Archive for the ‘Risk’ Category

Time to wake up to risk reality

April 2, 2020 38 comments

This is a post about news we should have known for a long time.

It’s time to recognize the truth about risk management.

For 11 years, the ERM Initiative at North Carolina University has surveyed executives (this year they were again all financial executives) about what they call “the current state of risk oversight processes in organizations of all types and sizes to obtain an understanding of the relative maturity of underlying activities executives and boards use to monitor the rapidly changing risk landscape”.

On April 1st, they published the 2020 The State of Risk Oversight:  An Overview of Enterprise Risk Management Practices – 11th Edition.

It is jarring to see how the authors continue to ask the wrong questions.

Consider how the Journal of Accountancy wrote about the study. This is their lead observation about the results of the study:

While concerns about risk, even before the virus outbreak, have not subsided, fewer finance executives were finding strategic value in their risk management processes. In 2016, 20% of respondents said they believed that risk management mostly or extensively provides strategic value. In the most recent survey, the number was 17% — a small drop, but still the third consecutive year of one-percentage-point declines.


These are finance executives and you would expect more of them to see the value, if it existed, than other in the executive suite. In many cases, they are responsible for the risk management function! Other surveys have reported much lower numbers, such as that by Deloitte. In fact, the numbers are declining even as people get, arguably, more sophisticated.

Yet, the authors of the study persist in talking about the maturity of a program that, where it exists, is not seen as adding strategic value! They have this damning point sixth on their list of key findings.

Ask yourself why so many companies are not investing the resources and attention to bring their risk management program up to what the authors reference as mature.

I believe that executive teams are failing to invest in fully mature ERM programs and directors are not discussing the results of such a program because it is separate from how they run the organization for success. That is clear when risk discussions are distinct, even with different people, from strategy and performance discussions.

Practitioners and board members, ask each of your executives whether risk management at your organization is providing significant strategic value, whether it makes a marked and important contribution to the development and execution of strategies and achievement of success.

If they say no (or fail to enthusiastically say yes), ask why not. Listen and then make sure they get what they need.

If they say yes, make sure you are asking them about whether risk management contributes to their decision-making and success, not about whether it has ‘value’. It should have value, even if it’s limited to satisfying the regulators and avoiding (some) harms. If they continue to say yes, then celebrate and tell us all what you did different.

Yes, there are areas where traditional risk management is the right thing to do. For example, it is essential in project management, safety management, and the management of a financial portfolio. But putting together a list of top risks for the organization as a whole and the idea that you need to manager risks should be something done to satisfy the regulators, not how you run the business.

As for academics and consultants, PLEASE STOP preaching what doesn’t work, traditional risk assessments and reporting. START understanding what leaders of the organization need and how it can be provided efficiently and effectively. How can so-called risk practitioners help the organization increase the likelihood of success?

Where do you stand?

Are we getting the COVID-19 information we need?

March 26, 2020 15 comments

Like most people (I assume) I am following my local (county), state, and national public health agencies’ web sites for information on the spread of the COVID-19 virus. I also watch the PBS NewsHour TV program and read the news from the BBC and major newspapers.

I am retired, so I don’t have to worry about any corporate effects; I only have to worry about what my wife and I need to do if we are to stay safe. While I also worry about the health and safety of my family in Nashville and London, as well as my friends around the world, there is nothing much I can do for them. (They reassure me they are practicing appropriate social distancing when we chat.)

My question today is whether my wife and I are getting the information we need. Are we able to make the informed and intelligent decisions necessary for our health and welfare?

Each of us may have different questions to answer and different decisions to make.  Today I am talking about my personal ones – and later will make a more generalized point.

What are the questions I have to answer? Here are the first that come to mind:

  1. Do I need to stay in my house?
  2. When, for what purpose, and how often should I leave it?
  3. Do I need to do something different to stay healthy, like take extra vitamins?
  4. Do I need to buy something so that if I am infected I will be more likely to survive?
  5. If I need groceries, should I go to the store or order for delivery?
  6. If I get groceries or other supplies, how do I stay safe?
  7. If I order food for delivery, how do I stay safe?
  8. How long will this last?
  9. How will I know when it’s easing off around me?
  10. Should I cancel my trips in April and June?

If I look at the information provided by the county, state, and federal agencies, I get some information:

  • The county tells me the total of confirmed cases; the number hospitalized; how many have died; how many are infected because of close contact with known cases; and the number infected due to presumed community transmission. There’s also a breakdown of the age of confirmed cases by decade. They tell me that schools will remain closed until May 1st and the shelter-in-place order is through April 7. There’s an additional Frequently Asked Questions section.
  • But the county does not tell me how many have been tested; how many are waiting to be tested; the wait time to be tested; or the trend – the shape of the curve that people keep talking about.
  • The county also doesn’t tell me how many people have called their doctor to report symptoms and stayed home without being tested. They recently announced that the federal government has asked them to gather and report those numbers.
  • The state tells me similar information: the number of positive cases and deaths; how many were community-acquired; the number of health care workers infected; the age breakdown, but only in 5 groups rather than by decade; and the gender of those tested positive.
  • One of the frustrating aspects of the situation is that some reports say the risk is greater for those over 70, some say (as does the state) over 65, while others say 60.
  • As with the county, the state provides general guidance on how to wash your hands and the symptoms of the disease.
  • But neither shares the information that would help me to see the trend, the shape of the curve. Nor do they tell me how to be safe when it comes to grocery-shopping or food deliveries, or how else to prepare.
  • The federal government has some high-level data to share: total cases; total deaths; the sources of exposure (97.5% are ‘under investigation’ so that data is useless); and the trends in total cases, although they indicate that recent data is incomplete. That data doesn’t make it clear whether the rate of increase is slackening or not. Nor do they break the data down by region or state.

Does this give me all the information I need to make informed and intelligent decisions?

Not really.

There are many sources of additional information in the media and on the web. The question is whether that information is (a) relevant to my decision, and (b) reliable. US government and state officials hold frequent press conferences, but not everybody believes what they have to say – especially when they contradict themselves and each other.

A number of health professionals have addressed some of my questions in the media and on YouTube. But I check their credentials before considering them credible. For example, one of my friends shared advice from an MD and when I checked into him I found that he was a specialist in treating allergies.

I will share this important video on safe shopping because it’s important and credible.

So, I don’t believe I am getting all the information I need. I have to make decisions based on what I do know and what seems prudent.

Now to the more general point.

What is happening is that these agencies are sharing what they want to tell me. In some cases, they are complying with federal or state requirements.

They are not thinking about what each of us needs to know so we can make our own informed and intelligent decisions.

I call this ‘push’ reporting. What we need is ‘pull’ reporting, where the individual who has the data understands what the consumer of the information needs to know. He or she understands the decisions that have to be made and the information necessary to enable them.

As practitioners, we need to do the same.

What do the decision-makers need from us?

What does the executive team need from us?

What does the board need from us?

Don’t follow standard practice and give them a report that doesn’t help them make their important decisions.

If you don’t know what they need, even if you believe they don’t know themselves, find out!

Then execute and tell them the shape of the curve, and so on.

I welcome your thoughts.

How will risk management change as we emerge from this crisis?

March 21, 2020 17 comments

People, especially consultants, are not only telling us how to address the pandemic but also what we should look for when it’s all over.

In his latest post, my good friend Michael Rasmussen makes some good points. He is always worth listening to and today is no exception.

Keep Calm & GRC On! reminds us, first, what GRC is all about. I like the OCEG definition that he quotes as it makes sense.

GRC is “a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].”

He spells out his vision, what he sees in his crystal ball, of what risk management (in particular, although he also touches on contingency planning and policy management) will look like once we are done with COVID-19.

But I have a different perspective.

It’s a tough line, but we need to face reality.

