Norman’s Books

Over the years, I have written a number of books on internal audit, risk management, and other topics:

Internal Audit

Risk Management


Here is a brief summary of each, from latest to earliest.

Managing the business risk that is cyber

The intent is to help business leaders and information security practitioners discuss cyber risk in business rather than technical language, enabling executives and the board to make informed and intelligent business decisions.

It’s not enough to say that cyber risk is “high” when there are so many business risks to address. It’s not enough to follow standards from NIST, ISO, or FAIR when they don’t help you understand the risk to the achievement of enterprise objectives.

Leaders need to know whether to invest more of their scarce resources into cybersecurity or satisfy competing demands for those same resources from other sources of risk and opportunity[1].

Should they invest their last million dollars into cyber, a marketing program, product development, employee safety, customer satisfaction, compliance, new cloud systems, an upgrade to their network, an acquisition, or other area?

How much investment is enough?

This is what four eminent reviewers had to say:

“With Managing the Business Risk that is Cyber Norman Marks has written a practical guide to the elusive concept of cyber risk. Addressing cyber risk as business risk rather than IT risk is pivotal to ensure proper understanding, prioritization and handling – an approach described in both tangible and actionable terms in this book which I highly recommend to anyone involved with managing a business.” – Hans Læssøe, retired Chief Risk Officer and author of Prepare to Dare and Decide to Succeed

“Cyber risk has become one of the most critical issues facing many organizations today. It is vitally important that directors, executives and managers understand not only the potential risks they might face but also the overall context of where cyber risk fits within the organization’s business objectives and its many other priorities. Norman Marks has provided a most important analysis in this book and sets out how cyber risk should be evaluated and dealt with in a comprehensive and considered manner. It should be read by all business people who may be affected or are concerned about cyber risks.” – John Fraser, retired Chief Risk Officer and author of Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives

“Norman’s new book provides a clearly presented, thoughtful, and accessible message that will help Boards better oversee all risks, including cyber. It should also help management achieve its objectives by more effectively understanding and managing all risks (including cyber risk). The book provides practical advice (highlights key takeaways), is accessible to a generalist audience, and is an engaging read (includes nice context through “war stories”).” – Joshua Rosenberg, risk practitioner

“Framing information security risks with a business context that enables good decision making is difficult to do well — this book fabulously shows how to do this. I hope that all business and technology executives can follow his example, to the benefit of their organization and their customers.” – Gene Kim, bestselling author of The Unicorn Project and co-author of the award-winning The DevOps Handbook and The Phoenix Project

As they say, the book should help those leading the organization and those in charge of protecting information assets talk the same business language.

Surveys tell us that board members find cyber risk the single most difficult risk to oversee.

At the same time, Information Security practitioners report that they are not getting through to either the board or to business leaders, and are not receiving the support and funding they need.

If leaders don’t understand the risk within the context of running the business, how can they make an informed and intelligent decision about addressing it?

[1] ISO 31000 advocates will remind me that “risks” include “opportunities”. But I prefer to make sure everybody understands the point.

Adventures in the Audit Trade

Norman Marks’ first novel is the tale of the newly appointed head of Internal Audit of a global manufacturing company based in the United States.

He has to deal with accounting frauds on two continents, suspected employment discrimination, and even discord among his team members. All of that while learning the business and its management team.

It would be a challenge for a leader who has built a solid reputation in the company over a period of years, let alone one who is still learning where the coffee machine is.

Will he succeed, or will he (as his wife fears) antagonize the top executives and lose his job?

This is a work of fiction, with fictional characters and situations. But it could be real.

Auditing at the Speed of Risk with an Agile, Continuous Audit Plan

We need to stop auditing the past and turn towards auditing what matters today and will matter in the future.

This new book by Norman Marks, globally recognized as one of the most influential thought leaders in internal auditing, builds on his previous publication, Auditing that Matters. It explains the value and practice of updating the audit plan continuously.

