Archive for the ‘Risk’ Category

A new code sets back the status and practice of internal auditing

January 16, 2020 6 comments

The Chartered Institute of Internal Auditors (the UK affiliate of the global Institute of Internal Auditors) is usually a thought leader, promoting and explaining best and leading internal auditing practices. For example, they have done excellent work on [enterprise] risk-based auditing.

But their latest publication, Internal Audit Code of Practice: Guidance on effective internal audit in the private and third sectors steps backwards from the progress made by the IIA in its Definition and Core Principles.

Here are my more significant criticisms:

  1. The first and most important failure (and I mean just that) is in how they define the Role and Mandate of internal audit:

“The primary role of internal audit should be to help the board and executive management to protect the assets, reputation and sustainability of the organization.”

The IIA’s Definition of Internal Audit is right when it says that internal audit should help the organization achieve its objectives.

Internal audit should help an organization both create and protect value.

Talking about protection and not the creation of value is a severe limitation of internal audit effectiveness. It implies that internal audit should not address whether:

    • Customers are billed the full price
    • The company takes full advantage of available vendor discounts
    • Management bids effectively for new business
    • Decision-makers are taking the right risks for success
  2. While risk management practitioners are beginning to recognize that effective risk management is far more than a review of a list of the more significant risks, the Code does not:

“It does this by assessing whether all significant risks are identified and appropriately reported by management to the board and executive management.”

  3. Quite disturbing is the fact that the antiquated notion of cyclical auditing is included in the guidance.
  4. The Code says that internal audit reports should focus on “significant control weaknesses”. The global IIA rightly explains that internal audit provides assurance; that is not the same as the Code’s emphasis on reporting weaknesses – it’s a great deal more! Internal audit reports should inform leadership whether the more significant ‘risks’ to the objectives of the company are being effectively managed, and that should include not only harmful ‘risks’ but the optimization of performance as well. Internal audit should explain which enterprise objectives might be affected by identified control weaknesses and by how much.

I have high expectations from this UK organization. I expect to see thought leadership that moves practices forwards. This moves them backwards and is a lost opportunity.

I welcome your opinions and comments.

Risk and Consequences

January 11, 2020 11 comments

I like to think that effective risk management helps the managers of an organization, at all levels, make the informed and intelligent decisions necessary for success – reliably achieving enterprise objectives considering all the things that might happen, both positive and negative.

It’s not about managing the possibility of harmful events or situations.

It’s about managing the likelihood and extent of success.

The likelihood and effect of harmful events and situations, including the consequences of decisions, have to be weighed against the positive outcomes that may arise, and the right risks taken for success.

Let’s consider the things that might flow from a decision.

Imagine we are thinking of raising the sales price of our flagship product. A number of things might happen:

  • Revenue is likely to increase in the short term, at least until customers are willing to change suppliers because our competitors have not increased their price.
  • The additional revenue could fund further investment in our product line, with positive longer-term revenue increases.
  • But, customers might also be unwilling to pay the higher price, impacting revenue. The change might be immediate but it could also be longer-term.
  • There might be an impact on our reputation, with both short and, especially, longer-term consequences. Perhaps we are no longer seen as a low-cost provider. Perhaps we are seen as a company that takes advantage of its customers. The likelihood is greater that this will harm our reputation than benefit it. Revenue could be impaired, particularly in the longer-term.
  • On the other hand, our competitors might increase their prices right away. Any negative effect would likely disappear, leaving only the positive revenue and cash flow impacts.
  • But, they might seek to take advantage, perhaps with an aggressive marketing campaign, seeking to steal customers and revenue.

Multiple things might happen if we increase our prices.

The effects are not all immediate, with some potential longer-term and even permanent impacts on our business.

We can lessen their effect if the price increase is lower, or heighten it if the increase is greater.

But we need to look further and deeper.

Each of the scenarios that can be envisaged leaves us in a changed situation. Before we can decide whether and by how much to change our prices, we need to consider whether those situations would be acceptable. If not, what can and should we do?

The options facing us to treat unacceptable situations flowing from our initial price decision will themselves have a range of effects, often a combination of positive and negative consequences. They will lead to another set of situations where we might have to make decisions and act.

For example, a price change now might change our perception in the marketplace as a low-cost supplier of quality products. If that will have a negative effect on revenue, what are we going to do about it? Can we modify our own marketing campaigns? Can we justify it based on quality or other factors like customer service or warranty periods? Can we take advantage of it to reach premium customers?

Let’s say we decide to increase our marketing budget to counter any reputation impact. That money has to come from somewhere. Perhaps our budget for marketing our other products and services will be impaired.

Where am I going with this?

A so-called risk assessment that only focuses on shorter-term effects (even if it includes both positive and negative effects) is limited in its value. Some effects occur later. We may need to act either to address those negative effects or take advantage of opportunities. All of that needs to be considered before an intelligent and fully informed business decision can be made.

There’s a domino sequence of situations that flow from any potential decision. Making a decision now without considering longer-term consequences can have disastrous results.

Consider the US invasion of Iraq. If we were to use all the benefits of hindsight to see what might happen, a series of situations and responses to them, we would probably question the initial decision.

A gives rise to B (after consideration of options), which gives rise to C (again, after considering options), which gives rise to D – and so on.

Are decision-makers thinking through the full range of potential consequences, including those over time and the responses and effects of the responses to them – and so on, for a long period of time?

Is the risk manager helping people make these considered decisions, not only with information and analyses but with quality decision-making processes?

If there is a lack of quality in decision-making, shouldn’t internal audit be drawing attention to it?

Which is the greater risk or threat to an organization, a data breach by outsiders or an inability to make quality decisions?

I welcome your thoughts.

10 Years of Progress

December 17, 2019 6 comments

It’s 10 years since my first blog post in December, 2009; Is there value in talking about GRC? remains a relevant question, especially as so many vendors put a GRC label on their software. I’ve written about GRC 97 times since then.

But, thankfully, most practitioners have moved on to focus on those elements of GRC that are meaningful to them rather than trying to implement software for “GRC”. Depending on their role and responsibilities, that may mean risk management, compliance, internal audit, information security or cyber, etc. Sometimes, but not always, one software solution will be the best choice for several areas; but almost never will it be the right choice for every area of GRC.

Of my 689 posts (not including this one), the most viewed is from 2011, Just what is risk appetite and how does it differ from risk tolerance?, which has been viewed a massive 69,617 times (10% of which were in 2019).

But I want to talk about progress in practices since that first post. These will just be highlights.

Risk management

While the great majority of practitioners continue to follow traditional practices (such as developing a list of top risks that is reviewed periodically, perhaps on a heat map), an increasing number recognize that this is a failing practice and have moved on. They recognize that risk management should enable decision-makers to make informed and intelligent decisions that will enable them to take the right risks and achieve enterprise objectives.

Boards and top management teams are similarly starting to ask for more. They recognize that discussing a list of risks is not helping them run the organization for success. It only helps identify potential problems. The focus should be on having an acceptable likelihood of achieving objectives (a better way of thinking about ‘risk appetite’) instead of an acceptable level of risk.

Corporate governance codes and frameworks similarly talk about both risk and opportunity. However, there is little guidance on how to weigh all the pros and cons so you can make those informed and intelligent decisions.

The future is not clear, especially as regulators continue to press traditional practices that might help avoid failures (emphasis on might) but don’t contribute to success.

We need to stop the focus on the management of risk and replace it with a focus on the management of success.

That will take time.


Internal audit

I am pleased by the progress I have seen, especially the move away from a rigid annual plan that is out-of-date even before the first audit. Instead, there is a growing recognition that you need to audit at the speed of risk (or at the speed of the business, if you prefer). That requires a far more flexible audit plan. A majority of functions now update their plan at least quarterly, while leaders are using a continuous planning approach to ensure they address the risks of today and tomorrow rather than of the past.

Compared to 10 years ago, far more are providing their stakeholders with opinions. Most include opinions in their audit reports (micro opinions), while a growing number provide an overall assessment of how enterprise risks and related controls are managed (macro opinions).

But there is still work to be done.

Too few have limited their audits to issues or risks that matter to the success of the organization as a whole (defined by the achievement of enterprise objectives). They may start with an intention of auditing such enterprise-level risks, but then bloat their scope by including areas that, if the controls failed, would not require the attention of top management or the board; in other words, their scope includes issues that don’t matter to the success of the organization as a whole. That time, the time spent on issues that only matter to middle management, can be better spent on other enterprise-level risks.

If you want to be agile, which enables you to pivot promptly to new or changed risks, you can’t afford every audit to be a leviathan. Think of how long it takes to turn an oil tanker.

The other area that I see improving in the future is in communicating the results of the audit.

While executive summaries are getting shorter, they are still written in the language of the auditor and say what the auditor wants to say. Leading functions realize that they need to tell their stakeholders what they, the stakeholders, need to know. For example, what is the effect of any control deficiencies on the ability to execute successfully on business strategies to achieve enterprise objectives? Which objectives might be affected and by how much?

I believe the future is bright and salute the achievements of the past decade.

What do you think?

FYI, in 10 years those 689 posts have been viewed a total of 1,256,639 times!

New guidance for risk committees

December 10, 2019 5 comments

A new publication by the Risk Coalition (a group of organizations in the UK that includes their Institute of Directors, a couple of risk management associations, and the organizations for internal and external auditors) merits our attention.

Raising the Bar: Principles-based guidance for board risk committees and risk functions in the UK Financial Services Sector has some interesting content. For example, it says:

  • In financial services the real risk is to take no risks. We are in the business of managing financial risks.
  • While the concept of the Three Lines of Defence continues to provoke much academic and professional debate, the Risk Coalition believes the basic principle of requiring independent oversight and challenge of management risk-taking remains sound.

In addition, I like that the guidance talks about ‘risk taking’ instead of simply managing risk. It also defines risk as not purely a negative effect on objectives:

The possibility that events will occur that affect the likely achievement of an organisation’s corporate strategy or strategic objectives. Commonly considered as negative events (downside risk), there may be occasions where risks may be exploited to an organisation’s advantage (upside risk).

Its definition of risk culture is also useful:

The combination of an organisation’s desired ethics, values, behaviours and understanding about risk, both positive and negative, that influences decision-making and risk-taking.

There are some key phrases in its definition of a risk appetite framework (which I highlight):

A key, board-approved framework designed to aid effective management decision-making, risk monitoring and reporting, and through which aggregate risk appetite is translated and cascaded into meaningful, calibrated risk thresholds, limits, metrics and indicators aligned to strategic objectives, and embedded throughout the organisation.

I highlighted these sections because in my experience very few risk appetite statements or frameworks are developed in such a way that they influence risk-taking and decision-making at all levels of the organization. For example, how does an HR manager know how his or her decision on which candidates to present might affect enterprise strategic objectives? How does saying that the organization has no tolerance for compliance or safety failures affect decisions on investments in those areas?

The guidance says it is “evolutionary, not revolutionary” and I must agree.

It provides more clarity to traditional thinking about risk management, but doesn’t suggest how to step up to real value-add activities.

In other words, there’s quite a lot missing!

I set up a risk committee when I was CAE and CRO at Business Objects. The first question that had to be addressed was:

Why do we need a risk committee?

If the answer is that we need one to comply with the expectations of the regulators, then we are unlikely to get the full and enthusiastic support of the management team. The team is focused, as should be the board, on achieving the strategic objectives for the organization – in other words, they are focused on the success of the organization, not just its compliance obligations.

I vividly remember a conversation I had many years ago with a senior executive. He was responsible for the company’s trading desk and told me that he couldn’t spend much time answering my questions because he had to get back to running the business and making money.

We get the executives’ attention and support when they appreciate how what we are doing helps them do both – make money and run the business for success. In time, this executive learned how my team and I could help him do both and he became a huge supporter.

The answer to the question should be that the committee helps the board be assured that management is taking the right risks, seizing opportunities wisely, as a result of informed and intelligent decisions.

The answer should not be limited to any form of blinkered focus on managing the possibility of downside events and situations that ignores the need to weigh ALL the potential things that might happen. In other words, is management weighing ALL the pros and cons before making decisions, or is it simply looking at the cons out of context? Even the COSO ERM framework explicitly recognizes that when justified by the opportunity, risk appetites should be exceeded.

So the next question is:

How does the risk committee contribute to success?

I struggle with this myself, in particular the next question:

Why do I need a separate risk committee when strategy and performance are discussed elsewhere?

Separating risk and strategy, or risk and performance management, makes little sense to me – unless your risk committee is there as window-dressing for compliance, rather than helping the organization both protect and create value in its pursuit and achievement of objectives.

I recall a panel discussion at an event years ago in Canada. The CEO of the Hudson’s Bay Company told us that his board had a Risk and Strategy Committee. I think this is a world-class practice.

So, what do you think? Does it make sense to have a committee that only focuses on the downside? If it is charged with assuring the board that due consideration is given to all the things that might happen during decision-making and risk-taking, how does that work?

I welcome your thoughts.

Guiding Principles of Corporate Governance

December 6, 2019 2 comments

The IIA should be congratulated for its recent publication, prepared in collaboration with the Neel Corporate Governance Center at the University of Tennessee, Knoxville, of Guiding Principles of Corporate Governance.

I still prefer the King Code IV from the Institute of Directors, Southern Africa, because it is more thorough. But the IIA document is definitely worth reading.

One area that I think is weaker than I would like is in defining requirements for the information provided so that the board can monitor performance. Principle 6 doesn’t go nearly far enough for me. The board needs to know promptly when there is an actual or likely obstacle to achieving objectives. It should know about significant events or situations that could affect the interests of stakeholders, whether it be a reputation or perception issue, activities by competitors, and so on.

A report like this would benefit significantly from a study of the incidence and severity of governance failures. Has anybody seen something reliable and recent?

I welcome your thoughts.

What do you like in the IIA guidance? How could it be improved?

Is it sufficient to use as a foundation for a model of governance practices?

A risk case study

December 2, 2019 7 comments

I returned this week from a vacation in Mexico, including a day at the Copper Canyon.

Our tour guide took about 20 of us down the mountainside to see some Tarahumara Indian homes. I decided that I wanted to come back ahead of the group, finding my way back up the path and steps to our hotel at the top.

Let’s walk this through.

My objectives were:

  • Get back to the hotel ahead of the group. Many of the members were slow and I would find it frustrating keeping to their pace instead of mine.
  • Do so safely. While the path was not bad, it also was uneven and unpaved with a lot of rocks and steps to climb. The likelihood of a severe injury was very low indeed and I could accept a slight stumble. But if I moved too quickly, I could fall and bruise myself or worse.

What might happen along the way? In other words, what would a risk manager put on a list or heat map?

  • I might fall. The range of pain and injury went from slight (perhaps 5%) to severe (less than 1%).
  • I might get lost. There were multiple paths and I could easily take the wrong one. If I did that, I was confident (>90%) I could either find my way back and take the right path, continue on the (well-worn) path that would eventually take me back to the hotel, even if the arrival would be delayed, or ask one of the other people that I could see on the paths.

But there was also an opportunity: the chance to enjoy the walk back more than if I were in the middle of a muddling-along group.

I assessed the overall picture and decided that the opportunity outweighed the possibilities for harm.

I started walking, enjoying the faster pace and the fresh air.

But soon I caught up with another member of the party who, unbeknown to me, had also decided to head back early. He was older, with a walking stick, and I was faced with my first decision.

Do I try to pass or do I slow down and follow?

If I tried to pass, the possibility of injury would go up quite a lot. I didn’t try to calculate it, just decided quickly that it was not a ‘risk’ I wanted to take. At the same time, the possibility of getting to the hotel before the crowd was receding. I had to accept that, while looking for an opportunity to pass safely.

The opportunity came a few minutes later when the gentleman stopped to take a rest. I stepped past him with care, but was then presented with a dilemma.

There’s a saying that when you come to a fork in the road, you should take it. That’s what I saw: a fork.

To my right, the path went steeply up the hill. It looked a bit rough, while the path on the left continued straight and level and was clearly well used. There was no sign indicating which way led to the hotel, and the older guy remarked that he had no idea which was the right path to take.

I flipped a mental coin and decided to go left. I was swayed by the fact that the path up the hill presented a greater possibility of falling. It seemed steeper and more uneven than my memory of how we came down. I doubted that was the right way.

The path continued straight and level for a while. Soon, I was wondering whether it was the right path because I couldn’t see where it would start going up the mountainside.

An Indian lady approached. My Spanish is not very good, but I pointed ahead and asked whether it went to the hotel. She said it did. Si!

But after a few more minutes I was starting to believe it was the wrong way. I didn’t think I was lost, because all I had to do was retrace my steps back to the fork.

The foliage cleared and I was able to look up the mountain and see the hotel – which was behind and above me. Now I knew I had gone wrong.

I had to make another decision. Do I continue to where this path might find its way up the mountain (I hoped), or should I turn around? I considered the likelihoods of harm and opportunity and decided that, on balance, it was better to go back.

A few minutes later, I saw a second path leading up. Decision time! This was definitely not the way we came down, but it looked like it should work. Do I take the new option or continue to retrace my steps back to the fork? I weighed the possibilities of getting lost or delayed and the opportunity to get back faster than going all the way back. In addition, the path looked less steep than the way we had come down, so it should be somewhat safer (if my guess was right, since I couldn’t see all the way up the path to the top).

I decided to take the path up. Soon, I saw a path joining mine – with the rest of the group climbing it.

I got to the top, where my wife was waiting for me and asking where I had gone.

What can we learn from this?

  1. The levels of ‘risk and opportunity’, or the effects of uncertainty on my objectives, changed often and without warning. Relying on a list of risks at the start of the journey back would not have been useful.
  2. My ‘risk management’ was iterative and continuous. A periodic assessment, even every 10 minutes, would not have been of great value.
  3. To make my (hopefully informed and intelligent) decisions, I needed to consider all the things that might happen and see which way the scales were tipped.
  4. Trying to assess likelihood and impact with any level of precision was unnecessary. Common sense was sufficient. Many practitioners may have a problem with that, but in real life it’s very often quite clear when the possibility of severe harm is unacceptable.
  5. We do this all the time. ‘Risk management’ is neither new nor a separate process from running our business, making as intelligent and informed decisions as reasonably possible.

I welcome your comments.

Why does internal audit need to be agile?

November 18, 2019 7 comments

You don’t have to go very far to hear an internal audit leader talk about agile. Richard Chambers, President and CEO of the IIA, shared this:

A lot is being said about the need for internal audit to be “agile.” My definition of agility is simple: “Internal audit’s ability to pivot swiftly to address emerging risks and changing stakeholder expectations.” It’s critical to our success!

Why does internal audit need to be agile?

We live in a world where business conditions are changing all the time and the pace of change is accelerating. That is universally accepted.

Internal audit needs to be able to respond to those changes promptly.

When new risks of significance to success are identified, internal audit needs to be able to update its plan and provide the assurance and insight that leaders need – when they need it, not when a static plan provides.

This is why Richard and I both talk about auditing at the speed of risk. I also talk about auditing at the speed of the business, which perhaps more clearly identifies that we need not only to be agile in our audit planning, to add and then perform the audit of a new area promptly, but also provide the assurance and insight that is needed at speed.

If the CEO comes to you, as the internal auditor, and asks for your thoughts on a new strategy, can he wait weeks or months until there is a gap in your audit schedule? No.

If the CEO asks for your thoughts as you complete the fieldwork, is it appropriate to make him wait until everybody has blessed a formal audit report? No.

It starts with an agile audit plan, where you can ensure each audit project is focused on what is needed now, for today and tomorrow.

But then you need:

  • Every audit project to be as short as possible. It’s very hard to move quickly to a new topic when the audit team is tied up on month-long (or longer) projects. If you limit each audit to the enterprise risks that matter, eliminating the work that would only matter to local or middle management, you can keep the great majority of audits within my target of 60-100 hours.
  • The ability to complete every project quickly. When you have done enough work to determine your opinion, stop. Don’t keep working to fill the time available/budgeted. Don’t work just to complete the audit program or checklist when the results are already known.
  • Eliminate unnecessary documentation. Only document your work to the extent that there is value, not just to comply with department standards. If documentation is required by regulators who may audit your work, or if the results are disputed by management, then ensure your documentation is sufficient. But otherwise, challenge the need for every hour spent.
  • Auditors who can think: not only performing work at speed, but knowing when they have done enough and can stop.
  • The ability to know when you need to change the audit plan. You need to know when business conditions and plans change, either downgrading and removing projects that are no longer high risk-rated, or adding new ones.
  • A relationship with management where you can discuss the results of your work and agree on necessary corrective actions quickly.
  • An audit committee that understands the need for agile auditing.

I welcome your thoughts.

Silos are thriving even in ERM programs

November 15, 2019 6 comments

You are the captain of a ship that is sailing from Singapore to Auckland with a cargo that needs to be kept cold and will lose its freshness if you don’t arrive within a few days of your schedule.

The navigator bounds onto the bridge, brandishing a sheaf of papers. “There’s stormy weather ahead, captain! I recommend changing course to bypass the cyclones that are forming. It will delay our arrival by 48 hours, but at least we will be safe.”

The engineer hears the shouting and tells you that any delay of more than a few hours will be a problem. “I canna keep the engines running and the refrigeration going at full power for two extra days. We will run out of fuel.”

At this, the second officer reminds you that any delay will cost the company a great deal of money. “If we don’t deliver the cargo on time, it will degrade and we will incur a huge performance penalty.”

The safety officer steps forward. “If we sail through these cyclones, we are exposing the crew to danger that is avoidable. It would be a violation of our safety procedures and protocol.”

You have to make a decision.

You have to understand the problem, consider the options, and then take the necessary actions.

In order to do that, you need to weigh all the possibilities together, not one at a time.

But that’s what addressing a variety of risks (or sources of risk) one at a time does. It fails to see and take action based on the big picture.

Traditional risk management, even when it is called enterprise risk management, simply puts together a list of risks. It doesn’t help you see how they, collectively, should affect your strategies and how you achieve them. It doesn’t help you weigh the pros and cons of each option.

Fortunately, Able Seaman Jones steps forward (after giving you a cup of coffee).

“Captain, sir! I’m taking an MBA course and have learned about some techniques, like Monte Carlo simulation, that will help you take all of these issues and give you an idea of the overall costs and benefits of the various options. With your permission, I can work with your officers and use the information each has developed to provide you with the information that should help you make the best decision for the company.”

World-class risk management (as described in my book of that name, updated by the discussions in Making Business Sense of Technology Risk) not only breaks down the silos but takes the information from individual areas such as Compliance, Safety, Sales, Marketing, Finance, Engineering, Supply Chain, and so on to compile and provide leaders with the big picture analyses they need.

Sadly, I keep seeing silos not only continuing but growing in number. For example, there is separate and isolated discussion of:

  • Cyber risk management
  • Safety risk management
  • Project risk management
  • Credit risk management
  • Operational risk management
  • Strategic risk management
  • Financial risk management
  • Third party risk management
  • Extended enterprise risk management (a new one to me, recently pushed by Deloitte)
  • Digital risk management
  • Supply chain risk management
  • And so on

Risk practitioners need to turn their attention to providing leaders and decision-makers at all levels with the information they need to make the informed and intelligent decisions necessary to achieve enterprise objectives.

Stop providing them with what you want to say about risk. Start providing them with the information they need to run the organization and achieve success.

A list of risks, or a heat map (no matter how pretty), simply doesn’t cut it.

If I were on the board or were CEO and was given a list of risks or a heat map, I would ask “what does this mean and how does it help me run the business,” send it back, and ask for something that will help me do my job!

Instead of talking about this risk management or that risk management, enterprise risk management or integrated risk management, let’s talk about effective management – how to achieve enterprise objectives. Manage success, not risk.

I welcome your comments.

Finally some good advice on risk for boards

November 9, 2019 6 comments

While I still disagree in some areas, I applaud Jim DeLoach for his latest piece for the (US) National Association of Corporate Directors, Revamping Risk in the Digital Age.

Please read the entire piece, but here are points I especially like, with my highlights:

  • It has always been understood that one must take risks to grow. And typically, the more risk one takes, the higher the potential return. Conversely, a risk-averse mindset leads to a lower return. Given the pace of change in the digital age, the reality is such that it’s not just a matter of taking risk to grow or generate greater returns—it’s also a matter of survival. That’s why organizations might have to undertake more risk than they may be accustomed to taking if they are to survive.
  • In the digital age, the board has an important role to play in strengthening and nurturing the risk culture that facilitates the initiative, creativity, and digital thinking so critical to success.
  • Over three decades, best-of-class [in Jim’s opinion] risk management has evolved from a fragmented, siloed model focused narrowly on myriad risks, to an enterprise-wide approach focused on the most critical business risks and integrated with strategy-setting and performance management
  • In the digital age, risk management cannot only be about avoiding bad bets. It should also position leaders to make the best bets, from a risk/reward standpoint, that have the greatest potential for creating enterprise value.
  • Digital leaders proactively take risk, whereas digital skeptics do not.
  • A traditional approach to risk management might be the biggest risk that an organization faces.

There are so many key points here that I encourage you to reflect on each.

I strongly agree that the traditional approach of focusing on the possibility of harm instead of the likelihood of success is itself a great source of risk to the organization.

You simply have to understand all the things that might happen, the big picture where you can see and weigh them all, if you are to make the informed and intelligent decisions necessary for success.

Focusing on harms, especially one at a time, outside the context of performance and strategy execution, is not the same as making sure you are taking the right level of the right risks – and that, as Jim rightly says, is essential if you are to prosper.

Jim and I agree on one word change in the risk management discussion. Rather than the passive expression of accepting risk, he and I both talk about the active form of taking risk.

I believe it is important to use that word and focus on informed and intelligent decisions as part of how any organization sets and then executes on its strategies for achieving its objectives.

I also agree with the idea of integrating the consideration of what might happen (a.k.a risk) with strategy management and performance management and reporting.

  1. Making quality decisions, both setting and then executing on strategy, requires an understanding of what might happen and their effects. It’s integral to the decision-making process, not something that needs to be integrated as if it were a separate activity.
  2. Effective management requires that you understand where you are (performance management), where you want to go (strategy management), and the likelihood of getting there (which should be a combination of performance, strategy, and risk management).

In fact, I have suggested many times that instead of talking about risk appetite as the amount of risk you are willing to take in pursuit of objectives (i.e., ignoring the reason to take risk, the potential upsides), we should redefine risk appetite (although I would prefer a different term) as the likelihood of achieving objectives that you would consider acceptable.

I depart from Jim in some less important areas.

  1. I don’t like the talk about risk culture. It’s an amorphous term that I don’t believe has a great deal of merit. For a start, there is no single risk culture in any organization. Then there’s the point that culture is multi-dimensional, with attitudes towards taking risk just one; others include ethics and moral behavior, entrepreneurship and creativity, teamwork, and so on.

Do you want the same attitude towards risk-taking from accounting, safety, marketing, and sales? I certainly hope not!

It would have been better to just talk about the ability to make intelligent and informed decisions, taking the right risk.

  2. I’m also not a fan of the idea that some risks are compensated and others are not. For a start, the organization may not be able to sustain a huge loss even if there is an equal possibility of a huge gain.

It would have been better to recognize that in any situation there is a variety of things that might happen and you need to assess and weigh them all together.

  3. I’m not sure whether Jim is saying that this is world-class, but if so I disagree: “an enterprise-wide approach focused on the most critical business risks”. World-class is focusing on success, not managing specific risks, especially not one at a time.
  4. Finally, I still have a problem with talking about risk appetite, as explained above. It’s not something that considers the totality of what might happen, plus it is pretty impossible to define for some issues, such as compliance and safety.

If you want to have guidance on the risks that should be taken, it needs to be actionable – something that will actually influence the decisions people make. Saying “we have no appetite for failing to comply with laws and regulations” will not influence the decision on how much money to invest in a compliance program.

As always, I welcome your comments.

How effective is risk management today?

November 2, 2019 6 comments

That is a question that State of Enterprise Risk Management 2020, from ISACA®, CMMI Institute® and Infosecurity Group, attempted to answer. They “surveyed a global population of over 4,500 professionals involved in risk decisions for large and small enterprises, across six continents and all industries, from manufacturing to government and financial services, and every industry in between”.

My opinion is that if you want to know how effective risk management is, you should ask the customer and not the provider.

Pretty much every survey of top executives and board members has, for years, told us that they do not see risk management as much more than a compliance exercise, something you do because you have to: a requirement of governance codes and boards urged on by consultants. World-class, effective risk management helps people make the informed and intelligent decisions necessary for success. It helps the management of success rather than failure.

But the report does have some interesting comments, including (with my highlights):

  • …practitioners who make risk decisions on behalf of their enterprises (e.g., risk managers, cybersecurity specialists, auditors, and governance and compliance practitioners) can be directed to advocate so strenuously and so often in favor of risk reduction that they can sometimes forget that risk management is about optimizing risk rather than removing it entirely.
  • They may focus on unexpected or unplanned events that may impact profitability, competitiveness or reputation but ignore the fact that failure to incur the right risk can likewise be potentially problematic, by causing enterprises to stagnate, lose competitiveness/market share or otherwise underperform their competition.
  • …enterprises question if they are too risk averse or not risk averse enough, if they invested the right amount in risk management processes to bring about the correct maturity level to accomplish their goals, and if they implemented the correct steps to ensure optimization.
    • Comment: the question of how much to invest in risk management is a critical one, one that should be based on an assessment of its value. Value is created when risk management helps people make the informed and intelligent decisions necessary for success, taking the right risks.
  • The survey data show that respondents—particularly those who are at a more senior level in the organizational hierarchy—understand well the most critical risk that challenges their enterprises. They understand both what the risk is—as well as the consequences—should undesirable outcomes occur. Sixty-seven percent of those surveyed indicate that they are either extremely or very familiar with the current business and technology risk facing their enterprise.
    • Comment: I doubt that this is true, because most develop a list of risks that are rated high, medium, or low without considering how they might affect the business and its objectives. If we are to run the business wisely, we need to know which business objectives might be affected and by how much – and I see this done very rarely.
  • What is interesting is that risk awareness correlates to seniority. As the respondent seniority level increases, the more aware they are of the risk that their enterprise faces. Eighty-six percent of respondents at an executive-level job, 80 percent of respondents at a director-level job, 66 percent of respondents at a manager-level job and 55 percent of respondents at a staff-level job are either extremely or very familiar with the business and technology risk.
    • Comment: consider me a skeptic. The recent IIA report (which I wrote about last month) talks about a disconnect between those in senior positions and those in the trenches. It could easily be the case that the executive practitioners (such as the CRO, CAE, and CISO) think they understand the risks but are mistaken. The people closer to business operations may have a better understanding. In any case, I doubt any of them have analyzed the likelihood of achieving objectives, taking into account everything that might happen, both good and bad.
  • Although over 80 percent of respondent enterprises undertake basic risk management steps, the maturity of the risk management process is, on the whole, less than expected given the relatively high adoption of these steps. Only 38 percent of respondents indicate that their enterprises have processes at either the managed or optimized level of the maturity spectrum for risk identification, which is one of the highest adopted risk management steps. Only 63 percent of respondents report having defined processes for risk identification. Results for risk assessment maturity were similar—42 percent at the managed or optimized level and 64 percent having defined processes.
    • Comment: it would be much more useful to see how many look at the big picture rather than trying to manage one risk at a time. Consider the view from the top (achievement of objectives) instead of from the weeds. Are decision-makers getting and then using the information they need to take the right risks for success?
  • When asked about cybersecurity risk tolerances, only 35 percent of respondents report that their enterprise has a defined (either completely defined or very defined) view of the risk tolerances for their organization.
    • Comment: why is it that so few perform a business impact analysis? How would a breach affect the business and its objectives? How likely is a breach of that magnitude? How much should we spend to mitigate that effect or reduce its likelihood? What is the best business decision?
  • Most risk managers intuitively understand that cybersecurity is a significant area of risk for their enterprises. Survey respondents report information/cybersecurity risk as the most critical risk category facing their enterprises; it is cited as the single most critical risk, with almost double the percentage of the next closest critical risk type (29 percent, compared to a distant second-place reputational risk at 15 percent). Moreover, reputational risk, the second highest type of risk cited, can be a consequence of a cybersecurity risk.
    • Comment: they may understand it intuitively because that’s what the consultants keep saying. But is it? Have they done any form of business impact analysis? Actual breaches have, on average, had minimal effect on business success.
  • The goal of effective risk management is not always to completely remove risk. Risk, when judiciously and strategically undertaken, can lead to competitive advantage, opportunities to better achieve the enterprise mission, entering new markets and numerous other advantages. Instead, the goal should be to ensure that the right risk is being taken in a manner that is judicious and alert to the possibility of potential failure, while ensuring that unnecessary risk—or risk that is out of conformance with the enterprise risk appetite—is avoided.
    • Comment: Absolutely, although I am not in sync with the last part – unless you define risk appetite as the desired level of certainty that you will achieve or exceed your objectives.

I welcome your comments.


November 2, 2019 1 comment

If you purchased my new book on internal audit assessment using a maturity model, send me an email at I have updated the model and want to send you a copy. Indicate the page that the model ends on (not the very last page of the book). I will send you a PDF with the updated model by email.

Did risk management fail?

October 28, 2019 4 comments

Every so often, something bad happens to an organization and people say that risk management, perhaps governance, failed.

Let’s examine that, with special attention to a recent blog post by my friend, Richard Chambers, President and CEO of the Institute of Internal Auditors: When Boards Are Surprised, Who’s At Fault?

If you go to a casino and play roulette, you are taking risk.

You bet on even and it turns up odd.

Are you surprised? You shouldn’t be. At a European casino, there is only a 48.60% likelihood that you will win. (It’s a little less in the US.)

You are not surprised because you know there’s no more than an even chance you will win.

When the CFO presents his forecast for the quarter or year, there is no certainty that it will be achieved. It’s his or her best, hopefully educated, guess based on projections from the management team.

If I were on the board and the CFO presented that forecast to me, I would ask for his or her assessment of the likelihood of achieving that forecast. Is it 90%, 80%, or something else?

If the company fails to hit the target, the forecast of the CFO, should I be surprised?

There was a solid likelihood (perhaps 20% or more) that it would not be achieved.

Maybe I am surprised, but I should not be shocked and I should think twice before blaming the CFO for a poor forecast.

If the CRO, on behalf of the senior management team, reports to the board that a source of risk is within the desired range (perhaps saying it is within the risk appetite), there is no certainty that there won’t be an event with an unacceptable effect.

The board should know (but often does not) that there is a, say, 20% chance of an event that would be significant in its damage to the organization.

So, just because the board is surprised doesn’t mean they should be surprised! Maybe risk management and earnings forecasts were reasonable and justified. They just didn’t work out. That 20% possibility happened.

Maybe they are surprised, but if a reasonable process was followed that resulted in an estimate of 20%, then they should not be shocked and they shouldn’t blame management for a failure of risk management.

The key question is whether a reasonable process was followed.

Risk management and the estimate of the likelihood of a significant effect are not like looking into a crystal ball and predicting the future with certainty. (Note: I didn’t say the likelihood of an event; I said the likelihood of the effect. An event can have a wide range of possible effects; what we are concerned with is when it occurs with an effect of a certain magnitude.)

Let’s assume that a reasonable process was followed and management knew of a possibility but didn’t inform the board. Ideally, the board has established when it requires management to bring potential issues to its attention.

  • They may have told management to inform them if management at any point determines that, taking all the things that might happen into account, the likelihood of achieving an objective falls below aa% (my version of risk appetite). Management would not only have to inform them of that assessment, but what leads them to it – what possibilities (aka risks) underlie the assessment.
  • The board may also have identified the threshold for specific sources of risk, where if the likelihood of an effect that is greater than $xx is more than yy%, they will be informed.
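As an added worked example (not from the post or from either book), here is how the Monte Carlo approach Able Seaman Jones proposes in the earlier post turns a list of separately rated risk sources into the two board thresholds just described: the likelihood of achieving an objective (the post’s aa%) and whether a single source produces an effect greater than $xx more often than yy%. The risk names, probabilities, dollar amounts and triangular cost distributions are constructed assumptions.

```python
"""Aggregate individual risk sources into the likelihood of achieving an objective.

Constructed scenario: a plan has an expected profit and several independent sources
of risk, each with a probability of occurring in the period and a triangular
(min, most likely, max) cost if it does. A heat map rates each one on its own;
the simulation shows what they mean collectively for the objective.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskSource:
    name: str
    probability: float   # chance the event occurs in the period
    low: float           # smallest plausible cost if it occurs ($M)
    mode: float          # most likely cost ($M)
    high: float          # largest plausible cost ($M)


def simulate(expected_profit, risks, trials=20_000, seed=1):
    """Return (net_outcomes, per_risk_costs) over `trials` Monte Carlo runs.

    net_outcomes[i] is profit in trial i after all risk costs are deducted.
    per_risk_costs[name][i] is the cost that risk imposed in trial i (0 if it did not occur).
    """
    rng = random.Random(seed)
    outcomes = []
    costs = {r.name: [] for r in risks}
    for _ in range(trials):
        net = expected_profit
        for r in risks:
            occurred = rng.random() < r.probability
            # Always draw the impact so the random stream is identical across scenarios;
            # that lets a mitigation be compared against the baseline on the same draws.
            impact = rng.triangular(r.low, r.high, r.mode)
            cost = impact if occurred else 0.0
            costs[r.name].append(cost)
            net -= cost
        outcomes.append(net)
    return outcomes, costs


def likelihood_of_achieving(outcomes, target):
    """Share of trials in which the objective (profit >= target) is met: the post's aa%."""
    return sum(1 for o in outcomes if o >= target) / len(outcomes)


def likelihood_of_effect_over(costs, threshold):
    """Share of trials in which one risk's cost exceeds $xx: compared against the post's yy%."""
    return sum(1 for c in costs if c > threshold) / len(costs)


def board_report(expected_profit, target, risks, aa, thresholds, trials=20_000, seed=1):
    """Return what the board asked to be told, rather than a list of risks.

    aa: minimum acceptable likelihood of achieving the target.
    thresholds: {risk name: (xx effect size, yy maximum acceptable likelihood)}.
    """
    outcomes, costs = simulate(expected_profit, risks, trials, seed)
    p_objective = likelihood_of_achieving(outcomes, target)
    report = {
        "likelihood_of_target": p_objective,
        "escalate_objective": p_objective < aa,
        "risk_escalations": {},
    }
    for name, (xx, yy) in thresholds.items():
        p_effect = likelihood_of_effect_over(costs[name], xx)
        report["risk_escalations"][name] = (p_effect, p_effect > yy)
    return report


if __name__ == "__main__":
    # Constructed figures in $M; none of these come from the post.
    risks = [
        RiskSource("cyber breach", 0.30, 0.5, 2.0, 12.0),
        RiskSource("supply chain delay", 0.40, 1.0, 3.0, 6.0),
        RiskSource("key customer loss", 0.15, 4.0, 8.0, 15.0),
        RiskSource("compliance penalty", 0.10, 0.2, 1.0, 5.0),
    ]
    # Board: tell us if P(profit >= 15) drops below 75%, or if a breach costing
    # more than $8M becomes more than a 5% likelihood.
    report = board_report(
        expected_profit=20.0, target=15.0, risks=risks, aa=0.75,
        thresholds={"cyber breach": (8.0, 0.05)},
    )
    print(f"Likelihood of achieving the $15M target: {report['likelihood_of_target']:.1%}")
    print(f"Escalate objective to the board: {report['escalate_objective']}")
    for name, (p, escalate) in report["risk_escalations"].items():
        print(f"{name}: P(effect > $xx) = {p:.1%}, escalate = {escalate}")
```

Rerunning `board_report` with a risk's probability or cost range lowered shows, on the same random draws, how much a proposed mitigation moves the likelihood of achieving the objective, which is the comparison the options in the earlier post call for.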

In either of those cases, neither the board’s governance activity nor the risk management process failed (perhaps the reporting aspect of risk management failed). Management failed.

I would blame the CEO and maybe the CRO for that failure.

If the risk management process did not identify the possibility of the effect at all, then the question is whether it was reasonable to expect that it would identify it. Risk management is not perfect. Would a reasonable person believe it should have been identified?

If so, then I blame the CEO and maybe the CRO. If not, that’s just bad luck and nobody is to blame.

If the surprise was clearly the failure to have effective risk management processes, then the CEO is to blame (first) and then the CRO. But the board and internal audit may also be to blame.

  • The board for not challenging management until risk management might be considered effective, and
  • Internal audit for not performing the work necessary to identify the situation – unless the ERM program was effective at the time of their assessment and changes since then have resulted in it failing today.

The bottom line is that s*** happens and it’s not always somebody’s fault.

I welcome your comments.

How effective is your internal audit function? Is it world-class?

October 20, 2019 5 comments

The IIA recommends that an assessment be made at least every five years, but most CAEs want to know how well they are doing every year.

When I became a CAE, I started by benchmarking against firms that had a great reputation, either for their business practices or internal audit departments. That is still a good idea and I recommend it. But in my case I found so many practices that disturbed me that after a couple of years I only met with CAEs whose presentations at conferences indicated they led practices I would admire. For example, one major company’s auditors spent 60% of their audit time on documentation, which is far too much, and would continue to perform audit work until their allocated time ran out even if they had completed the defined scope. Another said they had a risk-based approach; but they then said that every function and process is audited at least once every five years on a cyclical basis. That is not risk-based internal auditing.

I highly recommend attending conferences and seminars to keep up-to-date, build and maintain a network, and hear from your peers and thought-leaders. However, always listen with both an open and questioning mind. Not all so-called thought leaders should (IMHO) be considered up to world-class levels. This blog is quite active in criticizing some of the guidance that is published!

One approach is to have an external quality assurance review (QAR). That can be done through the IIA, who will assign a team of experienced auditors to follow IIA QAR guidance and methodologies. The primary focus is typically compliance with IIA Standards and the Code of Ethics, although the better review leads will also interview stakeholders and provide more of a qualitative assessment of performance. You can also engage one of the consulting firms to perform a QAR.

The value of external reviews is limited to the experience and quality of the QAR team. If they are conversant with leading practices, then you may get a review of high quality. Unfortunately, not every experienced auditor, even CAE, has reached world-class levels in their own practices.

If you engage a consultancy firm, they may focus unnecessarily on the quality of your tools (such as analytics and RPA) instead of the value of your assurance and insight. They often rely on a list of so-called best practices rather than understanding the needs of your organization and the potential value internal audit can deliver.

I believe that the only assessment that makes sense is that of the customer: the audit committee of the board and the senior management of the organization.

I also believe that it is immensely valuable to use a maturity model. The IIA has a practice guide on how to use one for other processes and I have one in my books for risk management. But there aren’t any that I could find for internal audit that reflect leading thinking and practices.

One of the values of a maturity model is that it helps both CAEs and audit committees understand and then discuss leading practices. Many audit committees are complacent, accepting what they are receiving because they don’t realize more value can be obtained.

I have tried to fill the gap with a new book. Is your Internal Audit world-class: a Maturity Model for Internal Audit includes both a set of questions that can be used as a basis for obtaining internal audit stakeholders’ assessments and a detailed maturity model. It is based on the leading practices discussed in Auditing that Matters.

The guidance can (and probably should) be used in any QAR, but can also be used by CAEs and their audit committees simply to see where they stand on an annual basis. If you engage a team of reviewers to perform a QAR, I suggest asking them to use my maturity model (modified as appropriate) and consider my questions.

Knowing how you compare to world-class practices and understanding the added value of moving up the maturity curve can, itself, have great value.

I hope you find this guide useful and I look forward to your comments.

Amazing insights on cyber

October 18, 2019 1 comment

A couple of recent pieces shed some light, some amazing light, on how cyber-related risk is perceived by executives and the board.

CIO magazine discusses a survey of Australian CEOs and CISOs. They found that:

  • …only 6 percent of CEOs say their organisations had suffered a data breach in the last 12 months. This compares to 63 per cent of CISOs who reported breaches in their organisations.
  • Almost half (44 per cent) of CEOs felt that their organisations can respond to cyber threats in real time. Unfortunately, their CISOs don’t feel the same way with only 26 per cent indicating that this is the case.
  • What the study found is pretty much a disconnect and lack of communication between the two very important roles of CEO and CISO.
  • One-third [of CEOs] believe cyber security is an IT or operations issue. So they do not see it as a business priority and as a consequence, they don’t [include] it as part of their business planning.
  • 25 per cent of the organisations surveyed that have boards do not report on cyber security to their board members on a regular basis.

This disconnect leads me to a number of suspicions, if not conclusions:

  1. If the CEOs didn’t believe their organizations suffered a data breach, the consequences of any breaches must have been inconsequential.
  2. CEOs don’t give a lot of time to concerns about cyber breach despite all the ‘experts’ calling it a top risk, even though they almost certainly have been breached; in real life it is not a top risk. It doesn’t really matter.
  3. The incidence of major breaches that can have a major impact on an organization must be low.
  4. Even CISOs don’t know how many times they have been hacked.

A report from the IIA, discussed in Radical Compliance, also talks about a misalignment when it comes to risk – this time between boards and executives. It found that:

…across 11 enterprise risks, boards are more confident [in how well risk is managed] than executives — which is alarming, since executives are closer to the organization’s reality than board directors.

I suggest referring to the chart in the Radical Compliance article that shows the gap by type of risk. (I will not be writing about the IIA report; you can read it for yourself and see why.)

Why is there this misalignment and lack of understanding?

I put it down to these facts:

  • People continue to try to manage a list of risks rather than the success of the organization.
  • They are not assessing the level of risk based on how something might affect the likelihood of achieving objectives. Quantifying a ‘risk’ like cyber based on a dollar value is usually (IMHO) misleading.
  • If you don’t understand how something like cyber might affect an organization and its success, which is a range of potential effects and each has its own likelihood, you don’t know how to assess whether it is an acceptable level of risk or not.
  • As a result, the management of risk is something separate from the management of performance and success – and becomes a compliance exercise rather than something integral to effective management of the organization.
  • The level of risk to an organization’s success from a cyber breach is inflated in the surveys and media based on a few high profile incidents. The average data breach cost is less than $4 million (according to the Ponemon Institute – see my book, Making Business Sense of Technology Risk for a more in depth discussion).
  • People do not understand that risk management is about the ability to make informed and intelligent decisions so you can achieve success, not managing a list of risks or discussing whether cyber is #1 or #3!

I usually find good material on McKinsey. But you will see many of the same problems in their latest, The risk-based approach to cybersecurity. It’s all about ‘risk reduction’ instead of increasing the likelihood and extent of success.

The board and the CEO are focused on the successful achievement of objectives. Why can’t practitioners talk to them in those terms?

I welcome your opinions and comments.

Common sense talk about risk heat maps and more

October 12, 2019 7 comments

My congratulations go to James Lam, a long-time risk practitioner at E*Trade, and Chris Inglis, board member at FedEx, for their comments in a recent article. The piece says:

  • The current iteration of risk evaluation heat maps are akin to slow-to-pixelate Doppler radars. They don’t do cyber risk evaluation justice, nor do they convey impact in a thoughtful manner for a board of directors.
  • “I’ve seen heat maps since the ’90s … and I still don’t know what to make of them.” Looking at a heat map, the board is left to question the placement of risk. “Heat maps are one of the worst things that happened to risk assessment,” said Lam. “If I look at something in yellow, should I want it in the green? … or do I want to get closer to orange or red if I can get a return on the risk?”
  • Traditional color-coded risk assessments fail to quantify risk in a manner boards are prepared to understand.
  • If someone asks for $5 million for multifactor authentication, the board won’t know how to respond.
  • It’s a “breath-taking moment” when someone from IT can say they read the business plan during a board pitch.

Inglis says he wants his risk assessment team and cyber defense to be able to answer five questions during a pitch:

  • Are you defending the business or a component of the business, like digital infrastructure?
  • Are the people authorized to take risk the ones who mitigate the risk?
  • Has the security organization done everything defensible?
  • How are they defending the business?
  • Have you used all the instruments of power at your disposal?

I don’t think this goes far enough.

Quantifying the potential for a cyber breach to affect the business is a sound first step, but it is even more important to understand how such a breach might affect the achievement of enterprise (business) objectives.

Then, you can answer questions that should be posed by executive management and the board such as:

  • Does cyber risk represent an unacceptable risk to the achievement of enterprise objectives? If so, which ones? This determination requires the involvement of both technical and business management.
  • By how much would an additional investment in cyber reduce that risk? Will the investment be more than the reduction in risk? Why?
  • Should the investment be in prevention, detection, or response, or a combination of those areas? Why?
  • Can I afford that level of investment? Will it be at the expense of addressing another source of risk or seizing an opportunity? For example, will it mean that I will not have the funds for a marketing campaign, investment in new products or services, or an acquisition? How would it affect cash flow and earnings?
  • What are my options and why is one recommended by business and technical management? Can we really manage cyber risk by ourselves?

Only when the business impact is understood does it make sense to get into the details of which risks to which information assets should be mitigated and how.

For more on this topic, including an analysis of the major cyber frameworks and standards, please see Making Business Sense of Technology Risk.

I welcome your thoughts.

Allegations and investigations

October 6, 2019 5 comments

It is difficult today to avoid news about allegations and subsequent investigations.

First it was a slew of high profile allegations about sexual misconduct. Now it’s about abuse of power – and the sex-related allegations continue.

In my time, I have conducted many investigations, had my team perform others, and been a target in an allegation that was investigated by outside counsel hired by the audit committee. So I think I have some relevant experience!

What we should all note from the news is that a failure to perform an appropriate investigation is a serious source of risk to any organization.

This is what I believe:

  1. It is critical for any individual within the organization to be able to report suspected inappropriate behavior without fear of retaliation.

The apparent effort by members of the US government to identify a whistleblower and then paint him or her as a political operative is unforgivable and probably illegal (these federal employees are protected by law).

Unfortunately, many people do not come forward because there is a credible fear – justified by real life examples – of retaliation.

I advised (through her attorney) one lady who reported suspected wrongdoing by her manager to her company’s ombudsman, as required by company policy. However, her manager had started a disciplinary process against the whistleblower, triggered by that person’s refusal to perform what she believed to be corrupt acts demanded by the manager. The ombudsman was a senior member of the legal department who was advising the manager on the disciplinary process; he refused to open, let alone act on, the whistleblower’s complaint. Unfortunately, the whistleblower was fired, her allegations were never investigated, and her personal attorney failed to advise her properly on how to sue for damages. (Sadly, the only protection under federal law is when the whistleblower reports the suspected activity to the SEC. No protection against retaliation is provided when allegations are reported to the company’s ombudsman or hotline following company policy.)

At one company, an individual told one of my team that she had been subject to inappropriate sexual harassment. He came to me and I advised that the lady should report the allegation to HR or the hotline. Our team did not investigate personnel-related incidents. Later, I asked the VP of HR whether the allegation had been received, without naming the person. He said that it had been received but he had decided it had no merit and would not investigate. He had recognized the name of the complainant and that was enough for him. He said the lady had disciplinary problems and was complaining to protect her job, not because anything had happened. I tried to persuade him that the allegation needed to be investigated, to no avail. I reported this to the General Counsel and let him handle the issue, which he did.

Failing to investigate an allegation by an employee who is being disciplined exposes the company to a claim that the company’s actions against the employee are retaliation.

I also think about the ladies who have alleged inappropriate sexual activities by Supreme Court judges during the confirmation proceedings. They were not only identified by name but were publicly ridiculed.

If there was to be a fair process, these allegations should have been investigated quietly by professional investigators with an open mind, not in public. Frankly, as I look at the current impeachment inquiry, I have to wonder whether the process is appropriate. It should be much quieter and performed by objective professionals.

  2. It is also critical that individuals outside the organization be able to report suspected wrongdoing by our employees.

I can recall a number of cases where vendors and customers gave us information that we investigated and determined there had been fraudulent acts. (The assessment of fraud is a legal determination, based on facts that we provide to counsel.)

Few organizations, in my experience, have processes where vendors, customers, and others can report suspected inappropriate behavior by an employee of the company. When complaints are made, they generally end up in the wrong hands because the third party doesn’t know whom to tell.

  3. Every allegation should be considered. Before launching a formal investigation by my team, we look to see if there is predication.
    • If the allegation is true, would the actions represent a violation of law, company policy, or desired behaviors?

If not, we still consider whether it would be appropriate to conduct further inquiries; sometimes, the whistleblower did not explain the situation adequately and we have our suspicions.

If yes, then we determine who is responsible for the preliminary investigation: a process to see if a formal investigation should be opened. Sometimes, it is internal audit, sometimes HR, and sometimes it could be another function like physical security or legal.

    • Is there sufficient information and evidence that the allegation might be true?

Sometimes, we can fairly quickly determine that it is without foundation, in which case we document that and close the case. (We will consider contacting the complainant if we know who that is to make sure a mistake has not been made in the details they provided. On rare occasions, we might consider investigating whether this was a deliberate smear that represents a violation itself.)

There have been times where the allegation was too vague to investigate. If we can contact the complainant, we will try to elicit more information. If not, we flag the complaint, keeping it open and waiting to see if we receive more at a later date.

    • If there is predication, we will open a formal investigation. But we try very hard to keep it quiet. The fewer people who know about it the better, even (and especially) management. I am proud to have completed investigations of suspected inappropriate employee behavior and closed them as without foundation without the ‘targets’ even knowing there had been either allegation or investigation.

  4. All investigations should be conducted by trained (and certified, where possible) objective professionals.

My investigators (including myself) were either certified fraud examiners or had received appropriate formal training in investigations, interviewing, and interrogations.

The investigation is to uncover related facts. Interpretation of those facts is a management decision with advice from legal counsel. It is very easy, too easy, for investigators to form opinions that bias and taint the investigation.

Every ‘target’ must be treated with respect and dignity throughout the investigation.

I suffered through an investigation by HR of a personnel-related complaint against some of my employees. The investigator did not know what she was doing and alienated everybody – and then failed to uncover the truth.

When a complaint was lodged against me (together with the CFO), the audit committee engaged outside counsel. She was professional and handled herself well. It was an awful experience but turned out well – although the individual who invented the complaint was paid to leave the company, which upsets me even today.

  5. Internal audit should consider a periodic review to ensure all of the above and provide assurance to top management and the board that the allegation and investigation processes are appropriate.

Where internal audit itself is responsible for the hotline or related processes, and/or investigating allegations, they should consider engaging a third party to perform a review and report the results to the board.

What do you think?

KPMG studies ERM and gets some things right but misses the key point

September 27, 2019 6 comments

There’s some good material in KPMG’s Enterprise Risk Management Benchmarking Study, subtitled Evolving to an active, integrated and agile approach amidst change and disruption.

Here are some excerpts, with my comments, in the order in which they appear in the report.

  • Companies are rightly questioning the strength of their ERM programs in the face of rapid change, competitive disruption, an unrelenting news-cycle, and a global crisis in trust. Unfortunately, this questioning may come after a major risk incident for an organization, when vulnerabilities become apparent. Despite seismic shifts in the environment and a critical need for risk agility, the evolution of ERM is slow.

Comment: While it is important for organizations to “question the strength of ERM”, they should start with questioning why they have a program in the first place. No significant progress is going to be made unless and until organizations realize they are not in the business of managing risk; they are in the business of managing the business for success, which means achieving their objectives. Then they should question how ERM is supposed to help that, and the answer is that it should provide actionable information about what might happen so they can make the intelligent and informed decisions necessary for success.

Evolution is slow because too few are replacing the management of risk with the management of success.

  • ERM has the potential to contribute significant organizational value, helping organizations navigate both the opportunities and threats that risk presents. In our survey, companies are making the right moves to address risk, but the question is… are they moving fast enough?

Comment: I concur that we need to manage both opportunities and threats. I only wish more people understood that the same tools and techniques can and should be used to understand both upside and downside – and then make a decision that weighs all the things that might happen and their effects on achieving objectives. I don’t concur that organizations are making the right moves. They don’t understand the basic nature of the problem – it’s not about managing risk, it’s about managing success.

  • Risk registers and heat maps are commonly used to document, prioritize and report on risks. However, ERM leaders see the opportunity to reduce the administrative burden of documentation and evolve to higher-impact reporting. An annual risk assessment process is still the predominant practice, but some organizations have been able to evolve to a more continuous approach.

Comment: KPMG points out the failure of most to do more than a periodic review of so-called top risks. But they still focus on reporting risks instead of reporting whether enterprise objectives are likely to be achieved.

  • A majority of surveyed companies expressed a desire to better connect risk and strategy, often citing the 2017 COSO Guidance on Enterprise Risk Management – Integrating with Strategy and Performance. Most indicated that while their executives informally consider risk during strategic planning, ERM often didn’t have ‘a seat at the table.’ For those organizations that have integrated ERM and strategic planning, natural advancements have been made in emerging risk management and consideration of risk as not just a threat, but an opportunity.

Comment: How can you set the right objectives and strategies without a disciplined approach to considering all the things that might happen to affect their achievement? You can’t, unless you are lucky.

  • One company has been able to correlate enterprise risks to potential impacts on strategic priorities and understand risk connectivity by adopting a dynamic risk assessment approach*. This has allowed business leaders to more deeply understand top risks, the interrelationship between risks, and the impacts of risk contagion, which has improved the clarity of what they must get right and what they cannot afford to get wrong.

Comment: It is easy to start with risk and then link to affected strategies. It is perhaps less easy to start with the strategies and ask (my questions, thanks KPMG for adopting them) what must go right and what can’t we afford to go wrong?

  • Study participants acknowledged that while the concepts of risk appetite and tolerance are sound, they struggle with practical application.

Comment: No surprise here! Guidance needs to be provided to decision-makers at all levels on how to take the right risks. Risk appetite at enterprise level simply fails that test. At best, it’s an after-the-fact check to see whether undesired risks have been taken. Too many fool themselves, investors, and regulators by expressing their risk appetite in aspirational language (such as “we have no tolerance for fraud or failure to comply with laws and regulations”) that is not actionable.

  • ERM leaders recognize that executive leadership needs to be more than just aware of top risks, rather they need to adopt a risk mindset, model behaviors and integrate appropriate risk management (including risk taking) practices into their approach. Leaders need to “walk the talk” in order to realize the value of ERM and grow a risk-aware culture. Respondents described a number of tactics to drive leadership engagement including concentrating effort on key leaders and influencers, evaluating the frequency and duration of risk discussions, improving reporting (e.g. dashboards and scorecards), and the formation of a dedicated risk committee.

Comment: How about having success or strategy performance discussions instead of siloed and out-of-context discussions of risk? Stop trying to get business leaders to use the language of risk and start having risk practitioners use the language of business. Talk about the likelihood of achieving objectives instead of whether the risk is high.

You don’t want to create a risk-averse culture that is afraid of seizing opportunities because something might go wrong – and they don’t know how to weigh the upsides and downsides together.

  • In general, enterprise risks are being discussed by senior leaders on a quarterly cadence, with the broader support of a risk champion network. For most organizations, the Audit Committee has responsibility for risk oversight at the Board level. Board level reporting was generally semi-annual, with a focus on the top 5-10 enterprise risks inclusive of strategic risk, status reporting on priority risk response efforts, and ERM program updates for more mature programs.

Comment: This is enterprise list management, not management of the business for success.

  • Many companies equate risk culture with tone at the top because you can’t have a healthy risk culture without it. A strong risk culture starts with leaders, who are not only engaged, but actively modeling desired risk management behaviors, setting clear expectations for their teams, taking a longer-term view and showing through their actions that risk management is something all employees must embrace — not just senior leaders and risk practitioners.

Comment: This is true, except that risk management is not about focusing only on threats. Learn what to talk and only then walk it.

  • Attention should be given to sharing stories of success and lessons learned to make the impacts of risk and the connection to routine decision-making real.

Comment: Excellent, especially the reference to decision-making.

  • It is more important than ever to get risk management right. Effective ERM will empower leaders to take the right risks, realizing significant strategic benefits (e.g. first mover advantage), support organizational agility and learning, and strengthen organizational resiliency and sustainability in a very uncertain climate.

Comment: Correct. But that means enabling and empowering decision-makers at all levels to make informed and intelligent decisions that lead to success – not just avoiding failure.

I welcome your opinions.

The board and cyber security

September 20, 2019 5 comments

There’s another useful article on Forbes. How to talk to the board about cybersecurity is written by an experienced CIO, John Matthews. Here are some useful excerpts with my highlights:

  • For technical professionals who increasingly find themselves plucked out of technical operations centers and dropped into boardrooms, learning to speak the language of business is critically important, not just for their jobs and teams, but for the business as a whole. If a CIO can’t effectively communicate budget requirements, or a CISO can’t articulate why the risk outweighs the efficiency that would be gained by rolling out a particular technology, it puts not only technical, but business operations and security, at risk.
  • …while security teams increasingly recognize the fact that breach prevention is a losing strategy, oftentimes the board is not quite there yet. Just as security teams are recalibrating their efforts towards detection, mitigation, and resilience, CISOs should encourage the board to look at how the organization is equipped to respond when the inevitable occurs—including how it will recover.
  • In the day-to-day of security operations (SecOps) and IT operations (IT Ops), priorities often come into conflict. One is focused on performance, which requires speed and agility. One is focused on protecting critical assets and data, which can often mean strict requirements and lengthy evaluations. But for the board, the only consideration is how these two things are supporting (or hindering) business operations.
  • CISOs and other security leaders do need to find ways to avoid being pigeon-holed as the team of “no.” If CISOs, together with CIOs, can demonstrate a clear understanding of business requirements and objectives and talk about what security measures need to be in place to achieve them, it reframes the conversation around “when” not “if.”
  • Ultimately Security is about tradeoffs: risk vs. reward, risk vs. speed. If you, as a technology leader, can demonstrate that you understand those tradeoffs and are capable of moving forward while balancing those risks, you will be seen as an asset to the success of your business, not a roadblock.

Let me talk for a moment about these excerpts.

  1. If a practitioner wants to have effective communications with leadership, he or she needs to use the language of that leadership. In most cases, that is business language. When it comes to risk management, I advise avoiding the four-letter word, ‘risk’. It immediately causes a reaction by the listener that may hinder effective communication. Talking in business language about ‘what might happen’ is easier for everybody.
  2. It is nigh impossible to have 100% certain breach prevention. Do what makes business sense, but make sure you have measures and tools that will help you promptly detect breaches and what hackers are doing. The average detection time of 10 months is clearly unacceptable. Then have a discussion with business leaders about what might happen should there be (when there is) a breach. Invest in defenses consistent with the level of harm and how much it is reduced by such investment, and then ensure you have response processes that will minimize the damage and keep the business running.
  3. Discussion about cyber risk should be based on the way in which a breach might affect the business and the achievement of enterprise objectives. Please see Making Business Sense of Technology Risk, where I review existing cyber risk standards from NIST and elsewhere, and suggest a better way to assess the ‘risk’ and work with management and the board to make quality business decisions about handling it.
  4. Practitioners should focus on how they can help the organization succeed instead of helping them avoid failure. They need to be the department of ‘how’ instead of the department of ‘no’.
  5. Credibility and respect are gained (and truly earned) when practitioners can express their concerns within the context of business success. Know when it makes sense to take the risk of a breach because at some point there are better ways to spend the organization’s limited resources than on further investment in cyber. Investing money in cyber is at the cost of investing in a marketing campaign, product development, customer service, and so on.

Saying that cyber risk is ‘high’ is meaningless. Business leaders don’t know how much to invest in cyber, especially if they understand that the risk can never be eliminated and that the hackers are constantly developing new and better ways to break in.

I welcome your thoughts on the above and how practitioners can help.

Risk and the lemonade stand: how it matters in the simplest settings

September 14, 2019 5 comments

Your neighbors are asking you for help.

Their young children, ages 7 and 9, want to set up a lemonade stand in front of the house. While it’s not a busy road, there is a periodic flow of traffic. Most are people who live in the neighborhood and observe the 25 mph speed limit.

The parents are interested in letting their kids run a stand because of the life lessons it will bring them. They also support the children’s desire to raise money that will be donated to feed homeless people in the general area. (The homeless are a few miles away, not close to the family home.)

The parents have developed a list of ‘pros and cons’ but are undecided. Since you help people at work understand this strange idea of ‘risk’ (although you prefer to talk about ‘what might happen’ and the likelihood of achieving objectives), they have asked for your advice on how to assess the situation, their options, and the best path forward for the family.

Pros:

  1. It would help the children understand what it is like to run even a small part of a business.
  2. The children would develop skills in selling and communications.
  3. It will encourage their desire to help others.
  4. They will have to stay focused for hours, rather than being drawn away to play on their devices.

Cons:

  1. They might be discouraged if sales are poor.
  2. There is a safety concern with adults they don’t know, and because they will be close to the street.
  3. The parents will have to be there the entire time, even though they have other things to do.

How would you help? Make whatever assumptions you would like.

Hint: this is a ‘risk management’ challenge. What are the parents’ objectives and how would you go about assessing whether the likelihood of achieving them is acceptable and, if not, what actions to take?

Do risk appetite statements add value?

September 8, 2019 14 comments

I like to read Enterprise Risk, the official magazine of the Institute of Risk Management. Not only are its features often of interest, but it includes graphics that summarize studies and surveys on a number of useful topics.

In its Summer 2019 issue, the magazine captures the most interesting observations of a study by Baringa Partners (the full report is here).

  • Only about 15% of respondents strongly agreed that “Statements provide a clear link with the firm’s strategy”. About 30% disagreed.
  • About the same number strongly agreed that “Statements provide a forward-looking view of risk,” while nearly 40% disagreed.
  • Only about 10% strongly agreed that “Statements are embedded into business decision-making”. Again, nearly 40% disagreed.

As Baringa comments:

Whilst the majority of firms had risk appetite statements that were set by the Board and which were supported by relevant metrics, 50% of respondents noted that their risk appetite statements did not link to the firm’s strategy or to the actual underlying risk the firm faced, and did not provide a forward looking view of risk.

The regulators want to make sure that firms do not put the continued existence of the organization, and the investment stakeholders have made, in jeopardy as they pursue profit.

Risk appetite statements I have seen can be general in their language or specific, with metrics against which actual levels might be compared.

When they are general, talking about intent, such as “The Group has zero appetite for regulatory risk and a moderate appetite for the risk of litigation”, it is difficult to see how this affects decisions made either by the board or operating management.

When more specific metrics are established, such as “the Loans to Asset Ratio will be no more than 70%”, actual performance can be compared to the limits to confirm that it is in line with board-approved guidance.

But does such a comparison do enough to drive behavior in a dynamic environment? It is difficult to see how it is more than an after-the-fact check rather than a driver of management actions.

This is especially true when activity across the organization needs to be aggregated to compare to enterprise-level limits. For example, if I set an enterprise level target of “the Loans to Asset Ratio will be no more than 70%” but I have to aggregate Loans and Assets numbers across multiple business units and countries, how do I guide a Loan Officer in Guyana whether to approve a loan?

Let’s step back and think about what we are trying to achieve.

While the regulators focus on preventing failure through reckless risk-taking, stakeholders should be concerned whether management and the board are taking the right risks for success (i.e., not just avoiding failure).

Success is achieved, and failure avoided, when management and the board make informed and intelligent decisions.

Do risk appetite statements lead people to make informed and intelligent decisions?

If they are not:

  • Linked to the firm’s objectives and strategies for achieving them, and
  • Forward-looking, and
  • Embedded into every important business process, and
  • Measurable and actionable…

…they will have little effect on decision-making or success. Arguably, they have little effect on avoiding failure as well.

I am not persuaded that ISO’s risk criteria are necessarily the answer either!

Rather than providing guidance and limits on risk, I prefer to consider:

  • What decisions have to be made for success?
  • What could go wrong and what needs to go right?
  • What information do decision-makers need?
  • Who needs to make the decisions and who needs to be involved?
  • How can I guide decision-makers to take the right level of the right risks?
  • How do I monitor performance to know when poor decisions are made?

Maybe the answer includes risk appetite statements.

Maybe there are some aspects that you cannot really quantify.

Maybe you will have to rely on after-the-fact detection in some cases.

You certainly have to satisfy the regulators.

But you should also customize what you do to the needs and practices of the organization.

I am not persuaded that risk appetite statements should be the core around which risk management practices and programs are built.

What do you think?