Even before the crisis, few on boards or in executive management believed their risk management programs were helping them run the organization for success. At best, it helped anticipate and avoid failure – which is hardly the same as achieving success. At worst, it was a cost center that helped comply with regulations.

These same leaders should now be asking whether the risk management program they had in place prepared them for the crisis – and whether it is helping them navigate through it now.

If risk practitioners (and internal auditors) are setting their prior practices, frameworks, and standards aside and doing what the organization needs right now, they will earn recognition and respect from the board and management.

But if they insist on doing what they always have done, sharing heat maps and performing audits of what used to be risks, they are going to be seen as getting in the way of the management team. They are not helping in a time of crisis, when people need to make rapid and critical decisions.

Now is the time to prove our worth. Find out how we can help and then do it.

Later, we should change from what I call (in Lean terminology) a ‘push’ approach to one that is more of a ‘pull’ approach. What I mean is that we should figure out what the organization needs from us if they are to be successful, and then deliver it (pull) – instead of doing what we think is right (based on industry or professional standards) and hoping that once we push it at them they will see some value.

I explain this and more in a video call I did on Wednesday with Alex Sidorenko. (I come onto the call a few minutes after it starts.)

I welcome your comments.

Time to read a good (practitioner) book

March 17, 2020 4 comments

Every so often, I get a question about how to advance a practitioner’s career or which of my books they should read.

Others have written good books (for example, Hans Læssøe has just this month published Decide to Succeed, and several other friends have books worth reading), but I am going to try to answer the question about my books. (All of my books are available on Amazon and you can find more details here.)

If you are a ‘risk’ practitioner:

My best-selling World-Class Risk Management should be essential reading for anybody who calls themselves a risk officer, internal auditor, IT auditor, information security professional, or ‘GRC’ practitioner. (There’s a special edition for those in Non-Profits.) The book is on the mandatory reading list for a number of risk management college classes.

I wrote Risk Management in Plain English: A Guide for Executives for both practitioners and the leaders of the organization, including board members. It explains how the ‘risk’ word interferes with productive discussion and practice. My intent was that practitioners who like what I have to say would give copies to executives and board members to frame a constructive discussion.

Making Business Sense of Technology Risk is, again, for all practitioners and not just for those who specialize in technology-related matters. After all, technology is at the heart of what we do and how we do it. The book explains how the frameworks developed by the techies don’t provide business leaders with the information they need to make informed and intelligent decisions for the enterprise, and suggests a better approach. It takes the thinking in World-Class Risk Management to another level.

If you are an internal auditor:

My seminal book, which I recommend to every internal auditor from junior to CAE, is Auditing that Matters. It covers a lot of ground and challenges traditional practice and thinking. Some CAEs have purchased copies for their entire team.

Building on Auditing that Matters is Is Your Internal Audit World-Class. The book contains a sophisticated and detailed maturity model for assessing the quality of your internal audit function.

If you want a more entertaining book, try World-Class Internal Audit: Tales from my Journey. It’s a collection of short stories from my career that led me to the thinking and practices reflected in my books. It has received rave reviews both for its humor and for its insights into what world-class internal auditing is all about.

If you are involved in SOX:

Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization – 4th Edition, published by the IIA, is considered the best book on how to run a SOX program.

If you want to know about GRC:

I recommend How Good is your GRC? Twelve Questions to Guide Executives, Boards, and Practitioners.

If you go here, you will find more details and also links to Amazon.

I would appreciate your sharing:

  1. Your experiences with my books
  2. Other books you recommend and why

What are you doing different because of COVID-19?

March 13, 2020 21 comments

Please share how you are responding to COVID-19, whether in your personal or professional life.

I am especially interested in people sharing their ideas and practices so others can benefit.

Toss out traditional risk management thinking

March 7, 2020 16 comments

I live in San Jose, which is in Santa Clara County where a number of coronavirus cases have been identified.

My wife’s church has canceled tomorrow’s services as a precaution.

A local bridge center (I am an avid player) has closed down until further notice. One of my bridge partners placed himself in self-quarantine after his wife returned from a cruise where individuals tested positive for the virus. Another bridge player remains in Colorado, hospitalized and recovering after his cruise.

What has this got to do with my perennial rant that traditional risk management, considering only the potential for harm, doesn’t help organizations succeed?

Consider the decisions that people and businesses now have to make. For example:

  • Should an airline cancel all its flights, not only to places like China but also to Seattle? After all, these are ‘hotspots’ and if you are only managing the possibility of infecting your employees or being involved in the spread of the virus you can best minimize that risk by not flying where passengers might bring it on board.
  • Should a hotel in Seattle close down for the duration, for similar reasons?
  • Should an organization in New York, which today declared a state of emergency because 75 people there have tested positive, tell all of its employees to work at home?
  • If you have an outstanding purchase order for critical materials with a vendor in China or Korea, which is delayed due to temporary measures imposed by the government there, should you cancel it and buy instead from a US vendor at a far greater cost?
  • As the head of sales, should you cancel a visit to a major customer that would involve a long flight, touring their plant, and meeting many people?
  • As an individual, should you go to church or to a flower arrangement class? Should you even go to work or the grocery store?

These are real life decisions, decisions that have to be made by weighing all the things that might happen, not just the potential for harm.

  • Can you afford not to go to work?
  • Can you afford to move to a US vendor instead of one in Asia, not only at a greater cost but also taking on an unproven partner?
  • If you close down part of your business, what does that do to your cash flow? Will you lose customers or even employees?

It’s time to recognize that managing a list of potential harms is not helping the organization make the informed and intelligent decisions necessary for success.

Informed and intelligent decisions depend on the right people having the information they need about where they are and what might happen, and the ability to weigh all the options and their effect on success.

Why do so many still plug traditional thinking about risk management? I asked a professor, formerly at Harvard and now in Lausanne this question. I should point out that she has been awarded a prestigious prize for her “research into risk management” and has been called a “pioneer in the field of risk management”. Yet, she writes books and lectures on traditional ERM: the management of a list of things that might go wrong.

Her answer, which is what I have heard from consultants and other so-called risk thought leaders, is that traditional risk management is what people are familiar with and they think they need. She writes about what people are doing, not what they need to do (her words).

Consider a February 28th post by my good friend, Jim DeLoach. Risk Realities and Enterprise Risk Management in 2020 focuses on a study by Protiviti and the ERM Initiative at North Carolina State University.

Jim is a smart man, but even his magic cannot save the idea that boards and management need to focus on a list of things that might harm the business.

The study identified these as the so-called ‘top risks’ in 2020:

  1. Impact of regulatory change and scrutiny on operational resilience, products and services
  2. Economic conditions impacting growth
  3. Succession challenges; ability to attract and retain top talent
  4. Ability to compete with “born digital” and other competitors
  5. Resistance to change operations
  6. Cyber threats
  7. Privacy/identity management and information security
  8. Organisation’s culture may not sufficiently encourage timely identification and escalation of risk issues
  9. Sustaining customer loyalty and retention
  10. Adoption of digital technologies may require new skills or significant efforts to upskill/reskill existing employees (new in 2020)

Does this list apply to your organization in 2020? Does it apply to any organization in the world, given the trade and economic shocks we are experiencing?

In his post, Jim has a number of questions board members should ask. Think about them. They include:

  • Is our risk management process well-defined, repeatable and understood by stakeholders?
  • Is there a process for identifying emerging risks? Does it allow sufficient time for management to consider response plans to these risks?
  • Does our management dashboard system include robust key risk indicators that enable our leadership team to monitor shifts in risk trends?

At the same time Jim was publishing his article, Alfred Rodas was asking me a question on LinkedIn:

I’m reaching out to you because I hoped you could offer me some suggestions about something. This year, we wanted to try and limit the number of questions we ask senior management from 5-8 questions to 3-4 key questions.  Thank you Norman, regards, Alfred

This was my reply:

OK, that’s a good idea. How about these?

