Norman’s Books

Risk Management in Plain English: A Guide for Executives

When COSO published its updated ERM Framework last year, I thought about what it would mean for my popular 2015 book, World-Class Risk Management.

Unfortunately, I didn’t see anything in the COSO update, nor in the pending ISO 31000 global risk management standard, that merited changing anything in the book. (Sad but true.) Frankly, setting aside all pretense of modesty, I think the concepts and guidance in my book are superior.

Instead, I decided to write a totally new book.

Risk Management in Plain English: A Guide for Executives (available from Amazon in hard copy and e-reader formats) has the sub-title, Enabling Success through Intelligent and Informed Risk-Taking.

It is based on a number of principles for effective risk management, which I have shared here many times. They include:

  • It’s not about avoiding harm (“doom management”), it’s about achieving success.
  • It’s about understanding what might happen, determining whether that’s OK, and then acting as needed.
  • To be successful, you need to be making informed and intelligent decisions. Those are where risks are taken. That is how you optimize the likelihood and extent of success: achieving objectives.
  • We should avoid techno-babble and use the language of the business.
  • Risk management can be considered effective when leaders of the organization and decision-makers at all levels assert that it is helping them be successful.
  • The periodic review of a list of risks is a small part of risk management.
  • It’s about helping leaders understand the likelihood of achieving objectives, not the out-of-context size of risks.
  • Risk management is effective management!

I have not tried, in the new book, to change my guidance for risk practitioners. I continue to look to World-Class Risk Management for that.

Risk Management in Plain English focuses much more on guidance for leaders of the organization. I have tried to explain to them, in business English, what effective risk management is – and what their role and responsibilities should be. It is deliberately concise and readily consumed by them.

My hope is that risk practitioners will find the new book useful, would consider sharing it with their leaders, and have a conversation about risk management after everybody has read the book.

Here is the table of contents:

Introduction
I. Executive Summary
II. Are we taking too much or too little risk?
  • The possibility for gain as well as loss
  • The level of risk is not a single point
III. Risk and the CEO
  • Asking the right question
  • Cognitive bias
  • Leading by example
  • The CEO and the CRO
IV. Risk and the Executive Leadership Team
  • Working to the same objectives
V. Risk and the Executive
  • The executive and the CRO
  • The extended enterprise
  • Cross-functional decision-making
VI. Risk Reporting, Review, and Appetite
  • A recommended risk report
  • A list of risks or a heat map
  • Reviewing a list of risks
  • The risk du jour
  • How effective is your risk management program?
VII. Risk Management and the Board
  • Is risk management effective?
  • When the board takes risk
  • Risk and the board’s agenda
  • Should the board ensure the CRO is independent of management?
VIII. Risk Management and the Risk Office
Risk Appetite
Converting Risk Management into Action

I hope you will find it useful.


Auditing that Matters

Auditing that Matters captures my thinking, expressed here and elsewhere, about how an effective internal audit department can make a huge contribution to the success of an organization.

An internal audit department can provide leadership with the confidence it needs in the people, systems, and organization to lead the enterprise to success.

This book is about:

  • Providing the assurance, advice, and insight that the leaders of the organization need
  • Focusing on the risks and issues that matter to the executive management team and the board
  • Practicing enterprise risk-based auditing
  • Communicating effectively to management and the board what they need to know, when they need to know, in a useful and actionable form
  • Building the team and processes necessary to deliver world-class internal audit services

I have been extraordinarily lucky to have a review panel of leading practitioners. This is what they have to say:

  • This is a timely book for internal auditors who want to accelerate their careers. Norman provides powerful career advice and lessons learned for delivering outstanding customer service in a profession where the performance bar is rising daily, as are stakeholder expectations… I would make it a must read for my team members. – Larry Harrington, CAE at Raytheon and former Chairman of the Board of the IIA
  • “For auditors looking for a book on ‘value-added auditing’, this is the edition for you! Norman clearly describes the how-to methods for auditing that matters, and this is a must read book for all auditing leaders!” – Steve Goepfert, retired CAE of United Airlines and former Chairman of the Board of the IIA
  • Norman has pulled clear, insightful and useful recommendations from his years of experience leading top notch internal audit programs. This book will prove valuable for new and experienced internal audit professionals. – Patty Miller, retired Deloitte partner and former Chairman of the Board of the Institute of Internal Auditors (IIA)
  • This book is packed with lessons for the internal auditor. A first class opportunity to learn from the experience of others. – Michael Parkinson, Audit Committee member and member of the IIA’s International Internal Auditing Standards Board
  • This is the best book on the real world of internal auditing that I have read, because it gives numerous examples of practical problems and how best to approach and resolve them. Norman has captured his many years of executive audit experience into an easy to read and highly informative addition to the education of the next generation of internal auditors. – John Fraser, retired CAE and CRO with Hydro One
  • Whenever I felt that I was making progress in this profession it was because of other Internal Audit professionals embracing fully our profession’s motto “progress through sharing” and being generous with their experience, know-how and lessons learned from failures and successes. Norman’s book is a wonderful act of generosity with multiple experiences and ideas shared in thoughtful way for us all to reflect upon and build our own progress. – Dominique Vincenti, CAE at Nordstrom, formerly Chief Officer – Global Internal Audit Practices with the IIA
  • Internal Audit, as explained by one of the world’s leading practitioners, reminds us all of the central importance and function that proper governance plays in a well-run organisation. – Tom McLeod, former CAE at Rio Tinto Group and member of the Board of the IIA (Australia)

The book is available now in most locations on Amazon (I recommend the paperback version rather than the Kindle e-book).


World-Class Risk Management

For several years now, I have been writing, speaking, and networking with people around the world to discuss risk management. I have reviewed hundreds of articles, surveys, and other publications on the topic, and written about them in my two blogs (on the IIA site and on my personal site).

I had fun writing my book on World-Class Internal Auditing. So much so that I decided to write one on World-Class Risk Management (with the advice and support of luminaries such as Grant Purdy, John Fraser, Martin Davies, Jim DeLoach, Alex Dali, Felix Kloman, Arnold Schanfield, Richard Anderson, and more).

Grant Purdy was kind enough to write a challenging foreword.

What is risk management, truly, and what makes for a world-class risk management capability? Why do so many top executives and board members have difficulty seeing how enterprise risk management makes a positive contribution to the success of the organization?

These are the key questions I tackle in the book. A continuing theme is the need to make the management of risk a key ingredient in intelligent decision-making and the successful running of the business. I believe risk management is about more than avoiding pitfalls and threats; it’s about taking the right level of the right risks so that performance and value are optimized.

The book walks through each aspect of effective risk management, including culture; framework and context; risk identification; risk assessment, evaluation, and treatment; and complex issues such as whether a risk management function with a senior executive as chief risk officer who reports on risk to the CEO and the board is necessary or even healthy; whether you can or should try to calculate a single value for the level of a risk; whether risk appetite works in practice; issues with heat maps and other risk reporting methods; and more.

Finally, I suggest that a world-class risk management program goes beyond what many have hitherto described as effective. I set out where I disagree with both the COSO ERM and ISO 31000:2009 guidance on effective risk management, and use those disagreements to describe and explain my view.

Not everybody will agree with the ideas and suggestions in the book. My hope is that through open minds and discussion, it will spark a debate that will move the practice of risk management forward.

Expert reviews include:

  • “Whether you are a manager, an assurance provider or a risk management professional, the way Norman has written this book and the good sense it contains should cause you to rethink your understanding of risk and how you go about recognising and responding to it.” – Grant Purdy
  • “I found World-Class Risk Management an engaging and interesting read. Fair warning: This is not a text book; it is a point-of-view book. If you are only interested in preserving the status quo, I advise you to put this book down! Now! But if you welcome a challenge to your view as to how risk management should function, I encourage you to let Norman take you on a journey to world-class risk management. These changing and disruptive times require that we constantly up our game.” – Jim DeLoach
  • “In the last 6 years, Norman has evolved and challenged narrow minded views of risk management that have a bureaucratic audit or compliance-focus approach as well as academic thoughts that do little to increase the performance of an organization and create value. Today, he has gathered his current state of knowledge in risk management in his new book exploring, reviewing and questioning the concept of “World-Class Risk Management” with references to the internationally-adopted ISO 31000 risk management standard.” – Alex Dali

Available in paperback from CreateSpace or Amazon, or as an e-book on Amazon.


Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization – 4th Edition

The IIA has published an updated, significantly expanded (including suggestions for aligning your program with COSO 2013) version of my Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners – a publication that has been downloaded about 200,000 times.

It is available either from the IIA Bookstore or Amazon.

The book has introductions from Richard Steinberg and Dominique Vincenti, and has received rave reviews from eminent practitioners:

  • “This is the best Sarbanes-Oxley 404 guide out there for management.” — Denielle deWynter, Senior Director, The McGraw-Hill Companies
  • “This book will help many future public company professionals in the important aspect of Sarbanes-Oxley — understanding the requirements, nuances, and approach before you have to do it. It will also help veterans to challenge and validate their existing approach to ensure it is tightly and correctly constructed and considers many helpful suggestions.” — Robert Hirth, COSO Chair
  • “Sarbanes-Oxley has become a routine process at many companies. Leading edge companies are using this new guide to lean out the Sarbanes-Oxley process; reducing the cost of compliance while improving the overall quality of the program. This updated guide is a great tool for those employees who are new to Sarbanes-Oxley, its history, and its requirements. The guide gets them totally up to speed while giving them leading edge thoughts about how they can lean out the process and improve the quality of the program at the same time.” — Larry Harrington, Vice President, Internal Audit, Raytheon Company
  • “Overall, I found this to be a very useful, well-organized and well-written guide. I particularly like the focus on management’s responsibility and the imperative to drive overall efficiency, along with concrete guidance on how to do so. Too much Sarbanes-Oxley guidance is directed toward the external auditor, leaving management to either extrapolate from, or worse, take direction from the external auditors on program design and operation. So, a great perspective and very useful to management if IIA can publicize more broadly than just to internal auditors. The real-world examples really enhanced the readability/understanding.” — Rod Winters, former CAE, Microsoft Corporation


World-Class Internal Audit: Tales from my Journey

This book is a series of short stories about episodes from my professional life that gave me precious and enduring lessons. Taken as a whole, they explain who I am today and how I have practiced internal auditing as a chief audit executive for more than twenty years.

My hope is that these stories will amuse as well as provide some insights into how I came to lead internal audit departments as I did.

Maybe, and this is why I wrote the book, it will stimulate some thinking on your part.

The book is available from Amazon as a paperback or e-book.

Reviews include:

  • I thoroughly enjoyed Norman’s book. My one regret is not buying it in hard copy, so I could tab it, highlight it, scribble in the margins, etc. It’s the type of book I keep on my desk, available for quick reference or inspiration when the need arises. In his Introduction, Norman states his hope in writing World-Class Internal Audit is that it “…will amuse as well as provide some insights…” and that he wrote the book to “…stimulate some thinking…” I believe he succeeded on all three points. World-Class Internal Audit is not a textbook or reference book containing audit programs or other details which can be used verbatim; there are many great resources available for this purpose. What I liked most about Norman’s book is that the story of his personal career journey is highly relatable, despite being nothing like my own. He presents short stories about specific moments in his career with brutal introspection, explaining how he adapted or evolved his thinking along the way. His stories are relatable because they’re not a load of hooey coming from on high from an “all-knowing” internal-audit God; he is fallible, admits mistakes and missteps, and offers his lessons learned. These stories lay the foundation for his view of World-Class Internal Audit and explain how he came to have this view. I particularly liked Norman’s views which are unconventional or contrary to “…the way things have always been done”, such as over-documented work papers, concise audit reporting, and the position that external auditors are not trained to think.
  • Norman, well done! Anyone who is passionate, motivated, and enthusiastic about the internal audit and enterprise risk management profession should read this book! It will inspire you further to strive for continuous improvement, professional development, greater quality of the services you perform, and finally, it will infuse you with greater enthusiasm and determination in the pursuit of a world class internal audit organization.


How Good is your GRC? Twelve Questions to Guide Executives, Boards, and Practitioners

What should board directors, executive management, and those who advise them (including risk and audit practitioners) know about GRC? Is it really the imperative that is suggested by the various white papers?

What is “GRC”? Is it more than a single collective bucket into which the firms have gathered all their consulting services for governance?

In this discussion, I suggest 12 questions that you may ask about GRC, whether to understand the term or to assess its adequacy. I then review additional considerations for organizations considering technology to upgrade their “GRC” processes.

The book is available from Amazon as a paperback or e-book.

