Archive for the ‘Risk’ Category

COSO still believes in risk appetite statements

May 24, 2020 11 comments

My good friend Paul Sobel and I generally see eye-to-eye on matters relating to risk management. Over the years, we have chatted over meals, at conferences, and on the phone.

He is now the chair of COSO, which has to be a very tough job. Not only does he have to deal with the competing interests of its five members (the AICPA, FEI, AMA, AAA, and IIA), but he has inherited the COSO ERM Framework (and the Internal Control Framework, but I am not discussing that today).

Paul decided to share a series of pieces on LinkedIn a couple of weeks ago. His initial post started by saying “Many wonder whether the current pandemic is another example of ERM failing”. It got (as of today) 133 comments!

Now I don’t think Paul expected to receive that level of response. I am also pretty sure he didn’t expect to see so many comments about the general failures of risk management (ERM) programs.

Personally, I see the growing chorus as progress!

We now have a new COSO document that should receive a similar greeting. More and more people are recognizing that the traditional ERM programs typified by COSO’s guidance are simply not helping organizations succeed. They are seen by a growing number of executives and practitioners as a compliance activity. They look good, satisfy regulators, but don’t help leaders make the informed and intelligent decisions necessary for success.

This is what the COSO announcement on May 20th said:

In an effort to help boards, executives, and managers recognize how a better understanding and communication of risk appetite will help their organizations succeed, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is releasing new guidance, “Risk Appetite–Critical to Success,” focusing on how organizations can promote risk appetite as an integral part of decision-making.

I have written extensively about the concept of risk appetite here and in my books. My most recent discussion was Do risk appetite statements add value? You should also consider “Should we tear up the risk appetite” statement? and Let’s talk about risk appetite.

The authors of the new COSO guidance are the same people who have written about risk appetite for COSO before. So it may be difficult for them to step back and challenge their own (and COSO’s) established thinking.

I have a few questions for them and anybody else who likes risk appetite statements.

  1. Do you have risk appetite statements in your personal life? Are they necessary for your decisions about where to live and work, travel and vacation options, caring for your family, and so on?
  2. What is your personal “amount of risk”? Do you have an amount of risk that includes the possibilities of family illness, job loss, auto accidents, problems with your home, serious family disputes, and so on?
  3. If you don’t need a risk appetite statement in your personal life, why do you need one in your professional life?
  4. How do you explain the act that an “amount of risk” is a concept that is wrong both logically and mathematically? Are you using the discredited formula of likelihood times effect? How do you come up with an “amount” when there are actually ranges of potential effects (not a single number) each with its own likelihood, as well as multiple sources of risk (such as compliance, cyber, human resources, treasury, and more)?
  5. Why are there no examples of how you calculate risk appetite and then use it to compare it against the potential for reward and make quality decisions? Is it because that is not as easy (or practicable) in practice as it sounds in theory?
  6. While COSO seems to recognize that what might happen includes not only harms (which they call risks) but also positive things (they call opportunities), the discussion of risk appetite only talks about the negative. How do you make intelligent and informed decisions without comparable information on both the positive and the negative? How can you weigh them against each other to see if the risk (negative) should be taken?
  7. Isn’t it far better to use techniques like Monte Carlo Simulation that considers all the possibilities, not just harms?
  8. Where is the guidance on how to measure the possibility of reward and then compare it to the possibility of harm, and do that for each option or scenario? Why only provide guidance on half of the equation? How do you ensure that the right risks are being taken and opportunities seized?
  9. The guidance talks about operationalizing the risk appetite using risk tolerance. How are they any different from the limits and standards that have been in place for many decades? In other words, why can’t I simply retain my existing standards and polices and forget about risk appetite?
  10. How do risk appetite statements help you ensure that you have an acceptable likelihood of success, whether that is measured by the achievement of objectives, strategy, purpose, or something else?

If you are still enamored with risk appetite, I hope you enjoy and benefit from this new guidance. Unfortunately, I find it of little use.