  1. When you make important decisions, what is your process? How do you make sure you consider all the things that might happen, both good and bad?

  2. How do you measure your success? As you go through the year, how do you see whether you are on track? How do you assess the likelihood of being successful, considering all the things that might happen?

  3. How do you know whether everybody is taking the right risks, the ones you need taken if you are to be successful?

  4. Does everybody have your enterprise objectives in mind as they run the business and make decisions? Do they know what they are and how their actions and decisions might affect them?

I think these four questions should be asked by board members and top executives as well.

When it comes to coronavirus, the first question becomes:

  1. When you make decisions about coronavirus, what is your process? How do you make sure you consider all the things that might happen, both good and bad?

Then board members and the CEO can ask specific and more detailed questions to probe management’s decisions.

Isn’t it time to stop managing a list of potential harms and instead focus on how we can make more intelligent and informed decisions – including whether and how we respond to issues like the coronavirus?

I welcome your thoughts.

How can we help with Coronavirus?

February 28, 2020 6 comments

Carrying on as if nothing has changed makes no sense to me.

We should be asking “how can we help?”

The answer for risk practitioners should be clear: work with management to ensure that the organization is prepared and capable of responding promptly and appropriately to:

  • A breakdown in the supply of materials
  • An inability to deliver products or services to customers
  • The forced closure of a part of the business, such as a factory or a call center
  • The loss of key personnel who come down with symptoms
  • The inability of a competitor to deliver products or services (an opportunity!)
  • A surge or drop in demand
  • …and so on

It may not be as easy for internal audit to know its place today, even for the next months.

But carrying on as normal is unacceptable.

What was identified as the top risk when you did your audit planning and risk assessment, what you are auditing as your read this, is almost certainly not the top risk today.

So set your audit plan aside.

How can we help management (and the board, but less directly)?

For example, when I was CAE, members of my staff were part of the crisis response team. Some:

  • … stepped into temporary operations roles to supplement the management team
  • … helped with the communications process, calling members of the emergency response team
  • … acted as secretaries and scribes during meetings of the emergency response leadership
  • … got out of the way. We didn’t ask management to stop planning for or responding to an emergency so they could answer our audit questions

We also were not shy about working with management to upgrade their response plans and procedures. If the plans were lacking, and the best people to upgrade them were my audit staff, I told them to go ahead. We can draft the plans and let management review and approve. You can question whether that stepped over the independence line; my answer is that I did what was right for the organization and management still made all the decisions. The board approved warmly.

Sometimes, we facilitated meetings to review, upgrade, or even develop response plans.

We should be talking to management and asking “how can we help?”

Perhaps we can review some of the planning that has been done, not to find fault but to make sure everything has been thought through.

Maybe we simply call around and collect information about preparedness and response so we can collate and report it to management.

If management in a location is understaffed and having trouble putting a plan together, we can often help. We may know of another location that has a good plan and can help the first one modify and adopt it. If they simply have no idea what to do, we don’t stop to write an audit report; we get to it and help them write the plan.

What we don’t want to do is perform an audit of Coronavirus responsiveness and deliver a report in six weeks.

We need to act with agility to help the organization get through this, making informed and intelligent decisions now.

We may have a business card that says we are internal auditors. But we are part of the management team and our first duty is to help the organization succeed.

I welcome your thoughts.

By the way, my friend Richard Chambers will be sharing his thoughts on this topic next week. Check him out at or

Everybody should be familiar with this

February 21, 2020 2 comments

When you make a decision, whether in your personal or professional life, you should be asking:

If I do this, what might happen?

If I do that, what might happen?

Which is the better option?

If you are faced with the unwelcome news that your primary competitor has reduced their prices by 15% and is going after your customers, you have to decide what to do about it.

There will be options, each with a range of possible outcomes. In fact, for each option, there will in all likelihood be multiple things that might happen.

For example, if you match the price increase, that might (and might not) prevent your customers fleeing to the competition. There’s an outside but unlikely chance that you might be able to snatch a customer or two of theirs. You might be able to gain the customers of other competitors who, until now, have competed based on price alone. But it’s almost certain that your revenue will drop and your cash flow will ebb. The domino effect of a reduction in cash flow might be significant in several ways. Maybe you will have to slow or cancel other business projects, such as the purchase of a new system for trade compliance. Maybe your sales representatives will see the potential loss of commissions as an incentive to leave.

Several things might happen, and work has to be done to assess the range of effects and likelihoods of those effects on your business objectives.

But there are other options, such as to ignore the price increase, cut your prices more than the opposition, or to stress your product quality or service as deserving the higher price.

You can rely on your experience and knowledge to make the decision, or you can look to improve its quality using the sort of tools available to practitioners.

If used carefully, these tools can provide quality analysis of what might happen in a way that you can compare the options and make an informed and intelligent decision.

A recent article in Security Management, How to Use Scenario Analysis to Manage in Uncertain Times is worth reading.

It is written for information security practitioners, but has merit for everybody, including those on the board and in the executive suite.

Here are a couple of useful excerpts:

  • Every single decision in an organization is made under a certain degree of uncertainty…. Often, leaders make these decisions based on anticipated events, along with corresponding best-case and worst-case predictions about what might happen. Whether or not these predictions will actually come to pass is unknown at the time the decision is made.
  • …it is clear that no one future path is inevitable for any organization. A wide range of potential outcomes is possible and subject to unforeseen events and random occurrences. But this does not mean that all forecasting efforts are fruitless. The business world is dynamic and competitive, and because the external environment often drives the need for change, organizations need to hone their abilities to manage uncertainty. Thus, wrestling with future possibilities is crucial, especially for reasons of preparedness, possible expansion, and strategic planning.

The article continues with an introduction to Scenario Analysis:

  • Scenario analysis is a method for creating responses to various future events with the aim of reducing uncertainty and maximizing the chances of achieving a desired outcome. This process requires investments of people, time, and money. Imagination also comes into play as managers use scenario analysis to determine or invent possible courses of action to take so the organization can reduce its overall risk and maximize its value.
  • Historically, scenario analysis arose out of military planning during World War II. During the war, it was a means to offer specific descriptions of different futures; summarize and synthesize variables into a coherent picture for each possible future; suggest multiple and distinct choices that each future would entail; and increase the likelihood of achieving desired outcomes by exploring a range of responses or solutions.
  • In conducting a scenario analysis, specific future uncertainties and corresponding realities are evaluated by exploring different possible ways to arrive at a desired outcome. This requires assessing internal capabilities, such as the strengths and weaknesses of the operation, and external factors, such as the existing and future opportunities and threats in the business environment.
  • Scenario analysis does not reveal one exact road to successful decision making, nor does it assume that historical data patterns and past observational findings will replicate themselves in the future. The process will never erase all uncertainty, and it does not predict the future….  Instead, when done well, the process brings to light many possible future developments and turning points, which present several alternative paths to the desired outcome. It can provide a clearer understanding of what is plausible and should be taken seriously, and what is not. In the end, it is about describing various futures or different outcomes. This analysis results in the option to make advance decisions that are either strategic (planned actions) or tactical (immediate responses) in nature, depending on the event.

The example in the article is excellent. Even though it is written for information security practitioners, it describes an analysis led by the risk practitioner of the options available to address a business operations problem.

The authors point out, as do I in my books and blogs, that there is a range of possible effects, each with their own likelihood, not a single point risk level (let alone having multiple effects, some positive and some not). They describe how IBM misguessed the PC market 40 years ago because they used a single point estimate for the number of PCs that might be sold.

I thoroughly recommend the article for a careful and thoughtful read.

The only additions I would make is that all decisions should consider how the achievement of enterprise objectives might be affected, and some tools like Monte Carlo Analysis should be part of every analysts armory.

I welcome your thoughts.

