Archive for the ‘Risk’ Category

The future of risk management

June 24, 2017

The Institute of Risk Management has a great feature where they have asked people around the world, including a number of luminaries, about the future of risk management.

I was honored to be asked to contribute a video, which you can find on their web page, Risk Agenda 2025: Hear from the experts.

It is intentionally provocative and I hope it will provoke you to join the debate.

Trusted advisors and world-class internal auditors

June 23, 2017

I was recently privileged to receive a signed copy of Richard Chambers’ latest book, Trusted Advisors: Key Attributes of Outstanding Internal Auditors. Richard is the President and CEO of The Institute of Internal Auditors, a veteran of internal audit at the highest level, a friend, and an individual with whom I love to debate the practices of internal auditing and risk management. (I hope I am influencing his views on the imminent update of the COSO ERM Framework.)

I thoroughly recommend the book for any internal auditor, at any level.

Richard covers nine attributes of internal auditors who are seen by their customers in executive and operating management as “trusted advisors”. They are based on the results of a survey of CAEs and are grouped into three categories:
  • Ethical resilience
  • Results focused
  • Intellectually curious
  • Open-mindedness

  • Dynamic communicators
  • Insightful relationships
  • Inspirational leaders

  • Critical thinkers
  • Technical expertise

I will let you purchase the book (now on sale to IIA members) and read it in detail.

It makes an excellent companion to my book, Auditing that matters. I focus on the design and staffing of a world-class internal audit function, with a portion dedicated to the attributes of what I consider ideal members of the team, while Richard focuses the whole book on the latter.

So how do you leap from a trusted advisor to a world-class internal auditor? There are a couple of points that I did not see covered. Maybe I am taking them to the next level.

The first is seeing your purpose, your mission, as helping the organization and its leaders succeed rather than simply avoiding failure.

Pointing out deficiencies, even when you also point out remedies, is insufficient to be world-class. For that, you need to focus on the issues that matter to leadership and then provide them with the assurance, advice, and insights they need, when they need it, in an actionable form that is quickly digested and acted upon. Give them what they need to achieve their objectives and strategies. In other words, help them succeed.

This requires that we have such an understanding and appreciation of the business and what it takes to run it that we are willing to recommend taking risk when that is right for the business. Sometimes, even taking more risk.

The second is related: being able to hold a productive and constructive hour-long conversation about the business with an executive without ever using the words ‘risk’ or ‘control’.

If you are to tackle the issues that matter and add value through your insight, then you need a truly deep understanding of the business and how it is and should be run.

That’s not an easy task!

These are just a couple of attributes of world-class internal auditors, people who stand out to management so much that they are usually offered leadership positions themselves.

What do you think?

Always-On risk and strategy management

June 10, 2017

I like the idea of “always-on” strategy and performance management, as discussed in a piece by members of the BCG consulting firm.

Always-On Strategy hardly mentions the word “risk”, but it’s there in a major way.

Consider this:

To increase the odds of success in today’s turbulent environment, leading companies are complementing their annual strategy-setting process with something more dynamic. We call it always-on strategy.

Always-on strategy gives companies a systematic way to scan for signs of disruption and explore unexpected changes to the strategic environment. Companies identify the most pressing strategic issues and regularly engage senior leaders in formulating a response.

Doesn’t this sound like risk identification, assessment, monitoring, and response?

Aren’t “issues” the same as risks?

Later, the authors say:

Always-on strategy complements the annual [strategy] process by giving senior leadership a regular forum in which to monitor and discuss issues that warrant continual attention, including those identified during the annual process and during the course of the year.

Isn’t this what we strive to achieve with risk management, addressing the issues that might affect the achievement of strategies and objectives?

But the authors see issue or risk monitoring as the responsibility of the Chief Strategy Officer:

The Chief Strategy Officer (CSO) and the strategy team are ideally positioned to identify issues from the top down, both in the business units and externally. They can provide a structure and tools to capture and filter information from the broader organization.

CSO doing this instead of the CRO?

What does this mean?

If the language of strategy and issues resonates with leadership, use it instead of the technobabble of risk.

I met one CRO who reports to the CSO.

Is that a model that makes sense (in non-regulated industries – because the regulators have a risk-averse view of risk management)?

Maybe it does.

Maybe it allows and stresses an emphasis on achieving objectives instead of ‘managing risk’.

What do you think?

PwC does better on risk management

June 3, 2017

Last week, I wrote about a PwC piece that IMHO gave poor guidance to boards and their oversight of risk management.

To be fair, there are people in PwC who “get it”.

A different piece, presumably by different people, makes some important points.