I welcome your thoughts.

Should we audit at the speed of risk?

May 22, 2020 4 comments

It’s quite a few years[1] since I first started talking about “auditing at the speed of risk”. Sometimes I also referred to “auditing at the speed of the business”.

The idea is that the world within which we live and work is dynamic and turbulent – even more so now than when I first started using the term to describe the impact of new technology.

If we rely on an annual risk assessment and plan, we end up auditing what used to be a risk, not what challenges the organization today or tomorrow. In fact, the annual audit plan is typically out-of-date even before it is approved by the audit committee!

Richard Chambers similarly uses the term to explain that we need to move to a model that relies on a more continuous assessment of risk and (as I described in a controversial blog) identification of the audit engagements that would provide the most valuable information (assurance, advice, and insight) to our leaders in executive management and on the board.

Another leader in internal auditing has shifted the focus just a little. In COVID-19 Crisis Highlights the Value of Agile Auditing, Protiviti’s Brian Christensen together with Sharon Lindstrom talk about the need for “agile auditing”. Here are some quotes. Note that the first quote uses that same phrase.

  • With regard to immediate needs, the question we as internal auditors are asking ourselves right now is, “How can we be most helpful at this moment?” We have to be able to move at the speed of risk, which, as we’ve seen from the past several weeks, can be lightning fast.
  • Auditors should put aside worries about violating independence standards for internal audit when providing consulting to the second and first lines of defense and see themselves less as an assurance provider and more as a proactive partner. In essence, we have to become part of the response team.
  • While traditional risks remain, auditors should be ready to quickly change their focus as newer challenges present themselves.
  • Even as the COVID-19 crisis continues to rage, auditors need to be thinking about the next step forward, when the marketplace and the economy gradually regain their footing….. But when the economy begins to move into the recovery phase, Agile auditing needs to refashion itself again.
  • It is at this point that internal auditors may need to re-think their risk assessment
  • It is IA’s responsibility to evaluate not only the likelihood of new risks during this phase, but to also assess how quickly such challenges may arise and the extent of their duration. [Note by Norman: It is NOT internal audit’s responsibility to identify or assess risk. That is a management responsibility. Internal audit should be assessing how well management does that, not doing it themselves.]
  • Looking ahead, Agile auditing will continue to be the best way forward for IA, as organizations adjust with a changed market and social environment. It will enable auditors to better align assurance with the dynamic condition of a post-COVID world.

I have also been talking about Agile auditing for years[2]. I am encouraged to see this new focus by Protiviti on it.

What do I mean by agile auditing?

  • Being able to shift rapidly to audit what matters now and in the next period when everything is changing constantly
  • Being able to perform audit engagements at speed. If you think of an agile person, they move with quick steps. IA functions that take weeks or even a month to perform an audit are not agile
  • Being able to stop auditing when there is little value in continuing
  • Being able to accelerate and expand an audit engagement when new and significant issues or opportunities emerge (a.k.a., stop-and-go auditing, as discussed in Auditing that Matters).
  • Being able to communicate the results when they are needed by management or the board. If you take even a week to share the nature and extent of issues, you are not agile

One of the points I made in my recent webinar with Richard Chambers illustrates this. Richard asked me what I might include in my audit plan for the second half of 2020. I replied that “I don’t think that far ahead!” I said that today I would be working on what mattered right now and this week, anticipating what might matter next week and month, and later looking at how the business will be changing in future months. Our environment was and is changing very fast indeed, and where we should put our limited internal audit resources should be changing at the same speed.

In their CFO Signals for Q2, Deloitte makes a couple of interesting observations:

  • …many management teams remain focused more on ensuring viability and adapting for near-term performance than on evolving their company for success post-crisis. Still, teams’ focus varies greatly by industry, and many appear to be putting in substantial work on survival, adaptation, and evolution at the same time.
  • 60 percent of CFOs do not expect to return to a pre-crisis level of operations in 2020. Instead, 21 percent expect to reach this milestone in 1Q21, with 39 percent saying 2Q21 or later.