Risk-based cyber risk reporting

February 15, 2020 6 comments

I encourage you to subscribe (free) to McKinsey’s frequent reports. Their latest, Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity has some good observations. Unfortunately, their ideas for addressing the problem don’t work for me.

Here are some excerpts I like:

  • …cyberrisk reporting at many companies is inadequate, failing to provide executives with the facts they need to make informed decisions about countermeasures.
  • Because of the information gaps, managers often apply a standard set of controls to all company assets. As a result, low-priority assets can be overprotected, while critical assets remain dangerously exposed.
  • In one survey, more than half of executive respondents said cybersecurity reporting was too technical for their purposes.
  • Cyberrisk reports were compiled by IT specialists for other IT specialists. As a result, the reports were very technical in nature and provided little to no guidance for executive decision making. Executives found that the reports did not help them interpret how cyberrisk is related to other risks the institution faces, such as legal or financial risks.
  • The reporting was structured by systems, servers, and applications rather than by business units, business processes, functions, countries, or legal entities.
  • The executives had no clear sense of the overall magnitude of the risk from cyberattacks, malware, and data leaks.
  • Cyberrisk managers found it difficult to decide on the areas of focus for cybersecurity investments or to justify their ultimate decisions to the board.

This is why I wrote Making Business Sense of Technology Risk.

The people running the business need to know how technology-related risk[1], especially (but not limited to cyber-related risk) might affect the achievement of their objectives. They need to know how to include it with other sources of risk and know where to spend scarce resources.

For example, should they budget an additional $1,000,000 to address what the CISO says are high risks, or should they spend that money to address trade compliance risk (which could result in their being shut down in an important region) or on a marketing campaign to drive revenue?

What if the cyber-related risk created by a new office appears to be acceptable, but when you realize that there are multiple new (non-cyber) risks that should also be considered, the right decision is to delay opening the office?

By the way, this last point illustrates one of the problems with the concept of risk appetite as promoted by COSO and others. In the last example, cyber-related risk is deemed to be acceptable. Let’s say there are potential customer relationship, compliance, and financial reporting issues as well. Each individually may be acceptable, but when management looks at the big picture (which requires that the information on each is not only comparable but can be aggregated in some way – I prefer based on their individual and cumulative effect on specific objectives), they decide the total potential downside is not justified by the potential upside.

My point is that all assessments of what might happen (aka risk) should be made based on how the achievement of business objectives might be affected. (This is discussed in detail in the book, far more than I can put in a blog post.)

But McKinsey falls into the same trap as some of the standards written by techies for techies (in other words, not written for leaders of the organization; not written to provide decision-makers with the information they need to make informed and intelligent business decisions. In fact, I have yet to see a standard or other guidance that tells you to ask them what they need).

Here are some excerpts (my highlights), where they go astray:

  • Make the cyberrisk status of the institution’s most valuable assets fully transparent, with data on the most dangerous threats and most important defenses assembled in a way that’s accessible and comprehensible for nonspecialists. [ndm: the last point is good, but the focus is on information assets instead of on enterprise objectives.]
  • Provide decision makers with a risk-based overview of the institution so they can focus their cybersecurity investments on protecting the most valuable assets from the most dangerous threats. [ndm: protect the business and its objectives, not just information assets.]
  • The company subjected only its most critical, most vulnerable assets (class one) to the full arsenal of controls—from multifactor user authentication to deleting, after 24 hours, the accounts of anyone who left the company. By contrast, it applied only basic controls to the least critical assets.

McKinsey follows this up with a heat map! Of course, it is going to be interesting information for techies, but fails to relate how any incident (or series of incidents) might affect the business and its objectives. There’s no way this information can be added to other sources of risk to help leaders make sound business decisions.

McKinsey rails about techies developing reports for techies and then does the same thing.

Instead, figure out what leaders need to know about cyber-related risk if they are to make informed and intelligent decisions?

  • Should they invest in cyber vs marketing?
  • Should they proceed with opening that new office?
  • How likely is it that a breach would seriously impair the achievement of enterprise objectives – including how it would affect the metrics on which the analysts rate the company and the board determines their bonuses?

I welcome your thoughts.

[1] I hate to use the 4-letter ‘r’ word, but am doing so to help people understand this particular issue.

New ERM Guidance from COSO

February 8, 2020 28 comments

It’s is very hard to talk or write intelligently about risk and its management when your language gets in the way.

A new COSO paper, written by two individuals I have known a long time and for whom I have great respect, is trapped by one awful word, a true four-letter word: ‘risk’.

Creating and Protecting Value: Understanding and Implementing Enterprise Risk Management is based on COSO’s 2017 update of its 2004 ERM Framework. Their intent is to explain how effective ERM can add value to an organization, and to give some guidance on how to implement or upgrade it.

But it is bedeviled by this four-letter word.

There is no common and shared understanding of what the word means. Is it:

  • The possibility of something bad happening?
  • The effect of uncertainty on objectives? (ISO 31000)
  • The effect of what might happen on the achievement of enterprise objectives, effects that can be good, bad, or both? (Marks)

Let’s start with some excellent language from the document. They say (my highlights):

  • COSO’s 2017 Framework, Enterprise Risk Management – Integrating with Strategy and Performance, defines enterprise risk management as: “The culture, capabilities, and practices, integrated with strategy-setting and performance that organizations rely on to manage risk in creating, preserving, and realizing value.
  • …in today’s risk environment, improved risk management processes are needed to ensure that organizations are successful.
  • …the role of ERM [is] not just that of a separate staff function but [is] integral to how an organization creates and preserves value.
  • …improved risk management practices can contribute to improving performance and helping the organization create and enhance value.
  • The 2017 Framework clearly positions ERM as an activity whose role and objective are helping the organization to create and protect value. It accomplishes this by helping the board and management make better informed decisions…. The overall objective of ERM is accordingly, enhanced performance of the organization. It is not a separate activity with its own objectives but an integral part of the organization’s strategy setting and performance processes.
  • its benefit is improved decision making and ultimately improved performance of the organization as it strives to meet its mission and achieve its strategies and business objectives.

I have noted these because, as COSO states, the objective of ERM (or whatever you want to call it) is helping the organization succeed. It is not limited to protecting value from harm. It includes enabling the organization to create and realize value.

Focusing on avoiding failure is not the path to achieving success.

The authors note that the benefits of ERM include:

  • Increase the range of opportunities by considering both the positive and negative aspects of risk
  • Increase positive outcomes and advantages while reducing negative surprises

This is spot-on from the authors:

Another way to look at the benefit and value of ERM is its contribution to better decision making. Boards and management are constantly faced with decisions ranging from strategy decisions to day-to-day decisions. An ERM process provides additional risk information related to the strategies to enable them to make better informed decisions to create and protect value.

But then language impairs the message as the authors continue.

They are sucked into focusing their total attention on the possibility of harm. Even though they have talked about achieving success, and that there are possibilities of both loss and gain from events and situations, they limit ERM to addressing things that might happen to impair (i.e., ignoring the possibility of enhance) the achievement of strategies and objectives. They are concerned only with protecting and not creating value – despite the title of the paper.

More excerpts:

  • Following the updated Framework, the organization is trying to identify those events that might impair its ability to achieve its strategies and business objectives.
  • The key risks that ERM is focused on are those events, and the resultant outcomes, that could impair the organization’s ability to implement its specific strategies.
  • It accomplishes this by helping the board and management make better informed decisions that enable them to effectively manage those risks that could impair their ability to achieve their strategies and business objectives.
  • ERM helps not only identify risks but also assesses which risks are significant enough to impair the organization’s ability to achieve its objectives.

When the South African Institute of Directors updated their code of corporate governance, providing us with the excellent King IV code, they changed from talking about ‘risk’ to talking about ‘risk and opportunity’. That is better, but still doesn’t entirely get us to where we need to be: talking about the ability to increase the likelihood of success.

Manage success, not failure.

Here’s a simple example of why focusing exclusively on the possibility of harm will lead to the wrong business decision.