Risks and business conditions change all the time, so an annual plan, or even one that is updated quarterly, won’t lead to auditing what matters today. You audit what used to matter.

We need to audit at the speed of risk and the business.

That requires making sure you understand changes in risk and the business as they happen, anticipate the risks the business and its leaders will face in the coming period, and update the audit plan accordingly.

Rather than an audit plan that is annual, semi-annual, or even quarterly, it needs to be updated on a far more continuous basis – at the speed of risk. A rolling audit plan that reflects what should be audited now and soon helps an internal audit activity remain both relevant and valuable.

Norman Marks dives into practical guidance on risk assessment, what should be in the audit plan, how to communicate it, and more.

He shares detailed examples of audit plans from three of his companies, as well as many stories about specific situations and how the continuous approach led to audits that delivered huge value to executives and the board.

Norman was privileged to have a review board of distinguished practitioners and leaders of the profession, who made sure this book will lead internal auditors towards the goal of world-class performance.

Risk Management for Success

Traditional risk management programs focus on managing and mitigating harms – in other words, on avoiding failure.

But survey after survey tells us this approach is not convincing executives and boards that risk management is helping them achieve their objectives. They see it as a compliance exercise: something they have to do rather than want to do.

Norman Marks draws on his personal experience as an executive and builds on the thinking in his previous books, including World-Class Risk Management, Risk Management in Plain English, and Making Business Sense of Technology Risk, to explain how risk management should instead focus on achieving success.

This book discusses how a consideration of what might happen can enable informed and intelligent decisions from the setting of objectives and corporate strategies through the daily execution of the business. Those decisions enable the appropriate taking of risk so that the organization has an acceptable likelihood of achieving its objectives.

An assessment of risk management is recommended by a majority of corporate governance codes around the globe and required by the Standards of the Institute of Internal Auditors. The book includes a comprehensive maturity model that details the attributes of the highest level of maturity envisaged in this book, as well as management surveys that can be tailored for your organization. They can be used as the basis for an assessment by management, the risk officer, or the internal audit team.

Auditing that Matters: Case Studies

Auditing that Matters: Case Studies is a collection of 20 case studies based (all but one) on real life situations from my years as an internal audit executive.

When an internal audit function holds a team meeting, each member is given a copy of this book (preferably in advance) and asked to think about what they would do. Each case study ends with a number of questions, but the leader can certainly either adapt them or add his or her own.

Then the team leader can facilitate a discussion of the selected case and see if the team can, after exploring the options, come to a shared approach. The discussion alone can be illuminating even for the more senior members of the team.

The team leader uses the partner to the Case Study book, Auditing that Matters: Case Studies Discussion Guide to help him or her with ideas and suggestions for each case.

While the pair of books is designed for groups (including college classes), individual practitioners may also find the books useful.

Both books are available in e-reader form from Amazon (Kindle), but I recommend the print copy so people can highlight sections or make notes.

This pair of books rounds out a series. First there was World-Class Internal Auditing: Tales from my Journey that explained how I came to my approach to internal auditing. Then, Auditing that Matters explained how to achieve what I consider world-class internal auditing practices, and most recently I published Is Your Internal Audit World-Class?: A Maturity Model For Internal Audit so that people can assess their practices.

Is your Internal Audit World-Class?


How effective is your internal audit function? Is it world-class?

The IIA recommends that an assessment be made at least every five years, but most CAEs would want to know how well they are doing every year.

I believe that the only assessment that makes sense is that of the customer: the audit committee of the board and the senior management of the organization.

I also believe that it is immensely valuable to use a maturity model. The IIA has a practice guide on how to use one for other processes and I have one in my books for risk management. But there aren’t any for internal audit that reflect leading thinking and practices.

This book includes both a set of questions that can be used as a basis for obtaining internal audit stakeholders’ assessments and a detailed maturity model.