The speed of management is changing.

Decisions have to be made faster in response to changing conditions and in anticipation of what is around the corner.

We have to provide the assurance, advice, and insight that will enable the leaders of our organization to make intelligent and informed decisions at that higher speed.

So, I now suggest a number of ‘mottos’:

  1. “Audit at the speed of risk”
  2. “Audit at the speed of business”
  3. “Audit at the speed of decision-making” [NEW]
  4. All of these require “Audit with agility”

What do you think?

[1] Since at least 2002.

[2] Since at least 2010, and it is covered in Auditing that Matters.

The post-pandemic practitioner

May 16, 2020 5 comments

As Winston Churchill said, “To improve is to change; to be perfect is to change often”.

COVID-19 is disrupting life all over the globe.

Organizations are having to change to survive, let alone thrive.

For example we are seeing:

  • Changes in how people work
  • Disruption to the supply chain
  • A need to reconsider where we manufacture products
  • Shifts in how people purchase goods and services
  • and more

Whether we are talking about corporations, not-for-profits, or government agencies, leaders are changing how they run their organizations today and how they will run them tomorrow.

They face different challenges today than they did three months ago (or just last week) or will in three months’ time.

Here are some useful pieces for you to consider:

Some interesting quotes:

The coronavirus pandemic has radically changed demand for products and services in every sector, while exposing points of weakness and fragility in global supply chains and service networks. At the same time, it has been striking how well and how fast many companies have adapted, achieving new levels of visibility, agility, productivity, and end-customer connectivity—while also preserving their cash.

All over the world, companies are being challenged by the COVID-19 crisis to find new ways to serve their customers and communities. Many are rising to the occasion. Almost every leader we speak with has an inspiring story of radical, positive change in how work gets done and what it can accomplish.

Amid the fear and uncertainty, people are energized as companies make good on purpose statements, eliminate bureaucracy, empower previously untested leaders with big responsibilities, and “turbocharge” decision making. As one executive we spoke with observes: “Our senior team meets every morning for 30 minutes. It’s incredibly productive. We make decisions and go. We don’t have full information, but that’s OK—we can’t afford not to move.”

The speed of the pandemic surprised everyone. So, too, did the fast reflexes of some companies: even their own leaders were shocked at how quickly colleagues stepped up, made dramatic changes, and began performing at new levels.

In our conversations with operations leaders, we find that many are energized and inspired by the progress the crisis has forced them to make. Production lines have achieved record levels of availability and output: one automotive company found that manufacturing productivity actually increased when it introduced physical-distancing measures. After switching to daily planning cycles and gaining real-time visibility of their operations, managers don’t want to return to the old cadence of monthly planning and metrics that lag behind the situation on the ground. With physical stores closed, online and direct-to-customer sales are booming in many categories. That’s inspiring companies to upgrade their sales and distribution capabilities to meet this new type of demand.

As uncomfortable as it feels, leaders are finding that they can make decisions faster than they thought possible—and with imperfect information. The aha moment for some executives is the realization that when urgency and uncertainty collide, the time spent waiting to decide is a decision in itself.

Inertia is clearly riskier than action right now, so companies are mobilizing to address the immediate threat in ways they may have struggled to when taking on more abstract challenges, such as digital technology, automation, and artificial intelligence (all of which still loom). Bold experiments and new ways of working are now everyone’s business.

..the post-pandemic reality will likely be very different. Businesses may find, for example, that their trading partners have been undergoing changes too and that relationships may change. Vendors they used in the past may no longer be available, or may be available on different terms. Customers that were loyal before the pandemic may have shifted to new providers. Consumers may have developed new habits that will inform their preferences and behavior when the pandemic is over.