The company is considering making an acquisition. The acquisition is expected to increase the potential for credit loss for the post-acquisition enterprise by $5 million based on the prior experience of the acquired business. The risk manager worked with the company’s Credit Department to assess the total company credit risk and says that there is a 10% likelihood that the company will exceed the defined risk appetite.

The CEO correctly points out that while he doesn’t want to incur additional credit losses, the acquisition is 80% likely to deliver an additional $50 million to the company’s bottom line.

The point is that the acquisition will not only increase the possibility of harm, but the possibility of reward.

Effective risk management (in my world) is about providing decision-makers with all the information they need on all the more significant things that might happen, both good and bad, so they can make an informed and intelligent decision.

I’m fine with the idea of starting an ERM program with the ways in which the enterprise can deliver value to stakeholders.

Then, ‘what might happen’ is factored in when setting objectives and related strategies. It’s not after-the-fact. It’s an integral part of objective-setting and then deciding which strategies to adopt to achieve the objectives. (In other words, don’t assume that the right objectives are set, which is what COSO ERM does.)

Once objectives and strategies are set, understanding and monitoring what might happen is appropriate. But don’t monitor only the possibility of bad things happen; make sure you are able to take advantage of the good, the opportunities that may arise. For example, will you know when a competitor stumbles or a customer has a greater than expected need?

When you consider the possibility of harm, weigh that against the possibility of reward.

Ongoing decision-making should be based on am understanding not only of what could go wrong and what needs to go right (glad to see the document using my language here), but also what could go even better than expected.

But limiting ERM to managing a list of risks is not effective management of the organization for success.

My advice:

  • Stop using the awful four-letter word. Instead, think about how you should consider what might happen so that you have an acceptable likelihood of achieving your objectives: being successful.
  • Talk about how you can increase the likelihood of success; talk about what might happen. (Read my books)
  • Don’t monitor and address only the possibility of harm but also the possibility of greater than expected reward.
  • Weigh all possibilities and make informed and intelligent decisions.
  • Make sure that all decision-makers know how to make the informed and intelligent decisions necessary for success.
  • Make sure all decision-makers know how their decisions might affect the likelihood and extent of success. (Risk appetite is generally less useful than people think because it focuses exclusively on the possibility of harm, without considering the possibility of reward.)

Read more…

Boasting about internal audit value

January 30, 2020 11 comments

Richard Chambers, President and CEO of the global Institute of Internal Auditors, is a friend whose leadership at the IIA and of internal audit practices I value and respect.

Recently, he wrote a blog, One Mistake Internal Audit Cannot Afford to Make in 2020.

Please read it and then consider an alternative view.

If we are focused on communicating what we consider to be our value, are we not boasting?

Do you respect people or organizations that boast about their value?

I 150% agree with Richard that internal audit should “obsess about the value we deliver”.

I also agree that there are “countless internal audit departments that were simply ‘checking the box’ in executing their mission”.  If they are checking the box and not focused on delivering what they are capable of, they are not going to be valued by the board and executive management of the organization. They will be a target for downsizing, or at least unable to get the funding they need even in good times, because leaders don’t see the business benefit.

But what is that value? How should it be identified and valued?

The value of internal audit can only be measured through the eyes of our customers!

The value of anything is only what the customers would willingly pay for it, because of the benefit it provides.

Richard gets this right when he says:

“Your key stakeholders have the last word on whether you are doing your job well. And they judge an internal audit function not by how well-run it is, but by the value it generates for them.”

When I finish a speech or training class, the organizers often ask me how I think it went. My answer is always that we will find out when we hear from the audience, my ‘customers’.

Do I tell my customers how much value I just gave them? No. I ask them how much value they derived from my presentation.

The same thing applies to internal audit.

If you feel you have to tell the board and top management how much value you have delivered, it seems obvious (and sad) that they don’t already know.

They don’t already know:

  • The value of the assurance you have provided them of the adequacy of the systems for managing risk and internal control, and whether the more significant risks are addressed by effective and appropriate internal controls
  • The value of the insights and advice you have provided, both formal and informal, to management (at all levels) and the governance body
  • The value of the actions that your work has stimulated; not the recommendations in your reports but the actual change that was made. Recommendations that are not seized by management as opportunities have little value. In fact, recommendations that are ignored because they don’t seem ‘right’ to operating management have a negative value on the reputation and standing of internal audit.

While we might have an idea of where we have added value, even some idea of the magnitude of that value, only the customer can place a value on our work with any degree of accuracy.

Providing a report or other communication to leadership that tells them our valuation of the work we have done is not only boasting but lacks credibility.

Your value is what people would be willing to pay for it. It is not what you say it is.

So let’s turn the question around for a minute.

Instead of asking whether the board and top management know what our value is, ask DO WE KNOW what our value is to them – in their eyes? If we do, are we maximizing that value? If we don’t………

Richard talks about the fact that different people in leadership judge the value internal audit delivers based on their “value premise.”

But instead of telling them what we consider to be our value, we should find out how we can be of greatest value to them.

If they don’t understand the value we can contribute, we should have a conversation with the objective of obtaining a mutual understanding of how internal audit can and should add value to the organization as a whole and to each of them individually.

Don’t just tell them. Discuss, listen, tell your story and your ideas, and agree. Help them see what you can do while understanding what you can do (differently, perhaps) to create value in their eyes.

We should obsess about delivering that value, rather than on promoting (boasting) how good we are.

The best way to make sure the board and top management understands the value is to:

  • Deliver the value (i.e., execute) and
  • Have happy customers who boast about it.

I remember a time when the retail arm (primarily Circle K stores) of my company (Tosco Corporation) was going through some tough times. I was at an executive committee meeting when somebody asked if internal audit was going to be asked to cut our budget. Several executives spoke up, telling the CEO and others that rather than cut internal audit, they wanted to increase our budget.

When we had an audit committee meeting to discuss a serious issue, I had the operating unit executive attend and we jointly communicated both the severity of the issue and the actions that we would or have already taken. (I say ‘we’ because internal audit is part of the organization, despite what some assert or imply about our independence.) Both executive management and the board members can see us adding value – but only they can place a value on it.

That’s not to say I don’t make sure that my customers get the information they need to understand our value.

I don’t think we can put a value ourselves on assurance, advice, insight, or even business process change.

But we can ask the customers if we are adding value; often we can find a way to have them put a value on it. Then we can ensure that information is summarized for top management and the board.

At Tosco, I had a large part of my organization (28 people) auditing contractors. The team agreed with our customers on the value of each contract audit, generally the monies returned or costs avoided, and this was summarized in periodic reports to management and the board.

I close with three stories.

At Tosco, I asked the CFO for his assessment of the team’s performance and value over the last year. Jay Allen, a brilliant man with a dry sense of humor, said, “Keep it up or your fired”. He then gave me a huge bonus, so I could value my work.

I asked the chair of the Tosco audit committee about the team’s performance. He said, “You help us sleep through the night”.

The CEO of our largest division told the governor of the state of New Jersey that internal audit gave Tosco a competitive advantage.

I value those appraisals, as well as the fact that our customers continued to fund internal audit faster than the rest of the organization.

What do you think?

Obsess about communicating value? Or, obsess about understanding and then delivering the value our customers want – and letting our customers understand and appraise it.

How good is your SOX program?

January 30, 2020 1 comment

For several years, I have led two-day training sessions for SOX leaders who want to make sure their programs are both efficient and effective.

The SOX Masters Classes are an opportunity to learn (or re-learn) what a top-down and risk-based approach is about, and how to ensure you have cut out all unnecessary and expensive work.

Over the years, most organizations have fallen into bad habits and their SOX scope has expanded way beyond what is necessary.

Often, this is because the external auditors insist on scope increases where, in fact, there really isn’t a significant risk. The likelihood of a material error or omission in the financial statements is less than reasonable possible.