It can be found in paperback (only – a Kindle version would not be of great practical use) on Amazon.

Making Business Sense of Technology Risk

If you look at any survey of the top risks facing organizations, you will find technology-related risks (such as cyber and disruptive technologies) among those cited as being of greatest concern.

But executives and board members say they are not getting the information they need to understand how to address those risks. They don’t know how much to invest in cyber, for example, when funds are scarce.

Is the cyber risk so great that they should divert funds from acquisitions or product development? Even chief information security officers are reporting a disconnect with the leaders of the organization. Apparently they know that the board and top management don’t understand what is being reported, and they are not satisfied they are getting the support they need.

But if the board and top management don’t understand how and why technology risk might affect the achievement of their goals as leaders of the organization, it’s not surprising they are not providing the funds the technical staff says they need. At the same time, do the technical teams understand how the risks they see might actually affect the organization and its success? Are they looking at the risks with a business or a technician’s eye?

In this book, I build on the concepts in my earlier World-Class Risk Management and suggest an approach that moves the discussion of technology-related risk into the language of the business. I analyze the primary sources of guidance (from NIST and ISO) and point out the limitations: they may be good for technicians, but do they help us understand the risk to enterprise objectives that may arise from failures related to technology?

I discuss ways to consider how the possibility of technology failures (and opportunities) should affect decision-making, both strategic and tactical.

In the process, I tackle topics such as:

  • Risk is not a point, but a range
  • How to aggregate multiple risks
  • Integrating risk and performance reporting
  • What is acceptable when it comes to technology-related risk
  • How to enable leaders of the organization to make intelligent and informed decisions that consider technology-related risks
  • and more

The book is available on Amazon in both paperback and e-reader formats.

Risk Management in Plain English: A Guide for Executives

Risk Management in Plain English: A Guide for Executives (available from Amazon in hard copy and e-reader formats) has the sub-title, Enabling Success through Intelligent and Informed Risk-Taking.

It is based on a number of principles for effective risk management, which I have shared here many times. They include:

  • It’s not about avoiding harm (“doom management”), it’s about achieving success.
  • It’s about understanding what might happen, determining whether that’s OK, and then acting as needed.
  • To be successful, you need to be making informed and intelligent decisions. Those are where risks are taken. That is how you optimize the likelihood and extent of success: achieving objectives.
  • We should avoid techno-babble and use the language of the business.
  • Risk management can be considered effective when leaders of the organization and decision-makers at all levels assert that it is helping them be successful.
  • The periodic review of a list of risks is a small part of risk management.
  • It’s about helping leaders understand the likelihood of achieving objectives, not the out-of-context size of risks.
  • Risk management is effective management!

Auditing that Matters

Auditing that matters explains how an effective internal audit department can make a huge contribution to the success of an organization.

It can provide leadership with the confidence it needs in the people, systems, and organization to lead the enterprise to success.

This book is about:

  • Providing the assurance, advice, and insight that the leaders of the organization need
  • Focusing on the risks and issues that matter to the executive management team and the board
  • Practicing enterprise risk-based auditing
  • Communicating effectively to management and the board what they need to know, when they need to know, in a useful and actionable form
  • Building the team and processes necessary to deliver world-class internal audit services

I have been extraordinarily lucky to have a review panel of leading practitioners. This is what they have to say:

  • This is a timely book for internal auditors who want to accelerate their careers. Norman provides powerful career advice and lessons learned for delivering outstanding customer service in a profession where the performance bar is rising daily as are stakeholder expectations…. I would make it a must read for my team members. – Larry Harrington, former CAE at Raytheon and Chairman of the Board of the IIA
  • For auditors looking for a book on “value-added auditing”, this is the edition for you! Norman clearly describes the how-to methods for auditing that matters, and this is a must-read book for all auditing leaders! – Steve Goepfert, retired CAE of United Airlines and former Chairman of the Board of the IIA
  • Norman has pulled clear, insightful and useful recommendations from his years of experience leading top-notch internal audit programs. This book will prove valuable for new and experienced internal audit professionals. – Patty Miller, retired Deloitte partner and former Chairman of the Board of the Institute of Internal Auditors (IIA)
  • This is the best book on the real world of internal auditing that I have read, because it gives numerous examples of practical problems and how best to approach and resolve them. Norman has captured his many years of executive audit experience into an easy to read and highly informative addition to the education of the next generation of internal auditors. – John Fraser, retired CAE and CRO with Hydro One
  • Whenever I felt that I was making progress in this profession it was because of other Internal Audit professionals embracing fully our profession’s motto “progress through sharing” and being generous with their experience, know-how and lessons learned from failures and successes. Norman’s book is a wonderful act of generosity, with multiple experiences and ideas shared in a thoughtful way for us all to reflect upon and build our own progress. – Dominique Vincenti, CAE at Uber, formerly Chief Officer – Global Internal Audit Practices with the IIA

The book is available now in most locations on Amazon (I recommend the paperback version rather than the Kindle e-book).

World-Class Risk Management


What is risk management, truly, and what makes for a world-class risk management capability? Why do so many top executives and board members have difficulty seeing how enterprise risk management makes a positive contribution to the success of the organization?

These are the key questions I tackle in the book. A continuing theme is the need to make the management of risk a key ingredient in intelligent decision-making and the successful running of the business. I believe risk management is about more than avoiding pitfalls and threats; it’s about taking the right level of the right risks so that performance and value are optimized.

The book walks through each aspect of effective risk management, including culture; framework and context; risk identification; risk assessment, evaluation, and treatment; and complex issues such as whether a risk management function with a senior executive as chief risk officer who reports on risk to the CEO and the board is necessary or even healthy; whether you can or should try to calculate a single value for the level of a risk; whether risk appetite works in practice; issues with heat maps and other risk reporting methods; and more.

Finally, I suggest that a world-class risk management program goes beyond what many have hitherto described as effective. Where I disagree with the COSO ERM and ISO 31000:2009 guidance on effective risk management, I say so and explain my view.

Expert reviews include:

  • “Whether you are a manager, an assurance provider or a risk management professional, the way Norman has written this book and the good sense it contains should cause you to rethink your understanding of risk and how you go about recognising and responding to it.” – Grant Purdy, former CRO at BHP Billiton, chair of the committee that developed AS/NZS 4360, forerunner of ISO 31000
  • “I found World-Class Risk Management an engaging and interesting read. Fair warning: This is not a text book; it is a point-of-view book. If you are only interested in preserving the status quo, I advise you to put this book down! Now! But if you welcome a challenge to your view as to how risk management should function, I encourage you to let Norman take you on a journey to world-class risk management. These changing and disruptive times require that we constantly up our game.” – Jim DeLoach, Managing Director, Protiviti
  • “In the last 6 years, Norman has evolved and challenged narrow-minded views of risk management that have a bureaucratic audit- or compliance-focused approach, as well as academic thoughts that do little to increase the performance of an organization and create value. Today, he has gathered his current state of knowledge in risk management in his new book exploring, reviewing and questioning the concept of “World-Class Risk Management” with references to the internationally-adopted ISO 31000 risk management standard.” – Alex Dali, President of the Global Institute for Risk Management Standards

Available as a paperback on Amazon or as an e-book, also on Amazon.

Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization – 4th Edition

The IIA has published an updated, significantly expanded (including suggestions for aligning your program with COSO 2013) version of my Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners – a publication that has been downloaded about 200,000 times.

It is available either from the IIA Bookstore or Amazon.

