Archive for the ‘Risk’ Category

Wells Fargo and KPMG – did KPMG fail the investors?

August 19, 2017

My friend Francine McKenna recently co-authored a piece published by MarketWatch.

“Where was KPMG, Wells Fargo’s auditor, while the funny business was going on?” is scathing in its discussion of the role played by KPMG.

I doubt that anybody would speak up in active support of KPMG, but is it fair to blame them and say they have failed investors?

This is how MarketWatch described the underlying fiasco:

The record of management failures at Wells started with revelations last year that millions of accounts had been opened illicitly. It got longer after the admission last month that the bank had also forced unneeded auto insurance on customers and neglected to refund optional guaranteed asset protection, so-called GAP, coverage for auto loan borrowers.

Politicians and regulators see the misbehavior as a pattern that should have been caught — and stopped. And there have been consequences for the bank. One CEO was forced to step down and forfeit millions of dollars in incentive compensation. Thousands of workers, including several executives, have been fired. Most recently the bank reshuffled its board, replacing its chairman and adjusting board committee memberships including on its audit and examination committee.

However, the authors continue:

But external auditors should serve as another line of defense. Each year, auditors offer an opinion on whether their clients’ financial statements are truthful. To do so, the auditors have to determine whether they have enough confidence in the company’s internal controls to offer that blessing.

In November, KPMG was questioned by a Senate committee. MarketWatch reports:

KPMG’s response to the senators in November acknowledged that its audits of Wells Fargo’s financial statements included procedures to identify instances of unethical and illegal conduct.

Those procedures included interviews with the company’s chief auditor, members of the bank’s Corporate Investigations Unit, bank financial executives, and attorneys inside and outside the bank, the auditor wrote. KPMG also reviews regulatory reports and reporting to executive management, the audit committee and the rest of the board from the chief compliance officer regarding investigations that related to accounting, internal accounting controls, auditing, and whistleblower claims and claims of retaliation.

KPMG wrote it did become aware, as early as 2013, of “instances of unethical and illegal conduct by Wells Fargo employees, including incidents involving these improper sales practices.” But the firm said it was “satisfied that the appropriate members of management were fully informed with respect to such conduct.”

Yet the auditor said nothing about these issues to investors, either in its audit opinion, its opinion on the bank’s internal controls, or elsewhere.

Instead, KPMG told the senators, its view is that “not every illegal act has a meaningful impact on a company’s financial statements or its system of internal controls over financial reporting. From the facts developed to date, including those set out in the CFPB settlement, the misconduct described did not implicate any key control over financial reporting and the amounts reportedly involved did not significantly impact the bank’s financial statements.”

The MarketWatch article is accurate but is it fair?

Sorry, Francine, it is not.

What is omitted from the article is that:

  1. The external auditors are engaged to audit and provide opinions on (a) the financial statements and (b) the system of internal control over financial reporting.
  2. The external auditors are obliged to assert in their audit report (included on Form 10K) whether the financial statements are free from material error and whether the system of internal control provides reasonable assurance that material errors will be prevented or detected.
  3. When it comes to fraud, the PCAOB’s Standard Number 5 directs the external auditor to consider only fraud that might lead to a material error in the financial statements.
  4. The external auditor’s responsibility beyond that is to disclose significant matters to the audit committee of the board.
  5. There is no requirement that the external auditor share any issues unrelated to material errors in the financial statements to investors.
  6. It is not the fault of the external auditors if the board fails to act on fraud that is not material to the financial statements. They do not assess the effectiveness of the board beyond where it may unacceptably raise the level of risk of material error in the financials.

Rather than blame KPMG, I would have preferred that Francine and her co-author suggest that the rules and standards that direct the work of the external audit firms be changed.

Should they disclose non-material fraud? I am not in favor.

Should they disclose concerns with the effectiveness of corporate governance? That is something worth debating.

What do you think?

I welcome your views.

Linking risk management to results

August 12, 2017

COSO ERM 2004 defined risk management:

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Taking out the middle part, you get:

Enterprise risk management is a process … designed to … provide reasonable assurance regarding the achievement of entity objectives.