The classes are limited in size so that we can have constructive discussions and learn with and from each other.

The next one is in Chicago on April 30th.

Which comes first, risk or control?

January 24, 2020 24 comments

I think the relationship between risk (what might happen to affect the achievement of objectives) and internal control (what you do to ensure things are done the way you want) is not very well understood.

Here’s my attempt to explain it.

  1. You have controls to ensure that risks (the effect on objectives of potential events, situations, actions, or decisions) are at desired levels. (Note that I said ‘desired’ instead of ‘acceptable’. There’s an important difference.) So you can’t know whether you have the right controls or that the system of internal control is effective if you don’t have a reliable understanding of the more significant risks to objectives today and for the manageable future. You may have a lot of controls that are working just the way you want. But are they the controls you need when the future is shifting and the risks have changed?

Conclusion: any assessment of the system of internal control is predicated on an assessment of the systems around the identification and management of risk (again, what might happen).

  1. You cannot have effective management of risk if you don’t have effective controls around their identification, treatment, and so on. The processes around identifying, assessing, and acting on risks (what might happen) include a number of critical controls. For example, if you rely on analytics to identify emerging risks, you have controls over the development and use of the analytics. If you rely on workshops to debate and assess the potential effects of likely events, you have controls over workshop attendance, conduct, and actions taken. If you have a potential for bad debt, you rely on controls over credit approval.

You fool yourself if you believe risk is at desired levels if you have not assessed and obtained confidence in related internal controls.

Conclusion: any assessment of the effectiveness of risk management depends on the assessment of related controls.

Can you assess the overall system of internal controls without considering risk management? I don’t think so, and neither does COSO. That is why there is a risk component in their internal control framework.

What you can do is provide an overall assessment of the system of internal controls as it relates to the more significant risks that were addressed by completed audit engagements.

Can you assess risk management without considering related internal controls? I don’t think so.

What you can do is provide an overall assessment using a risk maturity model (such as I describe in World-Class Risk Management) or indicate that your assessment is subject to the system of internal control being effective.

In World-Class Risk Management, I describe a number of risks to the effective management of risk. For example, the wrong people might be assessing a risk, or individuals might be influenced by their cognitive bias when assessing and acting in response to a risk. If there aren’t effective internal controls to address those risks to the management of risk, how can you assert that risk management is effective?

I strongly encourage both management and risk and audit practitioners to assess both their systems of internal control and of risk management (including, especially, the quality of decision-making) formally, every year.

Boards should demand such assessments, both from executive management and the CAE and CRO.

But, such assessments should recognize their interplay and mutual inter-dependence.

I welcome your thoughts.

A new code sets back the status and practice of internal auditing

January 16, 2020 6 comments

The Chartered Institute of Internal Auditors (the UK affiliate of the global Institute of Internal Auditors) is usually a thought leader, promoting and explaining best and leading internal auditing practices. For example, they have done excellent work on [enterprise] risk-based auditing.

But their latest publication, Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors steps backwards from the progress made by the IIA in its Definition and Core Principles.

Here are my more significant criticisms:

  1. The first and most important failure (and I mean just that) is when they define the Role and Mandate on internal audit:

“The primary role of internal audit should be to help the board and executive management to protect the assets, reputation and sustainability of the organization.”

The IIA’s Definition of Internal Audit is right when it says that internal audit should help the organization achieve its objectives.

Internal audit should help an organization both create and protect value.

Talking about protection and not the creation of value is a severe limitation of internal audit effectiveness. It implies that internal audit should not address whether:

    • Customers are billed the full price
    • The company takes full advantage of available vendor discounts
    • Management bids effectively for new business
    • Decision-makers are taking the right risks for success
  1. While risk management practitioners are beginning to recognize that effective risk management is far more than a review of a list of the more significant risks, the Code does not:

“It does this by assessing whether all significant risks are identified and appropriately reported by management to the board and executive management.”

  1. Quite disturbing is the fact that the antiquated notion of cyclical auditing is included in the guidance.
  1. The Code says that internal audit reports should focus on “significant control weaknesses”. The global IIA rightly explains that internal audit provides assurance; that is not the same as the Code’s emphasis on reporting weaknesses – it’s a great deal more! Internal audit reports should inform leadership whether the more significant ‘risks’ to the objectives of the company are being effectively managed, and that should include not only harmful ‘risks’ but the optimization of performance as well. Internal audit should explain which enterprise objectives might be affected by identified control weaknesses and by how much.

I have high expectations from this UK organization. I expect to see thought leadership that moves practices forwards. This moves them backwards and is a lost opportunity.

I welcome your opinions and comments.

Risk and Consequences

January 11, 2020 11 comments

I like to think that effective risk management helps the managers of an organization, at all levels, make the informed and intelligent decisions necessary for success – reliably achieving enterprise objectives considering all the things that might happen, both positive and negative.

It’s not about managing the possibility of harmful events or situations.

It’s about managing the likelihood and extent of success.

The likelihood and effect of harmful events and situations, including the consequences of decisions, have to be weighed against the positive outcomes that may arise, and the right risks taken for success.

Let’s consider the things that might flow from a decision.

Imagine we are thinking of raising the sales price of our flagship product. A number of things might happen:

  • Revenue is likely to increase in the short term, especially until customers are willing to change suppliers because our competitors have not increased their price.
  • The additional revenue could fund further investment in our product line, with positive longer-term revenue increases.
  • But, customers might also be unwilling to pay the higher price, impacting revenue. The change might be immediate but it could also be longer-term.
  • There might be an impact on our reputation, with both short and, especially, longer-term consequences. Perhaps we are no longer seen as a low-cost provider. Perhaps we are seen as a company that takes advantage of its customers. The likelihood is greater that this will harm our reputation than benefit it. Revenue could be impaired, particularly in the longer-term.
  • On the other hand, our competitors might increase their prices right away. Any negative effect would likely disappear, leaving only the positive revenue and cash flow impacts.
  • But, they might seek to take advantage, perhaps with an aggressive marketing campaign, seeking to steal customers and revenue.

Multiple things might happen if we increase our prices.

The effects are not all immediate, with some potential longer-term and even permanent impacts on our business.

We can change their effect if the price increase is lower, raise them if the increase is greater.

But we need to look further and deeper.

Each of the scenarios that can be envisaged leaves us in a changed situation. Before we can decide whether and by how much to change our prices, we need to consider whether those situations would be acceptable. If not, what can and should we do?

The options facing us to treat unacceptable situations flowing from our initial price decision will themselves have a range of effects, often a combination of potential and negative consequences. They will lead to another set of situations where we might have to make decisions and act.

For example, a price change now might change our perception in the marketplace as a low-cost supplier of quality products. If that will have a negative effect on revenue, what are we going to do about it? Can we modify our own marketing campaigns? Can we justify it based on quality or other factors like customer service or warranty periods? Can we take advantage of it to reach premium customers?

Let’s say we decide to increase our marketing budget to counter any reputation impact. That money has to come from somewhere. Perhaps our budget for marketing our other products and services will be impaired.

Where am I going with this?

A so-called risk assessment that only focuses on shorter-term effects (even if it includes both positive and negative effects) is limited in its value. Some effects occur later. We may need to act either to address those negative effects or take advantage of opportunities. All of that needs to be considered before an intelligent and fully informed business decision can be made.

There’s a domino sequence of situations that flow from any potential decision. Making a decision now without considering longer-term consequences can have disastrous results.

Consider the US invasion of Iraq. If we were to use all the benefits of hindsight to see what might happen, a series of situations and responses to them, we would probably question the initial decision.

A gives rise to B (after consideration of options), which gives rise to C (again, after considering options), which gives rise to D – and so on.

Are decision-makers thinking through the full range of potential consequences, including those over time and the responses and effects of the responses to them – and so on, for a long period of time?