How your board can ensure enterprise risk management connects with strategy says (emphasis added):

  • Any major strategic decision carries uncertainty. A well-developed enterprise risk management (ERM) program can help executives meet key business objectives.
  • “ERM” means different things to different people. Some companies simply use ERM to identify, prioritize and report on risks—protecting value. The best companies use ERM to make better decisions, improve their strategic, financial and operational performance and create value. But it takes work and buy-in at all levels to make that happen.
  • ERM is the collection of capabilities, culture, processes and practices that helps companies make better decisions as they face uncertainty. It gives employees a framework and policies to help them understand, identify, assess and manage risks so the company can meet its objectives. It’s most valuable when it’s integrated with strategic planning.
  • ERM should also look at whether the company is taking enough risk and focus on areas of overperformance as much as poor performance.
  • The best ERM programs allow companies to have both risk agility (can you quickly adapt to a changing environment?) and risk resilience (can you withstand business disruption?). And companies that are committed to effective ERM programs periodically assess how they can be further improved.

All of the above is good.

But after a good start, PwC reverts back to a discussion of how to manage the adverse and ignores what it said about making better decisions, creating value, or taking enough risk.

I am afraid that the updated COSO ERM Framework, which is being led by PwC, will do the same. (It did this in 2004 as well). They will start with great stuff about decision-making, setting and then executing on strategies, and creating as well as protecting value.

But then they will revert to their roots and talk about managing a list of risks.

Risk management is about understanding what might happen as you strive to achieve your objectives, then taking actions to increase the likelihood and extent of success.

That means that when you make strategic decisions you have to understand not only the possibilities of bad things but the possibilities of good.

Apply the same discipline and process to the likelihood and magnitude of positive effects as you do to adverse.

In addition, if you don’t focus on the achievement of objectives, but instead manage individual risks, how do you know whether you are likely to achieve them – or the possibility of exceeding them?

I only hope that PwC, with the influence of the COSO Board, gets the COSO 2017 ERM update right.

What do you think?

I welcome your comments.

By the way, if you are involved in the ISO 31000 update, do you expect that to be a leap forward enabling advances in practices such as decision-making?

PwC confuses boards on risk oversight

May 27, 2017

I want to start with two admissions:

  • I worked for 10 years at PwC and still have friends and respect for many of the professionals there.
  • I am hopeful that the pending update to the COSO ERM Framework, written by PwC, will be a leap forward in the practice. In fact I am more optimistic about the COSO initiative than I am that the ISO 31000:2009 update will reflect current leading (that risk management is about disciplined risk-taking through informed and intelligent decisions).

Then I read the latest advice for boards from PwC on risk oversight.

Why your board should take a fresh look at risk oversight: a practical guide for getting started is hugely disappointing.

While the PwC team on the COSO project recognize explicitly that risk management is far more than a periodic review of a list of risks, the authors of the board governance report are on a totally different page.

For example, the report says:

“It’s helpful for the board and committee chairs to work together to ensure all key risks are subject to board-level oversight. Some boards find it helpful to use a risk allocation matrix, which extends the key risk summary that many boards currently receive. Some companies even show overall risk allocation graphically in their proxy statements.”

They are talking about a list of risks, not about the achievement of objectives.

The report has a useful discussion about whether the organization’s disclosures about risk are complete and sufficient to satisfy investors.

It also asks interesting questions about the competence of the board members in risk management.

But, the role of the board is not to second-guess management and perform their own identification and assessment of risk.

The role of the board is to ensure management has the capability to do this and is in fact doing it well.

Frankly, the PwC report advises boards in a way that will lead them all astray!

It suggests the wrong questions.

I have written about this before, but here are the questions I would ask the executive management team if I were on or advising a board:

  1. What does risk management mean to you? Is it something you have to do (for compliance purposes) or does it actually and significantly help you determine and execute on strategy? If the latter, please explain.
  2. How effective do you believe, Mr. or Ms. CEO, the management of risk is? Does it give you a strategic advantage?
  3. How effective does your CRO believe it is (if you have one; if not, what does the responsible executive think)?
  4. How effective does your internal audit team think it is? How did they assess it? If they didn’t, why not?
  5. How do you factor in the consideration of risk (“what might happen”) into the selection of strategies and objectives?
  6. How do you factor in the consideration of risk into the selection, planning, and execution of major initiatives? Where can I find it in the proposals you submit to the board for approval?
  7. How do you and your management team make decisions in the face of uncertainty?
  8. What is the likelihood of achieving each of our strategic and major operational objectives? How do you assess not only performance to date but anticipate what might lie ahead? What are you doing about the latter?
  9. How do you know all decision-makers are taking the desired amount of the right risks? Do you help them at the point of decision-making or only after the fact through risk reporting against risk appetite? Does what you are doing work?
  10. What are you doing to improve the ability to address and respond to likely future events and situations?