Planning has never been a particularly easy task, but the spread of COVID-19 has made it even more difficult. Finance professionals are used to accuracy, consistency, and relatively predictable planning cycles, not the unclear economic conditions and time horizons of a global pandemic. As one executive told us: “The five-year plan that we would be sending to the board right now is completely out the window. How do we plan in this environment when we don’t know what is going to happen?”

What leaders envision for their enterprises today may change with new information or new, yet unanticipated behaviors in the market. An organization needs not only a reemergence plan but also a framework for updating this plan in a way that does not generate confusion or uncertainty.

Amid the terrible human toll of the pandemic, some organizations are finding that, by working differently, they can rise to the occasion and help their employees, customers, and even their communities.

Across industries, companies are realizing that they can aspire to much more than simply a safe return to work. They want to take what they have learned during the COVID-19 crisis and create a new kind of operational performance.

As business operations make the transition to the next normal, speed will continue to be of the essence. Companies that are willing to maintain their momentum while also setting new standards and upending old paradigms will build long-term strategic advantage.

The organizations we serve as practitioners are changing.

Surely, we should be at least open to changing ourselves: changing how we work, the services and information we provide, and even our own self-image.

I suggest that we all set aside what has worked for us in the past, even the professional standards and guidance that we have followed.

Instead, let’s challenge ourselves by answering this question:

How can we best help our organization survive and then thrive today and tomorrow?

Here are some clues:

  1. How has the organization changed in the last couple of months?
  2. How is it likely to change over the next few months and into next year?
  3. How has management of the organization changed?
  4. What are the issues and challenges consuming management and board attention and how are they different today and into the future?
  5. How have essential business activities changed?
  6. How has the board changed in its activities?
  7. What information do your leaders need, especially what information do they need but are either not getting or are not getting reliable data promptly?
  8. What do they need to know about how the organization is behaving?
  9. What do they need to know about the capacity of the organization to meet demands over the next months or so?
  10. What can you do?

Now ask and answer that question again:

How can we best help our organization survive and then thrive today and tomorrow?

I welcome your thoughts and ideas.

How have you changed?

Should internal audit perform a risk assessment?

May 9, 2020 28 comments

This is a simple question that has many non-simple aspects.

I am not going to deal today with the issue of whether internal audit should be performing a risk assessment when there is a perfectly adequate risk assessment made by management. I have shared my view before that internal audit should (after auditing management’s processes) rely on management’s work as much as possible. However, even when it is excellent, more needs to be done to determine what engagements to perform, as explained in Auditing that Matters.

I am also not going to deal today with the word “a” in the question. I have shared in this blog and in that book why any assessment has to be continuous. It is refreshing that the majority are moving away from relying on the obsolete annual assessment process, instead updating the assessment and the audit plan quarterly or (in a growing number of cases) monthly. But it needs to be continuous. Auditing at the speed of risk (or of the business, if you prefer that term) means updating your plans at that speed as well. Otherwise, you are likely to audit what used to matter, not what matters today or tomorrow.

Today, I want to talk about the four-letter word ‘risk’ in the question.

For most people the four-letter word refers either to events that might happen with an adverse effect on objectives; for others it’s the adverse effect itself. It doesn’t really matter which definition you choose. Both talk about adverse effects.

The point is whether we need to be identifying and prioritizing the possibilities only of significant adverse effects.

What are we trying to accomplish?

Our objective should be to perform the audit engagements that will deliver the greatest value to our organization.

Let’s break that down a little further.

The value we deliver from our work is derived from the assurance, advice, and insight we provide on the issues that matter to the leaders of the organization (hence the title of my book, Auditing that Matters). We provide them with information that helps them run and lead the organization for success. We don’t provide them with information that doesn’t matter to them, points they can leave to middle or lower levels of management; that has little positive value.

In other words, we want to perform the engagements that will provide leaders with assurance that the organization’s people, processes, and systems will function as needed to both create and protect enterprise value – so that the objectives of the enterprise are achieved – and advice and insight to make improvements where needed.

What is the relationship between ‘risk’ and the engagements we seek to perform?