This is mistaken and I am glad that the exposure draft of COSO ERM 2017 has removed this assertion. It redefines enterprise risk management as:

The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.

The draft also says:

Integrating enterprise risk management throughout an organization improves decision-making in governance, strategy, objective-setting, and day-to-day operations. It helps to enhance performance by more closely linking strategy and business objectives to both risk and opportunity. The diligence required to integrate enterprise risk management provides an entity with a clear path to creating, preserving, and realizing value.

The ISO 31000:2009 global risk management standard has a set of principles (IMHO, better than those in the draft of COSO ERM 2017). The first three are:

1: Risk management creates and protects value.

2: Risk management is an integral part of all organizational processes.

3: Risk management is part of decision making.

How does risk management create and protect value?

  1. By improving the quality of decisions by making them ‘risk-aware’, ensuring that decision-makers consider all the potential consequences of their decisions
  2. Helping to identify what might go wrong so it can be addressed if unacceptable
  3. Helping identify opportunities for things to go better than planned so they can be evaluated and pursued if justified

Some have decided that you can measure the effectiveness of risk management by examining the success of the organization.

If it were true that risk management provided reasonable assurance that objectives would be achieved (i.e., if COSO ERM 2004 were correct), then fine.

But risk management only provides reasonable assurance that decisions can be made on reliable information about what might happen. It provides reasonable assurance that risks to the achievement of objectives are at desired levels.

It doesn’t provide reasonable assurance that those things will actually happen. It will only help you assess that the likelihood of a particular benefit or harm is x%.

History has proven time and again that companies that take more risk than stakeholders might desire can be highly successful, even for an extended period. At the same time, organizations that have gone to great lengths to understand, analyze, and treat their risks have still failed. Just think of NASA and its few disasters.

Every organization is at the mercy of actors beyond their control, such as the weather, the economy, the health of their customers, the vagaries of regulators, and so on. A quality risk management program may make you aware of potential events and situations that might arise and cause you grief, but it won’t keep them at bay.

So does it make sense to evaluate the effectiveness of risk management by looking at the frequency of safety incidents or compliance failures, or the gross margin achieved?

It does make sense to analyze why failures occur and whether the root causes should have been, but were not, foreseen.

The value that is created by effective risk management is the confidence of the board and decision-makers in the information they use to make decisions.

Do you agree?

I welcome your thoughts.

Six principles for effective risk management

August 5, 2017

In World-Class Risk Management, I review the eleven principles in the ISO 31000:2009 global risk management standard and condense them to just six. (Later in the book, I discuss a possible risk management maturity model as well as what it takes to go beyond simply effective to deliver world-class value.)

  1. Risk management enables management to make intelligent decisions when setting strategy, planning, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders.
  2. Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives.
  3. Risk management is dynamic, iterative and responsive to change.
  4. Risk management is systematic and structured.
  5. Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it.
  6. Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome.

I believe it is useful to assess your risk management activity against these principles.

As my friend Alex Sidorenko says in a recent video (which I recommend), risk management is not about managing risks: it’s about enabling informed decisions.

Informed and intelligent decisions are how we achieve objectives. Those decisions need to consider what might happen (harms, opportunities, and combinations of the two) as we strive to succeed.

With that in mind, I suggest a different definition of risk management in the book:

The effective management of risk enables risk-aware decision-making, from decisions about the direction of the organization, to its core strategies, to the decisions made every day across the extended enterprise.

The processes and related policies, structures, and systems for identifying, analyzing, evaluating, and responding to risks are established by management with oversight by the board to ensure that the effects of uncertainty (both positive and negative) on the achievement of objectives are understood and managed to support the realization of the organization’s mission and commitment to stakeholders.

My understanding is that COSO will publish its update of the ERM Framework very soon. It will be interesting to see the principles they have come up with and how they compare with mine.

In the meantime, I welcome your thoughts on the above – and any other comments you may have on this best-selling book.

Two words to transform discussions of risk management

July 29, 2017

I have written extensively about the disconnect between risk practitioners and executives when it comes to risk management.

