Norman’s Books

Risk Management for Success

Book cover - From Risk to Success Management

Traditional risk management programs focus on managing and mitigating harms – in other words, on avoiding failure.

But survey after survey tells us this approach is not convincing executives and boards that risk management is helping them achieve their objectives. They see it as a compliance exercise: something they have to do rather than want to do.

Norman Marks draws on his personal experience as an executive and builds on the thinking in his previous books, including World-Class Risk Management, Risk Management in Plain English, and Making Business Sense of Technology Risk, to explain how risk management should instead focus on achieving success.

This book discusses how a consideration of what might happen can enable informed and intelligent decisions from the setting of objectives and corporate strategies through the daily execution of the business. Those decisions enable the appropriate taking of risk so that the organization has an acceptable likelihood of achieving its objectives.

An assessment of risk management is recommended by a majority of corporate governance codes around the globe and required by the Standards of the Institute of Internal Auditors. The book includes a comprehensive maturity model that details the attributes of the highest level of maturity envisaged in this book, as well as management surveys that can be tailored for your organization. They can be used as the basis for an assessment by management, the risk officer, or the internal audit team.

Auditing that Matters: Case Studies


Auditing that Matters: Case Studies is a collection of 20 case studies based (all but one) on real-life situations from my years as an internal audit executive.

When an internal audit function holds a team meeting, each member is given a copy of this book (preferably in advance) and asked to think about what they would do. Each case study ends with a number of questions, but the leader can certainly either adapt them or add his or her own.

Then the team leader can facilitate a discussion of the selected case and see if the team can, after exploring the options, come to a shared approach. The discussion alone can be illuminating even for the more senior members of the team.

The team leader uses the companion volume to the Case Studies book, Auditing that Matters: Case Studies Discussion Guide, for ideas and suggestions on each case.

While the pair of books is designed for groups (including college classes), individual practitioners may also find the books useful.

Both books are available in e-reader form from Amazon (Kindle), but I recommend the print copy so people can highlight sections or make notes.

This pair of books rounds out a series. First there was World-Class Internal Auditing: Tales from my Journey that explained how I came to my approach to internal auditing. Then, Auditing that Matters explained how to achieve what I consider world-class internal auditing practices, and most recently I published Is Your Internal Audit World-Class?: A Maturity Model For Internal Audit so that people can assess their practices.


Is your Internal Audit World-Class?


How effective is your internal audit function? Is it world-class?

The IIA recommends that an assessment be made at least every five years, but most CAEs would want to know how well they are doing every year.

I believe that the only assessment that makes sense is that of the customer: the audit committee of the board and the senior management of the organization.

I also believe that it is immensely valuable to use a maturity model. The IIA has a practice guide on how to use one for other processes and I have one in my books for risk management. But there aren’t any for internal audit that reflect leading thinking and practices.

This book includes both a set of questions that can be used as a basis for obtaining internal audit stakeholders’ assessments and a detailed maturity model.

It can be found in paperback (only – a Kindle version would not be of great practical use) on Amazon.


Making Business Sense of Technology Risk


If you look at any survey of the top risks facing organizations, you will find technology-related risks (such as cyber and disruptive technologies) among those cited as being of greatest concern.

But executives and board members say they are not getting the information they need to understand how to address those risks. They don’t know how much to invest in cyber, for example, when funds are scarce.

Is the cyber risk so great that they should divert funds from acquisitions or product development? Even chief information security officers are reporting a disconnect with the leaders of the organization. Apparently they know that the board and top management don’t understand what is being reported, and they are not satisfied they are getting the support they need.

But if the board and top management don’t understand how and why technology risk might affect the achievement of their goals as leaders of the organization, it’s not surprising they are not providing the funds the technical staff says they need. At the same time, do the technical teams understand how the risks they see might actually affect the organization and its success? Are they looking at the risks with a business or a technician’s eye?

In this book, I build on the concepts in my earlier World-Class Risk Management and suggest an approach that moves the discussion of technology-related risk into the language of the business. I analyze the primary sources of guidance (from NIST and ISO) and point out the limitations: they may be good for technicians, but do they help us understand the risk to enterprise objectives that may arise from failures related to technology?

I discuss ways to consider how the possibility of technology failures (and opportunities) should affect decision-making, both strategic and tactical.

In the process, I tackle topics such as:

  • Risk is not a point, but a range
  • How to aggregate multiple risks
  • Integrating risk and performance reporting
  • What is acceptable when it comes to technology-related risk
  • How to enable leaders of the organization to make intelligent and informed decisions that consider technology-related risks
  • and more

The book is available on Amazon in both paperback and e-reader formats.


Risk Management in Plain English: A Guide for Executives

Risk Management in Plain English: A Guide for Executives (available from Amazon in hard copy and e-reader formats) has the sub-title, Enabling Success through Intelligent and Informed Risk-Taking.