In theory, you start with objectives and then identify risks to those objectives. From there, you see where those risks may arise and which are the controls that address them. At that point, you can decide which audit engagements to perform because you are assessing and testing the controls over the risks; you are not really auditing the risks per se.

But this is exclusively focused on the harmful things that might happen.

What about providing assurance over the good things that might and must happen if the organization is to succeed?

Why should we only provide assurance regarding preventing or mitigating bad stuff, in other words protecting value?

What can’t we provide assurance that opportunities to create value will be taken?

The IIA’s suggested Mission for Internal Audit starts with this key phrase:

“To enhance and protect organizational value….”

Do our ‘risk’ assessment processes help us define engagements that will provide assurance that organizational value will be not only protected but enhanced?

As CAE, I talked about a ‘risk and value’ assessment rather than simply a risk assessment. By value, I meant to identify the engagements that would have the greatest value to our leaders. What I had in mind was that for some high ‘risks’, management was not only well aware of them but was actively working to address them. In those cases, an audit engagement would be of little value. In addition, my plan included audits of the controls relied on to create value, not just protect it.

That’s better than a straightforward and traditional ‘risk’ assessment.

But there’s a better approach.

  1. Understand the business
  2. Understand the goals and objectives of the board and the management team
  3. Identify the challenges facing the organization today, tomorrow, and going forward
  4. Define the audit engagements that will provide the assurance, insight, and advice leaders need – the ones that will provide the information they need, when they need it

That approach doesn’t use the ‘r’ word at all.

What do you think? Do you agree with me that we need to stop thinking about a risk assessment; that instead we should be thinking about which audit engagements will provide the assurance, advice, and insight that leaders of the enterprise need?


After reviewing and responding to comments (thank you) here and on LinkedIn, I want to add some points:

  1. While value is created by an internal audit risk assessment in many cases, our objective is not a perfect risk assessment (however you define it). Our objective is to identify the audit engagements that we need to perform if we are to add the most value to our organization.
  2. If we focus on the identification of the best audits to perform, we might avoid spending unnecessary time creating and then updating a risk assessment.
  3. One of the challenges voiced by many in making sure we are focused on audits that address risks/opportunities/challenges facing the organization today and tomorrow is the need to update the risk assessment continuously. But if we replace questions about the risk assessment with questions about which audits should we perform next (considering changes in the business, both internal audit external), we can minimize that additional work.
  4. In my organizations, we replaced a static audit plan with one that had a fair degree of certainty up to three months ahead, but recognized the uncertainty in what might change in the business and therefore in our auditing further out. This was communicated to the audit committee; as experienced and sensible people, they acknowledged its wisdom.

SOX risk assessment in 2020

April 30, 2020 1 comment

We are living in a turbulent world. But the SOX compliance requirements remain fairly static. It’s not as if the SEC is going to relax the requirements for companies to assess the condition of internal control over financial reporting, or that the PCAOB will reduce the requirement for the external auditor to provide their independent assessment.

Yet, there are issues and challenges that we need to consider.

Protiviti has done a decent job summarizing some of them in SOX Risk Assessment in the Time of COVID-19. (The text in italics is my addition to the author’s writing.)

I will come back to points of difference, even omission, later. Here are some highlights:

  • “Though forecasts may still be in the process of being reworked, they may prove to be the more suitable starting point” in determining materiality and which accounts and locations should be in scope. Note: that has always been best practice.
  • “Usual measures such as net income before tax are likely to be substantially lower for FY20 and even negative for some companies. In such situations, other measures such as EBITDA or revenue may need to be used and several materiality scenarios assessed.” This should be discussed with the external auditor. There is existing guidance on what to do when results are abnormal, including when there are losses.
  • “With the results of the materiality calculation likely being lower than in recent prior years, there may be financial statement elements or perhaps even locations that will” have to be brought into scope.”
  • “…if materiality has significantly decreased, thresholds or tolerances applied in controls, particularly for management-review controls, may need to be calibrated to the unique circumstances of FY20.”
  • “This new environment we are living in will push us more than ever toward real-time risk assessment rather than an annual update.” The best practice that I teach has always been to check the materiality level and program scope quarterly.
  • “…it will be important to closely communicate updates to filing calendars and coordinate with the Legal, Investor Relations and Financial Reporting departments.” If the SEC makes changes to annual reporting and filing requirements, they should be studied to determine whether they change the timing or nature of year-end and other procedures.
  • “…technology that may have been hastily deployed to a newly remote workforce but perhaps without the normal diligence to ITGC coverage or with a mind-set of enablement rather than restriction regarding user access. Organizations should consider the impact of these new exposures in a robust fraud risk assessment.” While it is possible, even likely, that the nature and magnitude of fraud schemes may have changed, the same fraud risk assessment process as in prior years should be performed. The author highlights access controls, which should merit increased attention. However, the focus remains on the possibility of fraud that leads to a material error or omission in the filed financial statements – and this remains unlikely for most companies, even with a lower materiality level.
  • “Management should review and obtain external audit agreement with the risk assessment conclusion and establish practical cadence for updates in FY20. Additionally, management should discuss how the timing and extent of audit procedures will be impacted and coordinate on the impact of any filing extension.”

I only disagree with the author on one minor point: she says that April is when 12/31 year-end companies start their SOX planning. I teach best practice as starting no later than January. The earlier you plan and then start walkthroughs, the more time you have to perform them and a first round of testing.

What is missing that matters?

Just one point, with consequences.

The way in which people work has changed and probably will still be different for the rest of this year, if not longer.

That means that controls may be performed differently. The information needed by control owners may not be provided the same way, for example, when people are not working in close proximity.

It is important, therefore, to have every control owner revisit their controls and update the documentation now and as it changes during the year.

The changes in how controls are performed needs to be shared with the SOX team so that an assessment can be made as to whether they remain adequately designed. For example, will evidence of the control being performed be recorded the same way; how will work be reviewed?

In addition, the way in which the controls can and should be tested may have to change. It may not be possible to perform walkthroughs or tests of operation by observing how an individual works at home.

Common sense and thinking about what we are seeing now and are likely to see in the future will help us succeed this year, as it does every year.

We need agility in our thinking as well, being prepared to adjust as everything changes.

We are living in a turbulent world.

I welcome your thoughts.

Let’s talk about Deciding

April 25, 2020 7 comments

The focus today among leading ‘risk’ thought leaders, including at COSO, is on decision-making. For example, COSO ERM says: “From day-today operational decisions to the fundamental trade-offs in the boardroom, dealing with risk in these choices is a part of decision-making”.

Think about it. How can we or our organizations be successful without sound decision-making?

How can we, as practitioners, help leaders make informed and intelligent decisions that consider all the things that might happen?

Some years ago, Grant Purdy (the grandfather of Australia/New Zealand’s risk management standard 4360, the precursor to the global standard, ISO 31000) told me that when he is engaged to help an organization upgrade its ERM program, he doesn’t talk to management about risk. Instead, he asks:

“How do you make decisions?”

Grant has teamed up with a fellow Aussie, Roger Estall, to bring us Deciding: A Guide to Even Better Decision-Making.

The book is an interesting read, with some useful perspectives and advice. It will help you challenge your and others’ decision-making processes.

Over the years, both Grant and I have been on a journey of discovery. We have both moved away from what I would call traditional risk management, recognizing that it really is not helping leaders make those all-important strategic and tactical decisions. It’s a compliance activity.

We haven’t always been in sync on our journeys, reaching points at different times. In addition, we have different background and experiences, so we sometimes use different language.

But we have always agreed far more than we disagreed. Neither of us like the word ‘risk’ any more, but it has taken us time to get there.

For example, I talk about managing the likelihood of success instead of focusing on the potential for harm (which is unfortunately what most ‘risk’ practitioners do). Grant and Roger talk about achieving a sufficient level of certainty of the outcome of the decision.