I have urged practitioners to:

  1. Use the language of the business instead of risk techno-babble;
  2. Try to stop using the R word entirely! Try to talk instead about what might happen, is that OK, and what are we going to do about it?; and
  3. Focus on enabling intelligent and informed decision-making rather than a periodic list of risks (enterprise list management)

Now I have a new suggestion.

If you have to use the R word, add two more.

Instead of talking about risk, talk about risk to objectives.

Review a list of risks to objectives and consider how much risk to objectives you are willing to take.

If you have to talk about risk appetite, talk instead about the appetite for risk to objectives.

Those simple two words make you focus, not on risk for its own sake, but how enterprise objectives might be affected.

Which objectives are “at risk”? Be specific if you want to drive the necessary actions.

Are you more or less likely to achieve them? Is that OK?

It’s not about managing risk – it’s about achieving objectives.

What do you think?

Would this improve the discussion?

It’s a simple thought but I think it can make a huge difference.

Do you agree?

Positioning risk management to succeed

July 22, 2017

Jim DeLoach of Protiviti is an old friend. We enjoy discussing risk management over a meal, finding that we agree on far more than we disagree. Where we do disagree, it may be more a matter of how we express ourselves, or due to our different positions and perspectives (he is a consultant and external advisor to boards and executives, whereas I was an executive practitioner, now retired).

His work always, in my experience, merits our careful attention and reflection.

Jim recently wrote Positioning Independent Risk Management to Succeed: 6 Ways to Support the CRO. Here are some excerpts and my comments:

DeLoach: If the board, senior management and operating personnel believe that the CRO is the only person within the organization who is concerned with risk, the game is over before it begins. In these situations, there is a major source of dysfunction lying in the weeds, and it is merely a matter of time before the organization falls victim to it.

Marks: Absolutely correct and a good observation. Decision-makers need to understand and consider everything that might happen and make an intelligent and informed decision. Such a decision leads to taking the right levels of the right risks, that in turn leads to achieving objectives and success.

DeLoach: Effective CROs are concerned with what the institution’s leaders may not know and, therefore, must occasionally offer a contrarian point of view; otherwise, the decision-making process may end up flawed with “group think.” In today’s environment, decision-making processes should be driven by objective assessments of the risk/reward balance, rather than by the emotional investment, management bias and short-termism that underlie dangerous organizational blind spots.

Marks: If the leaders don’t know, why is that? The CRO should help all decision-makers think about all the things that might happen, and do so in a disciplined manner. Teach them to fish rather than giving them fish. In addition, the CRO should question the analysis of the potential for reward – not to tear it down but to ensure it has the same rigor as exercised on the potential for harms. Finally, it’s not about “balance”. Any decision will have multiple ramifications and the CRO can help facilitate the consideration of all of them, not singly but as a combination.

DeLoach: In many organizations, board risk oversight is enhanced when the board and executive management are supported by an effective independent risk management function.

Marks: In many organizations, setting up an independent risk management function creates an atmosphere of mistrust and impairs success. The CRO and his team must consider themselves as aides to management rather than the police function that prevents them taking too much risk.

DeLoach: Tension within an institution between its market-making and control-related activities is inevitable and should be encouraged. Striking the appropriate balance between the two is fundamental to what a CRO attempts to achieve.

Marks: A system of internal control enables success, not just prevents harms. Thinking of the risk function as limited to preventing harm prevents it from achieving its potential.

DeLoach: The “Champion” CRO advances and enables the organization’s risk management framework and plays the roles of coordinator and integrator (to ensure consistency across operating units and functions), educator (as a provider of insights), facilitator (of risk assessments and formalization of risk mitigation plans), consultant (regarding application and execution of the risk management framework), communicator and reporter. Champion CROs often establish, communicate and facilitate the use of appropriate risk management methodologies, tools and techniques; facilitate risk-related meetings; and work with risk owners to provide transparency into the capabilities around managing the priority risks across the institution.

Marks: Agree, but let’s add the role of mentor, helping decision-makers understand how to identify, assess, and respond to all the things that might happen as they make decisions.

