Archive for the ‘Risk’ Category

Selecting software for risk management

November 30, 2020 1 comment

A number of people have asked me about the future of risk management.

I can tell you that I am seeing progress!

You won’t necessarily see this in surveys, for example those of the ERM Institute – which show no improvement, even possible degradation in the maturity of risk management programs.

But I am seeing it in a couple of areas:

  1. Practitioners who, based on their comments to my blogs, have not only embraced the need for change, but are on that journey. They are moving (or have moved) from the periodic review of a list of risks to a form of risk management that is more continuous, enables effective decision-making, and is focused on helping the organization succeed. This is what I talk about in Risk Management for Success.
  2. Software vendors are starting to see the light as well. Some have been in touch with me to tell me how they are moving their products in the direction indicated in my book. They are emphasizing the need to be objective-focused and help organizations understand the likelihood of achieving those objectives.

The latter point is reinforced by my good friend Michael Rasmussen in his post from early November: Rethinking Risk Management RFP Requirements.

Here are some excerpts with my comments.

  • Organizations need to get beyond the marketing hype of buzzwords and misleading analyst rankings to really understand if the technology can deliver on the requirements of their risk management maturity journey.

I agree, but let’s also agree that a ‘risk management maturity journey’ is not about identifying and reviewing a list of risks every so often.

  • This involves a clear understanding of where you are now with risk management and where you want to be. 

Yes, find a solution that meets your needs for now and also for your future. It’s less about ‘risk management’ needs and more about the need for insight and information to fuel effective decisions.

  • There are basic risk management solutions that do ease the pain of human capital efficiency (e.g., time) in not having to manage documents, spreadsheets, and emails. But these are basic and typically aimed at a tick-box exercise for risk management that is more of a qualitative compliance exercise and not true risk management. Mature and valuable risk management is more than forms, surveys, workflow, and tasks and requires risk quantification, modeling, analytics, and reporting that is aligned with business objectives and in the context of business objectives. It requires seeing the complex interrelationships and interdependencies of risk.

The key here is that it is all about ensuring people have the information they need about what might happen to make the informed and intelligent decisions necessary for success.

  • ISO 31000 states that ‘risk is the effect of uncertainty on OBJECTIVES.’ So good risk management STARTS with performance and objective management. These can be entity-level, division, department, process, project, or even asset level objectives. Risk needs to be understood in the context of objective. 

Yes, although it would be interesting and beneficial to turn that on its head.

Objectives need to be understood in the context of risk (which includes opportunities).

  • Risks cannot be understood and managed in isolation. Yet, everybody does that over and over again.

1000% correct.

My question is this:

Are you evaluating software based on how it will help people get the information they need for informed and intelligent decisions, or are you limiting your sights to what is needed for compliance purposes?

I welcome your thoughts.

Risk Management for Success – E-reader Version

November 30, 2020 Leave a comment

Initially, I only had a hard copy version available for my new book. The reason is that the maturity model section is extensive and has to be presented in landscape. Amazon’s Kindle software does not support a book that has both portrait and landscape sections.

A number of people told me that they wanted an e-reader version because of issues with Amazon delivery to their location.

I have now added that e-reader (Kindle) version and it’s available on Amazon.

I continue to recommend the hard copy for several reasons, including the fact that it presents far better in terms of format.

I had to make a compromise with the Kindle version. Since I cannot include the landscape maturity model in the same document, the Kindle version has a link so you can download it in PDF format.

I hope this works for everybody.

I am very interested in any feedback readers may share on the concepts and ideas in the book.

I am convinced that transformation is essential – and that the book portrays a vision for ‘risk management’ that will change the views of leaders from it being a compliance activity to avoid failure to one that makes a significant contribution to achieving success.

New Guidance from COSO on Compliance Risk. Is it of value?

November 22, 2020 3 comments

One of my good friends asked me to review the latest from COSO, Compliance Risk Management: Applying the COSO Framework, which was published this month.

My friend said it was one of the worst pieces of guidance released by COSO, but I tend to disagree. It has value but is incomplete.

I like these comments:

  • Compliance risks are common and frequently material risks to achieving an organization’s objectives.

ndm: It is refreshing to see the reference to achieving objectives.

  • Compliance risks are those risks relating to possible violations of applicable laws, regulations, contractual terms, standards, or internal policies where such violation could result in direct or indirect financial liability, civil or criminal penalties, regulatory sanctions, or other negative effects for the organization or its personnel.

ndm: The publication includes not only violation of laws and regulations but also of corporate values, what OCEG refers to as mandatory and voluntary boundaries.

  • Although the underlying acts (or failures to act) are carried out by individuals, compliance violations are generally attributable to the organization when they are carried out by employees or agents of the organization in the ordinary course of their duties. The exact scope of acts attributable to an organization can vary depending upon the circumstances.
  • Compliance violations often result in fines, penalties, civil settlements, or similar financial liabilities. However, not all compliance violations have direct financial ramifications. In some cases, the initial impact may be purely reputational. However, reputational damage often leads to future financial or nonfinancial harm, ranging from loss of customers to loss of employees, competitive disadvantages, or other effects (e.g., suspension, debarment).
  • A series of events in the 1980s in the United States led to the U.S. Sentencing Commission publishing guidelines in 1991 for the punishment of organizations for violations of the law. Among its provisions, the sentencing guidelines for organizations provide for very significant reductions in criminal penalties if an organization has an effective compliance program in place. Important amendments were made in 2004 and 2010 to clarify and expand on the characteristics of an effective program.
  • Separately, the USSG also require that organizations periodically assess the risk of noncompliance and continually look for ways to improve their C&E programs.
  • The USSG do not mandate C&E programs for any organization; however, they provide an incentive for the establishment of such programs as a means of mitigating the significant penalties that can otherwise result when an organization is found to have violated federal laws.
  • A sampling of some of the guidance from outside the U.S. reveals a mostly consistent picture of what regulators expect from C&E programs. For example, the United Kingdom’s Ministry of Justice has provided guidance on the Bribery Act 2010, describing procedures that commercial organizations can put in place to minimize the risk of bribery.

ndm: I am pleased to see reference to other nations and also to the ISO standards.

  • …internal control is not solely about accounting and financial matters. Compliance with laws and regulations is one of the three fundamental objectives of an organization’s system of internal controls.
  • An important aspect of ERM is its focus on creating, preserving, and realizing value.
  • It is important to understand that although virtually every employee plays a role in managing risk, the management/mitigation of compliance risk is primarily the responsibility of all management at all levels.
  • The role of the compliance and ethics officer is to help management understand the risks; lead the development of the program to mitigate and manage those risks; evaluate how well the program is being executed; and report to leadership on gaps in coverage, execution, or material instances of noncompliance, including those by senior leaders.
  • The board of directors is responsible for oversight of the organization’s C&E program, and management is responsible for the design and operation of the program.
  • Culture begins with a sincere commitment to compliance and ethics at the leadership level.

ndm: The commitment has to be sincere. Leaders have to walk and talk in a way that people believe in their integrity, morality, and ethical behavior. A leader is somebody you willingly follow, and a leader when it comes to compliance inspires all to be ethical.

  • When allegations of noncompliance or unethical behavior emerge, they must be taken seriously. This means that individuals should be required to report wrongdoing and have multiple avenues for reporting.

ndm: It is hard and legally questionable to require people to report suspected wrongdoing.

  • Context is critical to understanding and managing compliance risks. Business decision-making is one of the drivers of compliance risk; decisions can create new risks, change existing risks, or eliminate risks.
  • Risk interdependencies may also affect how an organization manages compliance risks. An organization’s responses to other risks (e.g., strategic, financial) may affect compliance risk in a positive or adverse way.

ndm: This is one of the areas where the guidance is incomplete. There may be other sources of risk and opportunity that need to be considered together with compliance-related risk.

  • Organizations must also recognize that they cannot realistically eliminate all compliance risks or reduce the likelihood of occurrence to zero. This is simply not possible. As a result, engaging in discussions about risk appetite relating to compliance risks is a valuable tool in prioritizing efforts aimed at prevention and detection of specific compliance violations. Guidance from regulators is consistent with this concept: expecting organizations to reduce and manage, not necessarily eliminate, compliance risk.

ndm: This is similarly incomplete. You cannot discuss ‘appetite’ for compliance risk in a vacuum. More later. In addition, expressing a risk appetite for compliance risk is dangerous ground. Do you want to admit (and document) that you are willing to be in violation of law?

  • The compliance function should be involved in strategy discussions from the standpoint of (1) understanding the strategy so that the C&E program can be designed to manage compliance risks appropriately and (2) advising strategic decision makers about possible compliance risks associated with strategies under consideration.
  • If strategic decisions made by an organization involve merger or acquisition activities, it is important for compliance to be involved early in the process so that appropriate due diligence focusing on compliance risks can be performed.
  • Sometimes, performance metrics developed for business units can inadvertently create incentives to violate compliance requirements.
  • Developing a risk inventory for compliance risk is similar to the process of developing the ERM risk inventory.

ndm: Developing a risk inventory (or register) is fraught with problems, as you tend to end up managing the list of risks instead of managing the business for success. Later, COSO refers to and provides an example of a heat map – for which the best reaction is Yuk!

  • In addition to severity and risk appetite, some organizations consider other factors in their risk prioritization. Adjustments might be made to the risks on the basis of velocity, persistence, and recovery.

ndm: It’s refreshing to see recognition that other factors should be considered in assessing risk.

  • If risks are managed in isolation without consideration of other risks, inefficiencies — and possibly conflicts — can occur.

ndm: True, but what about opportunities?

There’s a great deal more information of value. These are just some of the highlights.

So what is missing?

  1. There is no answer to the question of how to determine how much to invest in preventing non-compliance. What is reasonable, such that it would be accepted by regulators?
  2. There is no discussion of how to consider the fact that decisions involve multiple sources of risk, and making a decision without considering all the things that might happen is likely to have undesirable results.
  3. There is no discussion of how to factor in opportunities, the reason to take risks.
  4. The reporting is siloed rather than showing leaders in management and the board the big picture.
  5. The risk is portrayed as a point rather than as a range of potential effects on objectives.
  6. Even though there is reference to other nations, it is past time for COSO to be an international body with international thought leadership.

These and more are discussed in Risk Management for Success.
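Items 2, 3 and 5 above (multiple sources of risk, opportunities, and risk as a range rather than a point) are easier to see with numbers. The following Python is an added example and is not code from this post, from COSO or from any vendor: it values several constructed sources of risk, including one opportunity, by their effect on a single objective, then contrasts the single-number view with a simulated range of outcomes and the likelihood of achieving the objective. The scenario, the event names, the probabilities and the impact ranges are all constructed for illustration.

```python
"""Point estimate vs. range of outcomes for one objective.

Added example, not from the post or from COSO: a small Monte Carlo that
values several sources of risk (and one opportunity) by their effect on a
single business objective, then reports the likelihood of achieving it.
All names and numbers below are constructed for illustration.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskSource:
    """One thing that might happen, valued by its effect on the objective.

    probability: chance the event occurs in the planning period.
    impact_low / impact_high: range of effect on the objective's measure
    if it occurs (negative harms the objective, positive helps it).
    """
    name: str
    probability: float
    impact_low: float
    impact_high: float

    def __post_init__(self):
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if self.impact_low > self.impact_high:
            raise ValueError(f"{self.name}: impact_low must not exceed impact_high")


def point_estimate(sources):
    """The single-number view: sum of probability x midpoint impact."""
    return sum(s.probability * (s.impact_low + s.impact_high) / 2 for s in sources)


def simulate(sources, baseline, trials=20_000, seed=1):
    """Sample 'trials' possible periods; each yields the objective's measure."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    outcomes = []
    for _ in range(trials):
        total = baseline
        for s in sources:
            if rng.random() < s.probability:  # does this event occur?
                total += rng.uniform(s.impact_low, s.impact_high)
        outcomes.append(total)
    return outcomes


def likelihood_of_achieving(outcomes, target):
    """Share of simulated periods in which the objective was met."""
    return sum(1 for o in outcomes if o >= target) / len(outcomes)


def percentiles(outcomes, ps=(5, 50, 95)):
    """Nearest-rank percentiles of the simulated outcomes."""
    ordered = sorted(outcomes)
    last = len(ordered) - 1
    return {p: ordered[round(p / 100 * last)] for p in ps}


def assess(sources, baseline, target, trials=20_000, seed=1):
    """Compare the point estimate with the simulated range for one objective."""
    outcomes = simulate(sources, baseline, trials, seed)
    point_view = baseline + point_estimate(sources)
    return {
        "point_view": point_view,
        "point_view_meets_target": point_view >= target,
        "likelihood": likelihood_of_achieving(outcomes, target),
        "percentiles": percentiles(outcomes),
    }


# Constructed scenario: a revenue objective of 100 (say, $M) with a plan of 104.
TARGET = 100.0
PLAN = 104.0
SOURCES = [
    RiskSource("Core ERP outage", 0.10, -30.0, -10.0),
    RiskSource("Customer data breach", 0.05, -40.0, -15.0),
    RiskSource("Vendor drops support, forced migration", 0.20, -12.0, -4.0),
    RiskSource("Digital channel launches on time", 0.60, 3.0, 12.0),  # opportunity
    RiskSource("Regulatory fine", 0.08, -8.0, -2.0),
]

if __name__ == "__main__":
    result = assess(SOURCES, PLAN, TARGET)
    print(f"point view: {result['point_view']:.1f} "
          f"(meets target: {result['point_view_meets_target']})")
    print(f"likelihood of achieving {TARGET:.0f}: {result['likelihood']:.0%}")
    for p, v in result["percentiles"].items():
        print(f"P{p}: {v:.1f}")
```

The point view (plan plus the sum of probability times midpoint impact) lands above the target, so a heat map or a single expected value would report the objective as on track. Simulating the same sources together shows that the objective is achieved in only about three quarters of the possible periods, and the 5th percentile sits well below it; that is the information a decision maker needs, and it only appears when the sources, including the opportunity, are considered together rather than one at a time.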

I welcome your thoughts.

Internal Audit in Crisis Times

November 16, 2020 4 comments

My friend, Hal Garyn, has shared his views on Internal Audit in these difficult times: It’s Crisis Time: Does Internal Audit Have a Say?

He makes several first class points and I strongly recommend this article to you. For example, he says:

  • Just because internal auditors want a seat at the table, doesn’t mean senior executives will automatically pull back the chair and gesture for audit leaders to sit. It must be earned. Once it’s earned, it must be retained. Auditors earn and keep a seat at the table by continuously providing valuable insights, making commitments, and delivering on promises.
  • Just because we think we have something important to say, does that information matter to our colleagues? Is it the right information, at the right time, delivered to the right people, and is it insightful?
  • Internal audit, even with its reliance on technology, data analytics, and electronic communication, will still be most successful because of the interpersonal relationships it has now and will develop over time.
  • Look at internal audit from the outside in, not the inside out: Focus on what the organization really wants from internal audit, not just what we believe we should provide.
  • Consider and prioritize the work that is absolutely necessary, even if it is outside the typical internal audit work, and leave the work that doesn’t address the immediate problems for another time.
  • Volunteer to help: Determine how you can help and figure out how to do it. Don’t wait to be asked. The four words every internal audit leader should be asking senior executives are: “How can I help?”
  • Be more flexible with risks to objectivity: While objectivity is fundamental to internal audit, in times of crisis, what the organization needs should potentially take precedence over preserving objectivity.
  • Move to a near-continuous risk assessment: Risk is dynamic, not static. Right now, risks are quickly evolving in terms of impact, likelihood, severity, duration, and velocity. If you are conducting risk assessments on a quarterly or, dare I say, annual basis, your assessments are yesterday’s news.

I usually end my posts with, if not criticisms, additional perspectives and suggestions.

I don’t want to dilute Hal’s article, so I will leave you to read it in its entirety.

I welcome your thoughts.

Talking sense about the Audit Committee

November 9, 2020 5 comments

I am tired of seeing nonsense written about the responsibilities of the audit committee when it comes to their oversight of risk, especially cyber risk. The latest (members-only, which may be a relief) is from Compliance Week; it says the audit committee must have an in-depth understanding of cyber risk – and pays no attention to whether a breach might affect either the integrity of the financial statements or the achievement of enterprise objectives. It also confuses the roles of management and the board.

McKinsey has a far better article, but still misses the mark.

It’s time to go back to basics!

What are the responsibilities of the audit committee of the board?

In 2018, Deloitte published a sample audit committee charter designed for US public companies. It said that:

The audit committee is established by and among the board of directors for the primary purpose of assisting the board in:

  • Overseeing the integrity of the company’s financial statements [NYSE Corporate Governance Rule 303A.07(b)(i)(A)] and the company’s accounting and financial reporting processes and financial statement audits [NASDAQ Corporate Governance Rule 5605(c)(1)(C)]
  • Overseeing the company’s compliance with legal and regulatory requirements [NYSE Corporate Governance Rule 303A.07(b)(i)(A)]
  • Overseeing the registered public accounting firm’s (independent auditor’s) qualifications and independence [NYSE Corporate Governance Rule 303A.07(b)(i)(A) and NASDAQ Corporate Governance Rule 5605(c)(1)(B)]
  • Overseeing the performance of the company’s independent auditor and internal audit function [NYSE Corporate Governance Rule 303A.07(b)(i)(A)]
  • Overseeing the company’s systems of disclosure controls and procedures
  • Overseeing the company’s internal controls over financial reporting
  • Overseeing the company’s compliance with ethical standards adopted by the company

Note that there is no legal requirement (yet) in the US for the audit committee to oversee the management of risk, but we can certainly add that to the list above.

Let’s add to the above with the important section from COSO’s Internal Control Framework (2013) on effective internal control:

An effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives.

I will return to that definition at a later date.

Let me keep my advice for audit committee members and their advisors simple.

I will start with what we all know:

  1. The role of the board is not to run the organization. The role is to ensure it has the right management team and they are running the organization effectively. They have a governance and not a management role.
  2. The board and its committee should be focused on obtaining assurance that management prepares accurate financial statements and makes other required disclosures not only to the regulators (SEC, etc.) but also to other stakeholders (banks, etc.).
  3. In addition, it needs assurance that management has an effective system of internal control in place, not only for financial reporting and other disclosures, but also for the achievement of the objectives approved by the board for the organization.
  4. It also needs assurance that management is properly addressing the risks and opportunities (as called out in the King IV and other corporate governance codes) that might affect the achievement of enterprise objectives.
  5. Finally, the board needs assurance of the effectiveness of both the internal and external auditors.

Now here are my specific recommendations. They recognize the true role of the board as a governance body and not a management body, and the specific duties of the audit committee as described above.

When it comes to specific sources of risk of whatever color ask:

  1. Will this significantly affect the reliability and integrity of the financial statements?
  2. Will this significantly affect our compliance with required disclosures, including the effectiveness of disclosure controls?
  3. Will it significantly affect the effectiveness of internal control over financial reporting?
  4. Will it significantly affect the effectiveness of the system of internal control for other enterprise objectives?
  5. Will it significantly affect the likelihood of achieving our objectives?
  6. Is there a significant problem with relying on our systems and processes for managing risk to objectives?
  7. Will this have a significant adverse effect on our reputation?
  8. If this source of risk is not significant, given the answers to questions 1-7, why is it being brought to us for discussion? Why can we not rely on management to handle it?

I welcome your thoughts.




Apparently, there are legal minds who disagree with my statement that “The role of the board is not to run the organization.” They point to the obligation of the board under Delaware law: “The business and affairs of every corporation organized … shall be managed by or under the direction of a board of directors.”

There is a difference, as every lawyer would tell you, between the words “run” and “manage”.

Clearly, members of the board can be held liable if the organization fails in some way (although I am not an attorney, so this is not a legal opinion).

But I am not talking about that. I am talking about running the company, and that is something the management team does with oversight by the board.

The board only has periodic involvement (at least the independent members) and it is totally unreasonable (in my lay experience and opinion) to expect them to run the company.

Instead, they appoint a management team and are entitled (given reasonable processes for hiring, reviewing, and terminating them) to rely on them to run the organization. However, they need (not a legal requirement in the US but a practical one everywhere) to have assurance on things like internal control and risk management.


IT audit and IT risk

November 5, 2020 3 comments

I have to admit, I was a halfway decent senior financial auditor with (what is now) PwC. I was no star. But my life as a recently qualified chartered accountant changed when I was given a couple of career choices.

The first was to follow my heart and relocate to the Paris office. I loved France (and French women, let alone the food), having spent multiple summers there with French families or working in a warehouse in the East of Paris.

The second was to follow my head.

I had been a guinea pig in an experiment involving flowcharting and evaluating the controls over a client’s computer systems. It was weird: I had done my best with the new purple Internal Control Questionnaires (ICQs), but both they and the flowcharts could hardly be seen under the barrage of critical review comments and corrections by the Computer Audit Group (CAG). When I met with the CAG Supervisor to hear in person what he had to say about my pitiful attempt, I have to admit being more than a little upset by his harsh words. He asked if I had listened to a word of the training – and I replied that I had not received any training at all! He went from my greatest critic to an admirer, saying that while I had messed everything up it was a great job for somebody with zero experience or training.

Shortly after that strange episode, I met with my manager and he told me that in addition to the opportunity to move to France, I also had an offer to join CAG as a senior computer auditor.

It was a tough decision but CAG was a life-changing experience.

The trainers at the introductory training (CAG College) saw something in me. Even though I had no programming background and was learning COBOL for the first time, they asked me to become the technical expert. In addition to helping others with their COBOL programs, I was to research new developments in technology and interpret how they might affect our clients and our audits.

I fell in love with technology and it changed my life. I was promoted to manager and then senior manager very quickly (I believe I was the youngest manager in the firm at that time).

After I left PwC, it didn’t take long before I was able to move from IT audit to a VP position in IT with responsibility for multiple areas including information security. I hoped to become a CIO. But life intervened and the company I was with outsourced IT and I moved to a new company as CAE.

As CAE, as much as 25% of my team were IT auditors!

I am sharing this to explain why technology, its management and audit, has always been dear to my heart. I am no longer the techie that I was; I now have more of a business executive perspective.

So when I see interesting articles on IT risk and IT audit, my passion resurfaces.

I have known Matt Kelly for many years from when he ran Compliance Week. He is now the Editor and CEO of Radical Compliance, a newsletter I enjoy.

He has penned a piece for Galvanize, a “GRC” software vendor. The article is A better approach to managing IT risk.

Unfortunately, I cannot recommend the article. It has far too much of a compliance focus for me (understandable, since that is Matt’s professional focus and background).

I will just pick out a few statements for comment.

The article starts with this assumption and following statement:

IT security is fundamental to achieving business objectives—which means that understanding and managing IT risk is also fundamental to achieving business objectives.

This is because IT risk evolves across two fronts:

    1. The constantly growing number of regulations that govern issues like privacy or system integrity
    2. The always-shifting design of IT systems themselves.

What is wrong with that?

  • IT security’s potential effect on business objectives varies from organization to organization. Unfortunately, most do not assess how a breach could affect those business objectives (which is why I wrote a book about it). For some, it is huge; for others, not so much.
  • IT risk is far broader than IT security. It includes any failure in the use (or misuse) of technology, including such issues as:
    • The availability of the systems and related infrastructure relied on to support business operations
    • The availability of the systems relied on for delivery of services to customers
    • The quality of both, including providing the functionality needed by the business
    • The reliability of those systems to deliver what is needed when it is needed, etc.
    • The ability to support an agile organization
  • Few perform the quality assessment of technology-related risk and opportunity sufficient to make informed and intelligent business decisions. They assess risk to information assets instead of risk to business objectives.
  • There is no such thing as “IT risk”, only business risk (to quote Jay Taylor, former head of IT audit and then CRO at GM).
  • Sometimes, taking more IT-related risk (because of the opportunities) is the right business decision.
  • There are many other factors that can change IT-related business risk, such as a change in the business or an acquisition, a desire for new software by the business, an increase in software purchased or subscribed to directly by the user, an increase in the volume of network traffic that threatens reliability, the loss of maintenance support by a vendor, rapid testing of application changes, operating system changes, the delay of a major systems project, and so on.

Matt doubles down with (emphasis added):

One way a company ends up with too much IT risk is to let those IT systems fall out of compliance with regulatory obligations. Even worse: as we look at the business landscape today, it’s also painfully clear that this is becoming the primary way a company ends up with too much IT risk, too.

Compliance is probably the least concern for CIOs outside financial institutions.

If you want to understand “IT risk” it starts with understanding the reliance placed on technology by the business. Ask:

  • What needs to go right (when it comes to the use of technology) if we are to achieve our objectives?
  • What could go wrong in such a way that it imperils the achievement of objectives?

But management should be the one understanding and assessing risk, including risk related to technology.

While internal audit needs to understand technology-related risk (a far better term than IT risk, since technology is not managed only by the IT function), that is for audit planning purposes. It shouldn’t be for reliance by operating management – even though that is what Matt is saying in his article.

In fact, internal audit should be assessing how well management understands and addresses business risk, including but not limited to technology-related risks and opportunities.

IT audit and the understanding and management of technology-related risks and opportunities are very important (and dear to my heart).

But please, start with understanding the business and how it relies on technology.

Then ask those two questions:

  • What needs to go right (when it comes to the use of technology) if we are to achieve our objectives?
  • What could go wrong in such a way that it imperils the achievement of objectives?

Obtain answers that are ‘valued’ based on how they might affect the achievement of business objectives.

IT auditors: the best ones are those who not only have technology skills but have a deep understanding of the business.

Above all, there is far more to technology-related risk than information security.

I welcome your thoughts.

From Risk to Success Management

November 2, 2020 7 comments

I have been talking (and writing) for a long time about the sad reality that leaders of organizations around the world see risk management as something they have to do rather than want to do.

Surveys say that:

  • Around 80% see risk management as a compliance activity.
  • According to Deloitte, only 13% see it as making a significant difference in setting the right strategies and objectives and then executing against them.
  • Only a very small number of board members and executives are willing to dedicate the time and resources necessary to bring risk management up to what people (such as the ERM Initiative at North Carolina State University) believe is fully mature. Just 3% told the ERM Initiative that their risk management program is “robust” – and the level of effectiveness is decreasing over time, not improving.
  • 3% told the ERM Initiative that risk management has “strategic value”.

How do we turn that around?

How can we make risk management into something that leaders want to do?

How can we help them see it as something that helps them succeed: what I call success management?


We need them to see it as something that helps them lead the organization to success: the achievement of objectives.

It needs to help them individually as well as the organization as a whole.


If they don’t see it as adding value, why should they do more than the minimum required to satisfy their compliance obligations?

Why should they spend time away from ‘making money’ for the organization to discuss a list of things that might be a problem?


How do we do that? How do we make them believe risk management is worth the investment of their time and resources?


We need to upgrade or transform risk management into something that helps them make the informed and intelligent decisions that lead to their taking the risks (and opportunities) necessary to achieve objectives.

It is not enough to avoid risk – that leads to being risk averse and passing up opportunities for success.


I am far from the only person to talk about the need for risk management to:

  • Help set the best strategies and objectives for success. Some call this the integration of risk and strategy-setting.
  • Enable effective decision-making.
  • Help both create and protect value.

For example, COSO ERM 2017 says:

An organization needs to identify [the] challenges that lie ahead and adapt to meet those challenges. It must engage in decision-making with an awareness of both the opportunities for creating value and the risks that challenge the organization in creating value.

The ISO 31000:2009 global risk management standard (which I prefer to the updated version) has these principles:

  • Creates and protects value
  • An integral part of organizational processes
  • Part of decision-making
  • Dynamic, iterative, responsive to change
  • Tailored

People talk about the need.

It is time to talk about the how.


I have shared three books until now on risk management:

World Class Risk Management[1] has been very well received and I am grateful for the compliments people have shared. It remains my go-to book that explains not only the primary frameworks and standards but also why there is so much more to risk management than the periodic review of a list of risks.

Risk Management in Plain English was targeted at executives and board members, explaining in a more concise way that we are better off if we can find a way to talk about managing what might happen for success instead of using the 4-letter word, risk, that automatically makes people think it is just about avoiding failure.

I am proud of the further thought leadership (in my humble opinion) in Making Business Sense of Technology Risk. The book explains that most top executives and boards don’t understand technology-related risks and cyber risk in particular – because it is not explained in terms of the impact on the business. Therefore, there is a chasm between those responsible for cyber and those holding the purse strings.

The book talks about how to bridge the divide. In the process it expands on the thinking in the two earlier books and takes on, in more detail, the need to consider the potential effect of an event or situation as a range rather than a point. It also takes on the primary frameworks for assessing cyber risk and explains how they don’t meet the needs of business leaders. It suggests a better way, based on assessing the likelihood of achieving objectives.

Unfortunately, Making Business Sense of Technology Risk has not been picked up as often as my other books. It may be because it is seen as limited to technology risk specialists. In fact, it is for all practitioners, not just those who specialize in technology. After all, technology is a major source of both business risk and opportunity.

I continue to recommend it highly.


But now I have a new addition to my (and I hope your) bookshelf!


Risk Management for Success takes everything to the next level, building on (rather than replacing) what I have shared in the three previous books.

It explains how risk management should be about understanding and addressing what might happen.

It talks about how this relates to the Purpose or Mission of the organization and helps set the best strategies and objectives for achieving them.

In the process, it details how many organizations have failed to do that well, especially when they don’t cascade those objectives down and across the organization so everybody is working towards the same enterprise goals.

Then it addresses how risk management is an integral part of decision-making. It talks about the attributes of effective decision-making and how and why it so often fails.

One area that the book covers that never seems to be addressed is the level of confidence those performing a risk or opportunity assessment have in their assessment. I believe this is important information that should be considered in making use of assessments in business decision-making.

A major part of the book is a discussion of how to assess the effectiveness of risk management. It includes a detailed maturity model that addresses points from strategy and objective-setting through decision-making to risk oversight and more. I have also provided two forms for surveying management to get their views of the value and effectiveness of risk management.

Rather than list the other topics in the book, here is the Table of Contents:


  • We have a problem (p. 5)
  • Chapter 1: Introduction (p. 7)
    • Who is this book for? (p. 7)
    • Why this book? (p. 10)
    • What is risk management? (p. 13)
    • Risk management is constantly moving (p. 21)
    • Risk management for success (p. 22)
    • Your definition of risk management (p. 25)
    • Language (p. 26)
    • Perfect risk management (p. 29)
  • Chapter 2: Strategies and objectives (p. 31)
    • The Mission or Purpose statement (p. 31)
    • Strategic plans (p. 34)
    • Objectives, strategies, plans, projects, and goals (p. 38)
    • Risks to objectives (p. 42)
    • Success is a team effort (p. 44)
    • The likelihood of achieving objectives (p. 47)
    • Risk, opportunities, and objectives (p. 53)
    • Comparable (p. 54)
    • Aggregate (p. 56)
    • Reporting to management and the board (p. 58)
    • Agile, dynamic and flexible (p. 61)
    • Lower level objectives and their management (p. 62)
  • Chapter 3: Informed and Intelligent Decisions (p. 65)
  • Chapter 4: Understanding and assessing what might happen (p. 81)
    • What to assess (p. 85)
    • How to assess: the goal (p. 89)
    • How to assess: the methods (p. 99)
    • Confidence in the assessment (p. 100)
    • Risk assessment failures (p. 108)
    • Monitoring (p. 109)
  • Chapter 5: The risk office (p. 115)
  • Chapter 6: Risk governance (p. 123)
    • Is risk management effective? (p. 123)
    • When the board takes risk (p. 124)
    • Risk and the board’s agenda (p. 125)
  • Chapter 7: Risk culture (p. 127)
    • Assessing risk culture (p. 131)
  • Chapter 8: Assessing risk management (p. 135)
    • The value of a maturity model (p. 138)
    • Tailoring the model (p. 141)
    • Capturing the results (p. 143)
    • Using the model (p. 144)
    • The Maturity Model (p. 146)
    • Surveys (p. 175)
    • Management’s Assessment of the Risk Office (p. 176)
    • Management’s Assessment of the Risk Management Program (p. 178)
  • Acknowledgments (p. 180)
  • Additional reading (p. 181)
  • About the Author (p. 182)


The book is now available on Amazon. It is only in paperback form as the e-reader version doesn’t support the landscaped maturity model. (Let me know if you have a problem with Amazon and want a PDF version).


I hope you will enjoy it and look forward to hearing your thoughts.


By the way, I want to publicly thank my esteemed reviewers[2]:

  • Brian Barnier
  • Martin Davies
  • Jim DeLoach
  • Peadar Duffy
  • John Fraser
  • Brian Hagen
  • Hans Læssøe
  • Tim Leech
  • Grant Purdy
  • Alexei Sidorenko
  • Paul Sobel
  • Rick Steinberg


[1] There’s a special version of the book, World-Class Risk Management for Nonprofits, with co-author Melanie Herman, published in 2017

[2] The fact that they made an important contribution to the book does not mean that they agree with everything I say in it.

A simple risk-driven decision technique

October 29, 2020 5 comments

Even as a youth, I was told to consider my options when I was making an important decision.

My parents taught me to take a piece of paper, draw a line down the middle, and write down the “pros” on one side and the “cons” on the other.

Pros and Cons

This simple tool can be very effective.

Imagine we are considering opening an office for our business in Poland.

There are both risks (bad things that might happen and their effects) and opportunities (good things and their effects).

We fill in the table:

  • The Pros might include additional revenue over the first year, with a springboard built for continued growth in Eastern Europe over the following years. We might also include the possibility of hiring additional talent in cybersecurity that could help us with some global challenges.
  • The Cons could include risks related to cyber, trade compliance, ethics, reputation, and more.

But before we make a decision, we need to have more than a description of each of the Pros and Cons. We need some form of measurement.

We also need clarity on our overall objective: what we are trying to achieve. Let’s say that the overall objective is to increase enterprise revenue by 5% and that opening a new office in Poland is one option, one strategy we are considering.

We could add traditional measures of forecast revenue dollars for the first year and subsequent years to the Pros, and put some value on the possibility of hiring cyber talent.

We could add traffic light (high – medium – low) ratings to the risks in the Cons column.

But those measures are not really helping us with our decision.

So we add a likelihood estimate to the revenue forecast numbers. If we are sophisticated, we change the single point revenue numbers to revenue ranges with associated likelihoods.

We also change the risk ratings to some valuation of the potential effect and indicate the likelihood – again, upgrading from single point effects to ranges if we are sophisticated.

We are now getting close, but how do we weigh the Pros and Cons?

Weigh pros and cons

Maybe everything is now quantified so you can determine whether there is a net positive (Pro) or negative (Con) to opening the office.

The next question is whether that net is sufficient for you to achieve the overall enterprise objective.

Maybe there is a positive return, but is it sufficient? How does any ROI compare with other uses of the necessary funds?

Are there better options?

What would happen if you accelerated the opening, perhaps increasing some Cons but also increasing the Pros?

…and so on.

I suggest that this simple technique is one we should always consider when making important decisions.

A risk register or heat map simply doesn’t come close to adding the same value to a decision-making process.

The risk practitioner can help with the Pros and Cons in many ways, from facilitating the identification of the Pros and Cons, to assessing each of them in a way that enables them to be aggregated and compared, and then with tools and techniques to weigh everything together and determine whether they are likely to satisfy enterprise objectives.

In fact, the sophisticated practitioner can take a simple Pros and Cons list and transform it using models and tools like Monte Carlo.
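Here is what that transformation can look like, as an added example that is not part of the original post. Each Pro and Con from the Poland office decision is given a likelihood and a low/most-likely/high range of effect instead of a single number or a traffic-light rating, and a Monte Carlo simulation turns the list into a distribution of net effect. The result answers the question the post asks: not just whether the net is positive, but whether it is likely to be large enough to meet the enterprise objective. The items, likelihoods, dollar ranges and the assumed required contribution of $2.5M are all constructed for illustration.

```python
"""Monte Carlo weighing of Pros and Cons against an enterprise objective.

Added example (not from the original post). Each Pro or Con carries a
likelihood and a range of effect rather than a single point or a
traffic-light rating; the simulation turns the list into a distribution of
net effect and reports the probability that the option contributes enough
to the objective. All names and numbers below are constructed.
"""
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Item:
    """One Pro (positive effect) or Con (negative effect) of a decision."""
    name: str
    likelihood: float   # probability the effect materialises at all, 0..1
    low: float          # smallest effect if it does, in money units
    likely: float       # most likely effect
    high: float         # largest effect
    pro: bool           # True for a Pro, False for a Con


def sample_effect(item: Item, rng: random.Random) -> float:
    """Draw one realisation of the item's effect (0 when it does not occur)."""
    if rng.random() >= item.likelihood:
        return 0.0
    value = rng.triangular(item.low, item.high, item.likely)
    return value if item.pro else -value


def weigh(items: List[Item], required: float, trials: int = 20_000,
          seed: int = 2020) -> Dict[str, float]:
    """Simulate the net effect and compare it with the contribution required.

    `required` is how much net positive effect this option must deliver for
    the enterprise objective to be met (e.g. the revenue the Poland office
    must add for the company to grow 5%).
    """
    rng = random.Random(seed)            # fixed seed: reproducible results
    nets = sorted(sum(sample_effect(it, rng) for it in items)
                  for _ in range(trials))
    return {
        "p_net_positive": sum(n > 0 for n in nets) / trials,
        "p_meets_objective": sum(n >= required for n in nets) / trials,
        "p10": nets[trials // 10],        # pessimistic outcome
        "p50": nets[trials // 2],         # median outcome
        "p90": nets[(9 * trials) // 10],  # optimistic outcome
    }


# Constructed Pros and Cons for the "open an office in Poland" decision,
# in $ millions over the first year. Likelihoods and ranges are invented.
POLAND_OFFICE = [
    Item("first-year revenue",          0.90, 2.0, 4.0, 7.0, pro=True),
    Item("regional growth springboard", 0.50, 0.5, 2.0, 5.0, pro=True),
    Item("cyber talent hired",          0.60, 0.2, 0.5, 1.0, pro=True),
    Item("cyber breach at new site",    0.15, 0.5, 2.0, 8.0, pro=False),
    Item("trade-compliance penalty",    0.10, 0.1, 0.5, 3.0, pro=False),
    Item("set-up and running costs",    1.00, 1.5, 2.0, 3.0, pro=False),
]

if __name__ == "__main__":
    # Assumption: the 5% enterprise revenue objective needs $2.5M net
    # from this option. Print the probabilities and the outcome range.
    for key, value in weigh(POLAND_OFFICE, required=2.5).items():
        print(f"{key:>18}: {value:.2f}")
```

The two probabilities are the ones that matter for the decision: `p_net_positive` says whether the office is worth opening at all, and `p_meets_objective` says whether it is likely to deliver the contribution the enterprise objective needs. Changing an item's range (for example, accelerating the opening so that first-year revenue rises but the breach and compliance ranges widen) and re-running gives the "what if" comparison the post describes, and comparing `p_meets_objective` across options answers "are there better uses of the funds?" in comparable terms.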

What do you think?

Agile Risk Management

October 25, 2020 7 comments

Peadar Duffy of Solux[1] has shared a marketing piece that contains some valuable content, although it is (IMHO) incomplete.

He explains the need for risk management to be agile – with which I totally agree. By the way, I recommend reading pieces by McKinsey on Agile Organizations. To quote their headline,

“New ways of working are needed to survive and thrive in a fast-moving, technology-driven world.”

These excerpts from the Solux piece, Agile Risk Management (ARM): Continuous & Dynamic Decision Support, help us understand the need:

  • …an environment where the speed of disruption across multiple fronts is on the increase demands of organisations that they similarly need a comparable speed in decision making.
  • 21st century levels of uncertainty mean that there is zero chance that decision makers can reasonably expect to consistently plan perfectly and predict the future accurately. For this reason, organisations need to be prepared to fail fast and learn quickly such that scarce resources can be preserved and re-directed to where lessons learned, and continuous improvements increase the chances of success as soon as possible.
  • Organisations clearly need to be more agile than resilient. Put simply, resilient football teams don’t win championships as preparing and responding to opposing team tactics is a defensive play. It is akin to asking players to run onto the pitch with a given number of set-pieces in mind. Alternatively, anticipating opposing team tactics, being agile and bouncing forward ahead of less responsive players is what wins games. Agile players run onto the pitch with a game plan in their minds, thinking of winning with set pieces and rules of the game so embedded in their state of being that it is instinctive.

Let me put this in my words:

  1. The world in which we live and work is not only massively disruptive but the speed and volatility of change are increasing.
  2. Decisions need to be made at speed if organizations (and people) are to both seize opportunities and navigate risks.
  3. Those decisions are dependent on reliable, timely, and current actionable information about what might happen.
  4. That information is derived, at least in part, from risk management activities.
  5. Those activities, risk management, need to function at the speed of change – the speed of risk and the speed of the business.
  6. Risk management also needs to adapt and change to meet the needs of a changing business and environment.

Hence, there is a need for agile risk management.

Peadar explains the relationships between the Purpose or Mission statement, objectives, and the taking of risk. After all, it is supposed to be ‘risk to objectives’, not risk for its own sake.

  • Purpose is determined by stakeholders. Founders, shareholders, boards and their management teams determine core purpose given the needs of customers, society and employees as well as the partners, suppliers and most significantly those statutes and regulations which organisations need to observe. Thereafter corporate objectives, business and operating models required to deliver corporate purpose are selected as appropriate.
  • Purpose to risk management is what true north is to navigation. Why? A risk is simply a thing which can stop you or slow you down on your journey to a given objective. For a given business objective some risks are worth taking, and some are not. The process of deciding what to do is called managing risk and this is what business managers do every day. On the journey from point A to point B you just need to know when to speed up, when to slow down, or when you should stop and plan another route altogether.
  • Clearly when decision makers know why their organisation exists/what it is there to achieve, they are better equipped to do the right thing (making a decision) in the right way (process) as the organisation moves forward.

This is all excellent.

The next step, not addressed in his article, is weighing the pros and cons (the positive and negative effects) to see whether it is right to take a risk or not.

To repeat a quote:

For a given business objective some risks are worth taking, and some are not. The process of deciding what to do is called managing risk and this is what business managers do every day. On the journey from point A to point B you just need to know when to speed up, when to slow down, or when you should stop and plan another route altogether.

How do you know whether to speed up (take the risk), slow down (minimize a risk), or even stop if you don’t understand all the things that might happen? You have to be able to assess and evaluate both the good and the bad so what you put on each side of the scale is in fact comparable.

I will continue to share and write about this (especially when I announce my new book).

I welcome your thoughts.

[1] It has not affected my writing, but I have an emerging business relationship with Peadar. He is one of the reviewers of my upcoming book.

Death of the Audit Report

October 18, 2020 7 comments

I have known my friend Hal Garyn for a long time. He is a gentleman for whom I have great respect and we usually are in full agreement on topics of mutual interest.

But I am only in partial agreement with his recent article, Death of the Audit Report: It’s Time to Reconsider How to Convey Internal Audit Findings.

As usual, I will point to some of his excellent comments:

  • …why do we issue audit reports? Are we required to do so? And are there other options? Does the return on investment outweigh the time spent drafting, editing, reviewing, and issuing traditional internal audit reports? We’ll explore these questions in depth, but the short answer is a resounding “no!”
  • When most internal auditors consider why they issue audit reports, far too many say it is because “the Standards require us to.” Well, that is not true at all. The Institute of Internal Auditors’ Standards for the Professional Practice of Internal Auditing states the following regarding reporting the results of internal audit work:

“Internal auditors must communicate the results of engagements.” – IIA Performance Standard 2400.

  • So, if the Standards do not say, “you must issue an audit report,” why do we do it? Another common response to the “why” question, beyond erroneously thinking that we need to, is: “Because that’s the way we have always done it.” If we are unwilling to accept a statement like that as an answer from an audit client, then that cannot be an acceptable answer for why we continue to issue standard audit reports.
  • Jason Mefford, president of Mefford Associates and CEO of cRisk Academy, agrees that it’s time to rethink the traditional audit report and instead focus on the best way to achieve its objectives. “We all need to rethink how we communicate the results of our audit work,” he says. “The typical long, jargon-laden internal audit report may not be the most effective way to do that any longer. In fact, if you want to find an extra 30 percent of time in your budget, quit wasting time writing reports,” he asserts. In a time when efficiency matters, the audit report process may be long overdue for an overhaul.
  • Remember when our high school writing teachers advised us to begin with the end in mind.
  • The report, in the end, is just a means of communication. Communication only has value if what the author wants to say is completely and accurately understood as intended by the recipient of the communication. The communication is in a form that is most easily digested so it can be acted upon in some way by the recipient, in the manner originally intended.
  • In a recent poll conducted on LinkedIn of internal audit leaders, 22 percent of respondents said the average length of their standard audit report is more than 10 pages, and another 48 percent said the average length of their audit reports ran 5 to 10 pages. With these lengths, it is possible that such reports are not easy to read or digest. Some internal auditors will readily admit that they are not written with the reader in mind.
  • Improving our audit reports starts with considering your audience and asking a few simple questions: What information do they need to know?

Hal sets the table well.

The traditional and long audit report needs to be transformed.

It starts, as he says, with understanding:

  1. Who the intended audience is, the recipients of your communication
  2. What they need to know
  3. What the best way is to communicate that information. It has to be in a way that gets their attention, tells them concisely what they need to know, and enables appropriate actions
  4. How to eliminate what is unnecessary so that the necessary stands out and is easily consumed

My first and perhaps most important disagreement with Hal, and it’s a strong disagreement, is around the purpose of the communication.

I disagree with each of these quotes:

  • “The ultimate objective of internal audit reporting is not to describe what we found or to make recommendations for improvement. It should be to persuade readers to take action,” Richard Chambers
  • “The goal is risk mitigation and operations improvement, not reports,” Amanda “Jo” Erven
  • “Communications must include the engagement’s objectives, scope, and results.” – IIA Performance Standard 2410.

He also makes these statements, with which I strongly disagree:

  • What is the best way to sufficiently document the work that was completed? And, most importantly, what is the best way to convey the findings that, when addressed, will make the biggest impact on the organization?
  • Regardless of how we communicate the results of our audit work, each ‘finding’ must cover certain elements that are fundamental to good internal audit reporting. There are great articles and other material covering the details, but be sure that each finding addresses these elements if you want to completely cover the matter at hand: condition, criteria, cause, effect, and, in most cases, a recommendation.

This is a vitally important topic and I cover it in detail, with examples and practical suggestions, in Auditing that Matters.

Let’s go back to the point that this is about communicating, not writing an audit report.

It is vital that we realize that our obligation is to communicate the results of our work, and that we know to whom that communication is directed.

We need to communicate to increasingly senior levels of management and then to the audit committee of the board.

As I say repeatedly in the book, we need to communicate:

  • what they need to know rather than what we want to say (and there’s a huge difference)
  • when they need to know it (typically at the speed of decision-making)
  • in a way that is actionable, eliminating the unnecessary that makes the communication hard to receive

What do they need to know?

As we say in the Core Principles and the Definition of Internal Auditing, we provide:

  • Assurance
  • Advice, and
  • Insight

If you are seeking assurance from a doctor, auto mechanic, or other specialist, do you want a formal report? Isn’t it better to talk to that expert and listen to what they have to say, with an opportunity to ask questions, perhaps (and only perhaps) supplemented by a written report? Maybe the written report can summarize the communication for later reference or sharing.

If you want advice from a parent, attorney, tax accountant, or other authority, do you limit the communication to a formal report? Again, isn’t a real discussion better for you? Maybe a formal report with detail can help, but it is usually not sufficient by itself and may be unnecessary. I don’t want to pay an attorney to write a formal report that summarizes what he or she has just told me.

The whole point of insight is that it is typically not included in formal reporting. It’s the enormously valuable professional opinion of the auditor that may be hard to prove with solid evidence. For example, I have discussed both individual managers and the structure of the organization with executives.

Similarly, when have you ever tried to persuade somebody to do something by writing a report when you can talk to them?

I could continue by challenging the need to document our work (we have working papers for that) or to include all the details such as scope and objectives, criteria, condition, and so on. Our customers don’t need to see all of that. It’s for our benefit – or for history (and only regulators and historians will care).

So I repeat:

  • Tell them what they need to know, when they need to know, and in a form that is readily actionable.
  • Put in writing only what our customer will want in writing.
  • Communicate, communicate, communicate – but don’t forget to LISTEN!

If you focus on listening and talking to management and the board, with a thoughtful discussion of the situation, not only will your objectives be achieved but you will have credibility with them.

This is not going to be easy for everybody – but it will pay off in spades.

I welcome your thoughts.

Identifying the risks for 2021

October 12, 2020 7 comments

Richard Chambers has shared his valuable insights in another post. In Europe’s Internal Auditors Are Already Identifying the Risks for 2021 he makes a number of excellent observations, especially his opening paragraph:

As we enter the fourth quarter of a historically difficult and disruptive year, internal audit leaders around the world are looking to next year with some degree of trepidation. If the COVID-19 pandemic has taught us anything, it is that new risks can emerge at lightning speed and have profound impacts on our organizations and lives.

I also like that he pointed out that internal auditors (at least in Europe, which is where the data is from) are spending their time addressing what were perceived as the top risks.

While he references a report from a consortium of European internal audit associations (ECIIA) that sought to understand what practitioners believed were the top five risks to address in 2021, he said:

As the COVID-19 marathon continues to reshape the risk landscape, internal auditors must be keen to the changing needs of the organization and pivot to address those quickly and effectively.

It’s not just COVID that could be “reshaping the risk landscape”. Organizations and practitioners should be thinking about an uncertain global and national economy, the potential for unrest and civil disruption, and more.

Organizations and practitioners need to have:

  • the ability to sense and anticipate what might happen and how it could affect the organization (this is the essence of risk management); and
  • the agility to respond promptly and effectively.

Risk management needs to be continuous (at the speed of risk and the business) and internal audit planning similarly agile.

To some extent, this makes any survey that purports to identify risks further into the future than a quarter, let alone for all of 2021, prima facie ridiculous – especially as the survey was completed at least 4 months ago, six months before the start of 2021.

But the report has some interesting points to make.

Perhaps the most stunning is that neither in this nor in the 2020 report was risk management identified as one of the top five risks.

If you can’t anticipate and address the risks and opportunities ahead, how do you expect to succeed?

Similarly, there doesn’t seem to be any attention paid to the organization’s ability to react when conditions change. While we are talking about internal audit agility, why are we not also talking about the ability of our leaders to change strategies, objectives, and tactics as needed? Do they continue to be rewarded for achieving goals set and agreed with the board during a different time?

Information security remains at the top of the priority list, but I wish that auditors would place a higher level of priority on determining whether the organization has actually assessed the risk to the organization (i.e., not just to information assets). Are they putting too few resources towards cyber, or too many?

The question posed by the report is totally inadequate:

Has the business performed a risk assessment to identify possible network weaknesses and data assets whose susceptibility to attacks and theft has increased in the last 12 months?

The questions should be:

Has the business performed a risk assessment to understand how a breach might affect the business and the likelihood of an unacceptable effect?

Are prevention, detection, and response measures appropriate to the level of risk?

Is the investment in prevention, detection, and response appropriate to the level of risk?

I am encouraged that liquidity was identified as one of the top three risks for non-financial companies. I would go one step further and include capital and credit risk and I like how a CAE in Belgium referred to ‘financial resilience’.

I said earlier that “Organizations and practitioners should be thinking about an uncertain global and national economy, the potential for unrest and civil disruption, and more.”

The ECIIA report talks about “macroeconomic and geopolitical uncertainty” and I am pleased to see 33% of CAEs rated it as a top five risk – while disappointed that 67% did not. I encourage you to read the section from page 35 to 41, including supply chain disruption.

Overall, the ECIIA report is an interesting read for internal auditors.

But our attention should be on continuous audit planning.

I suggest meeting with the CEO and other executives at least monthly and keeping eyes, ears, and noses open and alert.

What are the risks and opportunities that leaders are (or should be) focused on today and expect to be focused on tomorrow?

How can we help with assurance, advice, and insight?

I welcome your thoughts.

Auditing in a turbulent and dynamic environment

October 5, 2020 4 comments

There’s little doubt that this year has brought many challenges to organizations and their internal audit teams in every corner of the world.

It has been both a challenge and an opportunity: an opportunity to sit back and consider whether there is a better way for internal audit to work.

For example:

  • How often should we update our understanding of the risks and opportunities facing the organization?
  • How often should we update the audit plan?
  • How do we make sure we know about new or changed risks so we are in a position to update the plan?
  • If we update the plan at the speed of risk, how do we communicate that to management and the audit committee? Do we continue to measure ourselves based on completion of the annual audit plan?
  • Do we have the right people and resources to address all the issues that matter to the success of the organization?
  • Are we auditing issues that are not worth our time? Do our audits include in their scope issues that, should we find deficiencies, would not be significant to top management and the board?
  • How do we change from full-scope audits to those that only focus on things that matter?
  • Are we lean in our approach? Do we include activities, such as careful and extensive documentation, that we could and should cut back?
  • Can we audit faster, using fewer resources?
  • Do we have the people capable of doing sufficient work to reach an opinion at speed?
  • Do we know how to stop when we have done enough and accelerate when we have not?
  • Are we timely in sharing our assessments and insights?
  • Are we agile?

Every CAE and audit management team should be asking these and similar questions – and being prepared to change.

Nobody likes change, especially if you might be giving up something that has served you well in the past.

But now may be the time to embrace it.

Richard Chambers has a short video that I recommend on having an agile mindset.

But while an agile mind is very important, the body has to be able to respond with agility.

If you take a month or more to complete an audit, are you agile?

If it takes you a couple of weeks before you issue the audit report, are you agile?

If your process requires two weeks of planning and such before you even start, are you agile?

If you are leaving many important risks untouched every year, are you sufficiently agile? I am not referring to the size of your budget but your ability to make the best and most efficient use of limited resources.

To quote Richard, are you smart and fast enough in your auditing?

For more on this, read (or re-read):

I welcome your thoughts.

Are you hungry for a better approach to risk appetite?

October 1, 2020 23 comments

Recently, Chris Burt of Halex Consulting sent me a copy of a paper he had written, Feeling hungry? A simpler, more intelligent approach to risk appetite.

There’s a great deal to like in his approach:

  • Your organisation is clear on its purpose and values, has a clearly-defined corporate strategy and has even set SMART strategic objectives for the executive. But how much risk should the organisation take in trying to achieve its objectives and deliver its strategy?
  • Unfortunately, the generally accepted approach is to develop a board-level risk appetite statement. Such statements tend to be theoretical, static documents that jump through the hoops of addressing how much – or how little – of key types of risk the organisation is willing to accept or avoid.
  • What about Board decision-making? Ideally, it should be informed by risk appetite. But how many boards consult their own risk appetite statement when considering major decisions, including changes to strategy? The answer is, unsurprisingly, very few. And the reason: board-level risk appetite statements tend to be difficult to understand and impractical to use in real-world decision-making situations.
  • The key weakness of the current approach to risk appetite (including risk appetite frameworks derived from the Board’s risk appetite statement) is that it places undue emphasis on risks, rather than focusing on outcomes in decision-making.
  • What this approach fails to recognise is that successfully achieving an objective relies not just on preventing bad things from happening (mitigating risks), but also on making good things happen. That is, taking active steps to deliver the objective. Current approaches to risk management tend to gloss over the importance of this activity, paying lip-service to exploiting ‘opportunities’ while focusing on lists of risks.
  • The Board should clearly prioritise and set targets for certainty of achievement for each primary objective across a range of categories – such as strategic, operational, financial, compliance, CSR/ESG and viability. Those objectives most critical to the organisation – and thus requiring a very high certainty of achievement – should receive more Board attention and management resources than less important objectives.
  • Current risk management thinking requiring definition of a risk appetite is flawed and unhelpful. A better approach is to focus on the certainty of achievement of objectives.

All of the above is, IMHO, 100% correct. It is very much in line with a new book I am finalizing that will be published (hopefully) before the end of the year. The working title is Risk Management for Success and talks about how organizations can change from using risk management to understand potential harms to using it to increase the likelihood of achieving objectives, i.e., success.

Unfortunately, I think Chris has not taken the argument to the next logical step. He stumbles instead.

He suggests that:

The organisation’s aim should be to increase the certainty of achieving its objectives through minimising residual risks to the point of residual risk/cost of control equilibrium and taking active steps to deliver the objective – i.e. ‘making good things happen’

While the cost of control is certainly something to consider, there are times (many, many times) when more risk should be taken because of the potential for increased reward. For example, organizations will introduce a new product to the market to drive new revenue even though they know that it is not 100% perfect. Waiting until it is perfect (which may never be achieved with certainty) may mean losing the opportunity. It is worth taking the risk.

Yes, organizations should seek to have an acceptable likelihood of achieving their objectives. That requires making informed and intelligent decisions and taking the right risks.

A better approach to risk appetite? Do what you need to comply with regulations and then run the organization for success.

I welcome your thoughts.

When a technologist is a business leader

September 28, 2020 1 comment

I have had the privilege of working with and for a number of superb technologists, many of whom were Chief Information Officers (CIO) or equivalent.

I am going to pick just one: Ron Reed.

I first met Ron when I was a vice president, internal audit, for a large financial services company. He was the senior vice president for IT (i.e., CIO) for the insurance subsidiary.

Although it was polite and professional, our first contact (a data center audit of that organization) had friction. He didn't believe the facts behind our finding, but we worked together to understand and then appreciate the reality, and he then moved quickly to implement appropriate corrective actions.

A year or so later, he moved to the primary business unit as senior vice president responsible for all IT functions apart from application development and maintenance, where I got to work with him closely. (I ended up working for him.)

Now Ron’s background is deep in technology. He probably knew more about the operating system and related products than our systems programmers. But he was able to rise to leadership within the company because he also made sure he had a deep understanding of the business.

Ron spent time with the business leaders, getting to know them, the operation, and how it was run.

By understanding the business and knowing what it needed to be successful, he ensured the leaders of the business had the right IT services and functionalities.

He didn’t try to sell them what they didn’t need.

A friend of mine told me that I should buy a Tesla. (He owns one and loves it.) He gave me several reasons, including:

  • It’s fast – he can beat any car from a standing start at a traffic light
  • It’s fast – he can safely pass other cars
  • It’s economical because you don’t have the expense of gasoline
  • It’s green
  • It’s fun
  • You can afford it, Norman

I continue to drive my Acura TSX.

I don’t need a Tesla and cannot justify buying one when I don’t drive a lot now that I am (mostly) retired.

Having set the table, let’s place a dish on it.

The Harvard Business Review is an excellent source of challenging and insightful thought leadership. In November, they published Companies need to rethink what Cybersecurity leadership is.

The author (a senior manager with Boston Consulting Group) is clearly a smart guy. As far as I can tell, he has lived within the technology field and has not led an IT or business operation (other than consulting).

The article gets a number of things right, such as:

  • Yet for all the investments they’ve made to secure their systems and protect customers, companies are still struggling to make cybersecurity a vibrant, proactive part of strategy, operations, and culture.
  • Cyber leaders have the monstrous and all-important goal of securing a business, but when companies make big, strategic decisions — about business models, digital strategy, product mix, M&A — cybersecurity is an afterthought.
  • Business leaders must thoroughly analyze their “why” for cybersecurity and be very clear regarding their choice.
  • …your best cyber leader might be a proven non-cyber executive who knows the business, has key relationships throughout the company, and has a general appreciation for technology.

But, I have a serious problem with his solution.

  • Today’s cyber leaders must be able to embed security throughout the company’s operations, rapidly respond to threats, and influence fellow senior leaders. In short, they must be able to lead.
  • Giving the cyber leader and program proper authority is … vital; they must have political sway and a top-level mandate to orchestrate change across the business.
  • …business leaders need to incentivize the right stakeholders to work closely with the function.

The solution reminds me of the Tesla salesperson.

A better approach is for the CISO (or the CIO, to whom I believe the technologist CISO should report) to have a deep understanding of the business and help them with the information security they need. Give them what is justified on business terms, not what is fast, green, and sexy.

Help them understand, from their business point of view, how much security they need, why, and what it is worth spending on it.

Forcing people to buy stuff they don’t need, or costs more than it is worth, will not get you accepted by them as a business partner.

Boards and executives have some tough choices to make, including how much money and resource to allocate to cyber.

Is $100 million too much? How about $75 million, $50 million, $20 million, or even just $5 million?

Does it make sense to invest $50 million when there is only a 5% (hypothetically) chance of a breach that causes losses of that amount or more?

It’s a business decision that business leaders should make, not the CISO. (Even better, it’s a decision made together – recognizing that the business leader has the casting vote.)

If the CISO, perhaps in partnership with the CIO, can work with the business leaders to give them the security they need (an Acura instead of a Tesla), they will be given a place at the executive table.

People only get invited to participate in strategy and other discussions when they make a positive contribution to the decision-making process. That requires understanding what they really need, not trying to sell them what they don’t believe they need and are unwilling to invest in.

Companies are not giving the CISOs the support and resources they want because the leaders are not convinced it’s a good way to spend their limited resources.

Talk to them about the business, not about breaches and vulnerabilities.

Sometimes, leading requires understanding and listening more than anything else – but that is not what the author suggests.

For him, leading starts with authority and incentives for others to listen.

I welcome your thoughts.

Risk in two rooms

September 24, 2020 10 comments

The twins, J and K, want a hot tub. They decide to approach their parents, A and Z, but separately rather than together.

J finds A washing the car in the driveway. A is interested in the idea and they share dreams of soaking in the hot tub after a long day at work and school (after homework, of course). They think about the possibilities of inviting friends and family over for a party with the hot tub at the center. Ahhh!!!

Meanwhile, K is chatting with Z in the garden. Z immediately thinks about the cost. They will have to cancel the planned purchase of new laptops for the twins. Then the hot tub will have to be cleaned, and that will fall to J and K. As they talk about how disruptive it would be to have new water and power lines installed for the hot tub, they hear a car – their car – driving away.

A and J are on their way to the store, excited at the opportunity to buy a hot tub with installation included. After all, there’s a sale on that ends today!

Did anybody make an informed and intelligent decision?


Each pair only considered one side, either the risks or the opportunity. Nobody considered both or found a way to see whether one side weighed heavier than the other.

This is what happens with traditional risk management. It provides a list of risks. It doesn’t help you figure out which risks to take.

This is what happens with the traditional board. The risk or audit committee talk about risks while another group talk about strategy and performance.

I am working on a new book that will talk about moving from managing risks to managing for success.

Is this something you do? Is it something you want to do?

I welcome your thoughts.

The latest information on cyber

September 20, 2020 1 comment

The Australian Cyber Security Center (ACSC) has published its annual Cyber Threat Report. The ACSC is an operational arm of the Australian government. It is responsible for “strengthening the nation’s cyber resilience, and for identifying, mitigating and responding to cyber threats against Australian interests. The ACSC also manages ReportCyber on behalf of federal, state and territory law enforcement agencies, providing a single online portal for individuals and businesses to report cybercrime.”

Over the year ended June 30th 2020, they “responded to 2,266 cyber security incidents and received 59,806 cybercrime reports at an average of 164 cybercrime reports per day, or one report every 10 minutes.”

Of the cyber security incidents, 803 (35.4%) were reported by government agencies. Healthcare was the sector with the next highest level of incidents at 164.

To put those statistics into context, according to the Australian government, as of June 30, 2019 there were “2,375,753 actively trading businesses in the Australian economy”. Of those, 141,628 were in healthcare.

So, leaving aside the incidents reported by government agencies, there were roughly 0.6 security incidents reported per thousand businesses, and 1.2 per thousand in healthcare.

Cybercrime is a very broad category, including not only fraud but also online bullying and the sharing of intimate images or videos. It is not clear from the report how many of these targeted individuals rather than businesses or government agencies.

It is also unclear what the impact has been of cyber breaches, ransomware attacks, etc.

The ACSC report references a Microsoft-commissioned study from 2018. That study said:

…more than half of the organisations surveyed in Australia have experienced a cybersecurity incident (55%) in the last five months while 1 in 5 companies (20%) are not sure if they have had one or not as they have not performed proper forensics or a data breach assessment.

…a large-sized organisation (over 500 employees) in Australia can incur an economic loss of AU$35.9 million if a breach occurs. The economic loss is calculated from direct costs, indirect costs (including customer churn and reputation damage) as well as induced costs (the impact of cyber breach to the broader ecosystem and economy, such as the decrease in consumer and enterprise spending).

Fear and doubt surrounding cybersecurity incidents are undermining Australian organisations’ willingness to capture opportunities associated with today’s digital economy, with 66% of respondents stating that their enterprise has put off digital transformation efforts due to the fear of cyber-risks.

Microsoft says “the potential direct economic loss of cybersecurity incidents on Australian businesses can hit a staggering AU$29 billion per year, the equivalent of almost 2% (1.9%) of Australia’s GDP. Direct costs refer to tangible losses in revenue, decreased profitability and fines, lawsuits and remediation.”

But that is simply the potential, a projection of some sort. Is that a credible number or a scare number? What is the likelihood of losses that high? You can decide for yourself, but I just don't see 2% of a nation's GDP being lost to cyber.

Microsoft bemoans “fear and doubt” but they are stoking it!

We need, as I have said many times, to assess for ourselves how a breach could affect our businesses and the achievement of our objectives.

There will be a range of potential effects, from trivial to major. Each point in that range has its own likelihood.

Don’t assess cyber or any other source of business risk using a single point in that range. Consider that entire range and whether it is acceptable.

If it is not acceptable, then consider what defense, detection, response, and preparedness you need to bring it down to where you are willing to take the risk. Consider whether the cost is justified based on the risk reduction – given that there are other uses for those resources.

Everybody should gauge the level of resource that should be applied to cyber based on their organization’s specific circumstances.

Don’t spend more than the risk merits – but spend enough.

What do you think?

When risk management began

September 15, 2020 4 comments

Recently, I read an article that said risk management had been traced back to around 2,000 BC when there had been some commodity trading in India.

I think it dates back to at least the dawn of the human era, and was probably practiced in some fashion before. (I am not getting into the question of whether God thought about what might happen when he created the heavens and the earth.)

Consider the first people to discover fire. They soon realized not only the opportunities it presented for heat and safety but also for cooking. They also learned what happens if you are not careful and get burned by it. They acted accordingly.


The fire discoverers had objectives: safety, food, heat, etc. They considered the current situation and what might happen, then decided whether or not to take the risk.

That was risk management.

Arguably, it was more effective than some practices today as the potential for harm was weighed against the potential for gain, and a calculated decision made.

They were not listing all the things that can go wrong with fire, holding a meeting to discuss them, and comparing each harm to a risk appetite.

Instead, they decided that if they were careful the benefits outweighed the risks.

How can we move risk management practices forward, away from enterprise list management to enterprise success management?

I welcome your thoughts.

The State of SOX Compliance

September 11, 2020 5 comments

For 5 years, the software company Workiva has partnered with a LinkedIn group, SOX and Internal Controls Professionals Group to survey companies about their SOX compliance program.

Their 2020 State of the SOX/Internal Controls Market Report has some interesting content. 428 professionals responded, making it quite credible.

One of the early observations in the report is about the number of key controls and how many are labeled as ‘entity-level’.

Unfortunately, while they say “there is a correlation between the number of controls and the size of the company’s revenue”, their graphic makes it hard to see the average number of key controls for different size organizations.

One of the points I make in my SOX Masters training[1] is that as revenue grows, so should materiality. As a result, the number of ways in which an error could occur that would cause a material misstatement of the consolidated financials shrinks. The correlation between the number of key controls and revenue should not be anything like a straight line.

While 48% of the respondents have 250 or fewer key controls, 15% have more than 1,000.

No wonder that one of the observations in the survey is that people are looking to drive efficiencies into the program.

In my book and class, I talk about the fact that there are multiple levels in any organization. Each may have controls that can be relied upon, whether at corporate, business unit, country, or location. So the term ‘entity’ level can take you in the wrong direction.

There is a section on deficiencies, but it does not help us understand the cause of material weaknesses or significant deficiencies.

59% had no significant deficiencies and 83% no material weaknesses. That indicates, IMHO, too many had issues that had to be reported to the board or, worse, led to an assessment of ICFR as ineffective.

As you might expect, there is a section on the use of technology.

It is interesting that 12% say they have implemented continuous control monitoring for SOX and 56% are considering it.

I hope they realize that there’s a huge difference between monitoring data and activities and monitoring controls. If their software does not provide assurance that the controls are performing consistently as intended and are adequately designed, they have a problem. Just because the data is without error doesn’t mean that any controls were performed.
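The distinction between monitoring data and monitoring a control can be made concrete. The following is an added example, not code from the post or from Workiva: a constructed batch of journal entries is checked two ways against a hypothetical SOX key control (entries over a threshold must be approved, before posting, by someone other than the preparer). The data-level check passes cleanly while the control-level check finds that the control was not performed for three of the entries.

```python
"""Monitoring a control vs monitoring the data it is supposed to protect.

Added example, not code from the post or from Workiva. The journal
entries below are constructed, and the control they are checked against
(entries over a threshold need timely approval by someone other than the
preparer) is a hypothetical SOX key control used for illustration.
"""
from datetime import datetime

APPROVAL_THRESHOLD = 10_000.00

# Constructed sample of posted journal entries (one posting batch).
SAMPLE_ENTRIES = [
    {"id": "JE-1001", "amount": 4_500.00, "prepared_by": "asmith",
     "approved_by": None, "approved_at": None, "posted_at": "2020-09-01T10:02:00"},
    {"id": "JE-1002", "amount": 25_000.00, "prepared_by": "asmith",
     "approved_by": "bjones", "approved_at": "2020-09-01T11:30:00", "posted_at": "2020-09-01T12:00:00"},
    {"id": "JE-1003", "amount": 80_000.00, "prepared_by": "cdoe",
     "approved_by": "cdoe", "approved_at": "2020-09-01T14:05:00", "posted_at": "2020-09-01T14:06:00"},
    {"id": "JE-1004", "amount": 15_000.00, "prepared_by": "asmith",
     "approved_by": "bjones", "approved_at": "2020-09-02T09:00:00", "posted_at": "2020-09-01T17:45:00"},
    {"id": "JE-1005", "amount": 60_000.00, "prepared_by": "cdoe",
     "approved_by": None, "approved_at": None, "posted_at": "2020-09-02T08:15:00"},
]
# Control total for the batch as carried in the (constructed) sub-ledger.
SUBLEDGER_BATCH_TOTAL = 184_500.00


def data_monitor(entries, batch_total):
    """'Continuous monitoring' of the data only: amounts positive, posting
    dates valid, batch total agrees to the sub-ledger. Passing this says
    nothing about whether anyone actually approved the entries."""
    issues = []
    for e in entries:
        if e["amount"] <= 0:
            issues.append((e["id"], "non-positive amount"))
        try:
            datetime.fromisoformat(e["posted_at"])
        except (TypeError, ValueError):
            issues.append((e["id"], "invalid posting date"))
    if abs(sum(e["amount"] for e in entries) - batch_total) > 0.005:
        issues.append(("BATCH", "total does not agree to sub-ledger"))
    return issues


def control_monitor(entries, threshold=APPROVAL_THRESHOLD):
    """Monitoring of the control itself: for every entry over the threshold,
    is there evidence the approval control was performed as designed
    (an approver, independent of the preparer, before posting)?"""
    issues = []
    for e in entries:
        if e["amount"] <= threshold:
            continue  # the control is not required below the threshold
        if not e["approved_by"]:
            issues.append((e["id"], "no approval recorded"))
            continue
        if e["approved_by"] == e["prepared_by"]:
            issues.append((e["id"], "approver is the preparer"))
        if datetime.fromisoformat(e["approved_at"]) > datetime.fromisoformat(e["posted_at"]):
            issues.append((e["id"], "approved after posting"))
    return issues


if __name__ == "__main__":
    print("data exceptions:   ", data_monitor(SAMPLE_ENTRIES, SUBLEDGER_BATCH_TOTAL))
    print("control exceptions:", control_monitor(SAMPLE_ENTRIES))
```

Run as written, the data monitor reports nothing (the batch foots and every field is well formed) while the control monitor reports a self-approval, an approval recorded after posting, and a missing approval. Software that only does the first check would give SOX assurance for a control that was never performed.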

The role of internal audit is confusing to me. They say 45% are in charge of managing the SOX compliance program but only 33% are in charge of project management.

Setting that inconsistency aside, 77% have internal audit performing the testing.

One highly troubling result is that 31% of internal audit teams are spending more than half their time on SOX. That may be OK if they are still able to perform audits on the more significant sources of risk to enterprise objectives. 44% of companies have very small audit teams (fewer than 5) and 74% have fewer than 10 auditors. So it is not possible to draw any conclusions from the survey's figures on the number of 'operational audits' (presumably all the non-SOX audits, but that is a misuse of the term 'operational audits'). If they have 5 auditors performing 10 audits, that may be appropriate.

As I said, I am encouraged that the respondents recognize the need for improved efficiency. 60% say they are focused on control optimization and 53% on control rationalization.

Overall, this has a few good points but the survey and its analysis have significant deficiencies.

I welcome your comments – and ask that you consider my upcoming virtual SOX class. I recommend (of course) the IIA’s book on SOX.

[1] The next course will be a virtual one in October. Please see the link for information.

What do you think of heat maps?

September 8, 2020 12 comments

Heat maps are one of the most popular ways of comparing individual sources of risk.

A heat map is suggested as a way of reporting in the COSO ERM Framework.

But I dislike them, as do many practitioners. My reasons include:

  • There is a range of possible effects from a possible event or situation, not a single point, and each point in the range has its own likelihood.
  • It doesn’t help you to determine whether to take a risk, because it is without any context of potential reward.
  • Decisions should be based on the big picture. An objective may be affected by multiple sources of risk and opportunity (things that can happen with positive and/or negative effects). Making decisions one source of risk at a time is clearly sub-optimal.
  • It focuses on risks while I want to focus on achieving objectives, what I call success management.
  • There are better methods, which I have described in this blog and in my books.
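The first bullet above, and the September 20 post on the ACSC report (a range of effects, each with its own likelihood; spend on defense only where the risk reduction justifies the cost), both describe the same technique. The following is an added example, not code from the blog or its books: a source of cyber risk is described as a frequency and a range of loss per event, simulated over many years, and read off as a loss exceedance curve (the chance of a year costing a given amount or more) and an expected annual loss, which can then be compared with the cost of a control. The single (likelihood, impact) pair a heat map would show is computed alongside for contrast. All scenario numbers, and the control's cost and effect, are constructed illustrations, not figures from the ACSC or Microsoft reports.

```python
"""Assessing a source of cyber risk as a range of outcomes, not a single point.

Added example (not code from the original posts). The scenario numbers,
control cost and control effect below are constructed illustrations,
not figures from the ACSC or Microsoft reports quoted on the page.
"""
import math
import random
from dataclasses import dataclass

Z_95 = 1.6449  # standard-normal z-score at the 95th percentile


@dataclass(frozen=True)
class Scenario:
    """One source of risk expressed as a range: how often loss events
    occur, and the 5th to 95th percentile of loss per event."""
    name: str
    events_per_year: float
    loss_p5: float
    loss_p95: float


def lognormal_params(p5: float, p95: float):
    """Fit a lognormal so its 5th/95th percentiles match the stated range."""
    mu = (math.log(p5) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p5)) / (2 * Z_95)
    return mu, sigma


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Number of events in one year (Knuth's Poisson sampler)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def simulate_annual_losses(scenario: Scenario, years: int = 20000, seed: int = 1):
    """Monte Carlo: total loss in each simulated year, sorted ascending."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scenario.loss_p5, scenario.loss_p95)
    totals = []
    for _ in range(years):
        events = poisson_sample(rng, scenario.events_per_year)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return sorted(totals)


def exceedance_probability(annual_losses, threshold: float) -> float:
    """P(annual loss >= threshold): one point on the loss exceedance curve.
    This answers 'what is the chance of a year costing $50 million or more?',
    which a heat map cell cannot."""
    return sum(1 for x in annual_losses if x >= threshold) / len(annual_losses)


def expected_annual_loss(annual_losses) -> float:
    return sum(annual_losses) / len(annual_losses)


def heat_map_point(scenario: Scenario):
    """What a heat map collapses the range to: one likelihood (chance of at
    least one event) and one 'impact' (the median loss per event). The tail
    that should drive the decision is lost in this reduction."""
    likelihood = 1 - math.exp(-scenario.events_per_year)
    impact = math.sqrt(scenario.loss_p5 * scenario.loss_p95)  # lognormal median
    return likelihood, impact


def control_is_justified(baseline, controlled, annual_control_cost: float):
    """Compare a control's annual cost with the expected loss it removes.
    Returns (decision, expected_loss_reduction)."""
    reduction = expected_annual_loss(baseline) - expected_annual_loss(controlled)
    return reduction > annual_control_cost, reduction


# Constructed scenarios: a ransomware event before and after a hypothetical
# backup-and-segmentation programme that cuts both frequency and worst case.
BASELINE = Scenario("ransomware, current state", 0.3, 200_000, 20_000_000)
CONTROLLED = Scenario("ransomware, with programme", 0.1, 200_000, 5_000_000)

if __name__ == "__main__":
    base = simulate_annual_losses(BASELINE)
    ctrl = simulate_annual_losses(CONTROLLED)
    print("heat map would show (likelihood, impact):", heat_map_point(BASELINE))
    for threshold in (1_000_000, 10_000_000, 50_000_000):
        print(f"P(annual loss >= {threshold:>12,}) = {exceedance_probability(base, threshold):.3f}")
    for cost in (500_000, 2_000_000):
        ok, saved = control_is_justified(base, ctrl, cost)
        print(f"control at {cost:,}/yr cuts expected loss by {saved:,.0f}: "
              f"{'justified' if ok else 'not justified'}")
```

The heat map reduces the baseline to roughly a 26% likelihood and a $2 million impact, which looks like one cell on a five-by-five grid; the simulation shows instead that most years cost nothing, a few cost tens of millions, and the control is worth buying at one price and not at another. That second view is the one a board needs for the "$50 million or $5 million?" question.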

Grant Purdy shared an article with me (he dared me to write about it) that takes a more satirical view.

An exciting new lexicon for the professional risk manager has a different way of describing heat maps.

What do you think?

Let’s talk about assumptions and risk

September 4, 2020 13 comments

When we make a decision, we normally make a number of assumptions about what we expect to happen.

My view of risk management, or should I say risk management that adds value and helps an organization succeed rather than just avoid failure, is all about what might happen.

Anticipating what might happen, evaluating and assessing it, then taking appropriate actions through informed and intelligent decisions, leads organizations to success.

It helps them take the right risks, considering both upsides and downsides, to achieve enterprise objectives.

An assumption is made when you state that you think this or that will or will not happen. If you are smart, you define what event or situation that is, how it could affect your objective, and your assessment of its likelihood.

In other words, you are assessing a risk (if adverse) or opportunity (if favorable).

A forecast is also an assumption, or at least based on a set of assumptions about what will happen.

What we should do with assumptions is monitor them.

But, as Estell and Grant say in Deciding, not all assumptions are equal.

There are some that are incidental and some that are critical.

Critical assumptions are those that, should they not bear out, mean that your objective will probably not be achieved.

Other things are often documented as assumptions, but the desired outcome is not dependent on them.

Monitor the critical assumptions and be prepared to respond at the first indication that they will not hold up. If you want, you can refer to this as the monitoring of key risk indicators (KRIs). But KRIs normally refer to things that might happen to hurt you, and you should also be monitoring for things that might help you.

If the assumption is that a new product will be ready for market on June 1st, you need to be prepared to take action not only if readiness is delayed but also if it is early!

Understanding assumptions that have been identified as critical to achieving an objective is essential to effectively managing for success.

Do you agree?

Is this what your organization does?