Is the risk manager helping people make these considered decisions, not only with information and analyses but with quality decision-making processes?

If there is a lack of quality in decision-making, shouldn’t internal audit be drawing attention to it?

Which is the greater risk or threat to an organization, a data breach by outsiders or an inability to make quality decisions?

I welcome your thoughts.

10 Years of Progress

December 17, 2019 6 comments

Its 10 years since my first blog post in December, 2009; Is there value in talking about GRC? remains a relevant question especially as so many vendors put a GRC label on their software.  I’ve written about GRC 97 times since then.

But, thankfully, most practitioners have moved on to focus on those elements of GRC that are meaningful to them rather than trying to implement software for “GRC”. Depending on their role and responsibilities, that may mean risk management, compliance, internal audit, information security or cyber, etc. Sometimes, but not always, one software solution will be the best choice for several areas; but almost never will it be the right choice for every area of GRC.

Of my 689 posts (not including this one), the most viewed is from 2011, Just what is risk appetite and how does it differ from risk tolerance?, which has been viewed a massive 69,617 times (10% of which were in 2019).

But I want to talk about progress in practices since that first post. These will just be highlights.

Risk management

While the great majority of practitioners continue to follow traditional practices (such as developing a list of top risks that is reviewed periodically, perhaps on a heat map), an increasing number recognize that this is a failing practice and have moved on. They recognize that risk management should enable decision-makers to make informed and intelligent decisions that will enable them to take the right risks and achieve enterprise objectives.

Boards and top management teams are similarly starting to ask for more. They recognize that discussing a list of risks is not helping them run the organization for success. It only helps identify potential problems. The focus should be on having an acceptable likelihood of achieving objectives (a better way of thinking about ‘risk appetite’) instead of an acceptable level of risk.

Corporate governance codes and frameworks similarly talk about both risk and opportunity. However, there is little guidance on how to weigh all the pros and cons so you can make those informed and intelligent decisions.

The future is not clear, especially as regulators continue to press traditional practices that might help avoid failures (emphasis on might) but don’t contribute to success.

We need to stop the focus on the management of risk and replace it with a focus on the management of success.

That will take time.


Internal audit

I am pleased by the progress I have seen, especially the move away from a rigid annual plan that is out-of-date even before the first audit. Instead, there is a growing recognition that you need to audit at the speed of risk (or at the speed of the business, if you prefer). That requires a far more flexible audit plan. A majority of functions now update their plan at least quarterly, while leaders are using a continuous planning approach to ensure they address the risks of today and tomorrow rather than of the past.

Compared to 10 years ago, far more are providing their stakeholders with opinions. Most include opinions in their audit reports (micro opinions), while a growing number provide an overall assessment of how enterprise risks and related controls are managed (macro opinions).

But there is still work to be done.

Too few have limited their audits to issues or risks that matter to the success of the organization as a whole (defined by the achievement of enterprise objectives). They may start with an intention of auditing such enterprise-level risks, but then bloat their scope by including areas that, if the controls failed, would not require the attention of top management or the board; in other words, their scope includes issues that don’t matter to the success of the organization as a whole. That time, the time spent on issues that only matter to middle management, can be better spent on other enterprise-level risks.

If you want to be agile, which enables you to pivot promptly to new or changed risks, you can’t afford every audit to be a leviathan. Think of how long it takes to turn an oil tanker.

The other area that I see improving in the future is in communicating the results of the audit.

While executive summaries are getting shorter, they are still written in the language of the auditor and say what the auditor wants to say. Leading functions realize that they need to tell their stakeholders what they, the stakeholders, need to know. For example, what is the effect of any control deficiencies on the ability to execute successfully on business strategies to achieve enterprise objectives? Which objectives might be affected and by how much?

I believe the future is bright and salute the achievements of the past decade.

What do you think?

FYI, in 10 years those 689 posts have been viewed a total of 1,256,639 time!

New guidance for risk committees

December 10, 2019 5 comments

A new publication by the Risk Coalition (a group of organizations in the UK that includes their Institute of Directors, a couple of risk management associations, and the organizations for internal and external auditors) merits our attention.

Raising the Bar: Principles-based guidance for board risk committees and risk functions in the UK Financial Services Sector has some interesting content. For example, it says:

  • In financial services the real risk is to take no risks. We are in the business of managing financial risks.
  • While the concept of the Three Lines of Defence continues to provoke much academic and professional debate, the Risk Coalition believes the basic principle of requiring independent oversight and challenge of management risk-taking remains sound.

In addition, I like that the guidance talks about ‘risk taking’ instead of simply managing risk. It also defines risk as not purely a negative effect on objectives:

The possibility that events will occur that affect the likely achievement of an organisation’s corporate strategy or strategic objectives. Commonly considered as negative events (downside risk), there may be occasions where risks may be exploited to an organisation’s advantage (upside risk).

Its definition of risk culture is also useful:

The combination of an organisation’s desired ethics, values, behaviours and understanding about risk, both positive and negative, that influences decision-making and risk-taking.

There are some key phrases in its definition of a risk appetite framework (which I highlight):

A key, board-approved framework designed to aid effective management decision-making, risk monitoring and reporting, and through which aggregate risk appetite is translated and cascaded into meaningful, calibrated risk thresholds, limits, metrics and indicators aligned to strategic objectives, and embedded throughout the organisation.

I highlighted these sections because in my experience very few risk appetite statements or frameworks are developed in such a way that they influence risk-taking and decision-making at all levels of the organization. For example, how does an HR manager know how his or her decision on which candidates to present might affect enterprise strategic objectives? How does saying that the organization has no tolerance for compliance or safety failures affect decisions on investments in those areas?

The guidance says is it “evolutionary, not revolutionary” and I must agree.

It provides more clarity to traditional thinking about risk management, but doesn’t suggest how to step up to real value-add activities.

In other words, there’s quite a lot missing!

I set up a risk committee when I was CAE and CRO at Business Objects. The first question that had to be addressed was:

Why do we need a risk committee?

If the answer is that we need one to comply with the expectations of the regulators, then we are unlikely to get the full and enthusiastic support of the management team. The team is focused, as should be the board, on achieving the strategic objectives for the organization – in other words, they are focused on the success of the organization, not just its compliance obligations.

I vividly remember a conversation I had many years ago with a senior executive. He was responsible for the company’s trading desk and told me that he couldn’t spend much time answering my questions because he had to get back to running the business and making money.

We get the executives’ attention and support when they appreciate how what we are doing helps them do both – make money and run the business for success. In time, this executive learned how my team and I could help him do both and he became a huge supporter.

The answer to the question should be that the committee helps the board be assured that management is taking the right risks, seizing opportunities wisely, as a result of informed and intelligent decisions.

The answer should not be limited to any form of blinkered focus on managing the possibility of downside events and situations that ignores the need to weigh ALL the potential things that might happen. In other words, is management weighing ALL the pros and cons before making decisions, or is simply looking at the cons out of context? Even the COSO ERM framework explicitly recognizes that when justified by the opportunity, risk appetites should be exceeded.

So the next question is:

How does the risk committee contribute to success?

I struggle with this myself, in particular the next question:

Why do I need a separate risk committee when strategy and performance are discussed elsewhere?

Separating risk and strategy, or risk and performance management, makes little sense to me – unless your risk committee is there as window-dressing for compliance, rather than helping the organization both protect and create value in its pursuit and achievement of objectives.

I recall a panel discussion at an event years ago in Canada. The CEO of the Hudson Bay Company told us that his board had a Risk and Strategy Committee. I think this is a world-class practice.

So, what do you think? Does it make sense to have a committee that only focuses on the downside? If it is charged with assuring the board that due consideration is given to all the things that might happen during decision-making and risk-taking, how does that work?

I welcome your thoughts.