It is based on a number of principles for effective risk management, which I have shared here many times. They include:

  • It’s not about avoiding harm (“doom management”), it’s about achieving success.
  • It’s about understanding what might happen, determining whether that’s OK, and then acting as needed.
  • To be successful, you need to be making informed and intelligent decisions. Those are where risks are taken. That is how you optimize the likelihood and extent of success: achieving objectives.
  • We should avoid techno-babble and use the language of the business.
  • Risk management can be considered effective when leaders of the organization and decision-makers at all levels assert that it is helping them be successful.
  • The periodic review of a list of risks is a small part of risk management.
  • It’s about helping leaders understand the likelihood of achieving objectives, not the out-of-context size of risks.
  • Risk management is effective management!


Auditing that Matters

Auditing that matters explains how an effective internal audit department can make a huge contribution to the success of an organization.


It can provide leadership with the confidence it needs in the people, systems, and organization to lead the enterprise to success.

This book is about:

  • Providing the assurance, advice, and insight that the leaders of the organization need
  • Focusing on the risks and issues that matter to the executive management team and the board
  • Practicing enterprise risk-based auditing
  • Communicating effectively to management and the board what they need to know, when they need to know, in a useful and actionable form
  • Building the team and processes necessary to deliver world-class internal audit services

I have been extraordinarily lucky to have a review panel of leading practitioners. This is what they have to say:

  • This is a timely book for internal auditors who want to accelerate their careers. Norman provides powerful career advice and lessons learned for delivering outstanding customer service in a profession where the performance bar is rising daily as are stakeholder expectations…. I would make it a must read for my team members. – Larry Harrington, former CAE at Raytheon and Chairman of the Board of the IIA
  • “For auditors looking for a book on ‘value-added auditing’, this is the edition for you! Norman clearly describes the how-to methods for auditing that matters, and this is a must-read book for all auditing leaders!” – Steve Goepfert, retired CAE of United Airlines and former Chairman of the Board of the IIA
  • Norman has pulled clear, insightful and useful recommendations from his years of experience leading top-notch internal audit programs. This book will prove valuable for new and experienced internal audit professionals. – Patty Miller, retired Deloitte partner and former Chairman of the Board of the Institute of Internal Auditors (IIA)
  • This is the best book on the real world of internal auditing that I have read, because it gives numerous examples of practical problems and how best to approach and resolve them. Norman has captured his many years of executive audit experience into an easy to read and highly informative addition to the education of the next generation of internal auditors. – John Fraser, retired CAE and CRO with Hydro One
  • Whenever I felt that I was making progress in this profession it was because of other Internal Audit professionals embracing fully our profession’s motto “progress through sharing” and being generous with their experience, know-how and lessons learned from failures and successes. Norman’s book is a wonderful act of generosity with multiple experiences and ideas shared in thoughtful way for us all to reflect upon and build our own progress. – Dominique Vincenti, CAE at Uber, formerly Chief Officer – Global Internal Audit Practices with the IIA

The book is available now in most locations on Amazon (I recommend the paperback version rather than the Kindle e-book).


World-Class Risk Management


What is risk management, truly, and what makes for a world-class risk management capability? Why do so many top executives and board members have difficulty seeing how enterprise risk management makes a positive contribution to the success of the organization?

These are the key questions I tackle in the book. A continuing theme is the need to make the management of risk a key ingredient in intelligent decision-making and the successful running of the business. I believe risk management is about more than avoiding pitfalls and threats; it’s about taking the right level of the right risks so that performance and value are optimized.

The book walks through each aspect of effective risk management, including culture; framework and context; risk identification; risk assessment, evaluation, and treatment; and complex issues such as whether a risk management function with a senior executive as chief risk officer who reports on risk to the CEO and the board is necessary or even healthy; whether you can or should try to calculate a single value for the level of a risk; whether risk appetite works in practice; issues with heat maps and other risk reporting methods; and more.

Finally, I suggest that a world-class risk management program goes beyond what many have hitherto described as effective. To describe and explain my view, I set it against both COSO ERM and ISO 31000:2009 guidance on effective risk management and say where, and why, I disagree.

Expert reviews include:

  • “Whether you are a manager, an assurance provider or a risk management professional, the way Norman has written this book and the good sense it contains should cause you to rethink your understanding of risk and how you go about recognising and responding to it.” – Grant Purdy, former CRO at BHP Billiton, chair of the committee that developed ANZ AS436, forerunner of ISO 31000
  • “I found World-Class Risk Management an engaging and interesting read. Fair warning: This is not a text book; it is a point-of-view book. If you are only interested in preserving the status quo, I advise you to put this book down! Now! But if you welcome a challenge to your view as to how risk management should function, I encourage you to let Norman take you on a journey to world-class risk management. These changing and disruptive times require that we constantly up our game.” – Jim DeLoach, Managing Director, Protiviti
  • “In the last 6 years, Norman has evolved and challenged narrow minded views of risk management that have a bureaucratic audit or compliance-focus approach as well as academic thoughts that do little to increase the performance of an organization and create value. Today, he has gathered his current state of knowledge in risk management in his new book exploring, reviewing and questioning the concept of “World-Class Risk Management” with references to the internationally-adopted ISO 31000 risk management standard.” – Alex Dali, President of the Global Institute for Risk Management Standards

Available as a paperback on Amazon or as an e-book, also on Amazon.


Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization – 4th Edition

The IIA has published an updated, significantly expanded (including suggestions for aligning your program with COSO 2013) version of my Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners – a publication that has been downloaded about 200,000 times.


It is available either from the IIA Bookstore or Amazon.

The book has introductions from Richard Steinberg and Dominique Vincenti, and has received rave reviews from eminent practitioners:

  • “This is the best Sarbanes-Oxley 404 guide out there for management.” — Denielle deWynter, Senior Director, The McGraw-Hill Companies
  • “This book will help many future public company professionals in the important aspect of Sarbanes-Oxley — understanding the requirements, nuances, and approach before you have to do it. It will also help veterans to challenge and validate their existing approach to ensure it is tightly and correctly constructed and considers many helpful suggestions.” — Robert Hirth, COSO Chair
  • “Sarbanes-Oxley has become a routine process at many companies. Leading edge companies are using this new guide to lean out the Sarbanes-Oxley process; reducing the cost of compliance while improving the overall quality of the program. This updated guide is a great tool for those employees who are new to Sarbanes-Oxley, its history, and its requirements. The guide gets them totally up to speed while giving them leading edge thoughts about how they can lean out the process and improve the quality of the program at the same time.” — Larry Harrington, Vice President, Internal Audit, Raytheon Company
  • “Overall, I found this to be a very useful, well-organized and well-written guide. I particularly like the focus on management’s responsibility and the imperative to drive overall efficiency, along with concrete guidance on how to do so. Too much Sarbanes-Oxley guidance is directed toward the external auditor, leaving management to either extrapolate from, or worse, take direction from the external auditors on program design and operation. So, a great perspective and very useful to management if IIA can publicize more broadly than just to internal auditors. The real-world examples really enhanced the readability/understanding.” — Rod Winters, former CAE, Microsoft Corporation


World-Class Internal Audit: Tales from my Journey

This book is a series of short stories about episodes from my professional life that gave me precious and enduring lessons. Taken as a whole, they explain who I am today and how I have practiced internal auditing as a chief audit executive for more than twenty years.

My hope is that these stories will amuse as well as provide some insights into how I came to lead internal audit departments as I did.

Maybe, and this is why I wrote the book, it will stimulate some thinking on your part.

The book is available from Amazon as a paperback or e-book.

Reviews include:

  • I thoroughly enjoyed Norman’s book. My one regret is not buying it in hard copy, so I could tab it, highlight it, scribble in the margins, etc. It’s the type of book I keep on my desk, available for quick reference or inspiration when the need arises. In his Introduction, Norman states his hope in writing World-Class Internal Audit is that it “…will amuse as well as provide some insights…” and that he wrote the book to “…stimulate some thinking…” I believe he succeeded on all three points. World-Class Internal Audit is not a textbook or reference book containing audit programs or other details which can be used verbatim; there are many great resources available for this purpose. What I liked most about Norman’s book is that the story of his personal career journey is highly relatable, despite being nothing like my own. He presents short stories about specific moments in his career with brutal introspection, explaining how he adapted or evolved his thinking along the way. His stories are relatable because they’re not a load of hooey coming from on high from an “all-knowing” internal-audit God; he is fallible, admits mistakes and missteps, and offers his lessons learned. These stories lay the foundation for his view of World-Class Internal Audit and explain how he came to have this view. I particularly liked Norman’s views which are unconventional or contrary to “…the way things have always been done”, such as over-documented work papers, concise audit reporting, and the position that external auditors are not trained to think.
  • Norman, well done! Anyone that is passionate, motivated, and enthusiastic about the internal audit and enterprise risk management profession should read this book! It will inspire you further to strive for continuous improvement, professional development, greater quality of the services you perform, and finally, it will infuse you with greater enthusiasm and determination in the pursuit of a world-class internal audit organization.


How Good is your GRC? Twelve Questions to Guide Executives, Boards, and Practitioners

What should board directors, executive management, and those who advise them (including risk and audit practitioners) know about GRC? Is it really the imperative that is suggested by the various white papers?

What is “GRC”? Is it more than a single collective bucket into which the firms have gathered all their consulting services for governance?

In this discussion, I suggest 12 questions that you may ask about GRC, whether to understand the term or to assess its adequacy. I then review additional considerations for organizations considering technology to upgrade their “GRC” processes.

The book is available from Amazon as a paperback or e-book.