DeLoach: the CRO establishes and communicates the organization’s risk management vision.

Marks: It’s not about managing risk for its own sake, but knowing when and how to take the right levels of the right risk. Risk management vision is a myopic view that focuses solely on limits to harms. Sometimes, it is right to go all in!

DeLoach: To serve as a second line of defense, a CRO must have sufficient stature with business line leaders and across the organization. Stature comes from the authority, compensation and direct reporting lines that command respect.

Marks: Stature comes from consistently producing results, to the extent that leaders across the enterprise recognize the CRO and his team as helping them and the organization succeed.

DeLoach: the CRO role should not be perceived as a check-the-box compliance function that forces the business to follow rules imposed on it.

Marks: Agree, and this is achieved by acting as a partner in and to the business, helping them succeed rather than policing them.

DeLoach: The CRO should have open and free access to the board (or a board subcommittee).

Marks: Yes, but this should be seen as required only in an emergency. If the CRO cannot work constructively with management, he is failing.

DeLoach: If there isn’t a CRO (or equivalent executive) and/or an independent risk management function, executive management and the board of directors may want to inquire why, in the context of the nature of the entity’s risks inherent in its operations.

Marks: Sorry, Jim, but that’s the wrong question. Let’s get the board to ask the CEO whether and how he has confidence that the right risks are being taken and that decisions across the extended enterprise are intelligent and informed. Further, ask whether the reporting of performance against strategies and objectives includes the likelihood of their success and what might happen to limit or extend success. The CRO doesn’t have to be totally independent to be effective!

Please contrast this article and comments with my other blog on From Risk Management to Risk Leadership.

I welcome your comments.

Internal audit and ERM accused of failing to hit the mark

July 15, 2017

The consulting firm CEB (now part of Gartner) published a piece in 2014, Executive Guidance: Reducing Risk Management’s Organizational Drag.

It has been used recently to support an argument by a critic that both internal audit and ERM are failing. This was said in the last few weeks on Twitter:

  • “CEB survey focuses on some key failings of traditional internal audit and ERM.”
  • “CEB survey report does a good job describing problems with IA/ERM but not as good with its prescription to fix the problem.”
  • “CEB/Gartner report puts the spotlight on assurance silo overload.”

Leaving aside the fact that it is a 2014 product based on 2012 and 2014 analysis (and therefore should not have been used to discuss the current situation), how good is the CEB piece and what does it say about (a) internal audit, and (b) risk management? How accurate and relevant are its observations today?

Unfortunately, the critic mistakenly conflates internal audit and risk management. Both have their challenges, but they are different – different challenges for different organizations.

One is part of management and the other is independent.

Lumping them together confuses and distracts from addressing their individual challenges.

The CEB piece gets off to an awful start with this sentence:

In the present day, when those types of risks [financial and hazard risks such as the effects of a typhoon] can be transferred through hedging and insurance, they have taken a backseat to strategic, operational, and reputational risks that assurance functions and business leaders must identify and manage themselves.

First, practitioners know that you cannot really “transfer” a risk. That is dated thinking (sorry, insurers). Instead, you are sharing it more often than not. For example, there is always a possibility that the insurance claim will be denied, the insurer will fail, or not all the effects will be fully compensated.

Secondly, assurance providers do not “identify and manage” risks – that is the responsibility of operating and executive management with oversight from the board.

CEB recovers somewhat when they talk about how the increasingly extended enterprise and the growing volume of data captured by any enterprise have changed at least part of the risk landscape.

But then they start to categorize risks, saying:

With shareholder value as the barometer, the most potentially damaging types of business risks are the strategic ones, such as competitive incursions or declining demand for a core product. CEB’s analysis of significant market capitalization declines in the past decade shows that 86% of them were caused by risks that were strategic in nature—with operational risks as a distant second place.

Risk is the effect of uncertainty on objectives. That means that to properly assess any source of risk you have to consider how it could affect the achievement of specific objectives.

So, the only risks that rate as “high” would be those with a significant potential effect on the achievement of objectives.