The book has introductions from Richard Steinberg and Dominique Vincenti, and has received rave reviews from eminent practitioners:

  • “This is the best Sarbanes-Oxley 404 guide out there for management.” — Denielle deWynter, Senior Director, The McGraw-Hill Companies
  • “This book will help many future public company professionals in the important aspect of Sarbanes-Oxley — understanding the requirements, nuances, and approach before you have to do it. It will also help veterans to challenge and validate their existing approach to ensure it is tightly and correctly constructed and considers many helpful suggestions.” — Robert Hirth, COSO Chair
  • “Sarbanes-Oxley has become a routine process at many companies. Leading edge companies are using this new guide to lean out the Sarbanes-Oxley process; reducing the cost of compliance while improving the overall quality of the program. This updated guide is a great tool for those employees who are new to Sarbanes-Oxley, its history, and its requirements. The guide gets them totally up to speed while giving them leading edge thoughts about how they can lean out the process and improve the quality of the program at the same time.” — Larry Harrington, Vice President, Internal Audit, Raytheon Company
  • “Overall, I found this to be a very useful, well-organized and well-written guide. I particularly like the focus on management’s responsibility and the imperative to drive overall efficiency, along with concrete guidance on how to do so. Too much Sarbanes-Oxley guidance is directed toward the external auditor, leaving management to either extrapolate from, or worse, take direction from the external auditors on program design and operation. So, a great perspective and very useful to management if IIA can publicize more broadly than just to internal auditors. The real-world examples really enhanced the readability/understanding.” — Rod Winters, former CAE, Microsoft Corporation

World-Class Internal Audit: Tales from my Journey

This book is a series of short stories about episodes from my professional life that gave me precious and enduring lessons. Taken as a whole, they explain who I am today and how I have practiced internal auditing as a chief audit executive for more than twenty years.

My hope is that these stories will amuse as well as provide some insights into how I came to lead internal audit departments as I did.

Maybe, and this is why I wrote the book, it will stimulate some thinking on your part.

The book is available from Amazon as a paperback or e-book.

Reviews include:

  • I thoroughly enjoyed Norman’s book. My one regret is not buying it in hard copy, so I could tab it, highlight it, scribble in the margins, etc. It’s the type of book I keep on my desk, available for quick reference or inspiration when the need arises. In his Introduction, Norman states his hope in writing World-Class Internal Audit is that it “…will amuse as well as provide some insights…” and that he wrote the book to “…stimulate some thinking…” I believe he succeeded on all three points. World-Class Internal Audit is not a textbook or reference book containing audit programs or other details which can be used verbatim; there are many great resources available for this purpose. What I liked most about Norman’s book is that the story of his personal career journey is highly relatable, despite being nothing like my own. He presents short stories about specific moments in his career with brutal introspection, explaining how he adapted or evolved his thinking along the way. His stories are relatable because they’re not a load of hooey coming from on high from an “all-knowing” internal-audit God; he is fallible, admits mistakes and missteps, and offers his lessons learned. These stories lay the foundation for his view of World-Class Internal Audit and explain how he came to have this view. I particularly liked Norman’s views which are unconventional or contrary to “…the way things have always been done”, such as over-documented work papers, concise audit reporting, and the position that external auditors are not trained to think.
  • Norman, well done! Anyone that is passionate, motivated, and enthusiastic about the internal audit and enterprise risk management profession should read this book! It will inspire you further to strive for continuous improvement, professional development, greater quality of the services you perform, and finally, it will infuse you with greater enthusiasm and determination in the pursuit of a world-class internal audit organization.

How Good is your GRC? Twelve Questions to Guide Executives, Boards, and Practitioners

What should board directors, executive management, and those who advise them (including risk and audit practitioners) know about GRC? Is it really the imperative that is suggested by the various white papers?

What is “GRC”? Is it more than a single collective bucket into which the firms have gathered all their consulting services for governance?

In this discussion, I suggest 12 questions that you may ask about GRC, whether to understand the term or to assess its adequacy. I then review additional considerations for organizations considering technology to upgrade their “GRC” processes.

The book is available from Amazon as a paperback or e-book.