Those are essentially the same idea. The way I think about it is that leaders (both executives and board members) are looking for an acceptable level of certainty/likelihood that they will achieve the objectives/goals of the organization.

If we can help them understand where they are against their objectives and how what lies ahead might affect their success, we are adding huge value. What lies ahead is what some call ‘risk’ or ‘risk and opportunity’.

Grant and Roger help us understand a number of things, including what they call a global process, about making informed and intelligent decisions.

One area I like is the discussion about assumptions.

Far too often, people make assumptions without thinking of how uncertain they are. I have seen many proposals and plans that list assumptions without any thought to assessing the likelihood that they will in fact happen.

Grant and Roger talk about how it is important to understand how critical each assumption is so that the most significant can be monitored. This way, as soon as it looks likely that an assumption will not hold, actions can be taken – including revising the decision.

As I said, it’s an interesting book and it should make you think about how you and those in leadership positions make or should make informed and intelligent decisions.

Are you concerned about the quality of decision-making?

What are you doing about it?

Integrating cyber and enterprise risk management for success

April 21, 2020 5 comments

The National Institute of Standards and Technology (NIST) is part of the US Department of Commerce. It has provided guidance on the assessment of cyber-related risk that is followed by many information security and cyber professionals.

In March, it published a draft, Integrating Cybersecurity and Enterprise Risk Management (ERM).

One of the problems, a serious constraint on NIST, is that it operates in an environment that has required the traditional practice of ERM, where the final product is a risk register (or a risk profile, which is simply a prioritized risk register). Federal (US) agencies[1] have published authoritative guidance that mandates this approach.

Most leading practitioners and thought leaders have recognized that risk registers and risk heat maps are without significant value. They might enable leaders of the organization to manage individual risks, but they neither help see the big picture nor run the organization for success.

As I have said before, such as in Time to Wake Up to Risk Reality, leaders of organizations around the world have consistently said that traditional risk management is not helping them set and then execute on enterprise objectives.

Traditional risk management is not helping leaders make the decisions necessary for success.

Avoiding failure is not the same as achieving success. In fact, if all you do is manage risk instead of the likelihood of success, then you will almost certainly fail to achieve your goals.

I believe it was the FAIR Institute in their adaptation of NIST guidance that recognized that a prioritized list of cyber-related risks did not provide leaders of the enterprise with the information they need. They recognized that fact but offered no suggestions.

In Making Business Sense of Technology Risk, which was written specifically to provide some ideas on this topic, I suggested that leaders need to know how to answer questions like these:

  • Should I invest $1 million in cyber or in new product development? I can’t do both.
  • If I open a new office in Belarus, I have significant upside possibilities but will also increase the possibilities of damage from regulatory compliance issues, currency volatility, cyber intrusions, and more. How can I know whether, on balance, I should open now, in six months, in a year, or not at all?
  • How likely are we to achieve our targets for the year, given all the things that might happen over the next months, including the possibility of a data breach?
  • Should we take our new product line to market now, given the revenue it might bring and the vulnerabilities we are aware of?

Neither a risk register, nor a prioritized list of information assets, helps answer these or pretty much any other business decision.

The most these lists of risks do, IMHO, is help prioritize investments between cyber vulnerabilities. They don’t help leaders of the enterprise – as evidenced by the views of those leaders in survey after survey.

Where we need to go, as explained in my book, is to provide leaders with the information they need.

  • Information on how a breach would affect enterprise objectives, being specific about which ones
  • Information that can be aggregated with other sources of risk (both positive and negative) so that all the possibilities can be weighed together and an informed and intelligent decision made
  • Similarly, information that can be aggregated so that performance reporting can show the overall likelihood of success for each of the organization’s goals and objectives
  • Information in the language of the business

I welcome your thoughts.

(This post is being shared with NIST as a comment on their draft.)

[1][1] Such as the OMB and GAO, in additional to previous NIST standards.