Operational miscues can have a dramatic effect on objectives, leading to customer dissatisfaction and loss, product failure, and so on. Just think of Deepwater Horizon.

Compliance failures can similarly impact objectives when they are so severe that operations are constrained or even closed. Consider the Novartis problem in Japan.

CEB’s analysis by categorization is fallacious and misleads more than it helps.

If you say that strategic risks are those that might have a significant effect on objectives, which can include operational and compliance risks, then it is only to be expected that these are the ones that result in failures to execute and deliver on strategies.

Then there is the paragraph that has drawn the attention of the critic:

At most companies, however, assurance departments with the formal responsibility of identifying (and sometimes managing) risks—such as with Internal Audit in the following graphic—consider strategic risks to be out of their scope and instead see them as business owners’ responsibility.

This is simply a misreading of the situation.

While it is true, based on other surveys and my own observations (the CEB offers no evidence for its observation), that many internal audit functions do not include all significant risks to enterprise objectives in their audit plans, it is not because they consider them “out of scope”.

All risks are potentially auditable. CEB gets that 100% wrong.

Further, all risks are business owners’ responsibility, so the statement about strategic risks being business owners’ responsibility carries no weight.

IMHO, it’s true that many internal audit functions don’t include all significant sources of risk to strategies and objectives in the audit plan. But the reasons lie elsewhere.

It may be because:

  • They don’t have the resources or ability to address them and are unwilling to ask for those resources.
  • They simply didn’t think of them.
  • The audit committee doesn’t support their auditing these issues.

That’s all that is said by CEB about internal audit. The rest is about risk management.

The following CEB assertion may be true (again, no evidence is offered but I believe it to be often true):

Operational executives know risk and strategy go hand in hand, but they struggle to address them together. Similar to how enterprise risk management (ERM) efforts rarely link cohesively into corporate strategy, typical strategic planning processes run by line executives do not do enough to incorporate and address risks.

I entirely agree with these excerpts:

  • Too much focus on risk versus reward can encourage “risk aversion,” resulting in lost growth opportunities.
  • The risk prevention activities (i.e., eliminating any chance of risk) that are appropriate for other kinds of risks can lead to avoidance or aversion of strategic risks that companies would be better off taking. When companies overemphasize the risk (not reward) of strategic decisions such as developing new products, entering new markets, or selecting merger and acquisition targets, they can inadvertently foster indecision or inaction among executives and frontline staff by making them too cautious.
  • Leading companies view every decision they make as a risk decision; they explicitly link risk to overall corporate strategy and deliberately choose their risks with great calculation.
  • In short, leading companies win because they empower their employees to take and manage risks, not because they do a better job preventing them
  • Incorporating multiple perspectives on both risk and opportunity removes biases in the planning process and improves confidence in strategic decisions.
  • Scenario planning is a common approach that incorporates strategy and risk. Leading companies are increasingly conducting scenario analyses on hypothetical strategies to identify potential outcomes, associated risks, and alignment with corporate risk thresholds.
  • Embedding risk in strategic planning, and vice versa, is most effective during planning months and for a short time afterward. But during the rest of the year, risk-comfortable executives who lack clear understanding and guidance on what is, and what is not, an acceptable level of risk will expose the company to greater risks through their day-to-day decisions.
  • From our experience, leading companies that ensure a risk-based context for strategic decisions improve decision quality by as much as 42%, and companies that effectively reduce risk aversion can accelerate executive action by 34%.
  • Companies’ greatest risks are their people. Instead of focusing disproportionately on risk processes, leading management teams and assurance groups anticipate and manage the root cause of most risks: human behavior and judgment.

So overall, the CEB has some good stuff. I really like much of their language, especially in the points above about risk aversion and indecision. There is more in their document that has merit, especially about human bias and how it affects judgement and risk-taking.

But does it capture all or even the more significant problems with either internal audit or ERM practices? Does it offer the right solutions?

I am not persuaded that it does on either count.

I am not going to conflate the two separate activities. Let’s take them one by one, starting with internal auditing.

