World-Class Risk Management
For several years now, I have been writing, speaking, and networking with people around the world to discuss risk management. I have reviewed hundreds of articles, surveys, and other publications on the topic, and written about them in my two blogs (on the IIA site and on my personal site).
I had fun writing my book on World-Class Internal Auditing. So much so that I decided to write one on World-Class Risk Management (with the advice and support of luminaries such as Grant Purdy, John Fraser, Martin Davies, Jim DeLoach, Alex Dali, Felix Kloman, Arnold Schanfield, Richard Anderson, and more).
Grant Purdy was kind enough to write a challenging foreword.
What is risk management, truly, and what makes for a world-class risk management capability? Why do so many top executives and board members have difficulty seeing how enterprise risk management makes a positive contribution to the success of the organization?
These are the key questions I tackle in the book. A continuing theme is the need to make the management of risk a key ingredient in intelligent decision-making and the successful running of the business. I believe risk management is about more than avoiding pitfalls and threats; it’s about taking the right level of the right risks so that performance and value are optimized.
The book walks through each aspect of effective risk management, including culture; framework and context; risk identification; risk assessment, evaluation, and treatment; and complex issues such as whether a risk management function with a senior executive as chief risk officer who reports on risk to the CEO and the board is necessary or even healthy; whether you can or should try to calculate a single value for the level of a risk; whether risk appetite works in practice; issues with heat maps and other risk reporting methods; and more.
Finally, I suggest that a world-class risk management program goes beyond what many hitherto have described as effective. I disagree with both COSO ERM and ISO 31000:2009 guidance on effective risk management, and I describe and explain my view.
Not everybody will agree with the ideas and suggestions in the book. My hope is that through open minds and discussion, it will spark a debate that will move the practice of risk management forward.
Expert reviews include:
- “Whether you are a manager, an assurance provider or a risk management professional, the way Norman has written this book and the good sense it contains should cause you to rethink your understanding of risk and how you go about recognising and responding to it.” – Grant Purdy
- “I found World-Class Risk Management an engaging and interesting read. Fair warning: This is not a text book; it is a point-of-view book. If you are only interested in preserving the status quo, I advise you to put this book down! Now! But if you welcome a challenge to your view as to how risk management should function, I encourage you to let Norman take you on a journey to world-class risk management. These changing and disruptive times require that we constantly up our game.” – Jim DeLoach
- “In the last 6 years, Norman has evolved and challenged narrow-minded views of risk management that have a bureaucratic audit or compliance-focused approach as well as academic thoughts that do little to increase the performance of an organization and create value. Today, he has gathered his current state of knowledge in risk management in his new book exploring, reviewing and questioning the concept of “World-Class Risk Management” with references to the internationally-adopted ISO 31000 risk management standard.” – Alex Dali
Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization
The IIA has published an updated, significantly expanded (including suggestions for aligning your program with COSO 2013) version of my Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners – a publication that has been downloaded about 200,000 times.
The book has introductions from Richard Steinberg and Dominique Vincenti, and has received rave reviews from eminent practitioners:
- “This is the best Sarbanes-Oxley 404 guide out there for management.” — Denielle deWynter, Senior Director, The McGraw-Hill Companies
- “This book will help many future public company professionals in the important aspect of Sarbanes-Oxley — understanding the requirements, nuances, and approach before you have to do it. It will also help veterans to challenge and validate their existing approach to ensure it is tightly and correctly constructed and considers many helpful suggestions.” — Robert Hirth, COSO Chair
- “Sarbanes-Oxley has become a routine process at many companies. Leading edge companies are using this new guide to lean out the Sarbanes-Oxley process; reducing the cost of compliance while improving the overall quality of the program. This updated guide is a great tool for those employees who are new to Sarbanes-Oxley, its history, and its requirements. The guide gets them totally up to speed while giving them leading edge thoughts about how they can lean out the process and improve the quality of the program at the same time.” — Larry Harrington, Vice President, Internal Audit, Raytheon Company
- “Overall, I found this to be a very useful, well-organized and well-written guide. I particularly like the focus on management’s responsibility and the imperative to drive overall efficiency, along with concrete guidance on how to do so. Too much Sarbanes-Oxley guidance is directed toward the external auditor, leaving management to either extrapolate from, or worse, take direction from the external auditors on program design and operation. So, a great perspective and very useful to management if IIA can publicize more broadly than just to internal auditors. The real-world examples really enhanced the readability/understanding.” — Rod Winters, former CAE, Microsoft Corporation
World-Class Internal Audit: Tales from my Journey
This book is a series of short stories about episodes from my professional life that gave me precious and enduring lessons. Taken as a whole, they explain who I am today and how I have practiced internal auditing as a chief audit executive for more than twenty years.
My hope is that these stories will amuse as well as provide some insights into how I came to lead internal audit departments as I did.
Maybe, and this is why I wrote the book, it will stimulate some thinking on your part.
- I thoroughly enjoyed Norman’s book. My one regret is not buying it in hard copy, so I could tab it, highlight it, scribble in the margins, etc. It’s the type of book I keep on my desk, available for quick reference or inspiration when the need arises. In his Introduction, Norman states his hope in writing World-Class Internal Audit is that it “…will amuse as well as provide some insights…” and that he wrote the book to “…stimulate some thinking…” I believe he succeeded on all three points. World-Class Internal Audit is not a textbook or reference book containing audit programs or other details which can be used verbatim; there are many great resources available for this purpose. What I liked most about Norman’s book is that the story of his personal career journey is highly relatable, despite being nothing like my own. He presents short stories about specific moments in his career with brutal introspection, explaining how he adapted or evolved his thinking along the way. His stories are relatable because they’re not a load of hooey coming from on high from an “all-knowing” internal-audit God; he is fallible, admits mistakes and missteps, and offers his lessons learned. These stories lay the foundation for his view of World-Class Internal Audit and explain how he came to have this view. I particularly liked Norman’s views which are unconventional or contrary to “…the way things have always been done,” such as over-documented work papers, concise audit reporting, and the position that external auditors are not trained to think.
- Norman, well done! Anyone who is passionate, motivated, and enthusiastic about the internal audit and enterprise risk management profession should read this book! It will inspire you further to strive for continuous improvement, professional development, greater quality of the services you perform, and finally, it will infuse you with greater enthusiasm and determination in the pursuit of a world-class internal audit organization.
How Good is your GRC?: Twelve Questions to Guide Executives, Boards, and Practitioners
What should board directors, executive management, and those who advise them (including risk and audit practitioners) know about GRC? Is it really the imperative that is suggested by the various white papers?
What is “GRC”? Is it more than a single collective bucket into which the firms have gathered all their consulting services for governance?
In this discussion, I suggest 12 questions that you may ask about GRC, whether to understand the term or to assess its adequacy. I then review additional considerations for organizations considering technology to upgrade their “GRC” processes.