Archive for the ‘Risk’ Category

Risk and Strategic Intelligence

May 23, 2022 4 comments

One of the issues that has concerned me over the years is who is not only responsible for understanding what might happen (both risks and opportunities) but also has the capability to do so.

The easy answer is that operating management is responsible for understanding, evaluating, and addressing what might happen that could affect their business and its ability to achieve enterprise objectives.

That’s the easy answer, because I see the risk function as helping management do that. The risk function shouldn’t own the risk or be responsible for identifying and assessing it.

But do either have the capability to do it well?

A Wall Street Journal article, Building a Corporate Strategic Intelligence Program, got me thinking.

Should an organization establish a function whose job it is to survey and monitor the external environment? If so, should it be on targeted areas rather than the whole potential landscape? (The discussion in the article does not include threats or opportunities from internal sources.)

In the article (which has content by Deloitte but is written by an executive from Invesco, the company it profiles), the Strategic Intelligence function is not part of the risk function.

Effective strategic intelligence functions are often well connected across organizations, especially with risk management teams, and well positioned in the organization’s strategy-setting process. They also often report to a C-suite leader to enable intelligence to be elevated to the highest levels of leadership in the organization.

I think this is an idea that is worth exploring.

It would be a team with expertise in analytics and other tools, and access to other sources of research.

What do you think?

Proactive Auditing or Embedded Assurance

May 20, 2022 6 comments

When I saw that Protiviti had published an article with the title What Is Embedded Assurance — and How Can It Benefit Enterprise Projects?, I was intrigued.

What exactly is “embedded assurance”?

I expected something along the lines of the new-fangled concept of ‘combined assurance’, which is really not new at all! In 2009, the IIA issued Practice Advisory 2050-2, Assurance Maps (available only to members). It was an excellent piece of work then and remains useful today.

Or it could have been related to continuous assurance/auditing. But it’s not.

In fact, the concepts behind “embedded assurance” are very old! Just Google ‘pre-implementation reviews’ to find multiple articles on the topic. I was doing these when the authors were in diapers!

That doesn’t mean that the Protiviti piece is without merit (only that the sole thing new is the name they give it).

I strongly encourage every audit department to perform proactive auditing, getting involved in major (or even minor) projects when justified by the level of risk to the enterprise.

Vary the level of work, again based on the level of risk.

For example, a pre-implementation review might include one or more of the following:

  • A review of the cost justification/capital expenditure request
  • A review of the requirements documentation
  • A review of the project approach, such as whether adopting an agile methodology is optimal. One of the issues I have seen is that the incremental changes identified over the project’s life move it away from the original intent and why the expenditure was approved.
  • A review of the project plan and its management
  • A review of the design to ensure it will address the requirements
  • A review of the design to ensure it will have the necessary internal controls and security
  • A review of the test plans
  • Independent testing or reperformance
  • Building in additional data monitoring and alerts
  • A post-implementation review

You should also make sure you have the right team for your pre-implementation review.

At Tosco Marketing Company, which had more than 6,000 convenience stores as well as gas stations, management had a massive IT systems project. They would replace all the systems in the stores, connect them with a new central stores management system, run everything on new hardware, and implement a new access control system.

My team included two IT audit managers with application auditing expertise, another IT auditor with highly technical skills (including experience with the new access control system), and an operational auditing manager.

I needed all of these to make sure we covered the waterfront. This was not an IT project; it was a major business project.

By the way, this concept should apply to the proactive auditing of any major project, not just technology ones. For example, get involved in major new construction projects.

What do you think?

How active are you in pro-active auditing?

A Better Objective for an Audit

May 16, 2022 4 comments

Over the years as a CAE, I learned that there was a better way to steer the audit team. Instead of asking them to assess the system of internal control over a process or business unit (an approach that is disconnected from enterprise objectives), or whether the controls provide reasonable assurance that specified risks are at desired levels (a far better approach), I ask them to answer this question:

Do the processes and controls meet the needs of the business?

This makes the members of the audit team think!

What is management trying to achieve with this business unit, activity, process, etc.?

Does the way they are operating, which includes the controls they are relying on, provide reasonable assurance that they will be successful?

That means that not only do they need to take the right risks but seize the right opportunities. Are they doing that?

How well are they leading the organization and its people, obtaining optimal performance from both?

Is there a better way? What can and should be improved?

Answering my question enabled my auditors to assess the management of risks and opportunities and the related controls.

What do you think?

Try it for yourselves.

What should the Audit Committee ask the head of Internal Audit?

May 6, 2022 6 comments

In an April blog post on his new company’s web site, Richard Chambers writes about: 5 Questions the Audit Committee Should Ask Internal Audit – But Doesn’t.

It always surprises me, but perhaps it shouldn’t, that my friend and I (and we have known each other for a very, very long time) often have different views.

There are some issues on which we fiercely agree, such as the need to audit at the speed of risk. (We have both used that expression for a decade or more and written books about it. I claim, although Richard is not sure, to have used it first. But no matter, we both are ardent supporters of a continuously updated, enterprise risk-based audit plan.)

There are also areas where we disagree. For example, Richard believes strongly that the CAE should report administratively to the CEO because, if he/she reports instead to the CFO, that executive may try to own the function. I reported throughout my career as CAE to the audit committee and the CFO, and not once did the CFO interfere with my planning or reporting. However, I have personal experience at two different companies, one huge and one small, of a CEO owning and directing the CAE and his planning and reporting. (The first was a company that acquired mine, and the second was a company that mine acquired.)

In this blog post, there are topics that Richard suggests where I fiercely agree, and others where I disagree. No surprise.

Let’s start with where I fiercely agree.

The first and most important is his fifth question:

Based on internal audit coverage during the prior year, what is the CAE’s assessment of the overall effectiveness of the company’s internal controls and risk management?

As Richard says, this is:

…the most important question of all – the question that I often find is on virtually every audit committee member’s mind but is rarely asked. In seeking the answer to this question, the audit committee is asking the CAE to “connect the dots.”

However, I don’t accept that the CAE should ever answer the way Richard describes:

However, the committee must be prepared for an answer that it does not want to hear: that the body of internal audit’s work over the past year has not been adequate for an “unqualified” opinion or assessment on the adequacy of risk management and controls. In communicating any opinions, the CAE should be prepared to communicate qualifications based on the extent of internal audit’s coverage. If the audit committee is not comfortable with a qualified answer, then a discussion about internal audit’s resources needs to be back on the table. 

No. The question is the right one. It asks for the CAE’s assessment, their assurance, based on the coverage during the year. How can any reasonable CAE say that they can’t provide an unqualified opinion? The question includes the only necessary qualifier: “based on the coverage during the year”.

As CAE, I started providing my opinion on the adequacy of internal controls to address the more significant risks more than 30 years ago! It had the necessary qualifier: that it was based on the work performed. I was a member of the IIA team that developed their Practice Guide: Formulating and Expressing Internal Audit Opinions in 2009.

BUT: the audit plan was specifically designed, even back then, to address the more significant risks to the enterprise as a whole.

In other words, the audit plan was designed to deliver the necessary macro-level opinion at the end of the year!

The audit committee knew this, as did management, so there was no surprise, no question about the adequacy of coverage.

In fact, when I presented the plan for review and approval by the audit committee, I showed them what were the next most significant risks that I would not be able to address due to resource constraints.

That answered, at the beginning and not the end of the year, Richard’s excellent third question:

What are the top five risks that internal audit is not addressing due to a lack of resources or skills?

By the way, lack of skills is not an acceptable excuse, as those can be obtained by co-sourcing, the use of guest auditors, and/or training.

Moving on to Richard’s fourth question, it is again one with which I very strongly agree:

What strategies is internal audit deploying to ensure greater understanding of the business by audit staff?

My quibble is that the question should ask whether that understanding is sufficient, rather than greater.

I recently had a debate with the great Tom Peters. I first ran into him more than twenty years ago, when he started talking about WoW! Projects. I was so impressed I had each of my internal audit direct reports attend his WoW! seminars! You can see the slide deck of a presentation I made at MISTI’s SuperStrategies conference in 2001 that talks about a Wow! Internal audit department.

Have a look at slides 37 and on.

The debate with Tom (we follow each other on Twitter) was about Managing by Wandering Around (MBWA). He has been an advocate for this practice for a long time and writes about it here.

Check out the video linked in his article and ask whether you and your team are doing enough MBWA to understand the business.

MBWA is a great way of staying in touch with changes in the business (internal and external context) and changes in risks to the business so you can update the audit plan! That addresses Richard’s second question. Just remember that it is the responsibility of management to identify the risks; it is our responsibility to assess how well they do that and to make sure our audit plan is continuously updated so we audit what matters today and will matter in the future.

I suggested to Tom, and after he thought about it, he agreed that instead of MBWA, we should be talking about MBLA: managing by wandering and listening around. The focus is on listening, making sure that you are not talking more than 40% of the time.

I have not addressed Richard’s very first question:

Is internal audit following the International Standards for the Professional Practice of Internal Auditing (Standards), and what were the results of the last external quality assessment?

With all respect to Richard, The IIA, and all CIAs, I have a hard time believing that the Standards are a guide to quality auditing. There are too many issues with them (which I have shared with IIA leadership and hope they are considering as they work towards upgrading them) and adhering to the Standards is not a guarantee of excellence.

Sometimes, you need to go your own way and design an internal audit program that meets the assurance needs of the organization at that time and in your specific circumstances. I admire what Chris Keller did at Apple when he was CAE there, moving from static internal auditing per the Standards to more continuous risk and control monitoring of the various projects at the company.

So – are there questions that Richard has not included in his top five?

My top five are different and include some he did not.

  1. Based on internal audit coverage during the prior year, what is your assessment of the overall effectiveness of the company’s internal controls and risk management? (This assumes that there is a continuously updated, enterprise risk-based audit plan.)
  2. Describe your relationships with management. Is there inappropriate pressure on you to change your audit plan or your reporting? Do you get the support you need from all levels of management? Does management work with you when it comes to assessing and acting on the need for change?
  3. What, if anything, is holding you back from excellence? Are there sources of risk that you wish to address but cannot due to resource limitations – other than those we previously decided not to fund? Are you satisfied with the quality and performance of your staff?
  4. What should we and the board be focused on?
  5. How can we help you?

Somewhere in here, but I hate to remove any of the above, is the set of questions that the committee should ask around the effectiveness of the management team (individually and as a team). In my top ten is also the question of whether the external audit team is effective, including the level of communication and collaboration with internal audit.

There are just so many questions the audit committee should ask!

What have Richard and I missed?


The Latest Report on Fraud

May 3, 2022 7 comments

Every year, the Association of Certified Fraud Examiners (ACFE) publishes a report on fraud. The latest is the 12th in the series, Occupational Fraud 2022: A Report to the Nations.

My congratulations and thanks go to the ACFE for an excellent report. I remember how early reports included the employees’ use of company assets like computers in their definition of fraud. I am pleased to see that gone, with every inch of this long report dedicated to information that has value.

The first point that jumps out at me is no surprise. ACFE estimates that the average organization loses 5% of its revenue each year to fraud. Now, 5% is a lot. But does it mean that fraud is a risk to the organization so high that it should be made a priority for internal audit, and a focus of the limited time of the audit committee of the board? I will let you form your own opinion.

Building on that, the median loss per case is $117,000 (down substantially from prior years), while the average loss per case is $1,783,000. As many as 21% of the cases topped a million dollars in losses. Some would have to be several million to explain the difference between the median and the average.

Compare that to the cost of control, or even the cost of investigating fraud. I am not saying that we shouldn’t have controls to prevent or detect fraud, or audits either to ensure that the controls are adequate or to detect fraud ourselves. I am just pointing out that the cost may dwarf the benefit if we are not careful.

The largest type of fraud was financial statement fraud, with a median loss of $593,000. It’s interesting that it’s not more, as this number would not be material to most organizations’ financial statements.

Another interesting statistic is that 40% of cases involved more than one type of fraud. 32% appropriated assets and had some form of corruption scheme. Just 2% stole assets and committed accounting fraud.

The average duration of a fraud before it is detected is 12 months. That is faster than in previous years, but still unacceptable. As the paper explains, the longer a fraud scheme continues, the bigger the loss. In addition, if we are not careful others may see an opportunity and fraudulent activity expands.

However, fewer organizations than in prior years are pursuing criminal prosecution, favoring civil litigation. That is the trend over ten years, but the number of those working with the authorities to prosecute fraudsters is still higher at 58% than those suing them civilly (29%). That means 13% are not taking any legal action – presumably because of the cost.

62% are committed by owners or managers/executives, and more involve collusion (up to 58% now).

One important area is how frauds are detected. The 2022 results are:

  • 42% – Tip
  • 16% – Internal audit
  • 12% – Management review
  • 6% – Document examination
  • 5% – By accident
  • 5% – Account reconciliation
  • 4% – Automated monitoring
  • 4% – External audit
  • 3% – Surveillance
  • 2% – Law enforcement
  • 1% – Confession
  • 1% – Other

The total of the internal controls-related detections is 30%, so a tip remains the most frequent source of detection. No change there, except that internal controls and internal audit are doing better.

Another interesting factoid is that organizations without a hotline suffered double the fraud loss when there was a fraud than those that did. I am going to guess that it is probably because organizations that invest in a hotline are likely to also invest in better internal controls.

People have been saying that fraud risk is higher now because of the pandemic. The ACFE study explains that this is due in many cases to staffing shortages and other changes, rather than any change in morale or employee attitudes. But contrast that to the information that the typical fraud cost is less than it was.

As you might expect, the higher the fraudster is in the organization, the greater the loss – and the less likely they are to be fired. Interestingly, the longer the individual has been with the company, the higher the loss. The same goes for the age of the perpetrator. (That makes me a high risk.)

One surprise was that 58 cases (3%) involved the board of directors! Median loss was $500,000.

That’s what I found interesting. What jumped out at you?

How do you measure the performance of the Internal Audit function?

April 29, 2022 8 comments

One metric stands out when it comes to assessing the performance of the CAE and his or her team: the satisfaction of their primary customer, the audit committee of the board. Second to that, and frankly not far apart in its effects on the longevity and mental health of the CAE, is the satisfaction of the CEO, CFO, and the rest of the executive team (but especially those two execs).

Having said that, there are other metrics that are very important.

ACI Learning has shared with us their suggestions in an article you can download.

Measuring the Performance of Internal Audit Departments: Standardize measurements and align business operations with balanced scorecards has some good points.

At the same time, I disagree with some and believe others are missed.

For example, the first metrics suggested are related to time:

  • Audit announcement to when the final report is published (days)
  • End of fieldwork to when the draft report is published (days)
  • Publication of draft report to when the final report is published (days)
  • Time variance: audit plan to actual (hours)
  • Audit plan to actual (%)

As a CAE, I never measured any of these. I don’t think they are meaningful and may even lead practices in the wrong direction!

While some CAEs focus on publishing a report as soon as possible, my focus was on publishing the right, fair and balanced report that will help management and the board with actionable information, effecting the right change (if necessary) for the business.

My focus was on working with management to ensure they had the best systems, processes, organization, and controls to run the business, and to provide related assurance and insight to senior management and the board.

The next set of metrics are:

  • Number of audits planned vs. completed (number)
  • Number of audits planned vs. completed (%)

I don’t see either of these as a measure of effectiveness.

If you are using a continuously updated, enterprise risk-based audit plan, the number of audits planned is changing all the time. These metrics are only relevant when you have a rigid audit plan (typically out of date before the audit committee approves it) and when stubborn adherence to auditing what used to be a risk is considered important.

The authors don’t get to the most important metrics until page 5, when they talk about the customer. However, there is no assessment here of the satisfaction of the audit committee, not even of top management!

On the other hand, I like these:

  • Training hours per auditor
  • Management requests for audit services

There are other vital measures that are overlooked, such as:

  • Satisfaction of the internal audit staff
  • Career progression of the internal audit staff, including their being hired into management positions within the business
  • Staff retention

As a CAE with several companies over many years, I had one set of questions. I asked it of members of the audit committee individually and as a group, as well as of the CEO, CFO, and their direct reports:

  • How are we doing?
  • Are we helping you with your job?
  • What else can we do to help you?
  • What should we stop doing?
  • Do you have specific comments on what we are doing and on the members of the team?

I now ask you:

  • How should you or anybody else assess the performance of internal audit?
  • How am I doing with this blog?
  • What changes should I make?

The Great Resignation Risk

April 25, 2022 3 comments

While many are focused on issues like cyber, saying it is perhaps the greatest source of risk to an organization today, I believe there are greater sources of concern.

One of these has been in the news over the last months, called the Great Resignation.

The Great Resignation

Consider this set of survey results from


In the article, they said:

ResumeBuilder estimates that in 2022, as many as 32% of U.S. workers will leave not only their jobs but their careers behind to start afresh in new industries, especially in IT. Overall, a quarter of employed individuals will quit their jobs in 2022, and half will leave in the first half of the year.

In 2020 and 2021, employees left their job in record numbers in what we know as The Great Resignation. One would expect job security as the primary concern during the pandemic and because of its uncertainties. The trend arose as employers failed to accommodate the emerging needs and expectations of the workforce amid the switch to remote work.

In just the second half of 2021, approximately 20 million people quit their jobs, including 4.5 million in November. In these two years, non-essential businesses adopted remote work, forcing the workforce to come to terms with a rapid shift in the culture even as they struggled to maintain a healthy work-life balance.

But at the same time, this uncertainty has made employees rethink their prospects and presented employees opportunities to seek greener pastures. Career strategist and professional resume writer Carolyn Kleiman told ResumeBuilder, “As the pandemic continues, people continue to evaluate their lives, and work is a large part of that.”

What does this mean for risk and audit practitioners?

  1. Recognize the potential effects on the organization and its success of losing key employees. While risk disclosures may talk about the loss of the CEO and other top executives, we also have to consider the loss of:
    • Customer relationships as sales personnel leave, perhaps to a competitor
    • Innovation as top engineers and product designers abandon ship, again possibly to a competitor
    • Momentum in the development and use of technology due to the loss of IT staff
    • Revenue growth as the capacity of the organization to deliver products and services is impacted
    • Key individuals in the performance of critical controls and security practices, with less capable individuals (or nobody) taking their place
    • Leaders within the organization
    • Risk and audit practitioners!
  2. We need to help management understand the level of risk to enterprise objectives, which can be in every nook and cranny of the organization.
  3. We also need to help management assess whether it is doing enough to stem the tide and respond to the waves breaching the storm wall.
  4. At the same time, we should consider whether management is taking advantage of the situation to upgrade its potential by hiring the best people now on the market.

There’s an interesting article in Smart Brief: Let’s call it a retention review. I recommend it.

Forbes says It’s Not The Great Resignation, It’s The ‘About Time’ Resignation.

People are transforming their relationship with the traditional workplace, revaluing the importance of career versus quality of life.

This prompts an overdue opportunity for employers to do the same, by asking themselves four fundamental questions: What do employees seek in this new work-life balance? How will companies provide what employees need for that balance? What does that new workplace look like? What can employees and employers bring to it?

Risk practitioners can work with management to understand the risk (and the opportunities).

Internal auditors can help by assessing whether that is sufficient, and perhaps suggest ways to improve retention and hiring.

What do you think?


Writing this brings something to mind that I want to talk about for a minute.

Some have said that if an event or situation is certain, there is no risk. They are referencing the ISO 31000 definition of risk as “the effect of uncertainty on objectives.”

If there is no uncertainty, they assert, there is no risk.

My problem with that is that while an event or situation may be certain to occur or may even have happened, the effect or effects in the future may be uncertain.

I think we have to be careful to avoid traps like the rigid interpretation of definitions.

But – I will point out that we are talking about the “effect on objectives”. That part of the definition is critical; assessing a risk or opportunity in other ways is not necessarily always wrong, but I think it is questionable.

Audits of information security or cyber may be short

April 22, 2022 3 comments

I have been involved in information security, either auditing it or being responsible for the function at a couple of financial institutions, for a very long time. To me, cyber is not separate from information security. If I were to make a distinction, information security would include not only digital information, but also hard copy reports and other information not stored electronically. But I will treat the terms interchangeably today.


Why do I say audits would be short?

Because they often were short when either I or my team of IT auditors performed them.


The first thing I do is ask for the information security risk assessment.

If they haven’t done one, it is difficult to know where we should focus our limited audit resources. I want to assess the areas where there is greater risk to the business and its success, the achievement of enterprise objectives.

It is difficult to assess whether they have adequate defenses or responses if they haven’t identified the greater sources of risk.

If they have done a risk assessment based on NIST or ISO guidance, it is usually disconnected from the achievement of business objectives and I again have a problem.

I don’t want to audit the “risk to information assets” (per NIST and ISO). I want to audit the risks to business objectives and success.

We can help management as a consulting activity understand how to perform such a risk assessment.

I wrote about this recently for EDPACS in an article that is now free to view: Making business sense of technology risk.


Where I am aware of a specific infosec risk that is critical to business success, I can target an audit.

But those are targeted audits, not an audit of all of information security.

In fact, my approach typically breaks the area up into multiple targeted audits.


I have written before about auditing what I call the information security foundation: where it reports, whether there is an acceptable risk assessment, who leads it, how it is funded, and so on.

I will do that first.

Then I will have some number of audits targeted at specific issues.


Do CAEs pay enough attention to cyber and information security?

I think they do, although every year there are complaints that CAEs don’t have the resources necessary.

My thinking is:

  1. The CAE’s risk assessment should identify what they need to audit, including cyber-related audits
  2. That assessment should be shared with the audit committee of the board
  3. Where possible, the CAE should have sufficient internal resources to perform the necessary audits
  4. Where internal resources are not available, the CAE should engage external resources, such as from a consulting firm
  5. If the budget does not permit the funding of high priority audits, that should be a matter for discussion with the audit committee, and they will have the last word.

In his April 6th blog post, my good friend Richard Chambers said:

[The IIA’s Pulse of Internal Audit] reports that 85% of respondents rate “cybersecurity” as a high or very high risk, but it only accounts for 11% of internal audit plans. Allocation of resources to cyber risks is lower than to compliance and regulatory risks, operational risks, and internal controls over financial reporting (SOX).

He sees this as a problem, an alarm bell. I don’t.

11% of internal audit resources is a HUGE amount!

When you consider all the risks to business success these days, and the fact that the typical breach costs far less than people think, 11% may be appropriate. It might be too little, but it is more likely to be too much than too little!

If CAEs are following a true enterprise-risk based approach, I will trust them to be focusing on the highest risks to the enterprise, such as:

  • The loss of critical employees, particularly those with strong connections to customers, those who drive product development, the leaders who inspire other employees, and the ones who perform critical controls
  • Supply-chain risks in the midst of political upheaval
  • The ability to leverage new technology and not fall behind competitors
  • The potential for a downturn in the economy
  • Compliance with new sanctions and other regulations
  • The return on investment from marketing and sales initiatives
  • Developing staff when they are remote
  • And so on


The main point is that in the absence of an adequate, business-focused cyber risk assessment, knowing what cyber related audits to perform is difficult.

How do you audit what matters to the organization when those responsible for running the organization haven’t figured that out?

Remember, there’s a huge disconnect between information security leaders (CISOs) and top management (including the board) when it comes to agreeing on how much resource to allocate to infosec.


I welcome your thoughts.


By the way, I will be speaking at an upcoming virtual conference in May, the Transforming Your Audit Summit 2022. The list of speakers is impressive!

Where should internal audit report?

April 18, 2022 4 comments

This is a touchy subject.

While there is very little debate that the head of internal audit, the chief audit executive or CAE, should report functionally to the board (usually the audit committee of the board), there are some strong opinions on where it should report for administrative purposes.

This is what the IIA’s Standards have to say (with my emphasis):

1110 – Organizational Independence

The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.


Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board:

  • Approving the internal audit charter.
  • Approving the risk-based internal audit plan.
  • Approving the internal audit budget and resource plan.
  • Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters.
  • Approving decisions regarding the appointment and removal of the chief audit executive.
  • Approving the remuneration of the chief audit executive.
  • Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.

1110.A1 – The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. The chief audit executive must disclose such interference to the board and discuss the implications.

The Standards do not discuss what is included in administrative reporting. This is what I believe is included:

  • Reviewing and approving the expenses of the CAE
  • Performing other administrative functions that may be required by organizational policy. These vary from organization to organization but may include the approval of purchase orders that exceed the CAE’s authority level, approval of travel, and so on.

There’s little else that I can think of today.

It is customary for the CAE to be able to attend the executive’s meetings with his or her direct reports.

It is also customary, but not always a given, that the executive will be a supporter and champion of internal audit.

The CAE’s cost center may or may not roll up to that of the executive.


Somebody has to perform these administrative functions, and it is unrealistic (with rare exceptions) to expect the chair of the audit committee to do them.

The debate is whether the CAE should report administratively to the CEO, the CFO, or another senior executive.

While it is possible for the CAE to report for administrative purposes at a lower level, for example to the Corporate Controller, this will generally create a perception that the CAE is middle management at best – rather than the senior executive he or she really is (or should be).


Some years ago, the IIA stated its preference (my guess is that this was influenced by its CEO) that the administrative reporting should be to the CEO.

Richard Chambers repeated his strong preference for that in a recent post, New Surveys Raise Alarm Bells for Internal Audit. He tells us:

One of the most jaw-dropping statistics in the IIA’s recent 2022 North American Pulse of Internal Audit report is that 76% of CAEs at publicly traded companies say they work administratively for the CFO! I have never been shy about sharing my views on this reporting relationship. While many CFOs fully respect the need for internal audit to remain independent, and for internal auditors to be objective, the optics indicate that CFOs who “own” internal audit are more likely to use the function to focus on their own priorities. Even more alarming is that only 4% of respondents are concerned about reporting lines. That is, by and large, a uniquely American problem, and fortunately it isn’t widespread in either the public or not-for-profit sectors. But the number of internal audit functions reporting to the CEO in publicly traded companies appears to be retreating. That is not a good development.

He has strong views on this and so do I.

It could be that his many years as CAE in government service influenced his position. My many years as CAE in US and global corporations led me to a totally different position.

First, administrative reporting does not confer, in any way, “ownership” of internal audit.

Second, I have seen CAEs who report administratively to the CEO forced to work on special projects for the CEO, even to the point of being sent to fire non-performing executives! In other words, the CEO thought he owned internal audit.

Third, the CEO is a busy individual and asking him or her to spend their valuable time on administrative duties like approving expense reports is absurd. In practice, the CEO will delegate those responsibilities to the CFO (at best) or an assistant (at worst, but more likely).

Fourth, you can report to the CFO and have free access to the CEO.

Fifth and extremely important, you are far more likely to be included in the CFO’s executive staff meetings than the CEO’s, even if you report administratively to the CEO. In fact, reporting to the CEO may make it harder to attend the CFO’s meetings. These meetings are very valuable sources of information about the strategies and activities of the organization.

Finally, the fact that 96% of CAEs are content with their administrative reporting should tell us something. These are smart people, and their opinion should be respected as being based on reality. Reporting to the CFO satisfies the intent of Standard 1110: “The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.”


Should the CAE report administratively to another senior executive?

This will depend on the organization and on the individual executive.

I can see a case being made for reporting to one of these people:

  • Chief Administrative Officer
  • Chief Operating Officer
  • General Counsel

I am not a fan of the CAE reporting to a specialist CRO with whom there may be conflict over the assessment of control deficiencies and the risk they represent.


Whoever the CAE reports to administratively must respect the fact that the reporting is purely administrative, that they do not own internal audit, and that their role is limited.


How does the CAE make this happen?

That is covered by Standard 1000: Purpose, Authority, and Responsibility.

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.


The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organization, including the nature of the chief audit executive’s functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.

The value of the Charter is not that the CAE can brandish its authority when management doesn’t allow internal audit necessary access to information, etc.

The value is that it is discussed and reviewed by the board or its audit committee. That activity instructs whoever is administratively supporting the CAE where the boundaries of their role lie.


What do you think?


By the way, I am not commenting today on the other alarm bells that Richard says are ringing except to say that I disagree on SOX and do not agree with his logic on cyber. (I would point you to an IIA webinar we did together, but the IIA has removed it for some reason. In it, he agreed with my position that IA delivers great value if it is given the necessary resources to fulfil its primary mission as well as test controls for SOX.)

The greatest risk and the greatest asset

April 12, 2022 6 comments

I am, of course, talking about people.


If you look at the root cause of almost every failure or missed opportunity, it comes down to people.

Yet, we don’t pay nearly enough attention to whether we have the right people in the right jobs. You could add to that ‘the right information and authority’, but that is provided by people too.

The Human Resources department is supposed to help everybody hire the right people, train and develop them, and (if necessary) fire people.

But my experience is that they usually get in the way.

They prevented me from hiring the best people for the job I needed done because (a) I wanted to pay them too much in their opinion (based on surveys of positions that were not comparable), (b) I wanted to call them managers (because that is what they were in their last job and reflected the authority and level they would have in this one) but they would have no staff, or (c) they gave preference to people who were not the best candidates, but had been with the company longer or met diversity goals. (I make no apologies for putting excellence ahead of diversity.[1])

When I was a vice president in IT, I completed the annual performance appraisals for my direct reports. All were rated 4 or 5 on a 5-point scale. HR said this was unacceptable and sent my boss, the senior vice president and CIO, to tell me to change it. My rating had to fit a predetermined pattern with only so many at each level, and I needed some to be rated below average – even though none of them were. I knew that such an unfair process would significantly affect morale and I would lose very valuable people.

The SVP told me I couldn’t rate everybody at that high level, so I asked him to name the best performers in his entire department of several hundred. All my direct reports were in his top ten! He relented and joined me in the fight with HR.

HR also prevented me from retooling the department when I inherited a team whose top speed was average. The CFO criticized me at one point for not running a world-class department when everybody was doing their best (and far better than they had under my predecessor). He changed his tune when I pointed out that I cannot fire people who are not under-performing. Equally, I cannot expect world-class performance from people who are not capable of delivering it.

In time, I was able (with no help from HR) to help them find other positions (advancing their careers in the process), slowly replacing them with more experienced personnel who could deliver greater insights and valuable advice. I left the company just one or two steps from my goal of world-class performance, but it was within reach.


We are not very good at calling a spade a spade.

Internal auditors shy away from informing management and the board (if necessary) when the root cause of an elevated risk and the failure of controls is people.

I have heard many times that auditors are not allowed to recommend hiring additional people when that is what is needed to address a significant source of risk. They are also fearful of saying that an individual is not competent – whether that individual is a trainee, a supervisor, manager, or C-level executive.

It is even more difficult when the problem is the CEO or even the board itself!


So what should we do about it?

First, we should recognize that while it is important to remove deadwood and have the right people for each job, we also need to appreciate and reward those who are truly excellent. (Achieving easy goals is not the same as being excellent.)

Management should be helped to assess whether their compensation and bonus programs are delivering the performance they need.

They should also be helped to understand whether people are being treated well and developed to optimize their potential.


Management needs to sit back and look in the mirror. Do they have the right people in the right jobs? Are the managers doing everything they should? Is HR a help or a hindrance? What actions need to be taken on all fronts?


Risk practitioners need to ask management to look in that mirror. If they themselves see a shadow, they should point it out. They can also work with management to consider the various options, what can and should be done.


Internal audit needs to be alert to poor performers, at any level. They also need to be alert to the failure to recognize and reward high performers, or to train and develop people so they can achieve their potential. Internal auditors should be brave enough to call a spade a spade.


The Board should ask management whether they have world-class people in every position, and what they are doing to develop and train everybody.


Organizations will only achieve their potential if they have the right people performing to their potential.


I recognize that these are difficult times. It is hard to get the best people, and it’s also hard to retain them.

It pays to dedicate time and money to preserving and enhancing the value of your greatest asset: people.


I welcome your thoughts.

[1] By fortune rather than anything else, my hires were predominantly female with a serious sprinkling of people of color.

Give Boards the Actionable Information they Need

April 8, 2022 10 comments

I was recently interviewed for an article that appeared in BoardRoom Insider on Better Board Presentations. If each issue is as good as this excellent piece, you might want to consider subscribing.

I want to thank Ralph Ward for providing me with a copy and permission to share it.

The primary point in the issue is that management needs to give the board the information they need, when they need it.

Rather than massive volumes of data that may or may not be information, and rather than trying to sell the board on what they want, management needs to understand what the board members actually need.

Board Intelligence is a software company with products for the board. Its newsletter, to which I subscribe, has good content. In its latest issue, it says:

As a board’s remit grows, so too do its board papers — with the average board pack now well over 250 pages, according to our research.

The company also tells us:

“Don’t tell me everything you know. Tell me what I need to know.” This is the key to a great board paper. And boards rely on high-quality information to drive high-quality decisions.

The information provided to the board has to be concise, clear, and (especially) objective rather than biased towards the decision management wants the board to make.

I like what Ralph says about PowerPoint presentations:

Anyone who plans a board presentation with 100+ slides should be locked out of the boardroom and given time to reconsider. Humans have a limited ability to absorb information — assume that the more slides in your deck, the less info from each will register. Guy Kawasaki uses a “10/20/30” rule for presentations – no more than 10 slides, 20 minutes, and at least a 30-point screen font. Jeff Bezos famously banned Powerpoints for Amazon meetings altogether, instead requiring presenters to write up a four-page memo to be read by all in the meeting.

He adds good advice on how to make an effective presentation, with links to additional material on the topic.

Ralph makes excellent points about financial and, by inference, other types of presentation:

Financial data are useless without context. Palvi Metha, CFO of Pioneer Square Labs and a seasoned board member, says “Talking to the board is not about presenting a series of numbers — it’s about telling a story. And people don’t necessarily know how to do that.” This requires learning the specifics among the mountain of data you should share that set the stage for financial decisions. “CFOs tend to hide behind the numbers,” says Edith Hamilton, head of the CFO career coaching firm NEXT New Growth. She finds that audit members are already pretty savvy at “absorbing balance sheets and cash flow statements.” What they really want is to know what story the numbers are telling – “Why is this now $72 million compared to the previous $75 million?”

He quotes me on another issue:

In most board work, directors may or may not have parsed the pre-meeting material you sent them. For audit and financials, however, the data are so important that presentations should just be a garnish atop the pre-read material. “Board members need to get the material well in advance,” notes Norman Marks, a retired senior executive and thought leader and blogger on risk and audit. “Over and over again, I see audit [committee] directors getting hundreds of detailed pages just before the meeting.” This takes some pressure off staff needing to deliver detailed financial Powerpoint shows, but adds pressure in assuring that audit committee packs are rounded up and available earlier than most other board books. Make smart use of executive summaries for longer reports.

But getting the board book out in time won’t help unless the audit committee chair cracks a whip over members when it comes to really reading it. “If I’m the chair, I have to train my board to read the material in advance,” says Marks.

If the material is read in advance, the meeting is able to focus on what it means and what to do. If it is not available to the board and read by them before the meeting, they have to read it at the meeting – a waste of valuable time.

There is also good advice on technology-related board briefings:

CISOs and CIOs by definition deal with highly technical matters, and this is how they measure the results of their efforts. Their first problem when face-to-face with the board is terminology. Dropping lots of Powerpoints onto the board graphing MTTD, MTTR, IDS/IPS, SQLI, and other stuff that looks like Roman numerals will immediately zone them out. But the second problem is that IT’s own measures of structure maturity and reliability, while valuable for their tasks, are likely not ones board members can process and use for their own role. Start by educating your board on what IT leadership does in the trenches, and then solicit their feedback on how to translate this for their governance oversight.

For tech staff, this means turning the equation upside down. Rather than churning out your IT numbers and measures, help the board parse insightful, usable questions – then shape your tech and cybersecurity presentation around answering them with coherent KPIs. Seek feedback from other execs (CFO, marketing, operating heads) on how they make info most board usable.

Ralph advises the CFO to build relationships with the members of the board. The same advice applies to risk and audit practitioners.

It not only builds mutual trust and respect, but it enables us to understand what they need to know – and how to deliver that information.

Stories rather than detailed tables. I really like this. You are getting through to board members when they are looking at you and listening, rather than reading or following along as you go through a chart or bullets in a PowerPoint presentation.

Objective information rather than only what supports your preferred outcome.

There is more, including advice I have shared before. For example, if there is a difficult situation, talk to the chair and others prior to the meeting.

What advice would you share?

Internal Audit and ESG. How much should we do?

April 5, 2022 7 comments

The latest headline topic for internal auditors seems to be Environmental, Social, and Corporate Governance (ESG).

For background, I refer you to a sensible piece by Richard Chambers.

SEC Climate Disclosure Proposal May Be the Next SOX for Internal Audit summarizes in a clear and concise way (thank you, Richard) the SEC’s proposed climate-related disclosure requirements.

Rather than repeat the proposed requirements here, I refer you to Richard’s piece or, if you need, the SEC’s proposal.

Richard suggests three ways internal audit can assist:

  1. Make sure our leaders are aware of the rules and help them to formulate a response to the risk of non-compliance.
  2. Provide assurance on the planned disclosure process. In the same way that internal audit assesses and provides assurance on new technology projects, we can provide assurance on the new disclosure process.
  3. On a continuing basis, assess and provide assurance on related controls.

He closes his article with encouragement:

As assurance professionals, we must keep our eyes on the horizon to identify, monitor, and address critical compliance risks. As I mentioned, the proposed climate disclosure requirements present challenges and opportunities for internal auditors. Those who joined the profession after SOX was embedded into our compliance practice will learn firsthand about management’s need for accurate information and the importance of internal audit’s advice through the early days of a major regulatory change. Our first duty is to help our companies achieve and maintain compliance, but we also have an excellent opportunity to demonstrate our crucial role in confronting significant emerging risks. First and foremost, look for ways to help protect and create value for your company. The clock is already ticking.

(My disagreement is mild: our first duty is helping with the achievement of enterprise objectives.)

The IIA has taken a similar stance.

They published a series of questions internal auditors can ask in a Bulletin last month.

In addition, the IIA’s Internal Audit Foundation collaborated with EY on a white paper: Prioritizing Environmental, Social, and Governance (ESG) – Exploring Internal Audit’s Role as a Critical Collaborator. Like the others, it summarizes the proposed rules before talking about the role of internal audit.

They shared the results of a survey when it comes to current internal audit involvement:

Most organizations have involved their internal audit functions in some way with the organization’s ESG initiatives. Just under 30 percent of CAEs of internal audit functions that are involved indicate they are engaged in one or more of the following:

  • Providing advice on setting ESG program goals and metrics.
  • Reviewing how ESG goals and metrics are tracked and monitored.
  • Reviewing implementation of the ESG program and related policy documents.
  • Reviewing the accuracy of ESG reports provided to stakeholders.

…internal audit is most often involved in assurance services supporting processes, controls, and data validation for reported material ESG information. Typical advisory services include weighing in on climate risk and the inclusion of ESG in the organization’s enterprise risk management (ERM) program. Internal audit functions also perform governance engagements to assess whether adequate roles, responsibilities, and processes are in place to execute on the ESG strategy and manage risk…. internal audit also can provide ESG-focused audits on topics such as climate, environmental compliance and performance, worker safety, data security, and sustainable supply chain practices. Additionally, 10 percent of CAEs indicate that their internal audit function is involved in other ways as well.

One area we have seen internal audit add significant value to ESG reporting is assessing the completeness of the operational boundaries, especially for large, decentralized organizations. For example, inventorying the greenhouse gas emissions sources across Scope 1, 2, and 3 emissions requires a deep understanding of the company’s operations. Internal audit can provide this insight to validate that all applicable business activities, locations, subsidiaries, and joint ventures are included in reporting. However, 35 percent of CAEs indicate that their internal audit functions have no involvement.

Going forward, two-thirds of CAEs indicate that they plan to perform ESG-related engagements over the next 12 months, with 45 percent planning advisory services and 31 percent planning internal control reviews.

Many of the internal audit executives view ESG as the next SOX. There are many parallels between today’s ESG reporting landscape and how SOX developed in the early 2000s. Internal audit functions have an opportunity to get ahead of impending disclosure regulations and the ensuing assurance requirements by implementing a ‘SOX-like’ framework to enhance the reliability of ESG reporting within their organizations.

My major problem with the above is that it should not be internal audit that is “implementing a ‘SOX-like’ framework to enhance the reliability of ESG reporting within their organizations”. That is a management responsibility.

KPMG weighed in with Internal Audit’s role in ESG. They say (see my emphasis):

As with financial reporting, the independent and objective assurance only internal audit can provide must be an integral part of an organisation’s ESG response.

Management teams across organisations are recognising the opportunities and risks ESG presents. This includes the due-diligence required to integrate ESG measures across any organisation. To make informed decisions, directors must have reliable assurance on the effectiveness of ESG management, including ESG governance, risk assessment, KPI monitoring and reporting. That assurance should come from internal audit.

They refer to the IIA’s publications, with perhaps stronger language than the IIA would prefer.

According to the IIA, at a minimum the internal audit function should provide the following assurance over ESG reporting:

— Review reporting metrics for relevancy, accuracy, timeliness and consistency: It is critical that all public ESG reports provide information that accurately depicts an organisation’s ESG efforts. This is particularly important as regulatory oversight and public scrutiny increases.

— Review reporting for consistency with formal financial disclosure filings: While ESG reporting provides non-financial data, any information that conflicts with formal financial disclosures will raise a red flag with investors and regulators.

— Conduct materiality or risk assessments on ESG reporting: Organisations must have a clear understanding on how ongoing ESG efforts or public commitments to reaching ESG goals can rise to the level of materiality.

— Incorporate ESG into regular audit plans.

— Build an ESG control environment: Internal audit can advise on developing specific internal controls for ESG reporting.

— Recommend reporting metrics: Internal audit can provide insights into the kind of data that accurately reflects relevant ESG efforts within the organisation.

— Advise on ESG Governance: Internal audit can provide guidance on ESG governance because of its holistic understanding of risk across the organisation.

As with the EY and IIA materials, the KPMG paper has some valuable advice, although we have to be careful with the word “should”.

Deloitte had their say in an article published in the Wall Street Journal’s CFO Journal.

In ESG and the Role of Internal Audit, they correctly say:

With their ability to anticipate risks, advise senior leaders and the board of directors, and provide assurance, internal auditors are well positioned to act as catalysts for furthering an organization’s ESG goals while helping to identify potential obstacles.

Given their broad purview across the enterprise, internal auditors can assess an organization’s ESG risk from multiple perspectives and help connect dots. For example, in assessing governance and policy, internal auditors can consider whether the organization has created a governance structure and culture that support effective climate risk management and whether information on climate risk is being reported to the board.

The paper sees a role for the external auditor that worries me. It is not something I would engage them for.

The American Institute of Certified Public Accountants (AICPA) and the CAQ are similarly encouraging external auditors to engage in ESG reporting, providing a road map for audit practitioners to understand ESG reporting as well as the related risks and legal considerations associated with including this information in regulatory filings.

“Independent auditors, in their public interest role, play a part in the flow of reliable information for decision-making,” the AICPA and CAQ wrote in releasing the road map in February 2021. Third-party assurance from an independent auditor can enhance the reliability of ESG information reported by companies, they say.

An article last year in the Journal of Accountancy has the title of Internal audit has pivotal role in ESG reporting.

That may be hyperbole.

Anthony Pugliese, CPA/CITP, CGMA, president and CEO of The Institute of Internal Auditors (IIA), is quoted by the Journal as saying that (with my emphasis) there is an “imperative” for internal audit to be involved.

Is there an “imperative”?

Should internal audit be involved, and how much should we be involved?

We can:

  • Stand on the sidelines for now, waiting for a better time. This is unlikely to be the best option.
  • Participate as a consultant as the organization prepares for the regulations. I like this and see the CAE or a senior audit executive in this role.
  • Assess the planned design of the controls to ensure compliance with anticipated ESG disclosure requirements.
  • Assess the design and operation of the controls over the organization’s carbon footprint, the controls that ensure that footprint is at a desired level.
  • Assess the operation of the ESG disclosure controls.
  • Provide annual (or more frequent) independent assurance on ESG disclosure controls.

Each organization will have to make a decision based on its specific circumstances.

Let’s face the facts.

  1. We need to put our limited resources where they add the most value, where the more significant sources of risk to enterprise objectives lie.
  2. We can’t audit or consult on everything.
  3. If we allocate resources to ESG compliance and other related risks, that resource has to come from somewhere else, other projects, or we need additional resources.

Is ESG compliance, including but not limited to disclosure controls, one of the top risks at your organization?

Maybe it is, and maybe it is not.

Where does it lie in comparison to traditional areas for internal audit attention, let alone new ones such as these?

  • Compliance with sanctions and related regulations, including those imposed as a result of the invasion of Ukraine
  • The impact on risks and controls of the Great Resignation. How is the operation of key controls affected as people leave the organization?
  • The effect of work-at-home on controls. I heard from a partner in a law firm that his associates are not learning and advancing due to the loss of in-person supervision and training. Some are not putting in the same hours. In addition, his firm is finding it hard to replace those who are leaving.
  • The need for resilience, especially as we are hearing of increased nation-supported cyber-attacks.
  • How to price products and services in a period of inflation.
  • How to prepare for a possible depression.

If the audit committee, management, and the CAE agree that (a) ESG should be an area of focus; (b) there is a need for assurance on related controls and disclosures; and (c) internal audit should have a major role, then the CAE should ensure that:

  • There is sufficient, capable resource to do the work.
  • There is sufficient resource to address all the other sources of significant risk and value.

If management is willing to fund independent audits of ESG-related controls, I prefer that money be allocated to internal audit than used to hire EY, Deloitte, KPMG, or anybody else.

I find it curious that many of the voices that are today advocating for internal audit involvement in auditing management’s controls were strongly opposed to internal audit doing the same for SOX when that came along.

Let’s not repeat the mistake made by many of taking on added responsibilities (in this case for ESG) without added resources.

I welcome your thoughts.

Are Boards Getting the Information they Need on Strategy, Culture and Risks?

April 1, 2022 8 comments

Today, I am hosting a Guest Post by Elliot Schreiber, PhD. I have a few comments at the end.


Boards have responsibility for approving the strategy and risk appetite of the company.  This requires directors to have sufficient information to assure themselves that they can make the best decisions possible at the time the decision is needed.

Those who follow business literature know that there has been an increase in focus on culture, and how to create a “healthy” environment in which employees feel respected and are engaged in creating value for all stakeholders.  This is not a search for “feel good” environments.  Healthy cultures create greater financial success over the long-term.  Conversely, an unhealthy culture, one that is authoritarian, puts the organization at risk.  However, boards have not focused on organizational culture, seeing it as an operational, management responsibility. But before focusing on culture, boards need to work with the CEO to ensure that the right values are embedded in the organization.

What do we do, though, if the CEO is the problem, fostering values and culture that are unhealthy and create unnecessary risks?  This has been the case in more than 70% of the corporate crises in recent years. Wells Fargo, Volkswagen, and Boeing, to name but a few, have all had crises caused by a CEO that created an environment in which employees were afraid to disappoint and incentivized to do the wrong things.  The damage to each of these companies has been considerable in terms of market value loss, increased cost of capital, loss of key talent, and greater regulatory scrutiny.

We should question why the boards of these companies did not see the problem in advance.  Some, like Margaret Heffernan, believe it has to do with “wilful blindness” and that in every crisis there is someone who knows but chooses not to believe it or share it.  And if the crisis is caused by the CEO, there would likely be little information provided to the board.  Yet, how could Wells Fargo open 3.5 million bogus accounts for customers without the board knowing?

While boards do not want to step into operational issues, they need to be able to understand opportunities versus risks, even those caused by the CEO.  However, consider how boards get information on critical issues.  They need to make choices, to call on the heads of environmental affairs, R&D, Compliance, Human Resources, Corporate Strategy, Public Relations, Legal, Investor Affairs, Information Technology, Government Affairs, Internal Audit, and Enterprise Risk Management. Would the information be discussed by the entire board or a committee?  And if a committee, which one?  In either case, directors would likely sit there hearing a debate from the different perspectives of each executive on what to do. And if the board wanted to know if the culture was conducive to averting a potential crisis, where would they go to find out?  Sounds like a joke and maybe a bit of hyperbole, but each of these people would have a different perspective on the issue that should be heard. Not only is this cumbersome for the board, but it also highlights the inefficiencies and risks of organizations that operate in silos.

Silos exist in almost all organizations.  They may have been established as centers of excellence to help the business make and execute decisions.  However, the people within these silos rarely share information with one another and rarely collaborate.  In fact, they compete with one another for access to the CEO and board and for budgets and influence.  Lack of information flow is a recipe for unnecessary risk.

If silos made sense in an industrial age, they make little sense today.  Since the inception of the Internet, stakeholders have been able to access considerable information, not all of it factual, to determine if the company is meeting their expectations.  When a company fails to meet the expectations of stakeholders, one of its stakeholders might take action that will erode value, either immediately or over time.  Silos also reflect a mechanistic view of a corporation as a value chain rather than a system within a large ecosystem. The value chain envisioned an organization taking in raw materials and moving them through the organization until they can be marketed and sold, thereby creating profits.  Staff organizations were there as support.

In 1971, 85% of the market value of companies in the S&P 500 came from tangible assets.  Today, nearly 90% of market value comes from intangible assets, the primary one being reputation.

We cannot manage a complex system of external stakeholders with a purely mechanistic organization.  We must be able to understand the opportunities versus risks for each stakeholder, so that strategy and risk inform one another and the CEO and board get a comprehensive view of how their decisions will be received within the ecosystem in which they operate.  Silos waste resources, kill productivity and make it more difficult to meet objectives. This is a recipe for increased risk.

Instead of silos, consider if the organization did away with silos and created a cross-functional group of experts focused on strategy, culture, stakeholder value and risk.  This group would have as its remit assessing business opportunities and risks for each stakeholder and would have access to the board in the same way internal audit has access to the Audit Committee.  They would examine information and debate the opportunities versus risks and then would provide the board with a comprehensive view of how each stakeholder would likely respond to a given board action.  Decisions would be more strategic and less reactive or defensive. In addition, the group would provide “group cover” for a whistleblower who might see and want to call attention to a risk early on.  Given the politicization of business, it is becoming more critical that companies adopt such cross-functional analysis.

In summary, boards are not currently getting the comprehensive information about complex strategy and risk decisions due to the way information flows or is bottled within the organization.  Instead of having functional silos competing based upon their own sense of value, the emphasis would be shifted to providing their expertise to others and then finding the best way to create and preserve value for the organization.


Norman’s Comments

  1. As said many times on this blog, I am not a fan of the concept of risk appetite. I favor limits and policies, but the idea that there is an “amount of risk” escapes me.
  2. I am not sure the board should be expected to know about Wells staff opening millions of bogus accounts. However, they should expect management to know – and for somebody, somewhere, to come forward and blow the whistle.
  3. I am not sure about a stakeholder-focused approach. I prefer one that is focused on enterprise objectives. However, when there are activist shareholder groups this is probably wise.

Board members talk about risk

March 29, 2022 1 comment

Two recent pieces share the thoughts of board members and advisors.

McKinsey had a podcast and published an edited transcript in The role of the board in preparing for extraordinary risk. It makes the point that “Risks that threaten a company’s existence require unique interventions from the board”.

A senior McKinsey advisor, Celia Huber, reported:

We run an annual global board survey of approximately 1,500 corporate directors, and we found that directors are not pleased with their performance on risk management. In fact, only 7 percent of the respondents believe that over the past year their boards were “most effective”—the highest rating—at risk management, and only 40 percent say their organizations are prepared for the next large crisis.

A McKinsey consultant answered the question of where boards should focus their attention.

It’s the high-consequence, low-likelihood events, such as the pandemic, that can cause long-term economic impact, significant reputational damage, and leadership changes. But you also want to consider the certainty of that impact. This is not about looking for “black swans” but identifying events that would have significant ramifications for the core of your organization and value proposition. If you provide cybersecurity, for example, a cyberattack will be a core piece of that value proposition. Identifying those predictable surprises is where boards should focus their energy and time.

This is followed by the statement that:

A goal for corporate boards is to ensure management identifies and addresses predictable surprises that could affect the whole company.

That statement is consistent with the focus I have been recommending to understand how a risk or opportunity might affect the achievement of enterprise objectives.

The board member in the conversation makes a very important point:

It is tempting to look at risks individually, but there are benefits to considering scenarios where multiple risks hit at the same time. That’s what COVID represented: we had a health crisis, a financial crisis, and a social crisis. Companies that take on significant financial risk, with high leverage, should consider the operational risk. During the pandemic, retailers with high leverage whose stores suddenly closed faced bankruptcy because of a combination of risks rather than individual risks.

Too many not only manage risk rather than the business, but err even more by managing individual risks in a silo rather than all the things that might happen.

Predictably, the podcast is only talking about the bad things that might happen. But good things can happen and need to happen if the organization is to succeed.

I recently recorded a short message for the Institute of Risk Management in India (where I am on the advisory board). In it I talked about the need for practitioners to help decision-makers not only understand each source of risk and opportunity, the things that might happen, but weigh them together. Only then can an informed and intelligent decision be made.

A second piece was published in Forbes, Cybersecurity And The Role Of The Board, written by Betsy Atkins, a board member at Wynn Resorts and elsewhere.

Her focus is on cyber, following a presentation to her board by one of the audit firms.

She posits questions for a board in response to the new regulations proposed by the SEC.

  • Does the board have a cyber expert? What are their credentials and how was their expertise determined?
  • How does the Board execute its oversight of cyber-risks?
  • Does the company consider cybersecurity risks in its business strategy, financial planning, and capital allocation processes?
  • Do you have a Chief Information Security Officer? Where does that person report? What are their credentials?

She doesn’t answer any of these questions, or the other questions that she suggests may be inferred from the proposed regulations.

But, they are good questions for discussion by the senior management of the organization, replacing “the board” with “the senior management team”. Then, the CEO can facilitate a discussion by the board.

I remain strongly of the opinion that the board should look to the CEO (with support from the CIO, CFO, COO, and others) for risk and cyber understanding.

If the CEO cannot explain how risks (and opportunities) are considered in strategy and objective-setting and then in daily operational and strategic decisions, there is a problem.

If the CEO cannot explain whether and why the organization has adequate cyber measures in place, there is a problem.

The role of the board is NOT to be the expert. It is to ensure that management has the expertise it needs to run the business effectively to achieve the objectives and longer-term purpose of the organization.

Practitioners can help:

  • Enterprise risk practitioners can help decision-makers have, understand, and weigh the information they need about what might happen so they can consider their options and act where appropriate.
  • InfoSec practitioners can work with business management to understand how a breach might affect the business and its success (the achievement of enterprise objectives), assess whether that is acceptable, and then work with others (such as enterprise or compliance risk practitioners) to ensure it is one of the risks and other factors considered in decision-making.
  • Audit practitioners can make sure all of the above is happening. If not, they can not only report the risk that this presents but stimulate action. Where needed, they can facilitate discussions among the various groups, serving as translators between technobabble and business language. (They can also perform or make sure others perform the white-hat penetration testing recommended by Betsy Atkins.)

I welcome your thoughts.

A major new role for the practitioner

March 25, 2022 4 comments

Yesterday, I was reviewing State of Cybersecurity 2022 from ISACA. They surveyed 2,031 people who “hold the ISACA Certified Information Security Manager® (CISM®) certification or have registered information security job titles”.

The results are sad. They include (with my emphasis):

  • Sixty-three percent of respondent enterprises have unfilled cybersecurity positions.
  • Fifteen percent say they are significantly understaffed.
  • Sixty percent of enterprises report experiencing difficulties in retaining qualified cybersecurity professionals.
  • The number of survey respondents who believe their cybersecurity programs are appropriately funded increased to 42 percent—a five percentage-point jump and the most favorable report since ISACA began its state of cybersecurity reporting.
  • Last year’s declining optimism about cybersecurity budgets reversed course this year, with 55 percent of respondents expecting an increase in funding.
  • Although 82 percent of respondents believe their leadership team sees value in conducting a cyberrisk assessment, only 41 percent of respondent enterprises perform an annual cyberrisk assessment.
  • 33% perform assessments more often than annually: 8% every 7-12 months; 16% every 1-6 months; and, 9% monthly.
  • Despite the high-profile media attention to ransomware attacks during this reporting cycle, cyberattack reporting is mostly unchanged from last year.
  • Sixty-nine percent of respondents whose organizations experienced more cyberattacks in the past year report being somewhat or significantly understaffed.
  • While there are other more prevalent reasons for cyber staff to leave a company, such as high stress levels (45%), 34% say they are leaving because of a lack of management support.
  • Survey respondents’ confidence in the ability of their cybersecurity team to detect and respond to cyberthreats reaches an all-time high of 82 percent — a five percentage-point increase from last year (figure 32). This confidence is remarkable, considering that 46 percent of respondent enterprises have a security staff of just two to 10 individuals. Further, in-house staff fully manage approximately half of their five major security functions (identify, protect, detect, respond and recover), with most of the remainder partially outsourced.
  • Only 34% believe that their cybersecurity training and awareness programs have had a strong impact on overall employee cybersecurity awareness in their organization, with 46% reporting some positive impact.

While ISACA, as you can see from the language in the excerpts above, focuses on the positive – the small improvements in a few areas – I can only see a sad state of affairs.

All of the respondents were information security practitioners.

They believe, and this is understandable, that they have insufficient budgets and resources.

Now let’s throw in some additional observations:

  • Surveys show that it can take as long as six to twelve months to detect a breach, and three months or more to know what has been affected. This doesn’t compute with the report that 82% say they can detect and respond to cyberthreats.
  • Other surveys show that there is a gap in the understanding of cyber-related risk between boards, top executives, and cyber practitioners.
  • Management and the board will fund and resource activities they believe add value, giving a desirable return on investment. That return can come from eliminating or mitigating the harmful effects of a breach. The fact that they are not providing the funding and resources practitioners believe is appropriate is telling!
  • Consultants (even spreading to the SEC!) are asking boards to improve their cyber technical knowledge and understanding. However, boards need to understand the business, their competitors, the regulatory environment, compliance requirements, and both opportunities and other sources of risk. They also have to be experts in hiring, firing, and compensating executives. They can’t reasonably be expected to have experts on everything!

I have been suggesting that organizations should recognize that providing effective cybersecurity in-house is probably a futile exercise. Instead, they should strongly consider outsourcing as much as they can, with an in-house staff that oversees it, works with the enterprise risk function, and coordinates with management to understand the risk to the business and its objectives.

There is also that constant drumbeat that boards should have a cyber expert. I strongly disagree. I have spoken to board members who have a tech background, even an infosec background, but they cannot keep up with all the new threats and technologies.

Instead, boards should expect management to have the ability to understand – and explain, importantly – the threat that a breach might pose to the business and its success.

The CEO should be able to explain the business risk! If not, he or she has a problem!

So what is this new role for the practitioner?

Help bridge that gap!

  • Stimulate more attention on the effective understanding and monitoring of cyber-related risk. By that, I don’t mean risk to information assets – a term loved by NIST and ISO but meaningless to those running the business. I mean the risk to achieving enterprise objectives. Educate the board, management, and the practitioner. Report failures to understand the business risks as itself a huge business risk, and make sure it is discussed at both executive and board meetings.
  • Help the CEO and other top executives like the CFO and COO understand cyber risk in business terms.
  • Bring practitioners and management together in facilitated workshops to understand and assess how a breach could affect the business.
  • Help practitioners set aside their technobabble and replace it with language that makes sense to the business.
  • If we believe cybersecurity is underfunded, say so!
  • If we believe it is adequately funded, say so – and help the practitioners understand why. Perhaps they are allocating the funding they have poorly.
  • If we believe that leadership of cyber and information security needs improvement, say so!

Don’t stand on the sidelines watching failure in motion.

Get in the game.

I welcome your thoughts.

Risk, Agility, and Resilience

March 22, 2022 3 comments

These are three of today’s buzzwords. My good friend, Michael Rasmussen, has shared an article that was recently published by the Institute of Risk Management. (I am an Honorary Fellow of that institute and Michael has received other honors from them.)

I like what he has to say about agility:

Agility is a thing of beauty. I love watching acts of agility. Take parkour for example, how these athletes can leverage and use their surroundings to navigate and seem to do the impossible . . . simply amazing.

Agility is the ability of an organisation to move quickly and easily; the ability to think and understand quickly. Good risk management is going to clearly understand the objectives of the organisation, its performance goals, and strategy, and continuously monitor the environment for 360 situational awareness to be agile.

To see both opportunities as well as threats so the organisation can think and understand quickly and be prepared to move to navigate to seize opportunities while avoiding threats/exposures to the organisation and its objectives.

Organisations in 2022 need to be agile organisations to avoid and prevent events, but we also need agility to seize on opportunities and reliably achieve (or exceed) objectives. Agility is not just avoidance of hazards, threats, and harms. Agility is also the ability to understand the environment and engage to advance the organisation and its goals. Organisations need to be agile and resilient. Risk management needs to be an integrated part of performance, objective, and strategy management to achieve this capability to enable situational awareness for this organisation so it can seize on the opportunity as well as avoid exposures and threats.

Let me make one important and often overlooked point.

You can be ready and even able to move with agility, but if you don’t know when, where, how, or why you need to move, agility is somewhat useless.

Reliable, timely, and current information is necessary!

You also need decision-makers to be alert to changes in the information and use it!

I have seen surveys that say 80% of managers do not know what information is available. As a result, they fail to obtain the information before making a decision based on their gut instinct.

They also fail to understand that others may have the information they need, and/or may be affected by their decisions.

Have you asked your key decision-makers whether they have the information they need, when they need it? Have you asked whether they are included in decisions that affect them or where they could make a difference?

Some time back, I was presenting at the Harvard Club in New York to a group of CFOs. I asked them how long it would take them before they could put a number to their level of free cash, should their CEO call them right there and then asking for it. The answers ranged from a week to a month or even more.

Michael also talks about resiliency.

Now I have to tell you that the word grates on me. I had never heard it used until recently; although it is acceptable, for me the proper word is resilience. There are several articles about the difference, calling ‘resiliency’ a “needless variant”. (Just as some people were talking about compliancy a few years ago instead of compliance.) Anyway, I will let that pass for now and just talk about resilience.

As Michael says:

There has been a lot of focus on [resilience] in 2021 and moving into 2022 as we deal with the waves of the pandemic and ramifications from it. [Resilience] is the capacity to recover quickly from difficulties/events, the ability of a business to spring back into shape from an event.

What I like about this, based on my personal experience with IT disaster recovery and business resumption planning reporting to me when I was a vice president in IT, is that a focus on being resilient can help you be able to recover from the unexpected. It didn’t matter what caused the data center to be lost (e.g., a fire, earthquake, or terrorist incident), we had to be able to recover at speed to maintain the business.

In risk management (including opportunity management, or even my concept of success management), you are anticipating what might happen to affect your achieving enterprise objectives.

But surprises happen, coming at you in different ways and from different directions from anything you had anticipated.

If you think about being prepared for the unexpected, being resilient, then you are less likely to be seriously damaged.

From a business resumption perspective, which Michael also talks about in his piece, I believe the most important piece is a Crisis Communications Plan.

Who will you contact to address an issue, when, and how?

Michael loves the data: structured data and analysis. I am less enamored than he.

However, I agree that you need to use your imagination; for me that translates to setting aside what others have deemed ‘best practice’ and figure out what is best for your organization.

That is a great topic for facilitated workshops and table-top drills. Gather line management to discuss how they would be affected and how they would respond, moving on to how they can improve preparedness. In my IT shop, in addition to a disaster recovery plan and a business resumption plan, we also had a disaster preparedness plan.

What do you think?

Do we need a risk management framework?

March 18, 2022 16 comments

A single word can change so much.

For example, the traditional way of thinking about responses to risk includes the expression “accepting risk”. (The options are avoiding, transferring, or mitigating. The idea of taking more (!) is ignored.)

That is so passive!

In order to succeed, whether in life or in business, people need to take risks! Active, not passive!

The key is to do so intelligently with reliable information about where you are (so often overlooked) and what may happen in the future.

Life and business are not about managing or mitigating risk(s). They are about making decisions that will help you get where you need to go, be what you want to be, and achieve the success you desire.

How about changing the expression “risk management framework” to “risk taking framework”?

This is a much more active way of thinking.

It focuses on the decisions you are making, not only understanding the bad things that might happen but why you may want to take the risks of them happening.


  • Understand where we are
  • Anticipate (another wonderful word) what might happen
  • Do something if that is not desirable (better than ‘acceptable’)

If you were asked to change from helping with a risk management framework in a risk management activity, to helping with a risk taking framework in a risk taking (support) activity, what would you do?

Would that add more value to the organization?

I welcome your thoughts.

Useful work by COSO on managing at speed misses the point

March 14, 2022 3 comments

I enjoyed COSO’s latest publication, Enabling Organizational Agility in an Age of Speed and Disruption. This is how COSO described it:

As radical change transforms the world we live in, organizations should regularly align their enterprise risk management (ERM) process with the current business environment and their strategic goals, according to new guidance issued today from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Enabling Organizational Agility in an Age of Speed and Disruption is intended to serve as a guide to help organizations succeed by being more anticipatory, agile, and adaptable. The guidance highlights many of the COSO ERM risk principles and how they relate to an agile business environment, and numerous ways are identified that show how the COSO ERM principles link to agile approaches.

Frankly, while COSO has to support its own ERM framework, the important message in the document has little, if anything, to do with developing and maintaining the risk inventory (another term for a list of risks) advocated in the COSO framework.

I suggest reading the publication and setting aside the references to COSO ERM.

In fact, the overall message is correct and is quite different from maintaining a list of risks, even if that list is linked in some way to strategic objectives. To quote again:

As radical change transforms the world we live in, organizations should regularly align their enterprise risk management (ERM) process with the current business environment and their strategic goals.

The way to do this, IMHO, is to recognize that when organizations are moving at speed and with agility, they have to make decisions at speed. It also means being willing to take more risk – because it is justified on business grounds.

If you want your speedy decisions to be right (given constraints), you need quality, reliable, current, and timely information about where you are and what may lie ahead.

Risk management is all about providing decision-makers with the information they need about what might happen, and then helping them evaluate the situation and alternative actions (balancing opportunities and potential harms).

While the new COSO paper says a lot of good stuff, a search for “decision” gives you just ten mentions, while “decision-making” returns just three.

  • A few ERM leaders have been pushing the identification of risk into decision-making and an agile organization seems to be a good place to continue doing that.
  • Operating structures could be redone to reconsider traditional hierarchical approaches and traditional decision-making processes and replace with agile practices.
  • Part of the past bureaucratic problem was too much of a silo approach within the organization that limited collaboration and slowed down decision-making.

In other words, COSO’s new guidance essentially ignores the need for quality, informed and intelligent decisions.

That is surprising and disappointing.

It also continues the focus on managing and mitigating harms, without pressing the risk practitioner to apply the same principles and techniques to opportunities – let alone helping management weigh one against the other to determine which risks should be taken.

The publication does have a lot to say, and I recommend reading it carefully. Here are a few quotes with my emphasis.

Note how the document quotes CEOs saying there should be a focus on taking risk!

  • Astute leaders get this and know that long-term strategic plans and assumptions are not the best approach in times like this. Examples of this are everywhere. A recently appointed CEO at a Fortune 100 company changed the company’s motto to “Faster, stronger, and better.” A chief strategy officer of one of the world’s largest energy companies declared, We’ve given up trying to predict the future. We just want to be agile. A new CEO of a not-for-profit adopted a strategic vision focused on speed, adaptability, and taking risk. Other headlines in the news have CEOs telling employees to make mistakes and Wall Street analysts warning companies, “Disrupt yourselves, or else!” Further, this occurred before the pandemic, social unrest, political climate, continued calls for climate change, or ESG (environmental, social and governance) action — plus a host of other globally challenging uncertainties. It is not surprising that companies are looking for ways to improve, adapt, and become more agile as they also search for the new normal.
  • The new normal likely includes new anticipatory risk skills and new agile and adaptability skills. For those responsible for understanding and managing risks — including business owners, enterprise risk management, internal audit, senior leadership, and boards — the new normal includes a rethinking of when, how, and where to apply strategic risk thinking and ERM.
  • Adopting agile practices at the organizational and strategic level encompasses a few key concepts. The obvious first concept is speed. Companies believe that their world is changing, and they must adapt more quickly. A second and related key concept is direction. The combination of speed and direction is known as velocity. In guiding an organization, leaders cannot just move fast; they must also have a sense of direction. Note that this direction can be a broad window. There can be a sense that the future is fairly clear and the organization just needs to compete in that future. It can also mean that the direction is completely unclear. In this case, direction and steering the organization, even moving fast, must account for a wide variety of options and business models that could play out. This leads to other key concepts, including the ability to pivot, the ability to adapt, and the ability to accelerate (when needed). Pivoting, adapting, and accelerating all are about managing strategic and business risk but they also can create risk.
  • Board members are critical in helping organizations see and understand the necessity and importance of new strategic and organizational approaches and the related risk. It is also important that the business leaders, those who provide products and services, be involved and aligned with the change and agile efforts. This could require broad acceptance and a culture change and might even mandate that the business units adopt agile practices. When external parties, senior leaders, and others are pushing agile methods, the ERM function can feel completely out of sync with the business and will need to rethink its approaches and methods. ERM leaders will be more likely to stay in sync with the business when they regularly rethink and improve their ERM approach.
  • The ERM function can provide normal ERM tools to enable teams to properly understand, identify, and manage all related risks. Such tools may need to be customized and other tools may become necessary, but the basic ERM tools, technology, framework, risk cadence and reporting, risk identification templates, and action plans are still valuable and should be made available. The tools can help provide consistency. At some point, it is important that the ERM function provide the context and help others connect the risks to other risks and to the broader spectrum of risks and emerging risks facing the organization. Knowing and linking the velocity of emerging risks and other organizational risks that impact the agile teams can increase the teams’ chances of meeting objectives.
  • Companies that take an agile approach of speed and empowerment in innovations can improve risk-taking and ideation by encouraging this risk and opportunity mindset. When companies define the desired culture as one that accepts and allows for failure, they are building a culture that encourages new ideas and encourages risk-taking. Companies that do not accept failure or limit creativity create a culture that is risk-averse. If the strategic environment necessitates risk-taking, speed, and new ideas, then this risk-averse culture is the wrong fit to compete in that environment.

Now contrast that with an excellent post by an esteemed friend and practitioner, Hans Læssøe. In Effective Risk Reporting he explains how the focus should be on achieving targets or objectives (very similar to what I wrote about in Risk Management for Success and elsewhere, and what Tim Leech also advocates as objective-based risk management).

As he wisely says:

Management is working with business performance rather than managing risks. As such, management is not, and should not be, specially concerned about risks.

Executives know very well that there are risks and opportunities involved in whatever you do, and that every choice or decision they make becomes a choice between sets of risks and opportunities. This however does make them take their eyes off the ball – performance.

To be relevant and valuable to management, we – the risk profession – have to adjust our management reporting to be performance centric rather than risk centric.

I believe management should be focused on whether there is an acceptable likelihood of achieving each of their enterprise objectives. Hans says the same thing:

… shows a 40% likelihood of meeting the revenue target based on a 45% likelihood of having the targeted customer base.

Such a chart is certain to invoke a management discussion on whether or not this is satisfactory or something must be done to enhance the likelihood of meeting certain targets.

With this, risk management (reporting) affects decision making, which is paramount according to both the COSO and the ISO 31000 standards.

While COSO has shared some good advice about speed, I believe risk practitioners need to adapt on two fronts:

  1. Focus on how they can help decision-makers, ensuring they not only have quality information but are able to use it effectively.
  2. Partner with performance reporting staff to help management and the board understand whether there is an acceptable likelihood of meeting targets. At the same time, help management understand when the targets need to be moved as situations change.

I welcome your thoughts.

Listen to an eminent board member

March 11, 2022 4 comments

Words of wisdom are spoken in an interview in Board Intelligence of Vindi Banga. As the article explains, “He is the chair of UK Government Investments and Marie Curie, as well as a non-executive at GlaxoSmithKline and The Economist Group. Prior to this, Vindi sat on the board of the Confederation of British Industry, Thomson Reuters, Marks & Spencer, the Mauser Group, and spent 33 years at Unilever where he was a member of the Executive Board.”

Here are a few excerpts of note, with my emphasis:

  • A great meeting does four things… First, it spends the bulk of the discussion time on the maximisation of opportunity, rather than on the minimisation of risk. Risk is the “comfortable topic” that boards naturally default to, and having it on the agenda is obviously necessary, but it’s not what drives a business forward.
  • Second, it balances long and short-term. The urgent will always creep onto the agenda, and it shouldn’t be allowed to crowd out the important. As a rule of thumb, at least half of a meeting’s time should be spent on long-term issues.
  • Third, it’s well-managed. Yes, you need board material to stimulate the conversation, but it’s a colossal waste to use your meeting to simply share information. So, demand papers that are concise and available before the meeting — because there’s no point putting information together if you don’t give board members time to read, digest, and probe it. Keep presentations snappy. And give the floor to the discussion.

There is more, but I want to focus on the first and third points.

I love the point about focusing on the “maximization of opportunity”. Talking about risk absent the context of how you will achieve objectives is missing the point. Organizations need to take risk to succeed, but it needs to be the right level of the right risk so you can succeed.

Management consistently, in my experience, fails to provide the board with papers that are “concise and available before the meeting”. It was a constant struggle to get the CFO and his team to send the audit committee the materials at least a week (and preferably more) in advance of the meeting. As Mr. Banga says, it is a waste of the board’s time to be reading the papers during the meeting, when the members should be discussing what they mean and what actions, if any, are appropriate.

Board members told me that they routinely would receive board packages of well over a hundred pages, packed with detail, only a day or so before the meetings. If they were lucky, they could read them on the flight to our offices.

Practitioners contribute to the problem when they:

  • Share details the members don’t need to know
  • Use their allotted time to talk about their work (assuming, perhaps accurately, that the members have not read and considered everything they sent in advance), rather than giving the board members all the time they need to discuss with management what it means and what should be done

My advice to practitioners is to:

  • Discuss with the board members what they need to know
  • Provide them with that information in a concise form, at least a week and preferably two in advance
  • Ask the members to contact you before the meeting with any questions so you can explain before the meeting
  • Keep your presentation short and help the members understand what is needed from them, such as a decision or other action. If you are providing information just so they are informed, make sure they really need to be informed, explain that it’s for information only, and make it easy for them to consume it.

Our job is to help the board members discharge their governance and oversight responsibilities. Do what that takes and then stop.

I welcome your thoughts.

How do you assess this risk?

March 7, 2022 27 comments

A risk practitioner is working with operating management to assess the risk of inventory losses due to theft at either or both of its two satellite warehouses.

These are the facts:

  • The two warehouses are in industrial areas of Sydney, Australia and Paris, France.
  • Crime and policing levels are approximately the same. Neither is considered a high crime area.
  • Inventory levels fluctuate but are comparable, as are the sales they support.
  • The Security department has inspected and evaluated security measures at both sites. They are considered up to industry standards and appear to be operating effectively.
  • Background checks are performed for all new hires, and quarterly drug tests are mandated.
  • Employee turnover at both locations is within normal ranges for the industry and the local economies.
  • Your recent inspections of the fencing around the sites found one small hole in each where a child could get through.
  • Losses due to employee or other theft are considered acceptable if they remain below 10 units per month, as industry research has shown that additional measures would cost at least as much as any reduction in losses.
  • It would take shortages of 50 units to seriously affect the ability to fulfil sales orders and generate revenue. At that level, customers might consider moving to a competitor. Loss of any major customer would have a significant effect on revenue and the ability to meet annual corporate targets.
  • Sydney reported shrinkage of 100 in one month. An investigation did not determine how the units had been stolen. One employee (who left the next month) was suspected of being involved.
  • Inventory losses over the last twelve months at each location have been:
    • Sydney: 1, 100, 3, 2, 0, 0, 2, 3, 0, 4, 2, 1 (a total of 118, or just below 10 per month)
    • Paris: 2, 5, 2, 8, 1, 10, 8, 3, 10, 10, 22, 37 (also a total of 118)

How would you go about assessing the risk?

There are no tricks in the question. If you need, state any assumptions you are making.
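As an added illustration (example code, not the author’s own analysis and not an answer to his question), here is one way to lay the two loss series side by side before forming a view. It assumes the monthly figures in the post are listed oldest first, and it reads the 10-unit tolerance and the 50-unit impact level as per-month thresholds; neither assumption is stated on the page.

```python
"""Added example (not from the original post): summary figures for the two
warehouse loss series, to show that identical 12-month totals can hide very
different risk profiles.

Assumptions (not stated in the post): the monthly figures are listed oldest
first, and the 10-unit tolerance and 50-unit impact level apply per month.
"""
from statistics import mean, median

# Monthly losses exactly as given in the post, assumed oldest first.
SYDNEY = [1, 100, 3, 2, 0, 0, 2, 3, 0, 4, 2, 1]
PARIS = [2, 5, 2, 8, 1, 10, 8, 3, 10, 10, 22, 37]

TOLERANCE = 10  # losses are accepted only while they stay below this per month
IMPACT = 50     # shortage at which order fulfilment is seriously affected


def slope(series):
    """Least-squares trend in units per month, with x = 0, 1, ..., n-1."""
    n = len(series)
    x_bar = (n - 1) / 2
    y_bar = mean(series)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in enumerate(series))
    sxx = sum((x - x_bar) ** 2 for x in range(n))
    return sxy / sxx


def months_at_or_above(series, limit):
    """Number of months in which losses reached the given limit."""
    return sum(1 for y in series if y >= limit)


def summarize(series):
    """The figures a reviewer would want before judging the risk."""
    return {
        "total": sum(series),
        "mean": mean(series),
        "median": median(series),          # robust to a single outlier month
        "max": max(series),
        "slope": slope(series),            # sign and size of the trend
        "last3_mean": mean(series[-3:]),   # where the series is heading now
        "months_over_tolerance": months_at_or_above(series, TOLERANCE),
        "months_over_impact": months_at_or_above(series, IMPACT),
    }


def compare(sites):
    """Print one row per site and return the summaries for further use."""
    results = {name: summarize(s) for name, s in sites.items()}
    cols = ["total", "mean", "median", "max", "slope", "last3_mean",
            "months_over_tolerance", "months_over_impact"]
    print(f"{'site':8}" + "".join(f"{c:>22}" for c in cols))
    for name, r in results.items():
        print(f"{name:8}" + "".join(f"{r[c]:>22.2f}" for c in cols))
    return results


if __name__ == "__main__":
    compare({"Sydney": SYDNEY, "Paris": PARIS})
```

Run as a script, the table shows the same 118-unit total and 9.83 monthly mean for both sites, but Sydney’s median is 2 and its total is driven by a single 100-unit month that on its own exceeded the 50-unit impact level, while Paris has reached the 10-unit tolerance in five months, trends upward at roughly 2.1 units per month, and averaged 23 units over its last three months. The numbers do not assess the risk by themselves; they shape the questions to ask, such as what happened in Sydney’s second month and why Paris is climbing.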