First, I have to say that while there has been significant progress in internal audit practices over the last several years, problems remain. As I have written before, the majority of board members and executives report that they do not believe internal audit addresses the risks that matter to them, the more significant risks to enterprise objectives.

This is critical!

In addition, many internal audit functions:

  • Only update their audit plans annually. They should instead, as recommended by Richard Chambers and me, be updated continuously – at the speed of risk.
  • Do not provide assurance on the management of risks to objectives. Instead, they assess and rate controls without indicating which objectives might be affected and by how much.
  • Do not provide actionable information, helping leaders know not only what might be wrong but whether strategies and even objectives might need to be changed.
  • Limit the insight they provide to what is written in the audit report. It’s so much better to have a conversation.
  • Make it difficult for leaders to find the nuggets of valuable information in their audit communications by burying them in a mountain of trivia in their audit report. Auditors need to communicate what leaders need to know, not what they themselves want to say, and do it clearly, concisely, and promptly. Leaders need actionable information now.

If CAEs and their teams focus on these six points, they are on the way to success.

Turning next to risk management, the CEB identifies some important points.

But there is a huge disconnect between practitioners and leaders at many if not most organizations.

Here are some of the problems, all of which I have written about before. Too many risk management functions:

  • Focus on the possibility of failure instead of how to succeed.
  • Think that the periodic review of a list of risks is risk management. It is not. It is enterprise list management (DeLoach). Risk needs to be managed continuously.
  • Focus on risks out of context instead of the possibility and degree that an enterprise objective might or might not be achieved.
  • Do not set as a goal helping decision-makers make the informed and intelligent decisions necessary for success.
  • Apply their discipline only to the possibility and magnitude of potential bad things, not to both good and bad.
  • Fail to recognize that an event or situation can have multiple effects, some of which are good and some not so much.
  • Talk in their own technobabble (i.e., risk) instead of the language of the business. It is better by far to talk about what might happen and is that ok.
  • Do not understand that risk is taken or modified with every decision. Relying on a corporate-level risk appetite statement doesn’t guide every decision and taking of risk.

There is more, but if risk managers address these eight points, they should be on the way to success.

I discuss both issues, internal audit and risk management effectiveness, in separate books: Auditing that matters and World-Class Risk Management. There is more to be said and done on this topic and hopefully both practitioners and their critics would see value in reading them.

What would you add?

I welcome your comments and perspectives.

What does your risk management activity seek to achieve?

July 8, 2017

From time to time, I am asked to help an organization take its risk management to the “next level”.

I strongly believe that, as ISO 31000:2009 says in one of its principles, risk management needs to be customized to meet the needs of the organization (and changed iteratively as the business and its needs change).

An organization that is relatively constant in its business and doesn’t face rapidly changing, even turbulent, risks doesn’t need the same design, structure, tools, and staffing for risk management as a trading company.

An organization where decision-making is centralized doesn’t need the same risk management activity as one that is highly decentralized.

It is essential to understand what the organization needs and how critical the management of risk is before settling on a design, let alone trying to implement or upgrade risk management.

That is why I like a feature in Enterprise Risk (the official magazine of the Institute of Risk Management) in which Iain Wright was interviewed. In Living on the Ceiling, Iain describes how he defined a vision for his risk management function at Old Mutual Wealth.

First, it needed to provide the business with consistent insight and challenge. Second, effectively advise and support the business and strategic decision making. Third, give assurance that customer and shareholder interests are protected. Finally, build trust with internal and external stakeholders through consistent delivery and high performance.

It is simply stated, meaningful, and sets the bar high.

If achieved, Iain’s team should be seen by the board and top management as having great value, helping them make informed and intelligent decisions that drive the successful achievement of objectives.

Before you can determine whether your risk management activity is effective, you have to know what the organization needs from it. Then you set objectives and strategies to achieve them before executing on them, monitoring performance, and adjusting as needed.

It’s just like managing any other part of the business or the organization as a whole.

Is it clear what risk management needs to deliver at your organization for it to be successful?

I still like the question Deloitte asked of board members and executives: does risk management help you set and then execute your business strategies?

I welcome your comments.