The conversation about risk management expertise is, in my opinion, misplaced.

Members of the board should, for the most part, be able as former executives themselves to assess the competence of the executive management team in addressing what might happen.

That doesn’t require skills and knowledge in risk assessment techniques.

It requires the ability to listen, challenge, and think about how the CEO and his/her team are managing the organization with an eye on the future that is realistic about what might happen and what to do about it.

I welcome your comments.

Risk management and thinking

May 20, 2017

Last week, I was privileged to present what was billed as a “3 hour master class” on World-Class Risk Management to about 200 risk and internal audit leaders in Moscow.

Organized by Alex Sidorenko and the Risk Academy (check out their excellent web page, which includes blogs and a free book on effective risk management), I spoke about a couple of themes from my World-Class Risk Management book:

  • Effective risk management is about far more than a periodic review of a list of risks. It’s about taking the right level of the right risks, especially as we make decisions running the business.
  • The journey to world-class risk management involves understanding and addressing the risks to the quality of the risk information relied upon by decision-makers, executives, and the board.

The Risk Academy web site includes a link where you can see the entire presentation.

Alex treated me to a tour of the city, which I thoroughly enjoyed – especially the opportunity to chat and share ideas about the management of risk.

During our conversation, I realized something.

What do people say when you do something they think is wrong?

“What were you thinking?”

After you struggle to reply, they continue with:

“You weren’t thinking, were you?”

What do they mean? They mean that you weren’t thinking about the consequences of your actions, what might happen, and the other choices you could have made.

Isn’t that risk management?

  • Identifying what might happen
  • Assessing and evaluating the effects of what might happen
  • Determining whether that is desirable or acceptable
  • Taking action as appropriate, including making a different decision if necessary
  • Checking afterwards that what happened met your expectations and acting as necessary, going back to the top of this list (remember how ISO 31000:2009 says that risk management is dynamic, iterative, and responsive to change)

How can we help decision-makers think about what might happen?

Isn’t that the role of the world-class risk practitioner?

I welcome your thoughts.

Deloitte on internal audit and the path forward

May 12, 2017

In a new paper, Deloitte takes the results of its latest survey of chief audit executives (CAEs) and makes recommendations for action.

The survey, which has been widely reported, indicated that in the opinion of the responding CAEs only 28% of them “believe their functions have strong impact and influence in their organizations, while 16 percent felt that Internal Audit has little to no impact and influence”.

I think the path to fixing the problem starts with acknowledging it, which Richard Chambers has done in a number of his IIA posts (which you can find here).

Deloitte has suggested 9 areas of focus.

I disagree with them.

Here are my suggestions for CAEs, audit committee members, and executives who want to help improve the quality and value of internal audit services.

  1. Audit what matters. Audit how risks to the achievement of enterprise objectives, what might cause them to fail and what is necessary to succeed, are managed. Richard Chambers and I have both written a book with advice on the path forward. Neither of us does it for the money; it’s our shared desire to see the profession advance. My latest book addresses this topic and more, Auditing that matters.
  2. Focus on helping your stakeholders succeed, rather than on performing audits and writing audit reports. Read Richard’s latest, Trusted advisors: key attributes of outstanding internal auditors. Ask what information your stakeholders need from you which could make them welcome you to their table.
  3. Communicate what matters, when it matters, in a way that is actionable and readily consumed. The advice on this topic from Deloitte is off the mark. I cover the point in far more detail in my book, including pointing out that IIA Standards do not require an audit report; that the best communication is face-to-face where questions can be asked and answered; and that we need to deliver our assurance, recommendations, and insights at speed. The business is being run faster and faster, yet our reporting process remains slow and old-fashioned.
  4. Understand why the CAE is not getting the respect he or she should. Is it a failure of the CAE to explain effectively or of the audit committee and management to understand the potential for internal audit to help them succeed? Is it because the CAE is complacent, delivering what he is told he should and being satisfied with good performance reviews and bonuses instead of pushing the envelope to deliver the services and value he or she could and should?
  5. Deliver. Last but hardly least, the CAE must deliver assurance and insights that the executive team and the audit committee truly value. Again, this is what my book is all about, but if the executives and audit committee see our end product as ‘ho-hum’ and not something that might affect their decisions or strategies, then is it worth the money being spent on internal audit? Why should they give respect and, more importantly, their time to an activity that is peripheral at best to running the business?
  6. Be willing to change. Some CAEs, such as Chris Keller at Apple, have thrown out the traditional internal audit model because they can see a better way to add value to the organization, providing assurance that the right risks are being taken. We don’t accept people in the business doing things the same way for years because that’s the way it is always done, so why should we do that ourselves?

I welcome your comments and perspectives.