Guiding Principles of Corporate Governance

December 6, 2019 2 comments

The IIA should be congratulated for its recent publication, prepared in collaboration with the Neel Corporate Governance Center at the University of Tennessee, Knoxville, of Guiding Principles of Corporate Governance.

I still prefer the King Code IV from the Institute of Directors, Southern Africa, because it is more thorough. But the IIA document is definitely worth reading.

One area that I think is weaker than I would like is in defining requirements for the information provided so that the board can monitor performance. Principle 6 doesn’t go nearly far enough for me. The board needs to know promptly when there is an obstacle in reality or likelihood to achieving objectives. It should know about significant events or situations that could affect the interests of stakeholders, whether it be a reputation or perception issue, activities by competitors, and so on.

A report like this would benefit significantly from a study of the incidence and severity of governance failures. Has anybody seen something reliable and recent?

I welcome your thoughts.

What do you like in the IIA guidance? How could it be improved?

Is it sufficient to use as a foundation for a model of governance practices?

A risk case study

December 2, 2019 7 comments

I returned this week from a vacation in Mexico, including a day at the Copper Canyon.

Our tour guide took about 20 of us down the mountain side to see some Tarahumara Indian homes. I decided that I wanted to come back ahead of the group, finding my way back up the path and steps to our hotel at the top.

Let’s walk this through.

My objectives were:

  • Get back to the hotel ahead of the group. Many of the members were slow and I would find it frustrating keeping to their pace instead of mine.
  • Do so safely. While the path was not bad, it also was uneven and unpaved with a lot of rocks and steps to climb. The likelihood of a severe injury was very low indeed and I could accept a slight stumble. But if I moved too quickly, I could fall and bruise myself or worse.

What might happen along the way? In other words, what would a risk manager put on a list or heat map?

  • I might fall. The range of pain and injury went from slight (perhaps 5%) to severe (less than 1%).
  • I might get lost. There were multiple paths and I could easily take the wrong one. If I did that, I was confident (>90%) I could either find my way back and take the right path, continue on the (well-worn) path that would eventually take me back to the hotel, even if the arrival would be delayed, or ask one of the other people that I could see on the paths.

But there was also an opportunity: the chance to enjoy the walk back more than if I were in the middle of a muddling-along group.

I assessed the overall picture and decided that the opportunity outweighed the possibilities for harm.

I started walking, enjoying the faster pace and the fresh air.

But soon I caught up with another member of the party who, unbeknown to me, had also decided to head back early. He was older, with a walking stick, and I was faced with my first decision.

Do I try to pass or do I slow down and follow?

If I tried to pass, the possibility of injury would go up quite a lot. I didn’t try to calculate it, just decided quickly that it was not a ‘risk’ I wanted to take. At the same time, the possibility of getting to the hotel before the crowd was receding. I had to accept that, while looking for an opportunity to pass safely.

The opportunity came a few minutes later when the gentleman stopped to take a rest. I stepped past him with care, but was then presented with a dilemma.

There’s a saying that when you come to a fork in the road, you should take it. That’s what I saw: a fork.

To my right, the path went steeply up the hill. It looked a bit rough, while the path on the left continued straight and level and was clearly well used. There was no sign indicating which way led to the hotel, and the older guy remarked that he had no idea which was the right path to take.

I flipped a mental coin and decided to go left. I was swayed by the fact that the path up the hill presented a greater possibility of falling. It seemed steeper and more uneven than my memory of how we came down. I doubted that was the right way.

The path continued straight and level for a while. Soon, I was wondering whether it was the right path because I couldn’t see where it would start going up the mountainside.

An Indian lady approached. My Spanish is not very good, but I pointed ahead and asked whether it went to the hotel. She said it did. Si!

But after a few more minutes I was starting to believe it was the wrong way. I didn’t think I was lost, because all I had to do was retrace my steps back to the fork.

The foliage cleared and I was able to look up the mountain and see the hotel – which was behind and above me. Now I knew I had gone wrong.

I had to make another decision. Do I continue to where this path might find its way up the mountain (I hoped), or should I turn around? I considered the likelihoods of harm and opportunity and decided that, on balance, it was better to go back.

A few minutes later, I was a second path leading up. Decision time! This was definitely not the way we came down, but it looked like it should work. Do I take the new option or continue to retrace my stapes back to the fork? I weighed the possibilities of getting lost or delayed and the opportunity to get back faster than going all the way back. In addition, the path looked less steep that the way we had come down, so it should be somewhat safer (if my guess was right, since I couldn’t see all the way up the path to the top).

I decided to take the path up. Soon, I saw a path joining mine – with the rest of the group climbing it.

I got to the top, where my wife was waiting for me and asking where I had gone.

What can we learn from this?

  1. The levels of ‘risk and opportunity’, or the effects of uncertainty on my objectives, changed often and without warning. Relying on a list of risks at the start of the journey back would not have been useful.
  2. My ‘risk management’ was iterative and continuous. A periodic assessment, even every few 10 minutes, would not have been of great value.
  3. To make my (hopefully informed and intelligent) decisions, I needed to consider all the things that might happen and see which way the scales were tipped.
  4. Trying to assess likelihood and impact with any level or precision was unnecessary. Common sense was sufficient. Many practitioners may have a problem with that, but in real life it’s very often quite clear when the possibility of severe harm is unacceptable.
  5. We do this all the time. ‘Risk management’ is neither new nor a separate process from running our business, making as intelligent and informed decisions as reasonably possible.

I welcome your comments.

Why does internal audit need to be agile?

November 18, 2019 7 comments

You don’t have to go very far to hear an internal audit leader talk about agile. Richard Chambers, President and CEO of the IIA, shared this:

A lot is being said about the need for internal audit to be “agile.” My definition of agility is simple: “Internal audit’s ability to pivot swiftly to address emerging risks and changing stakeholder expectations.” It’s critical to our success!

Why does internal audit need to be agile?

We live in a world where business conditions are changing all the time and the pace of change is accelerating. That is universally accepted.

Internal audit needs to be able to respond to those changes promptly.

When new risks of significance to success are identified, internal audit needs to be able to update its plan and provide the assurance and insight that leaders need – when they need it, not when a static plan provides.

This is why Richard and I both talk about auditing at the speed of risk. I also talk about auditing at the speed of the business, which perhaps more clearly identifies that we need not only to be agile in our audit planning, to add and then perform the audit of a new area promptly, but also provide the assurance and insight that is needed at speed.

If the CEO comes to you, as the internal auditor, and asks for your thoughts on a new strategy, can he wait weeks or months until there is a gap in your audit schedule? No.

If the CEO asks for your thoughts as you complete the fieldwork, is it appropriate to make him wait until everybody has blessed a formal audit report? No.

It starts with an agile audit plan, where you can ensure each audit project is focused on what is needed now, for today and tomorrow.

But then you need:

  • Every audit project to be as short as possible. It’s very hard to move quickly to a new topic when the audit team is tied up on month-long (or longer) projects. If you limit each audit to the enterprise risks that matter, eliminating the work that would only matter to local or middle management, you can keep the great majority of audits within my target of 60-100 hours.
  • The ability to complete every project quickly. When you have done enough work to determine your opinion, stop. Don’t keep working to fill the time available/budgeted. Don’t work just to complete the audit program or checklist when the results are already known.
  • Eliminate unnecessary documentation. Only document your work to the extent that there is value, not just to comply with department standards. If documentation is required by regulators who may audit your work, or if the results are disputed by management, then ensure your documentation is sufficient. But otherwise, challenge the need for every hour spent.
  • Auditors who can think, not only performing work at speed, but are able to know when they have done enough and can stop.
  • The ability to know when you need to change the audit plan. You need to know when business conditions and plans change, either downgrading and removing projects that are no longer high risk-rated, or adding new ones.
  • A relationship with management where you can discuss the results of your work and agree on necessary corrective actions quickly.
  • An audit committee that understands the need for agile auditing.

I welcome your thoughts.