy around architecting their services for the general (not specific) customer. There is a continuing article about their approach to resilient IT.


This reminds me of my own experience when I was a vice president in IT at a large financial institution. One of my responsibilities was to develop a disaster recovery plan for our two data centers. I was able to hire a wonderful lady, Ann Tritsch, as my DRP Coordinator (a direct report at manager level). She led the initial effort[1] and we soon faced an important question: did we need to build separate sections of the plan covering the various causes of a disaster?

Operations already had sound processes in place to address and recover promptly from a short outage and our task was to determine how data center operations would recover from an event or situation that would shut down one or both data centers for a longer period. This could be the result of:

  • A fire
  • An earthquake (we were in Southern California)
  • A flood (we were in an area that could possibly flood if a dam broke or there was an extended period of torrential rain), or
  • Some other reason

At that time, emerging thinking was that the planning should address how you recovered, regardless of the cause. That is how we built our plan (with the help of a software solution, I should add).


But the DRP was not enough.

We still had to concern ourselves with making sure the likelihood of a disaster and the effect on the business were minimized – given cost and other constraints.

For example, our senior vice president (Ron Reed) led an effort to determine whether it would be viable to establish what would amount to mirroring the data center. He was looking at the possibility of sending copies of every transaction processed at one data center to the other by satellite (which we did not yet have – and this was before the age of the internet). But the cost was prohibitive. In addition, the two data centers were less than 20 miles apart, so a regional disaster could well affect both.

Ann performed, with the assistance of the operations staff, a review that we would today call a risk assessment. It considered each of the causes we might anticipate and confirmed that we had an acceptable set of measures in place. For example, we considered loss of power and examined the power system and the ability to either switch to a different power station or rely on our battery back-ups. We also recognized that there was a single point of failure in the network where all traffic from outside Southern California passed through a single station; but there was little we could do to minimize the possibility of an outage.


This still was not enough. While there were some causes of a prolonged outage that we could identify, there was always the possibility of an ‘unknown unknown’: something happening that we could not seriously identify as a likely event, such as being hit by a meteor, a pandemic (worse than today’s), or a terrorist attack.

With this in mind, we developed another plan that we called a Disaster Preparedness Plan. The DPP was designed to help us recover from any event (including unknown unknowns) that would cause more than a short disruption of our data center’s operations.

The DPP included a detailed Communications Plan. While we didn’t know with certainty who in management might be required to respond to the event or situation, we developed the necessary structure and processes.


Between these initiatives and plans, we did what we could to make ourselves what would today be called ‘resilient’.


What I like about the idea of resilience is that rather than designing response around specific foreseeable events and situations, it preplans and prepares you (as best you can) for what you cannot predict.

To quote the Google executive again:

True resilience isn’t about managing a particular instance of risk, but being ready for anything through the way you operate.


Personally, I believe in monitoring and considering what might happen so you can both include it in decision-making and be prepared to respond to foreseeable events and situations.

But I also believe in being as prepared as possible to respond to (and mitigate if you can) unforeseeable events and situations.


So, resilience merits our attention in addition to or as an integral part of any ‘risk management’ activity. (As usual, please note that I much prefer managing for success.)


There is one more and very important aspect to this discussion.

In the same way that you should be prepared and resilient for unforeseen adverse events and situations, you need to be agile and sufficiently aware and responsive to unforeseen opportunities!

People pay far more attention to the first and far too little to the second.


I welcome your thoughts.

[1] Unfortunately, we lost her before the plans were completed.

Are you too risk-averse?

February 15, 2021 4 comments

In a recent article, my good friend Jim Deloach asks a very interesting question:

How many senior executives and directors can name a chief risk officer who has advised them that the organization is too risk averse?


The title of the article is an odd one, which I will discuss before venturing into the body of his thinking. It is “Is Your Risk Culture Aligned With the Realities of the Digital Age?”

“Risk culture” is a term that has crept into use over the last few years, but it is unclear to me what its purpose and value is.

Jim doesn’t (wisely) define it in this article, but others have:

  • “The norms of behavior for individuals and groups within an organization that determine the collective ability to identify and understand, openly discuss and act on the organization’s current and future risks” (McKinsey)
  • “Risk culture is the system of values and behaviors present in an organization that shapes risk decisions of management and employees.” (North Carolina State’s ERM Initiative)
  • “The values, beliefs, knowledge and understanding about risk, shared by a group of people with a common purpose” (Institute of Risk Management).

Dr. David Hillson (a.k.a. the Risk Doctor) has an interesting discussion of risk culture on the PMI website: The A-B-C of risk culture: how to be risk-mature.

I have written several posts on culture generally and risk culture in particular. You can use the search box at the top right to find them.

The general point in my various blog posts is that there are many, often competing dimensions to an organization’s culture. While you want decision-makers to exercise caution when needed, they also need to be entrepreneurial when that is appropriate as well. You desire imagination and creativity, not simply awareness and trepidation about what bad stuff might happen.

In addition, you don’t want everybody in the organization to have the same attitude towards taking risk. You want sales, marketing, and product design to think one way, and accountants and treasury staff to think another.

So, I hesitate to talk about “risk culture”; instead, we can either talk about organizational culture (with all its complexities) or whether the key decision-makers are making informed and intelligent decisions that involve (as they all do) taking risk to seize opportunities.


Jim gets it totally right when he says:

The ground rules for risk and reward are well known. These rules hold that one must take risks to grow, and typically, the more risk one takes, the higher the potential return. They also suggest that a risk-averse mindset often leads to a lower return. These canonical laws have been embedded in business and finance since before any of us were born.

He also makes a point that I have been making for a few years:

Given the pace of change in the digital economy, the realities are such that it’s not just a matter of taking risk to grow or generate greater returns, it’s also a matter of survival. Bottom line: Organizations must undertake more risk than they may be accustomed to taking if they are going to survive. Refusal to take risk means accepting the risk of growing stale and becoming irrelevant. This is no time to be comfortable with the status quo.

Jim has a very interesting couple of tables that contrast a “traditional view” of risk-taking to one that is “fit for the digital age”. He explains that we need to move “from a fragmented, siloed model focused narrowly on myriad risks to an enterprisewide approach focused on the most critical enterprise risks and integrated with strategy setting and performance management”.

There are a number of excellent points in the tables, which I encourage everybody to not only read but also reflect on the depth of meaning behind each of them. For example, he suggests that today we need to:

  • Move from avoiding or mitigating risks to taking them within limits – something I have written about in these pages
  • Maximize the upside while managing the downside. In other words, taking the right level of the right risks; don’t just try to manage and mitigate them out of context of what you are trying to achieve
  • Be proactive and agile
  • Do all of this continuously, not periodically
  • Move away from managing a list of risks and towards managing outcomes
  • Ensure an acceptable likelihood of success (although he still, sadly, frames this in terms of risk appetite)
  • Leave heat maps behind in favor of Monte Carlo, scenario (what-if) analysis, and other techniques
  • Integrate all our thinking and actions around achieving our objectives as an organization
  • Ensure decision-making is high velocity and high quality

Another point he makes refers to cyber and why it should not be assessed in isolation:

…an overly cautious approach that eliminates too much risk might limit or delay innovation opportunities that offer significant upside. Therefore, managing cyber and privacy risk in isolation may not be in the best interests of the business. If a company is evaluating whether to apply digital technologies to enhance its processes, launch a new product or service or differentiate customer experiences, it also needs to consider how much exposure to cyber and privacy risk it is willing to accept.

In the digital age, risk management must help leaders make the best bets from a risk/reward standpoint that have the greatest potential for creating enterprise value. This means that the creation and protection of enterprise value in the digital age depend on the organization’s ability to pursue compensated risks and opportunities successfully and either avoid or transfer uncompensated risks or reduce them to an acceptable level. A risk-informed approach fit for the digital age is one that is strategic in considering the impact of risk on strategy and performance; balanced in evaluating both opportunity and risk; integrated with strategy setting, planning and business execution; and customized, reflecting organizational business needs, expectations and cultural attributes.

His final points echo much of what I have been saying here and in my books. (That is not to say that he is simply following my thinking; he is a highly intelligent individual and independent thought leader, recognized as such by boards and professional associations for his many contributions – see his profile at the end of the piece. I am pleased to see us aligned on many fronts today.)

He says this very well indeed – note especially the highlighted portions:

In the digital economy, risk management must contribute to reshaping strategy in advance of disruptive change. Integrating more sophisticated quantification and monitoring capabilities into the day-to-day activities of the business in executing the strategy and focusing on the risks and opportunities that matter can help management frame a composite risk profile fit for the digital age and provide more granular information on key aspects of the strategy as well as costs and benefits expected from alternative scenarios.

In the digital age, it is all about maximizing the upside while managing the downside, thus fitting the profile of companies best positioned to compete, thrive and win with an obsessive focus on growth and improving the customer experience. If the organization does not advance its digital maturity, another risk arises. We call it “digital risk,” or the risk of choosing not to get uncomfortable in the digital age. Accordingly, a traditional approach to risk management might be the biggest risk that an organization faces when it seeks to grow and defend share against new entrants.

In the digital age, becoming a leader entails revisiting risk mitigation strategies with an eye toward accepting more risk and exploiting the upside potential of market opportunities. For example, rather than merely mitigating risks to the execution of the strategy, companies should also use scenario analysis (Monte Carlo and/or “what if” analysis) to assess the impact on the achievement of strategic objectives and desired corporate risk profile of alternative scenarios. This analysis contributes to a more robust strategic decision-making process.


Wrapping this up:

  • The traditional ERM practice of a periodic list of risks has little value beyond compliance.
  • It is far better to ensure your decision-makers are able to weigh all the things that might happen, both the pros and the cons, and make an informed and intelligent business decision.
  • These times require agility in the support of fast decision-making, recognizing that fear can easily prevent success.
  • Move from doom to success management.
  • Don’t be afraid to tell decision-makers and management in general when they are being too risk averse. That is part of your job.

I welcome your thoughts.

SOX and the COSO Principles

February 11, 2021 3 comments

One of the requirements for the SOX compliance program is that the assessment is based on a recognized internal control framework. In practice, this is (almost) always the 2013 COSO Internal Control Framework.

COSO says that a system of internal control is effective if it “provides reasonable assurance regarding the achievement of an entity’s objectives. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives.”

However, it goes on to say that for a system of internal control to be considered effective, all relevant principles must be “present and functioning”.

COSO says that they can be considered “present and functioning” if there are no related “major deficiencies” that would prevent there being reasonable assurance of achieving the objective(s); for SOX, this equates to having no related material weaknesses.

When the 2013 update was released, I said that this meant three things:

  1. It is necessary to confirm which of the COSO principles are relevant to the assessment.
  2. The way to confirm that they are present and functioning is by indicating which key controls are relied upon for that purpose and confirming that they are adequately designed and operating effectively.
  3. If there was a failure in a control relied upon for the presence and functioning of a principle, that failure would not necessarily be a material weakness. In other words, a principle can be considered present and functioning even if there are failures of related controls, as long as those failures do not mean there is at least a reasonable possibility of a material error or omission in the filed financial statements.


It is nearly eight years since that update, when I suggested that one or more of the COSO principles might not be relevant for SOX – meaning that even their total absence would not amount to a material weakness (as defined).

For example, the second principle is:

The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

I contend that while it may be relevant for some control objectives, it is not relevant for SOX. A private company that does not have independent directors can still have effective internal control over financial reporting.


I have questions for you that I would appreciate your answering in the comments below for everybody to consider. (In other words, please do not post your answers only on LinkedIn.)

  1. Have you considered whether any of the COSO principles are not relevant for your SOX program?
  2. Which ones were considered not relevant?
  3. Have you discussed this with your external auditor?
  4. Did they agree, and if not why not?


Thanks – and I look forward to your thoughts on the post and the answers to my questions.



PS – If you are interested in attending one of my SOX Masters classes, please contact Emily Jones at

Optimizing board decision-making

February 9, 2021 5 comments

There’s an interesting article on the London Stock Exchange page: Optimizing board decision-making in the eye of a storm. It is written by an individual who advises boards and directors in the UK.


Risk and audit professionals need to think about what their customers need and how that is changing in these dynamic and turbulent times. They should consider whether there is a need to change one or more of:

  • What they are addressing
  • When and how often it is being addressed
  • The time it takes to do that
  • How the results of their work are communicated, including the speed of that communication


The author references a director who is on “an experienced board with battle-hardened veterans in both the ranks of the executive and non-executive directors.” Even so, “he indicated that the board and executive team seriously struggled with the enormity of the challenges facing the organisation”.

He continues:

While he indicated that the board were quite mature in terms of risk management and business continuity planning, the sheer scale of the Covid-19 crisis literally floored the board both in terms of the scale of business impact, the impact on their employees and currently how difficult it is to plan for the “new normal”. The scale of the crisis necessitated a number of major decisions to be made in a very compressed timeframe.

While the board may consider themselves “quite mature in terms of risk management”, that is questionable – but not a topic for today.

Here are some notable points with my comments:

  • While a board has many broad types of responsibilities, the fundamental responsibility of a board is to make major decisions. At a time of extreme crisis management, this acute responsibility comes to the fore and represents a fundamental test of a board of directors in terms of its calibre, decisiveness, effectiveness, judgement and performance.
    • Comment: I would argue that what is even more critical is the ability of the executive management team to make quality decisions at speed and communicate those decisions effectively.
    • In addition, there needs to be an agreement between the board and the executive team (including the CAE and CRO) on what will be shared with the board, how, and when.
    • The practitioner needs to be alert, communicate issues in this area, and offer constructive suggestions for improvement.


  • The brutal reality of the Covid-19 crisis is that major decisions have had to be made and continue to be made by boards in compressed timeframes of days and in extreme cases hours that have very serious consequences for the organisation, its employees, its customers and shareholder/stakeholders. While in many cases, government and public health regulations dictated timeframes for major decisions, the reality is that in the vast majority of cases, boards are having to get used to extremely short review cycles for what are often complex choices with significant consequences for each option.
    • Comment: again, this applies to the management team as well. Do they have the capacity to make informed and intelligent decisions at speed?
    • Do they know when they have to make decisions?
    • Do they have the agility and flexibility to make decisions, or is there too much red tape?


  • The quality of information is the life-blood of a board in terms of major decision making in normal times. At severe crisis management times like this, it is very challenging for the CEO and executive team to devote the usual time needed to develop comprehensive board packs when in some cases you may have just 24 hours before the next virtual board meeting. In these cases, I believe quality is more important than quantity in terms of helping the board understand the logic behind major proposals from the CEO and executive team. In some cases, while not ideal, CEOs and executive teams are heavily relying on gut instinct in terms of picking from what appears to be radically different options. In these cases, it is important to provide the NEDs with your “gut instincts” and assessment of the pros/cons of each major option.
    • Comment: in times like these, any ‘risk’ practitioner needs to ensure that any identification or assessment of what might happen (whether adverse, i.e. risk, or favorable, i.e. opportunity) is performed at an appropriate frequency and speed.
    • Talk about ‘gut instinct’ brings up the issue of cognitive bias, as well as the fact that many decision-makers don’t know what information is available that would be of value, let alone what information can be made available.
    • One thought is to examine the agility of any IT function in providing decision-makers with the information they need, when they need it.


  • It is vital that where needed, a board gets external expertise to help with a major decision. This might be an experienced existing advisor partner who understands the organisation and sector but also may be a truly independent sector expert who could provide a brutally cold objective assessment of the options that could ultimately improve the final decision-making process.
    • Comment: this is where the practitioner can help. I prefer management and the board to use internal resources like internal audit before even thinking of going outside to an organization that doesn’t have much of an understanding of the company and its operations.

The overall message is that the way in which the board and executive management teams have to operate to thrive in today’s environment is changing.

The members of the board, the management team, and both internal audit and risk practitioners need to ensure they can and have changed as well.


I welcome your thoughts.

Lazy auditors

February 4, 2021 13 comments

Internal auditors don’t always have to work harder than others, but I do want them to work smart.

I have seen what I would consider lazy practices over the years and more recently in comments on LinkedIn.

Here are some examples:

  • “Give me a checklist or audit program that I can use.”

This is lazy because the scope and audit approach for every audit needs to be refined every time to address what matters today and will matter tomorrow, rather than what mattered in the past. Assuming (and we know what that means) that the individual who developed the program in the past has it right for today is lazy.

It is especially lazy when it is a document downloaded from the internet or passed to you by somebody in a different company.

Use it as a basis for your own work, perhaps, removing and adding tasks as needed – after thinking it through carefully. But it is usually better to start with a blank sheet and an understanding of the risks that matter and the controls in place to address them. Only then, perhaps, use somebody else’s work to challenge yours.


  • “This is true because the standard/framework/book says it is.”

It is so much better to think for yourself. I have seen LinkedIn comments saying that something is necessary or true because this or that standard says so. Well, sorry, but you need to determine what is appropriate for your specific organization at this point in time. While publications (even my books) should be “food for thought”, thought is necessary. Blindly following the standard without understanding whether and how it applies to your specific situation is lazy.

By the way, so-called ‘best practices’ are what somebody who doesn’t know your organization thinks is best. It’s lazy to go with them instead of thinking about what is best for your business.


  • “I am auditing to company policy.”

But sometimes the policy may be outdated or even sub-optimal. When you audit for compliance with a silly policy, are you auditing against what the organization needs?

We have all heard or even experienced situations where somebody, some official perhaps, gets in the way of progress because of the rules. Maybe those rules need to be changed!

Assess whether policies, standards, and other guidance are appropriate and right for the organization before auditing against them.


  • “We always do it this way.”

You wouldn’t accept this from an ‘auditee’, so why say it yourself? Why be so lazy?

We should constantly challenge our own past practices, even if they have been hugely successful, and see if there is a better way.

For example, I see LinkedIn posts saying you need to have a standard report format if you want to communicate effectively with executives and the board. That is totally wrong: the way in which information is communicated should be tailored to the needs of the individuals you want to receive it – and act on it.


  • “The control is not functioning; fix it.”

If there is a problem with a control, it is lazy not to perform a root cause analysis and find out why it is not functioning. That root cause (and there may be several) must be addressed for the symptoms (the control failure) to be healed.

But there is another why that has to be asked: why is the control important? Why is it needed? Maybe it is not really necessary and that is why it is not being performed consistently.

If you don’t understand the risk that a control is intended to address (see the next point) and whether it justifies the time and cost of performing the control, you can be asking management to waste scarce resources.

It may also be the wrong control procedure; maybe there’s a better way to address the risk (such as using analytics).

It is lazy to see a control is not working properly and as a reflex ask management to fix it so it is performed consistently in future. Make sure you are encouraging actions that are right for the business, not theory or what is “usual”.

In addition, it is lazy to describe a ‘finding’ (an awful word) as “high risk” without explaining why and to what. In other words, explain how the business and its success may be affected.


  • “It is my job to find issues; it is up to management to fix what I have found.”

Continuing from the last point, it is lazy not to work with management and agree with them whether the issue is important or not. The control may be unnecessary or redundant. It is lazy to ask management to continue to perform a control that has no real value.

It is also lazy to send management the draft report with a recommendation (“fix it”) rather than sitting down with them and working out what is the best corrective action (if justified).

Our job is not to find issues. Our job is to enable valuable change. We have failed (IMHO) if management doesn’t see the value of a change and either delays or even ignores it. We succeed when management agrees that there is value in a change and therefore wants to make the change.

It is especially lazy to ask them to make a change where we haven’t worked with them on the need or what the appropriate change is, and then criticize them again (in a follow-up on ‘outstanding findings’) for not making the change on our schedule.


  • “My audit is for two weeks, so I will keep on auditing.”

If it is clear that you are not going to find anything (more) of significance, and you can provide an opinion on the more significant risks to the enterprise based on the work performed, stop! Work should not expand to fill the time available. It is lazy to keep going instead of working with your manager to adjust the schedule.

It is also lazy to continue with the original scope and schedule when it is clear that there are areas of significant risk to the enterprise that were not included in scope, or it is clear that getting to the root cause of serious issues within the current scope will require additional time. Work with everybody to adjust the schedule accordingly.


  • “I can only say what I can prove.”

This is also laziness. While it is desirable to have evidence to support your assessment and your opinion, we are professionals – and entitled to have professional opinions.

Some of the most valuable insights and other information we can provide management and the board stem from our objective and independent view of operations, including people. While we may not want to commit all our thoughts to writing, we should be willing to share our insights as professionals on the competence of managers, the culture of the organization, and so on.


There are other lazy behaviors that I haven’t mentioned. Please feel free to add them in your comments, as well as your thoughts on the ones I have listed above.

Evaluations of the board and its governance

February 1, 2021 2 comments

Ron Kral has shared an interesting article on Holding the Board Accountable through Evaluations. I agree with his opening statement:

I find it interesting that while there is no shortage of oversight scrutiny on management’s activities, the same cannot be said of the board’s activities. Perhaps this is due to the board being at the top of the oversight pyramid or the secrecy cloak often surrounding board communications. Regardless of the rationalizations for not formalizing an evaluation process, boards need to lead by example and demonstrate that they are holding themselves accountable, just like any other part of the organization.

He continues with:

Board evaluations are not just for big-public companies, but rather an important process consideration for all boards and committees regardless of size or industry. The board of directors and its committees serve as the foundation of corporate governance in providing oversight of management as led by the CEO. Governance is a process led by people and enabled by technology. Like any other process, it should periodically be evaluated relative to board and committee objectives. This means taking an objective and candid look at the process, the people, the technology, and ultimately the results.

His list of benefits from a robust evaluation is extensive – as it should be:

  • promoting accountability among directors and stakeholders;
  • confirming an understanding of duties;
  • ensuring an ethical control environment;
  • confirming independence between non-management directors, management and key third parties (e.g., outside legal counsel, internal audit, external audit, agents, etc.);
  • identifying the need for additional skills or expertise;
  • assessing director composition in terms of diversity (e.g., backgrounds, age, ethnicity, gender, personalities, beliefs, etc.);
  • helping to prioritize responsibilities;
  • providing candid assessment of what is working and what is not;
  • creating awareness for anticipated risks and opportunities;
  • enhancing the ability to attract qualified leaders, both executive management positions and directors;
  • challenging the committee structure in light of rapid changes;
  • promoting comfort levels with investors and creditors thus reducing cost of capital;
  • and sending a message to shareholders that the board takes its duties seriously.

Ron’s evaluation scope is very broad:

  • governance structure
  • code of conduct
  • culture
  • expertise of directors
  • independence of the board, its committees and its auditors
  • access to information and dissemination
  • management oversight
  • management relationship
  • orientation and training of directors
  • overall performance in terms of reaching objectives and fiduciary duties
  • risk awareness, including cyber risks
  • shareholder and stakeholder relations


Where I differ from Ron is in terms of who performs the evaluation and how.


Ron has not considered (at least it is not discussed) the role of internal audit when it comes to organizational governance.

In a 2010 post (wow), I wrote:

We also need to build up the courage to take on the topic of governance. The IIA definition of internal auditing requires that we provide assurance on governance, as well as on risk management and the related internal controls. Far too few include governance processes in their audit plans, except as they relate to the code of conduct. This is playing around the edges instead of taking on the heart of governance, such as the activities of the board and its committees, including the timeliness and quality of information they receive; the organization and staffing of the enterprise; and the process for establishing, communicating, and cascading organizational strategies through the organization – to ensure all managers are working to optimize performance and realize organizational goals.


The IIA’s Implementation Guide 2110 provides advice on reviews of governance by internal auditors. There is also a Practice Guide, Assessing Organizational Governance in the Private Sector. In 2019, The IIA published Guiding Principles of Corporate Governance.


Ten years ago, I shared an article I wrote in 2003 for the IIA’s magazine on training the audit committee. In that article, I said:

Audit committees — with management’s assistance — need to examine not only their practices as a committee but also as individuals. Each director needs to assess whether he or she has the knowledge, experience, dedication, and time to perform the job effectively. Looking at some of the recent accounting scandals, one must ask whether audit committee members, individually or collectively:

  • Had a sufficient understanding of their responsibilities. For example, why were some officers allowed a waiver from the ethics policy?
  • Had a sufficient understanding of the key accounting and financial rules affecting their company’s financial statements?
  • Understood the company’s business, including not only how it made money but also how it monitored and measured success?
  • Had discussed and understood the more significant risks to the company’s financial statements, its business, and its reputation?
  • Had sufficient knowledge and understanding to ask the right questions and to assess the adequacy of the answers they obtained?

As a CAE, I helped the audit committee assess its own performance, both as individuals and as a team. From that, we built custom training programs for each director.


While Ron’s article makes the case for the board to have an assessment of its performance, I believe the CAE can provide great value by:

  • Performing reviews or audits of those governance processes of greatest concern (i.e., the results of risk-based planning where only areas of greater risk are included in the scope), and
  • Facilitating self-assessments by committees and even the full board


I welcome your thoughts.

The future of internal auditing

January 26, 2021 4 comments

Bruce Turner, “an active company director and audit committee chair”, was recently interviewed on this topic. You can see the full interview at CERM Risk Insights and there is also an article in Future of Professions.

The second of these, the article, has some interesting observations that I will let you read at your leisure.

When Bruce is asked about how the profession of internal auditing should change, he makes some points worth repeating here:

There are three fundamentals to internal auditors adapting to the changes confronting them – demonstrate impact; embrace technology; and apply a balanced approach.

Auditors will need to continuously demonstrate the value of their work if they are to receive sufficient and sustained funding. They will need to work more efficiently while operating in unpredictable conditions, and it will be imperative to leverage technology to compensate for the likely loss of people within their audit teams. Auditors need a balanced approach, whereby audit technology is used wisely and strategically, and blended with physical interactions with clients to witness organizational culture and operational practices firsthand.

Bruce was asked additional questions that are reported in the CERM piece. One relates to that point in the article about the use of technology.

The question was:

In an article I wrote recently, I envisioned increasingly powerful computing capability and AI-driven screening taking over the preponderance of audit tasks by passing all transactions through the screening process rather than relying on after-the-fact statistical sampling of only some of them. Is this reasonable?

Bruce’s answer was:

Yes, it is reasonable in organizations that have a strong digital platform. However, there are some global regions where this will be quite some years off. Where internal auditors do have the opportunity to leverage powerful computing capability I would rather see this being used to enhance the value proposition of internal audit (i.e. to help internal auditors boost their value and productivity, without the need to slash internal audit resourcing per se).

I disagree both with the premise of the question and the answer.

I much prefer internal audit to confirm that management has the controls in place to ensure the integrity of data rather than attempting to do it themselves.

The technology being discussed makes excellent detective controls performed by management. Internal audit can help by working with management to deploy these tools for advantage rather than use them themselves.

There are five useful takeaways in the CERM piece. This one resonates strongly with me:

Governance, risk management, compliance, assurance and audit professionals need to be innovative in what they do and how they do it to evolve from a hindsight perspective where they traditionally reported on the past, to delivering insights that help business managers now, and ultimately, they need to share foresight that helps business managers run the business in the future.

Having said that, what do I foresee in the future of internal auditing?

  • A continuation of the trend to flexible and agile auditing that focuses on what matters to the success of the organization now and in the future.
  • The obsolescence of the annual audit plan and its replacement by a continuously updated or rolling plan.
  • A focus on communicating the information that leaders need, when they need it, in a readily consumable form rather than a formal audit report.
  • The elimination of traffic lights to rank issues in favor of an approach that explains why they matter.
  • New attention to the quality of decision-making processes!

That last may not be the final frontier, but it is a fascinating one.

What do you think?

The final frontier

Taking the right risks for success

January 22, 2021 12 comments

This has been a consistent message of mine for a long time. While I generally prefer not to talk about ‘risk’ because the four-letter word evokes a knee-jerk negative reaction from most business people (it is seen as a compliance exercise that gets in the way of running the business), I think it is fair to say that everybody understands that they need to “take risks” if they are to succeed.

The question is whether they really understand what they are doing: do they understand both the range of adverse things that might happen and their likelihoods, and the range of beneficial things that might happen and their likelihoods?

This is where the risk practitioner[1] can help. They can use their tools and techniques to help decision-makers understand what might happen, given the context of what has happened and is happening.


More recently, I have seen others take up much of this message.

Carol Williams is one of these individuals. Her website ERM Insights by Carol has some useful references (especially the list of thought leaders – thank you, Carol). But I especially like her recent post, Is Technology Risk Bigger than “Cyber” Risk? Here are some excerpts:

It’s not an earth-shattering thing to say that news of hacks, data breaches, and other technology hiccups has grown exponentially in recent years. Between January and September 2019, 7.9 billion records were exposed, marking a 33% increase from the same period in 2018.

A few of last year’s data breaches include:

  • An error in pharmacy giant Walgreens’ mobile app messaging feature exposed names, prescription numbers, shipping addresses, and other sensitive information. The number of impacted customers was not disclosed, but the app has over 10 million downloads.
  • Personally identifiable information of over 280,000 current and former employees of General Electric was exposed following a data breach of a third-party vendor.
  • Credentials of over 500,000 Zoom accounts, including email addresses, meeting room IDs, and passwords were found for sale on the “dark web” and hacker forums. (A good reason to use auto generated meeting room IDs and passwords and their waiting room feature!)

Of course, this barely scratches the surface…

There’s no doubt that these and other hacks are serious, but many sensationalist headlines and opportunistic consultants spread alarm about technology risk, cybersecurity and so on, leading many companies to place too much emphasis on this particular issue.

Companies have several frameworks to choose from for helping them address technology risk, with the Risk Management Framework for Information Systems and Organizations from the National Institute of Standards and Technology (NIST) considered the most authoritative. Other examples include the Factor Analysis of Information Risk (FAIR) framework and the ISO 27005 standard.

While these standards do provide guidance on identifying, assessing, and managing technology risk, they each have one big shortcoming.

They fail to address business risks associated with technology…

Truly understanding and managing technology risk effectively requires a holistic approach focused on the business.

At this point, Carol starts to quote from my book, Making Business Sense of Technology Risk.

She also repeats this thinking from my book:

Simply saying a particular cyber or other technology risk is high is not helpful for decision-makers. In a 2016 survey published by Osterman Research for example, an astounding 85% of board members believe they are not getting helpful information from IT executives and staff and 59% say these same personnel will be let go from their jobs for not providing actionable information.

With that in mind, risk professionals have an important role to play in ensuring the link between technology risks and goals and objectives is understood by decision-makers. This will mean getting rid of the technical terms and talking the talk of the business.

Again, just saying a particular risk is high, medium, or low without any context doesn’t help executives understand its impact on objectives, much less develop any plans to address it.

How would you answer the question she poses?

Does your company link technology risks to corporate goals and objectives or are they viewed strictly through the eyes of the IT experts?

I welcome your comments – as I am sure she will also.


I would also point to Dan French, CEO at Consider Solutions. His latest post asks Is it time to say goodbye to “Risk Management”?

What do you think?


[1] It is better, if you can, to remove the four-letter word from any title. Decision support works so much better.

Risk, purpose, and objectives

January 17, 2021 14 comments

People talk about integrating risk management into strategy-setting and objective-setting, but I have yet to see any good guidance (and that includes from COSO) on that topic.

But should we be talking about risk and strategies (or objectives) or risk and purpose – or even be using the four-letter word that starts with R?


If you have been following my blog for a while, you would have seen multiple and often lengthy comments by Roger Estall and Grant Purdy. They are the authors of Deciding: A guide to even better decision making, a book I have recommended.

Roger and Grant describe their book on Amazon:

This book is intended to help decision-makers of all types make even better decisions. The central thesis is that whether ‘Deciders’ realise it or not, all decisions are made using what the authors describe as ‘the universal method of decision-making’. The adequacy of each decision therefore depends on how skilfully the method is applied, whether Deciders achieve ‘sufficient certainty’ about the outcomes that will flow from the decision and the contribution made by those outcomes to the organisation’s Purpose.

Note their focus on Purpose and “sufficient certainty”.

They have also, in the book and in their comments on my posts, trashed the word risk and the idea that it should be ‘managed’.

The idea that we should avoid the word ‘risk’ is something I suggested earlier in Risk Management in Plain English: A Guide for Executives: Enabling Success through Intelligent and Informed Risk-Taking[1]. My introduction on Amazon was:

Why is risk management so often a review of what might go wrong? Norman Marks suggests that this ‘doom management’ approach should be replaced with ‘success management’. What might happen that could affect our success, both the good and bad? Is that OK? Now let’s do something about it. Norman’s new book has advice for the CEO, executive team, individual executives, and the board. It focuses especially on the need for decisions to be intelligent and informed, because those are where risks are taken. His earlier book, ‘World-Class Risk Management’ gave more in-depth guidance for the risk practitioner. This easily read and consumed book is designed for those in leadership positions who are interested in making risk management a competitive advantage.

My suggestion to use ‘plain English’ (instead of risk practitioner technobabble) is because the four-letter word risk evokes a negative knee-jerk reaction from executives. They see risk management as something that prevents them from doing their job; it’s a compliance exercise that makes little contribution, if any, to making quality business decisions and achieving their objectives. In addition, it is what I describe as “doom management” when we should be trying to make the informed and intelligent decisions that lead to taking the right risks for success.

The plain English way to talk about risk and opportunities, I suggest, is to talk about “what might happen”. Grant and Roger prefer to just forget about either the word or the concept it is supposed to represent.


While I talk about “an acceptable likelihood of achieving enterprise objectives,” my friend Grant[2] and his co-author Roger prefer to talk about “sufficient certainty about the outcomes that will flow from the decision and the contribution made by those outcomes to the organisation’s Purpose”.

We can quibble about the difference between “acceptable likelihood” and “sufficient certainty”. But I believe (and Roger or Grant will correct me if I am wrong) that these are essentially the same idea.

But there is a clear difference between Purpose and objectives.


Here are some excerpts from Risk Management for Success. (This includes my attempt to help people ‘integrate’ the consideration of ‘what might happen’ into business processes, from setting the direction of the organization to executing on it.) My first drafts did not include a discussion of a Purpose statement, but Grant persuaded me that it was important to consider it; there is clearly a growing appreciation by leaders of its value.

It’s fair to say that pretty much every organization has a formal Mission or similar statement. A 2020 McKinsey Quarterly article, Purpose: Shifting from why to how, said:

Only 7 percent of Fortune 500 CEOs believe their companies should “mainly focus on making profits and not be distracted by social goals.”

There is a growing recognition by CEOs and boards of the need to address expectations from the society within which they operate.

In an ideal world, that Mission or Purpose statement drives the longer term plans and goals for the entire organization.

McKinsey surveyed 1,000 people in US companies[3] and found that:

  • 82% said purpose was important
  • 62% said their organization had a purpose statement
  • 42% believe the purpose statement had impact


However, in the majority of cases it is aspirational and only sets out principles that may or may not inform how the organization operates from period to period. It may or may not affect how decisions are made on the ground.

For example, here is the Purpose statement from BHP Billiton, an international natural resources company based in Melbourne, Australia[4].

We are BHP, a leading global resources company.

Our purpose is to bring people and resources together to build a better world.


I am sure many CEOs would agree … that a Purpose statement is important and, in some way, guides the organization’s strategy and actions. But it doesn’t guide every tactical decision[5].

I can certainly see that such a statement is very important in nonprofit organizations.

In any organization, it may influence strategic planning and decisions, such as in deciding on strategic acquisitions, and through them the objectives that decisions are intended to achieve.

Bain & Co.[6] tells us that:

By redefining their purpose and focusing on it, companies are better equipped to thrive in an ever-changing world. Consumer products company Mars has recently formulated its purpose as: “The world we want tomorrow starts with how we do business today.” And this philosophy is reflected throughout the organization in many ways, including its $1 billion investment toward becoming sustainable within a generation. Such focus can help a company to attract key talent, engender consumer trust and gain access to important resources such as sustainable supply chains.

How does Mars’ Purpose statement of “The world we want tomorrow starts with how we do business today” affect decisions such as whether to delay the implementation of a new computer system, where to set prices for a new service, or how much to invest in compliance or cyber?

In a 2016 study, PwC surveyed US business leaders. While 79% said that “purpose is central to business success”, only 34% thought that it was consistently used “as a guidepost for decision-making.”

That percentage may be growing, especially if CEOs recognize that they need Purpose or Mission statements that are more meaningful to decision-makers down and across the extended enterprise.

For Mission or Purpose to be an effective “guidepost”, it has to be translated into objectives that the organization, its management and staff work to achieve each period.

The Mission or Purpose statement is something that should be considered in assessing risk management. Some organizations will see it as a higher priority than others.

Where it connects with the running of the organization is that each period’s objectives and strategies should be consistent with and advance its purpose or mission.

How does risk management figure in setting the Mission or Purpose?

Understanding what might happen could affect the setting of Mission or Purpose statements such as those above, but it is unlikely to.

However, it is an essential ingredient in setting longer-term strategic plans and then the objectives for each period so that the Mission can be achieved.

I see it as an optional element in assessing decision-making and risk management.


Management and the board agree on objectives and compensate individuals based on performance against those objectives.

The objectives have to be aligned with the Mission and the Strategic Plan. In practice, enterprise objectives are proposed by executive management and reviewed (often approved) by the board.

While in an ideal world everybody has a long-range view and makes decisions that are right for the organization in the long-term, in practice most are driven by short-term goals and objectives – and their compensation.


Grant pointed me to the McKinsey piece I quoted in the book. More recently, McKinsey has repeated their advice. This is from this month’s Organizing for the future: Nine keys to becoming a future-ready company:

Top-performing organizations know that purpose is both a differentiating factor and a must-have. A strongly held sense of corporate purpose is a company’s unique affirmation of its identity — the why of work — and embodies everything the organization stands for from a historical, emotional, social, and practical point of view.

Future-ready companies recognize that purpose helps attract people to join an organization, remain there, and thrive. Investors understand why this is valuable, and factor purpose into their decision making: the rise of environmental, social, and governance (ESG)–related funds is just one of the ways they acknowledge that purpose links to value creation in tangible ways.

Nonetheless, few companies harness purpose fully. In a McKinsey survey of employees at US companies, 82 percent said organizational purpose is important, but only half that number said their purpose drove impact. [The same survey quoted in their earlier piece.]

A December 2020 piece reinforced my and McKinsey’s observation that while Purpose is a great idea, it drives very few tactical or even strategic decisions.

The concept of “corporate purpose” is at risk of becoming a vague aspirational statement like “mission” and “vision” were years ago. These statements were put on boardroom walls, but they didn’t really change the way companies conducted business.

There are no rules of thumb that companies can follow in making these decisions. However, defining a clear corporate purpose and rigorously paying attention to long-term value creation can help executives make the difficult choices.


Let me see if I can summarize all of this (even though these are only a few excerpts from my book).

  • Many organizations have Purpose or Mission statements that have been approved by the board and both the board and management profess to believe in them. (However, finding CEOs who will put achieving Purpose ahead of their bonus may be a challenge.)
  • If you have such statements, it is important that they are achieved – but that is a longer-term endeavor rather than something that is achieved this period.
  • Objectives, which in my experience every organization has established to measure and reward organization and management performance for the period, need to be designed to achieve any defined Purpose or Mission over time. Purpose is too aspirational and distanced from tactical and even most strategic decisions to be a major influence on daily decision-making.
  • Management is biased in their decision-making by how they will benefit; they know that they will be rewarded for achieving defined objectives.
  • It is far more practical to focus on the achievement of objectives than Purpose, especially when it comes to decision-making and the consideration of what might happen (risks and opportunities). Purpose statements (such as that referenced above from BHP) are typically aspirational and do not have the metrics associated with them that provide specificity and clarity about direction to decision-makers.
  • We cannot have certainty about either the achievement of Purpose or objectives, but we can strive for an acceptable likelihood of achieving objectives – and that will lead to the achievement, in time, of Purpose.
  • Objectives, though, need to be rooted in an understanding of what has happened, is happening, and might happen – and that is where ‘risk’ management can help (although I prefer the label of success management or even simply effective management).
  • In an ideal world, we would dispense with the four-letter word. But that is probably a step too far for most practitioners and almost certainly any regulator. However, we can change what we do so that it not only satisfies any compliance requirements but helps the organization succeed. That is what I recommend:
    • Comply with regulations first, but then
    • Extend your practice to help the organization and its people succeed.


I welcome your thoughts – and am looking forward to Grant and Roger’s comments. I encourage them to share excerpts from their fine book.



[1] Rated 5 stars on Amazon.

[2] Grant Purdy has been a member of the review panels of several of my books, including Risk Management for Success. That doesn’t mean he agrees with everything I have written! Grant has also been a great source of wisdom in my risk management journey. I don’t know Roger beyond his comments on my posts and his book with Grant.

[3] Purpose: Shifting from why to how, 2020

[4] Grant’s former company.

[5] The cynic in me says that for most organizations, the Purpose is to make money.

[6] A global consulting firm; their article is Giving people hope by reigniting your company purpose, 2020.

What is wrong with a typical risk register?

January 10, 2021 140 comments

I recently presented at a Zoom meeting of IIA Qatar on the topic of “Risk Management for Success”. At one point, I shared an example of a risk register I had found on the web. I explained how it was removed from the context of achieving objectives (i.e., risk to what?) and that periodically managing a list of risks is not sufficient. Far more is needed for effective risk management as I see it (enabling an acceptable likelihood of achieving objectives[1]).

Risk register

In the Q&A session, somebody asked how the risk register could be improved.


There are multiple problems that need to be overcome, including:

  • As mentioned above, it is a static list of risks, updated occasionally. Managing a list of what could go wrong is not the same as considering how best to achieve objectives. That requires understanding what might happen as part of every decision and that changes often – requiring more than a periodic discussion. However, there is a measure of value in the periodic review of those sources of potential harm that need to be addressed, typically monitored, on a continuing basis. I will come back to that.
  • Also as noted above, these are risks to what? And what the devil does a “high” rating mean? It doesn’t help us understand how an adverse event would affect the objectives of the organization. That is not addressed at all, potentially leading those who review a risk register to note it with interest but not know how important the issues are, especially when compared to other matters needing their time and money.
  • A risk register leads to managing and mitigating individual risks in silos instead of considering all the things that might happen, the big picture, to determine the best course of action and how much to take of which risks.
  • A list of risks focuses only on what might go wrong, ignoring the possibilities of things going well. For example, excellent performance by the project team might lead to early completion of the project.

There are more problems, but I want to talk about one that seems to confound many risk practitioners: that risks (and opportunities) are not a point; there is a range of potential effects or consequences and each point in that range has its own likelihood.


Take the first “risk” in the register above: “Project purpose and need is not well-defined” and ask the people involved in the project for their “risk assessment”.

  • The business unit manager considers the meetings she has attended with the project team. She believes that there is a 15% possibility that they have misunderstood her people’s needs and that could be quite significant. If that is the case, she can see a combination of revenue and cost impacts that she estimates as $300,000 over the next quarter, more and for longer if the problems are not corrected promptly. If you asked her to rate the likelihood and impact, she would say that is medium likelihood and medium impact, for a medium overall severity.
  • The COO tells you that he has confidence in both the business and IT people working on the project and there is a very low probability, maybe 5%, of an issue that he says would not amount to more than $100,000 (the cost of additional work) and would not affect revenue goals. He rates that as low likelihood and impact, for a low overall severity.
  • The project leader exudes confidence. He is 100% confident that there will not be any serious issues. He dismisses the idea of small snags as something that always happens. He also assesses likelihood, impact, and severity as low.
  • The analyst responsible for working with the vendor to identify and implement any customizations is reluctant to give her estimate. Eventually, she admits there is a 30% chance that something will go wrong and it would cost up to $1,000 per day of consultant time to make corrections. She doesn’t know how that might affect the business. When pushed, she whispers that the likelihood is high, effect is medium, and she doesn’t know how to assess overall severity from her junior position.

Are they wrong? Or, are they all right? How can they have different answers?

In all likelihood (pun intended) they are all right.

Like those who only see or touch one part of an elephant, each person has a different perspective, bias, and interest. They also have different information and insight.

(Image: the blind men and the elephant)


A typical risk practitioner would report either the most likely effect and its likelihood, ignoring the others, or the most severe and its likelihood. Some would try to come up with an average of some sort.

That would mean that they would pick the assessment of 30% and $1,000 per day, or 15% and $300,000. But that would then run into a problem when more senior management, the COO, tries to overrule those who don’t (in his opinion) see the big picture. (This is something I have encountered multiple times in my career, but that’s not the topic today.)


Attempting to boil these different answers down to one ‘value’ for likelihood and impact is not what I consider part of effective risk management. (I describe that as addressing what might happen every day so you can have an acceptable likelihood of achieving your objectives.) It is also questionable whether you can calculate ‘severity’ at all, either by multiplying likelihood and impact or by using a heat map.

The fact is that there is no single point.

The fact is that there may be different gradations of ‘failure’, each with its own level of consequence and each with its own likelihood.

The risk register talks about the likelihood of the risk event when it should be talking about the likelihood of the effect.

When you can have multiple levels of effect, you have a range.


A better approach involves bringing all the players (and there would likely be more than these four) into a room and asking these and other questions to come to a shared assessment that makes business sense – recognizing that this is just one of several risks and opportunities to consider.

  • Why is this project needed? How does it relate to enterprise objectives? Why does it matter and how much does it matter? What is important about it?
  • How would a failure to define the “purpose and need” affect the business? What would happen if the project is, for example, delayed? What about if it doesn’t deliver all the required functionality?
  • How should we measure the consequences? Are traffic light ratings (high, medium, low) meaningful? Should we use a dollar figure, for example in estimating additional costs and revenue losses? Would that help us make the right business decisions? How about making the assessment based on how one or more enterprise objectives would be affected, such as how a failure could affect the likelihood they would no longer be achieved?
  • What is the worst that could happen? Now, what is its likelihood?
  • How likely is it that everything is perfect?
  • Assuming that we are using a dollar figure to estimate potential consequences, what is the likelihood of a $300,000 impact? (This would be modified if instead we are assessing based on the effect on objectives.)
  • How about a $100,000?
  • ..and so on until a range of potential effects (or consequences) and their likelihoods are agreed upon.


There are tools (such as Monte Carlo) that can calculate a value for the range of effects and their likelihood. However, while it is possible to have a value, I would talk to the consumers of risk information, the decision-makers, whether they want to see a single value or understand the full range of possible consequences.
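Here, as an added illustration that is not part of the original post, is a small Monte Carlo treatment in Python of the kind of range the workshop above would agree on. The four bands, their likelihoods and the dollar ranges are constructed for the example and are not figures from the post; they stand in for the “range of potential effects and their likelihoods” that the questions above are meant to produce. Consequence is assumed to be uniform within each band.

```python
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Band:
    """One gradation of 'failure': its likelihood and its range of consequence in dollars."""
    label: str
    probability: float
    low: float
    high: float


# Hypothetical bands agreed in the workshop for "project purpose and need is not
# well-defined". Constructed for this example; they are not figures from the post.
BANDS: List[Band] = [
    Band("no material issue", 0.70, 0.0, 0.0),
    Band("minor rework", 0.20, 20_000.0, 100_000.0),
    Band("significant rework and revenue slip", 0.08, 100_000.0, 300_000.0),
    Band("project fails to meet its purpose", 0.02, 300_000.0, 1_000_000.0),
]


def validate(bands: List[Band]) -> None:
    """Likelihoods must sum to one and each band's range must be well-formed."""
    if abs(sum(b.probability for b in bands) - 1.0) > 1e-9:
        raise ValueError("band likelihoods must sum to 1.0")
    for b in bands:
        if b.probability < 0 or b.low > b.high:
            raise ValueError(f"bad band: {b.label}")


def expected_loss(bands: List[Band]) -> float:
    """Closed-form expectation: consequence is uniform within a band, so each band
    contributes probability * midpoint."""
    return sum(b.probability * (b.low + b.high) / 2.0 for b in bands)


def sample_loss(bands: List[Band], rng: random.Random) -> float:
    """Draw one trial: pick a band by its likelihood, then a consequence inside it."""
    u = rng.random()
    cumulative = 0.0
    for b in bands:
        cumulative += b.probability
        if u < cumulative:
            return rng.uniform(b.low, b.high)
    last = bands[-1]  # guards the rounding edge where u is within 1e-16 of 1.0
    return rng.uniform(last.low, last.high)


def percentile(sorted_values: List[float], q: float) -> float:
    """Nearest-rank percentile on an already sorted list."""
    return sorted_values[int(q * (len(sorted_values) - 1))]


def simulate(bands: List[Band], trials: int = 20_000, seed: int = 2021) -> Dict[str, float]:
    """Monte Carlo over the agreed range: the full distribution a decision-maker
    could be shown instead of one number."""
    validate(bands)
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    losses = sorted(sample_loss(bands, rng) for _ in range(trials))
    n = len(losses)
    return {
        "p_any_loss": sum(1 for x in losses if x > 0.0) / n,
        "mean": sum(losses) / n,
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
        "p99": percentile(losses, 0.99),
        "max": losses[-1],
    }


def single_point_views(bands: List[Band]) -> Dict[str, tuple]:
    """The two 'one likelihood, one impact' entries a typical register would record,
    for contrast with the range above."""
    worst = max(bands, key=lambda b: b.high)
    likeliest_loss = max((b for b in bands if b.high > 0.0), key=lambda b: b.probability)
    return {
        "most_severe": (worst.probability, worst.high),
        "most_likely": (likeliest_loss.probability, likeliest_loss.high),
    }


if __name__ == "__main__":
    print(f"expected loss (closed form): ${expected_loss(BANDS):,.0f}")
    for key, value in simulate(BANDS).items():
        print(f"{key:>10}: {value:>12,.2f}")
    print("register-style single points:", single_point_views(BANDS))
```

Running it prints the closed-form expected loss (about $41,000 for these constructed bands) alongside the simulated mean and the 50th, 90th, 95th and 99th percentiles. The point for the decision-maker is the contrast: a register would record “2% likelihood, $1 million” or “20%, $100,000”, while the percentiles show that the median outcome is no loss at all and that a $300,000 impact sits between the 95th and 99th percentiles of this distribution. Whether to report the single expected value or the percentiles is exactly the question to put to the consumers of the information.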

This is only the assessment of a single source of risk and it is likely that other risks and opportunities might have to be considered before agreeing (a) whether the situation is acceptable, and (b) what actions to take if it is not.


Even though I talk about risk management providing the information about what might happen (both risks and opportunities) that is required for informed and intelligent decisions, there is still value in the periodic taking stock (to quote my friend, John Fraser) of those risks and opportunities that are so significant they merit a more continuing level of attention.

But such a list has to show why these risks and opportunities are important.

Saying it is “high” means nothing.

It is imperative to explain how it relates to the achievement of objectives.

It is also imperative to show that there is a range of potential effects or consequences; the only exception I would make is where the decision is made that only the likelihood of particularly severe consequences needs to be monitored.


As I explain in my books, what makes the most sense (in addition to the continuous enabling of decision-making) is reporting the likelihood of achieving objectives considering all the things that have happened, are happening, and might happen.

This is actionable information that helps leaders understand whether they are likely to achieve what they have set out to achieve. They can determine whether that likelihood is acceptable and decide what actions are needed, if any.


So, where does all of this leave us?


This is my recommendation:

  1. Ensure there is appropriate attention to what might happen (both for good and harm) every day as part of both strategic and tactical decision-making.
  2. Monitor on a regular basis the likelihood of achieving objectives[2], considering what has happened, what is happening, and what might happen.
  3. Monitor on a continuing basis those risks and opportunities that merit attention because of their potential to affect the business and the achievement of its objectives, both short and longer-term.


I welcome your thoughts.

[1] If you prefer the approach of Estell and Grant, consider the acceptable likelihood of achieving the purpose.

[2] If objectives are designed to achieve purpose or mission over time, this equates in a practical way to monitoring the likelihood of achieving purpose or mission.

Another look at the concept of Risk Appetite

January 4, 2021 30 comments

The blog post that was read most often both in 2020 and all-time was written in 2011. Just what is risk appetite and how does it differ from risk tolerance? has been viewed nearly 80,000 times.

Another of my most-read posts in 2020 is more recent, shared in May of last year. COSO still believes in risk appetite statements. In it, I shared ten questions to challenge those who continue to believe they are not only necessary (for example to comply with regulator demands) but also useful in making business decisions.

But my most recent post on the topic was in October 2020, Are you hungry for a better approach to risk appetite? It is a review of an excellent thought leadership paper by Chris Burt.

The last two, especially, are useful if you have not read them before.

But let’s revisit the topic, as if from scratch.


What is risk appetite? It is defined by COSO as the “amount of risk, on a broad level, an organization is willing to accept in pursuit of value.”

Before analyzing that nebulous statement, it is useful to consider why we are even thinking about risk appetite statements.


Basically, regulators and board members influenced by them want to prevent management from taking too much risk.

By that, I mean acting or failing to act in a way that puts the success, even the viability, of the organization in peril for no good reason and without the approval of the owners of the organization: the shareholders. In addition, these days it is recognized that the failure of an organization can affect others, including customers, creditors, and the community.

Ergo, the concept of risk appetite.


The concept has been broadly accepted in the financial services sector and is required by banking and insurance regulators.

But is it necessary and useful to come up with “an amount of risk that the organization is willing to accept”?


What did organizations do before there was talk about risk appetite? What do many still do in the absence of a risk appetite statement?

Do they let management run wild, taking all the risk they think would help their results and get them significant bonuses – while putting the organization in peril?


There are limits and policies that constrain management actions everywhere.

  • Limits on spending (budgets) and purchasing (purchase orders)
  • Limits on the granting of credit
  • Limits on the approval of discounts
  • Limits on the approval and signing of contracts and commitments, both purchase and sale
  • Trading limits
  • Approval requirements for the granting of system access rights
  • Health and safety policies
  • Ethics policies
  • Information security policies and standards
  • Hiring policies
  • Policies around the sale by management of the company’s shares
  • Limits on the number or value of assets held by the company (such as insurance policies, mortgages, inventory at specific locations, etc.)
  • And so on


Some have developed risk appetite statements that attempt to come up with a single number or value for all the sources of risk facing the organization. They seem to believe that they can aggregate disparate sources of risk, such as credit risk, operational risk, cyber risk, and so on.

I don’t think that is logically (or mathematically) sound.


Some have risk appetite statements (and previous COSO guidance has examples) that say things like “the company has a low tolerance for compliance risk”.

It is interesting that the COSO document I wrote about in May (see link above) seems to think this has meaning and value:

Echo Relief, a service organization to help people through disasters, will pursue new programs that enhance the delivery of services to those in need within our financial ability. We will accept moderate risk to the safety of staff and volunteers as we respond to disasters. In order to maintain good stewardship of donor funds, we have a low appetite for risks related to misuse of funds.

I don’t think that adds more than lipstick value.

It won’t affect any decisions.

So what does make sense?


If I were a CRO today (I retired from that wonderful position several years ago) I would consider developing a risk appetite statement of a different kind – even if I were in an organization bound by related regulations.

Its purpose would be twofold:

  1. To explain how management is guided to take the right risks, neither too much nor too little.
  2. To ensure there is sufficient guidance for decisions made by management (and the board as needed). (Every decision involves taking risk.)

I would certainly not try to come up with a single value for risk appetite, nor would I attempt to come up with single numbers for different types of ‘risk’.

I would also avoid flim-flam language that is not actionable, such as “we have a low appetite” for this or that.

How can you ever say that having a low or even no appetite for compliance or safety failures is meaningful? It is impossible to have a zero likelihood of a failure in either area.


My idea of a risk appetite statement would take each area of ‘risk’ and reference how management is guided when it comes to taking it. The document would explain what policies, procedures, and standards apply and whether there are specific limits. I would include how exceptions are handled.

In some cases, there will be specific limits, such as in the granting of credit. In other cases, such as employee safety, management judgment will be guided by related policies, etc.


It is essential, as COSO recognizes, that management be able to take the right risk when warranted – making informed and intelligent decisions.

Also recognized by COSO, limits (even those they refer to as risk appetite) should be exceeded when the business need or reward justifies it. A rigid limit has the effect of limiting success.


If risk management is to be meaningful, it needs to deliver actionable information to help people make informed and intelligent decisions – and take the right level of the right risks.

If you have a risk appetite statement or are developing one, don’t do it to comply with the regulations.

Do it so it means something!

Or, reconsider and focus instead on helping leaders make the right decisions.


I welcome your thoughts.

Most read posts of 2020 and all-time

December 28, 2020 6 comments

It is interesting to me that the blog post that has attracted the most views in 2020 is also the most read post all-time.

It seems people continue to be very interested in risk appetite – signaling that I need to share more thoughts on why this is a concept with serious flaws, which I shall in January.

In any event, the top 12 are shown below. A further 17 had more than 1,000 views.


When it comes to all-time views, these are the posts that have garnered more than 10,000 views.


Please share which posts you enjoyed the most – and why.

Getting the most out of internal audit

December 20, 2020 5 comments

It is encouraging to see the public accounting firms recognize the value that an effective internal audit team can provide an organization.

Earlier this year, PwC shared their views in Getting the most out of internal audit: How can the audit committee help maximize the value of internal audit?

They make a number of good points, but miss the most important issues in my opinion.

Let’s first look at a few of their observations:

  • Maximizing the value proposition of the internal audit group is an effective way to help audit committees address their risk oversight responsibilities. But getting internal audit’s full value requires focus and attention. It requires the audit committee to reflect on what it needs and to be direct with internal audit.

Comment: Internal audit can help with more than “risk oversight.” For example, at one company where I was CAE, the board was concerned with the leadership of the CEO. The board chair asked for my insights on the executive team and whether they were effective as a team. I have also helped the audit committee with their oversight of the external auditors, gathering an assessment of their performance from the global management team.

Comment: I find it frustrating to see surveys of audit committee members where they say they are disappointed in internal audit performance. They should remember that internal audit reports directly to them; they must, as PwC says, reflect on what they need and be direct with the CAE. If he or she is not responsive and performing, they should replace him or her.

  • The audit committee needs robust and concise, yet impactful, reporting from internal audit.

Comment: Internal audit needs to provide the board and the audit committee (and others such as the governance, risk, and compliance committees) the assurance, advice, and insight they need, when they need it, in an actionable form. They need to stop giving them reports with information that doesn’t matter to the organization and the members of the board. They should respect the value of the audit committee’s time: they never have enough!

  • The audit committee can empower internal audit by providing visible support, starting with the Chief Audit Executive (CAE) as the leader of the group…. An open and trusting relationship between the audit committee and the CAE is critical to help develop the CAE into a leader who can deliver value to the organization.… Internal audit often reports to both the audit committee and management. Regardless of the organizational structure, reporting lines that promote objectivity and effectiveness are critical to a high-performing internal audit function. It’s also important that the reporting lines are clearly defined and well-known in the organization.

Comment: Yes, and easy to say. But there is much more, as I will discuss later.

  • The expertise and value of internal audit could be underutilized if its focus is not aligned to the company’s strategic objectives. Audit committees should expect internal audit to work with other risk and compliance functions in the company. Internal audit should clearly communicate how they work with these other groups to assess risk.

Comment: Yes, but PwC simply fails to understand what agile and flexible internal auditing is about. While they use those terms, they also talk about an annual audit plan and audit projects that have multiple phases.

Comment: Internal audit needs to be sufficiently agile and flexible to address the risks and opportunities of today and tomorrow. Annual audit plans are increasingly recognized as an obsolete practice. While PwC mentions rolling audit plans, this is not promoted as a necessary practice in their document.

Comment: It is management’s responsibility to identify and assess risk. It’s about time the audit firms understood this!

  • Once internal audit has completed its work in an area, it issues the report to management and sometimes to the audit committee as well. Some audit committees rely on the CAE to report to them only on significant areas or significant findings. The CAE should provide a summary of all reports issued during the period, including the scope of the audit, the findings by risk level (if used), and whether or not the findings have been resolved.

Comment: The board should be concerned when there is disagreement on the severity of issues and opportunities between internal audit and management, or on the appropriate actions to be taken. This may be why management is not implementing the recommendations; they may not be justified on business grounds. Focusing on open items is good, but first there should be a discussion of whether internal audit is working with management to come to a constructive agreement on the issues and actions – and if not, why not. If internal audit is writing a report and expecting management to follow with a response, that is an indicator of not only poor internal audit practices but also a failure of both management and internal audit to partner with each other.

Comment: Why should the audit committee need to know of ‘findings’ (such a negative word) that are less than significant? Why give them information and consume their time on trivia? It is far better to spend audit committee time on weighty matters and, if there are none, let the time be used for other reports.

Comment: The word ‘significant’ needs to be understood. It should refer to what would be significant to the audit committee members, not to the auditors or middle management.

  • The audit committee should periodically assess the performance of the internal audit function as a whole and the CAE in particular. In doing so, the committee may consult with the external auditors, management, and individuals from third parties (e.g., firms that provide internal audit services) who regularly interact with internal audit.

Comment: Yes, but while PwC has asked some good questions, they don’t ask whether the members of the audit committee feel internal audit is helping them discharge their oversight and governance responsibilities.

Comment: As I will explain momentarily, it is the assessment of the audit committee that should drive the compensation of the CAE.

PwC has shared, in the Appendix, some interesting and colorful reporting suggestions. But I wonder how much of this information the committee members need to know.

I prided myself on telling them only:

  • What they needed to know as a management oversight function
  • When they needed to know it
  • In a way that enabled them to take appropriate actions

Many of my reports to the audit committee were short (15 minutes) and to the point. They don’t really need to know all the trivia in the PwC suggested reports.

So what did PwC miss? What advice should have been clear?

  1. The CAE should report solid line to the audit committee and its members. While there is usually a dotted line to a senior member of management, this is for administrative purposes such as approval of expenses. Talking about dual reporting, even with code words like ‘functional’, waters down the fact that management should not direct the activities of the internal audit function.
  2. The audit committee should act as the direct manager and supervisor of the CAE. This means that they determine who is hired and fired, compensation, budget, and more. This they should make very clear to senior management. Talking about ‘empowering’ the CAE is weak language when strength is needed.
  3. The members should all have a personal (preferably) as well as a professional relationship with the CAE and, if possible, with his or her direct reports. This is simply what good managers do!
  4. The audit committee should take an active role in ensuring that the internal audit function addresses what matters to the success of the organization (risks and opportunities) – and especially ensure they are not wasting time on issues that would never significantly affect its success.
  5. The audit committee should encourage the CAE to share insights not only on processes but on people. The CAE is usually going to be cautious about doing this, which the members should recognize, and where needed the members must be direct in their questioning.
  6. The confidential sessions with the internal auditor, typically held after the main business of the committee is concluded, are immensely valuable. The committee should ensure that there is sufficient time, that others are excluded (except where both the members and the CAE agree they are necessary), and that anything shared is kept confidential.
  7. The audit committee should consider whether the CAE has the ability to act as a senior executive and hold him or her to that standard.

I am sure there is more – and look forward to your comments.

Do you hire people who can think?

December 15, 2020 3 comments

In Auditing that matters (which I strongly recommend for every internal audit practitioner or consultant), I have a chapter on making sure you have the audit team you need.

Here is an excerpt from the start of that chapter. It talks about probably the most important skill I needed from every member of my team.

The need to think

I ask a great deal from my team.

I need them to THINK.

Thinking is not, sad to say, something that every internal auditor does.

In fact, most auditors are trained NOT to think! They are told to ‘follow the audit program’ and do what they are told. Sometimes, they are even told to do the same work as the last time the area was audited.

As we know today, the risks of today are very often not the risks of yesterday. Doing the same audit means we are auditing what used to be the risks, not necessarily what they are today.

While I would always prefer to hire people who have never been trained to “do what I tell you and follow the audit program”, that is not always possible. Very often, I can see in the interview process who has the capability of thinking for themselves. If they have high potential, I will hire them and unlock their chains by insisting that they always use their intelligence. If they drift towards following the same program as last year, I ask them why – and persist until I get their answer, not an answer provided by somebody else.

If we are to gain insights and provide management with meaningful, valued assurance and advice, I need auditors who can:

  • Think
  • Imagine what might be
  • Suggest options for improvement that management has not considered

People can be trained in technical matters such as auditing skills. They can learn the business. But, it is much harder to learn to be imaginative or to think logically.

As long as individuals have intelligence and their curiosity, imagination, and creativity can be unlocked, they have the potential I am looking for.

It takes an unusual recruiting and interviewing process to identify individuals with high potential. It takes a manager who acts more like a mentor and teacher than a supervisor to help those individuals further develop and realize that potential.

I am proud that I have been able to staff my teams with individuals who can think, are willing to challenge traditional thinking (whether by the business, internal audit, or me), and suggest creative solutions to today’s and tomorrow’s challenges.

They have told me, even people who have worked for me for years (or decades, in one case), that I have always challenged them.

One key is to never answer a question – if at all possible. Instead, help the questioner find the answer themselves.

Ivy Yeo worked for me at Maxtor and this is what she had to say on this topic:

“You are the best teacher in my life! You just know when is the time to give me a straight answer to my question (for questions which are beyond my ability to solve). You know just when is the time to answer my question with another question to stretch my ability to think further and discover the answers on my own.”

As a child, I learned the value of a short word: “why?”

In my 2nd grade math class, Professor Taylor asked the class a very simple question: “what is the square root of 4?” I put my hand up, but when I said the answer was 2, the learned professor asked me “why?” He made me think. Answering that this is what I had been told, or that 2 X 2 = 4 was not sufficient. He made me think through and come up with an explanation that demonstrated my understanding of the mathematics involved.

As a manager of people, I also use this simple question. It doesn’t matter whether the individual has the right answer or not. I want him or her to explain to me why it’s the correct answer.


This skill, the ability to think, is not only critical but in this dynamic and turbulent environment absolutely essential for success.

When the world is changing, blindly following the practices and principles of the past should not be acceptable.

Use that question, why, as often as you can:

  • Why should we do this?
  • Why does it matter?
  • Why should we do it the same way as last time?

Then follow up with related questions, such as:

  • What are we (the organization) trying to achieve?
  • What is the best way to achieve that?
  • Is there a better way?
  • What would happen if we stopped doing this?

…and so on.


What do you THINK?

Do you emphasize independent thinking?

Do you encourage imagination and creativity?

Are you willing to listen to crazy thoughts?

Trends in SOX compliance programs

December 13, 2020 9 comments

The software company Workiva has been surveying practitioners to understand what is happening with SOX programs since 2016. They recently shared a summary of trends over these last five years.

They draw four conclusions.

1. Internal audit is the majority owner of the SOX program.


  • Technically, management always retains ownership of the SOX program. However, internal audit may perform much of the assessment activity on behalf of management.
  • Workiva has not shared how many companies were surveyed or whether they are the same companies each year. As a result, it is somewhat speculative to draw conclusions from the survey results. However, it is not unreasonable to assume that the survey sizes have been significant and at least indicative of the trends asserted by the authors.
  • There is a huge difference between performing the testing on behalf of management and planning/managing the entire SOX program (a distinction not drawn in the report). My personal observation supports an assertion that the majority of companies rely on internal audit to perform testing. But saying that they own the program goes perhaps a bit too far.


2. Even when internal audit is not the owner of the SOX program, it is involved in several facets of the SOX program.


  • The paper says “we draw the conclusion that the performance of SOX compliance activities is negatively impacting the capacity of internal audit teams to execute assurance reviews”. However, there is no evidence provided to support that position. Just because internal audit in many cases (31% here of the 77% who perform SOX testing, or 23.87% of the population) are spending more than 50% of their time on SOX does not mean that they lack sufficient resources to address their other responsibilities. That question is neither asked nor answered.
  • It is interesting that the percentage of internal audit functions performing SOX testing is down from 85% in 2016 to 77% in 2020. Since this is the greatest consumer of resources (compared to performing walkthroughs, issue tracking, and risk assessment), it is likely that internal audit resource allocation to SOX is actually less in 2020 than in 2016.
  • It is also interesting to see that a number of internal audit functions perform testing but not walkthroughs. That sounds like an opportunity that has been missed.


3. The cost of SOX compliance is increasing.


  • I would be shocked if it was not increasing, given inflation and escalating external audit fees!
  • Workiva says “As organizations continue to grow and processes become more complex, the number of SOX key controls will increase, and survey results reflect this trend as well: the number of respondents who reported 250+ controls increased 10% between 2016 and 2020”. This is not logical if a proper top-down and risk-based approach is taken. Remember that as a company’s revenue grows, so does its level of materiality. A careful scrubbing to remove non-key controls from scope should, in many if not most cases, reduce the number of key controls! As materiality increases, the ways in which there could be a material error or omission in the consolidated financial statements will generally go down, not up.
  • I do not see the logic that adopting solutions like Workiva’s reduces cost. If anything, it is likely to increase it.


4. Practitioners continue to focus SOX programs on cybersecurity risk.


  • Hackers that take advantage of cybersecurity weaknesses have never, to my knowledge, targeted the financial statements. They may steal data, ask for ransom, or cause disruption, but the likelihood of a material misstatement as a result of a hack is very low indeed.
  • If there is a breach that causes disruption and an inability to file financial statements with the SEC on time, that is not a SOX issue. It may be a violation of other SEC requirements.
  • While I often hear of pressure from the external auditors to address cybersecurity risks, a proper top-down and risk based approach (preferably using the IIA’s GAIT Methodology, which I strongly recommend) should help organizations determine whether the risk of a material misstatement is real.
  • Workiva justifies their assertion by pointing to survey results: In 2017 (there are no 2016 results) 84% had fewer than 100 ITGC key controls in scope, whereas in 2020 that is 80%. However, in 2019 the number was 77%. The survey results simply don’t support their assertion.



So, what are the SOX program trends based on my experience (I have been leading a SOX Masters[1] training class for 8 years or so)?

  1. There continue to be massive opportunities for most organizations to ‘right-size’ their program. Unless regularly pruned using a top-down and risk-based process, the program will grow out of control. Just because a control was in scope last year does not mean it should continue to be in scope in 2021.
  2. Leadership of the SOX program continues to change, necessitating training for new SOX program (and internal audit) leaders. Several companies send every new leader to my SOX Masters program.
  3. The external auditors continue to latch onto every new risk of the day. The great majority of their requests for scope changes don’t survive the question of “Where is the risk of a material misstatement? Show me!”
  4. While technology can be very helpful and increase the efficiency of the SOX program, care has to be taken when it comes to trying to use it to test controls. Most analytics and other tools test the data, not the controls.
  5. Internal audit adds tremendous value when it performs SOX testing on behalf of management, and their understanding of risk and controls aids SOX program management. But they should always work with the board to ensure they have sufficient resources to address the more significant sources of risk (including opportunity) to enterprise objectives.


I welcome your thoughts.


[1] The next class is scheduled for February, 2021

Delivering value from IT audit

December 8, 2020 3 comments

Some of you may not know this, but earlier in my career I was an IT auditor (starting with Coopers & Lybrand). In fact, I was a bit of a techie and trailblazer when it came to understanding how the operating and related systems could affect the operation of applications and, thereby, business operations.

I had some fun with this when the IT audit leaders in France contradicted me. I wrote a simple RPG II program, then compiled and ran it twice. I changed a couple of lines in the Linkage Editor so that the results were different.

Anyway, IT audit has been a passion of mine for many years.

So, when I saw that Deloitte has published a piece, The Future of IT Audit[1], I was interested.

Here are some excerpts with my comments:

  • In a world where everything from automotive to banking relies upon technology, IT audit methodology needs to change. The future of IT audit should align itself with IT’s new strategic role and to act as an adviser, not solely an auditor.

Comment: being an auditor is being an adviser. That should not be a change.

Comment: what may need to change is that a larger percentage of the audit plan and staffing should be on technology-related risks and opportunities.

  • As boards are recognizing a paradigm shift wherein IA takes on a strategic role, they expect IT not just to keep pace, but also to think critically about IT audit risks.

Comment: again, this should not be a change. Internal audit should already have a strategic focus. There’s little value in auditing the past when the future is what matters.

Comment: IT audit should be concerned with the success of the organization as a whole and the risks to that business as well as the opportunities to take advantage of change – with a focus on those that relate to technology. See Making Business Sense of Technology Risk. It’s not about IT risk, it’s about business risk.

Comment: the greatest risk may be taking too little risk.

  • Increasingly, boards are shifting their focus to understand how technology can also be leveraged offensively to create new opportunities, business models, and revenue.

Comment: nothing new here.

  • Directly engage with IT leadership in evaluating the risks, skills, and capabilities required to assist the organization in mitigating IT execution risk, which today can represent an existential threat to the business.

Comment: this sounds good but is misdirected. Focus on the business, not technology out of context.

  • Become highly conversant on the strategic plan and consider IA’s role in evaluating management’s monitoring of IT execution risk.

Comment: there is so much more, as I will explain.

  • Today, internal audit professionals need to be technically savvy in the context of the IT-driven enterprise and the IT-driven business strategy.

Comment: this sounds good, but what does it mean?

So what is my advice for IT auditors? What is the future of IT audit?

  1. The goal should be to perform auditing that matters. Address the issues (risks and opportunities) that are important to the success of the organization as a whole. Work, even in specialist teams such as IT audit, should be designed to address the business risks and opportunities that matter to the success of the organization.
  2. Don’t have a separate IT risk assessment and plan. Remember to focus where reliance is placed on technology – and a failure would be serious from a business, not just an IT perspective.
  3. Audit any IT risk assessment (see the guidance in Making Business Sense of Technology Risk). It should help leaders understand how the achievement of enterprise objectives may be affected by technology failures or successes; a risk-prioritized list of information assets simply doesn’t cut it.
  4. Don’t underestimate the need to participate and advise on development and major maintenance projects.
  5. Don’t do work where the results wouldn’t matter to leadership.
  6. Recognize the need to take the right level of risk. Being late to roll out a new technology because of concerns about risk can be more damaging than accepting a higher level of risk so you can be first to market.
  7. Provide the insight, advice, and assurance that leaders need if they are to manage the organization for success.
  8. Don’t be afraid to call out IT management when they fail to be sufficiently visionary.
  9. Don’t ‘audit what you can’ – audit what you should because it matters. Get extra resources if there’s a gap.
  10. The future for internal audit and IT audit is bright, but only if we put our significant talents to work providing leaders with the assurance, advice, and insight that matter to them: information that helps them to achieve their objectives.

What do you think?

[1] Deloitte has done something crazy, at least in a Windows environment. If you cannot see the article because of their advertising, move your mouse over to the left and it should disappear.

Dynamic Risk Management for Uncertain Times

December 5, 2020 8 comments

I always find articles by McKinsey worth reading – and I strongly recommend subscribing.

One that merits our attention is Managing the Future: Dynamic Risk Management for Uncertain Times.

It has one major flaw that I will mention and then we will look past: it imagines risk management as something you do to avoid failure rather than achieve success. It only considers downside risks and ignores upside opportunities. It certainly doesn’t help you determine which risks to take!

The minor flaw is that all times are uncertain!

Having said that, here are some interesting comments from the paper:

  • The digital revolution has increased the availability of data, degree of connectivity, and speed at which decisions are made. Those changes offer transformational promise but also come with the potential for large-scale failure and security breaches, together with a rapid cascading of consequences. At the same time, fueled by digital connectivity and social media, reputational damage can spark and spread quickly.

Comment: let’s not downplay the enormous upside, not only in detecting and addressing ‘risk’ but in upgrading processes and identifying and seizing opportunities.

Comment: the point about the speed of decision-making is very important. Information about what might happen must be rapidly available, and perfection can be the enemy of success. Periodic assessments are clearly unlikely to be sufficient when the situation is changing fast.

  • Stakeholder expectations for corporate behavior are higher than ever. Firms are expected to act lawfully but also with a sense of social responsibility. Consumers expect companies to take a stand on social issues, such as those fueling the #MeToo and Black Lives Matter movements. Employees are increasingly vocal about company policies and actions. Regulator and government attention is reflecting societal concerns in areas ranging from data privacy to climate.

Comment: this is very true and organizations should look into semantic analytics and other tools to address it. This can actually be turned to advantage!

  • Companies require dynamic and flexible risk management to navigate an unpredictable future in which change comes quickly. The level of risk-management maturity varies across industries and across companies. In general, banks have the most mature approach, followed by companies in industries in which safety is paramount, including oil and gas, advanced manufacturing, and pharmaceuticals. However, we believe that nearly all organizations need to refresh and strengthen their approach to risk management to be better prepared for the next normal.

Comment: very few indeed have what I would call mature systems of risk management. Some believe they do, but even those are scarce according to studies by the ERM Institute and others.

Comment: there needs to be a constant questioning of risk management processes to confirm that they continue to meet the needs of decision-makers.

Comment: can we please change from managing risk to managing the likelihood of success?

  • Institutions need both to predict new threats and to detect changes in existing ones. Today, many companies maintain a static and formulaic view of risks, with limited linkages to business decision making.

Comment: this last part is especially true and the article really doesn’t help with constructive suggestions. (It’s a major aspect of my new book.)

Comment: there is talk about objective-based risk management; how about decision-based risk management?

  • Some risks are slow moving, while others can change and escalate rapidly.

Comment: true and risk-related processes have to operate at the speed of risk – and the speed of decision-making.

  • Traditional risk-identification approaches based on ex post facto reviews and assessments will not suffice.

Comment: they have never been sufficient to inform decisions and enable success.

  • Companies need a systematic way to decide which risks to take and which to avoid. Today, many institutions think about their appetite for risk in purely static, financial terms. They can fall into the simultaneous traps of being both inflexible and imprudent. For example, companies that do not take sufficient risk in innovating can lose out to more nimble competitors.

Comment: I love their use of the idea that you need to take risks; so much more savvy and appropriate than accepting risks.

Comment: as with many suggestions from consultants and even risk frameworks and standards, there is little help here in determining which risks to take given the reward and the need to achieve objectives. It’s more than whether the reward exceeds the risk. Factors like ROI and the effect on the likelihood of achieving objectives need to be considered.

  • In the next normal, however, institutions will need to make risk decisions rapidly and flexibly, laying out and executing responses, whether immediate or prolonged, about how to avoid, control, or accept each risk.

Comment: having switched to taking risks, now the authors turn back to the passive act of accepting risks. When you start laying in the idea of seizing opportunities you start to align with the reality of business decision-making.

  • Today, the art of the possible in defending against adverse outcomes is rapidly evolving. Automated control systems are built into processes and detect anomalies in real time. Behavioral nudges influence people to act in the right ways. Controls guided by advanced analytics simultaneously guard against risks and minimize false-positive results.

Comment: they also help identify and seize opportunities.

  • Companies should maintain and periodically update detailed crisis playbooks. Their strategies should include details on when and how to escalate issues, preselected crisis-leadership teams, resource plans, and road maps for communications and broader stakeholder stabilization.

Comment: I agree, but let’s also make sure that the organization is agile and flexible enough to take advantage of opportunities.

  • Today, many firms see enterprise risk management as a dreary necessity but hardly a source of dynamism or competitive advantage. It can suffer from being static, siloed, and separate from the business.

Comment: what do you expect when you only review a list of risks instead of talking about how to achieve success?

  • To meet the needs of the future, companies need to elevate risk management from mere prevention and mitigation to dynamic strategic enablement and value creation.

Comment: Finally!

  • Companies can embrace the digital revolution to improve risk management.

Comment: true.

  • …we believe companies need to rethink their approach to risk management, to make it a dynamic source of competitive advantage.

Comment: transform it from something you have to do to something you want to do – somewhat of a theme in my book.

What do you think?

Selecting software for risk management

November 30, 2020 1 comment

A number of people have asked me about the future of risk management.

I can tell you that I am seeing progress!

You won’t necessarily see this in surveys, for example those of the ERM Institute – which show no improvement, even possible degradation in the maturity of risk management programs.

But I am seeing it in a couple of areas:

  1. Practitioners who, based on their comments to my blogs, have not only embraced the need for change, but are on that journey. They are moving (or have moved) from the periodic review of a list of risks to a form of risk management that is more continuous, enables effective decision-making, and is focused on helping the organization succeed. This is what I talk about in Risk Management for Success.
  2. Software vendors are starting to see the light as well. Some have been in touch with me to tell me how they are moving their products in the direction indicated in my book. They are emphasizing the need to be objective-focused and help organizations understand the likelihood of achieving those objectives.

This latter is reinforced by my good friend Michael Rasmussen in his post from early November: Rethinking Risk Management RFP Requirements.

Here are some excerpts with my comments.

  • Organizations need to get beyond the marketing hype of buzzwords and misleading analyst rankings to really understand if the technology can deliver on the requirements of their risk management maturity journey.

I agree, but let’s also agree that a ‘risk management maturity journey’ is not about identifying and reviewing a list of risks every so often.

  • This involves a clear understanding of where you are now with risk management and where you want to be. 

Yes, find a solution that meets your needs for now and also for your future. It’s less about ‘risk management’ needs and more about the need for insight and information to fuel effective decisions.

  • There are basic risk management solutions that do ease the pain of human capital efficiency (e.g., time) in not having to manage documents, spreadsheets, and emails. But these are basic and typically aimed at tick-box exercise for risk management that is more of a qualitative compliance exercise and not true risk management. Mature and valuable risk management is more than forms, surveys, workflow, and tasks and requires risk quantification, modeling, analytics, and reporting that is aligned with business objectives and in the context of business objectives. It requires seeing the complex interrelationships and interdependencies of risk. 

The key here is that it is all about ensuring people have the information they need about what might happen to make the informed and intelligent decisions necessary for success.

  • ISO 31000 states that ‘risk is the effect of uncertainty on OBJECTIVES.’ So good risk management STARTS with performance and objective management. These can be entity-level, division, department, process, project, or even asset level objectives. Risk needs to be understood in the context of objective. 

Yes, although it would be interesting and beneficial to turn that on its head.

Objectives need to be understood in the context of risk (which includes opportunities).

  • Risks cannot be understood and managed in isolation.

Yet, everybody does that over and over again.


1000% correct.

My question is this:

Are you evaluating software based on how it will help people get the information they need for informed and intelligent decisions, or are you limiting your sights to what is needed for compliance purposes?

I welcome your thoughts.

Risk Management for Success – E-reader Version

November 30, 2020 1 comment

Initially, I only had a hard copy version available for my new book. The reason is that the maturity model section is extensive and has to be presented in landscape. Amazon’s Kindle software does not support a book that has both portrait and landscape sections.

A number of people told me that they wanted an e-reader version because of issues with Amazon delivery to their location.

I have now added that e-reader (Kindle) version and it’s available on Amazon.

I continue to recommend the hard copy for several reasons, including the fact that it presents far better in terms of format.

I had to make a compromise with the Kindle version. Since I cannot include the landscape maturity model in the same document, the Kindle version has a link so you can download it in PDF format.

I hope this works for everybody.

I am very interested in any feedback readers may share on the concepts and ideas in the book.

I am convinced that transformation is essential – and that the book portrays a vision for ‘risk management’ that will change the views of leaders from it being a compliance activity to avoid failure to one that makes a significant contribution to achieving success.

New Guidance from COSO on Compliance Risk. Is it of value?

November 22, 2020 3 comments

One of my good friends asked me to review the latest from COSO, Compliance Risk Management: Applying the COSO Framework, which was published this month.

My friend said it was one of the worst pieces of guidance released by COSO, but I tend to disagree. It has value but is incomplete.

I like these comments:

  • Compliance risks are common and frequently material risks to achieving an organization’s objectives.

ndm: It is refreshing to see the reference to achieving objectives.

  • Compliance risks are those risks relating to possible violations of applicable laws, regulations, contractual terms, standards, or internal policies where such violation could result in direct or indirect financial liability, civil or criminal penalties, regulatory sanctions, or other negative effects for the organization or its personnel.

ndm: The publication includes not only violation of laws and regulations but also of corporate values, what OCEG refers to as mandatory and voluntary boundaries.

  • Although the underlying acts (or failures to act) are carried out by individuals, compliance violations are generally attributable to the organization when they are carried out by employees or agents of the organization in the ordinary course of their duties. The exact scope of acts attributable to an organization can vary depending upon the circumstances.
  • Compliance violations often result in fines, penalties, civil settlements, or similar financial liabilities. However, not all compliance violations have direct financial ramifications. In some cases, the initial impact may be purely reputational. However, reputational damage often leads to future financial or nonfinancial harm, ranging from loss of customers to loss of employees, competitive disadvantages, or other effects (e.g., suspension, debarment).
  • A series of events in the 1980s in the United States led to the U.S. Sentencing Commission publishing guidelines in 1991 for the punishment of organizations for violations of the law. Among its provisions, the sentencing guidelines for organizations provide for very significant reductions in criminal penalties if an organization has an effective compliance program in place. Important amendments were made in 2004 and 2010 to clarify and expand on the characteristics of an effective program.
  • Separately, the USSG also require that organizations periodically assess the risk of noncompliance and continually look for ways to improve their C&E programs.
  • The USSG do not mandate C&E programs for any organization; however, they provide an incentive for the establishment of such programs as a means of mitigating the significant penalties that can otherwise result when an organization is found to have violated federal laws.
  • A sampling of some of the guidance from outside the U.S. reveals a mostly consistent picture of what regulators expect from C&E programs. For example, the United Kingdom’s Ministry of Justice has provided guidance on the Bribery Act 2010, describing procedures that commercial organizations can put in place to minimize the risk of bribery.

ndm: I am pleased to see reference to other nations and also to the ISO standards.

  • …internal control is not solely about accounting and financial matters. Compliance with laws and regulations is one of the three fundamental objectives of an organization’s system of internal controls.
  • An important aspect of ERM is its focus on creating, preserving, and realizing value.
  • It is important to understand that although virtually every employee plays a role in managing risk, the management/mitigation of compliance risk is primarily the responsibility of all management at all levels.
  • The role of the compliance and ethics officer is to help management understand the risks; lead the development of the program to mitigate and manage those risks; evaluate how well the program is being executed; and report to leadership on gaps in coverage, execution, or material instances of noncompliance, including those by senior leaders.
  • The board of directors is responsible for oversight of the organization’s C&E program, and management is responsible for the design and operation of the program.
  • Culture begins with a sincere commitment to compliance and ethics at the leadership level.

ndm: The commitment has to be sincere. Leaders have to walk and talk in a way that people believe in their integrity, morality, and ethical behavior. A leader is somebody you willingly follow, and a leader when it comes to compliance inspires all to be ethical.

  • When allegations of noncompliance or unethical behavior emerge, they must be taken seriously. This means that individuals should be required to report wrongdoing and have multiple avenues for reporting.

ndm: It is hard and legally questionable to require people to report suspected wrongdoing.

  • Context is critical to understanding and managing compliance risks. Business decision-making is one of the drivers of compliance risk; decisions can create new risks, change existing risks, or eliminate risks.
  • Risk interdependencies may also affect how an organization manages compliance risks. An organization’s responses to other risks (e.g., strategic, financial) may affect compliance risk in a positive or adverse way.

ndm: This is one of the areas where the guidance is incomplete. There may be other sources of risk and opportunity that need to be considered together with compliance-related risk.

  • Organizations must also recognize that they cannot realistically eliminate all compliance risks or reduce the likelihood of occurrence to zero. This is simply not possible. As a result, engaging in discussions about risk appetite relating to compliance risks is a valuable tool in prioritizing efforts aimed at prevention and detection of specific compliance violations. Guidance from regulators is consistent with this concept: expecting organizations to reduce and manage, not necessarily eliminate, compliance risk.

ndm: This is similarly incomplete. You cannot discuss ‘appetite’ for compliance risk in a vacuum. More later. In addition, expressing a risk appetite for compliance risk is dangerous ground. Do you want to admit (and document) that you are willing to be in violation of law?

  • The compliance function should be involved in strategy discussions from the standpoint of (1) understanding the strategy so that the C&E program can be designed to manage compliance risks appropriately and (2) advising strategic decision makers about possible compliance risks associated with strategies under consideration.
  • If strategic decisions made by an organization involve merger or acquisition activities, it is important for compliance to be involved early in the process so that appropriate due diligence focusing on compliance risks can be performed.
  • Sometimes, performance metrics developed for business units can inadvertently create incentives to violate compliance requirements.
  • Developing a risk inventory for compliance risk is similar to the process of developing the ERM risk inventory.

ndm: Developing a risk inventory (or register) is fraught with problems, as you tend to end up managing the list of risks instead of managing the business for success. Later, COSO refers to and provides an example of a heat map – for which the best reaction is Yuk!

  • In addition to severity and risk appetite, some organizations consider other factors in their risk prioritization. Adjustments might be made to the risks on the basis of velocity, persistence, and recovery.

ndm: It’s refreshing to see recognition that other factors should be considered in assessing risk.

  • If risks are managed in isolation without consideration of other risks, inefficiencies — and possibly conflicts — can occur.

ndm: True, but what about opportunities?

There’s a great deal more information of value. These are just some of the highlights.

So what is missing?

  1. There is no answer to the question of how do I determine how much to invest in preventing non-compliance. What is reasonable, such that it would be accepted by regulators?
  2. There is no discussion of how to consider the fact that decisions involve multiple sources of risk, and making a decision without considering all the things that might happen is likely to have undesirable results.
  3. There is no discussion of how to factor in opportunities, the reason to take risks.
  4. The reporting is siloed rather than showing leaders in management and the board the big picture.
  5. The risk is portrayed as a point rather than as a range of potential effects on objectives.
  6. Even though there is reference to other nations, it is past time for COSO to be an international body with international thought leadership.

These and more are discussed in Risk Management for Success.

I welcome your thoughts.