Is your ERM program as useful as a GPS?

June 7, 2018

When I go somewhere new, my GPS is an invaluable tool.


Before I leave, I can tell it where I want to go (if not from my current location, I give it a new departure point) and when. It will help me understand my options, not only different routes if I drive and how long each should normally take, but how I could travel using public transportation, etc.

This helps me plan the trip.

During my trip, it will help with:

  • Projecting my time of arrival. This helps me know whether I am likely to arrive on time (achieve my objective)
  • Indicating potential traffic delays, including known road repairs
  • Offering alternate routes
  • Warning me if I exceed the speed limit
  • Letting me know where I can refuel my vehicle or myself (restaurants)
  • Telling me of points of interests (opportunities)
  • Showing me where I am on my path to my objective

The GPS helps me make informed and (hopefully) intelligent decisions so I can reach my objective safely and on time.

Does your ERM program do as much?

Or is it a list of things that could go wrong that you update every so often?

I welcome your comments.


By the way, by ERM I mean your enterprise risk management program – not a software platform.


Why do we need risk management?

June 1, 2018

Too often we do things without understanding why.

Look at the latest report from the Enterprise Risk Management Initiative at North Carolina State. Their 2018: The state of risk oversight is intended to provide “an overview of enterprise risk management practices”.

I will come back to that claim.

But first let’s consider why we need to consider risk.

Some time ago, Deloitte conducted a survey and asked board members and top management the right question:

Does risk management at your organization help you set and then execute on strategies?

Tell me whether you agree with these assertions:

  • The only purpose of risk management is to help leaders select and then successfully execute strategies that deliver optimal value.
  • They do this by making intelligent and informed decisions (which include strategy selection).
  • Those decisions are made every day across the extended enterprise by the people running the business.
  • Risk management is about considering what might happen and enabling decisions across the organization to be appropriately informed.
  • Effective ERM is not focused on avoiding failure; it enables the achievement of success.
  • If leaders of the organization do not believe risk management is helping them be successful in setting and executing strategy, it is failing.

The study reports that only 5% assessed their ERM program as “robust”.

But what does that mean?

The respondents were asked to self-assess their program and not provided guidance, such as asking whether ERM enables informed and intelligent decisions.

So, I personally doubt that even 5% would pass that test.

In fact, the authors continue to position ERM as assessing and providing information on risks, rather than on whether enterprise objectives are likely to be achieved.

The report says something that is strikingly odd, indicating that yet again people see risk management as all about avoiding failure rather than achieving success.

…a majority of the respondents in the full sample indicated that their organization’s risk culture is one that is either “strongly risk averse” (8%) or “risk averse” (45%). Similarly, just over one-half of the largest organizations, public companies, and financial services companies indicated their risk culture is “strongly risk averse” or “risk averse.” The overall lack of ERM maturity for the full sample is somewhat surprising, when the majority of organizations are in organizations with notable aversion to significant risk-taking.

If you are not willing to take risks, you will wither away and die.

The key is to take the right level of the right risks. In fact, I strongly recommend doing away with the idea of “accepting” risk, replacing it with “taking” risk.

No self-respecting CEO or board will say they are risk-averse! That is what they are paid to do – take risks!

The report is a study of failure in action: a failure to implement risk management in a way that adds huge value in the setting and execution of strategy.

It describes these barriers:

  • Competing priorities 29%
  • Insufficient resources 27%
  • Lack of perceived value 24%
  • Perception ERM adds bureaucracy 19%
  • Lack of board or senior executive ERM leadership 18%
  • Legal or regulatory barriers 4%

If leaders across the organization see ERM as a bureaucratic compliance exercise that gets in the way of success, then we should not be surprised that they are neither supporting nor funding it.

Maybe they tolerate it to appease the regulators and the board.

If only they could see how it should function!

That takes courage from individuals, whether in executive leadership, on the board, as CAE, or as CRO.

Don’t do traditional, failing, ERM.

Help people make informed and intelligent decisions.

Is ERM at your organization effective?


By the way, I congratulate my friend and OCEG colleague, Jason Mefford, on his latest book. Rock N Roll Risk Management Guide #1: Tips for Making Risk Management More Proactive, Practical, and Profitable. It’s still a draft, so watch for the final publication.

I like this advice:

  • Think of risk management as a means to achieve objectives, not as liability management
  • As the world continues to accelerate, we need to slow down and make mindful decisions
  • Consider the full impact of events, so you make the best risk-informed decision
  • Those managing risk have been trained to look for negative impacts and are often expected to minimize any liability or exposure (i.e. stop “bad things” from happening). Risk management is about helping an organization achieve its objectives in the face of uncertainty. In order to take a risk, we must expect a reward and, therefore, risk and reward must be considered together in a holistic way.
  • Consider the bigger picture of what you are trying to achieve (your objectives) and focus on getting that, instead of focusing on all the “bad things” that could happen but probably never will. Spend more of your time and resources on getting the positive, while expending the minimal effort to manage the large obstacles to achieving the objective.

Should we “tear up the risk appetite” statement?

May 26, 2018

That is advocated in a provocative post in StrategicRISK. The author, Lauren Gow, is the StrategicRisk Asia Pacific editor, based in Australia. As far as I can tell, she has not been a risk practitioner (except in the sense that all of us are because we are constantly weighing and taking risk). But that doesn’t mean she doesn’t have (a) a point, and (b) a right to express it and challenge us all in the process.

Here are some key excerpts from the article:

  • Let’s talk about risk appetite. Or more specifically, let me ask you – what is the point behind you, as a risk manager, preparing a specific risk appetite document for the board? Have you ever stopped and really thought about why you do it? If you are doing it because you believe it adds value to the management of the business, it may be time for a rethink.
  • A risk appetite document is a vertical silo tool. And it is being used during a period when most businesses are pushing for more horizontal, integrated ways of working. One might argue that silos themselves do not cause problems within a business, but the closed mentality that comes as a result of the silo-style operation does.

Writing a specific risk appetite document for the board separates risk management from all other parts of the business. How do you effectively make a mark across the whole business when you are not integrated within it?

  • In the creation of a specific risk appetite document, risk managers are essentially handing the board further ammunition to shorten the leash of management. You are adding barriers to management from a board level and making it more difficult for management to take a calculated risk on new products or markets. This goes against what most risk managers say they want to be seen as within their business.

You want to be a business enabler, not innovation impediment; a driver of transformation, not the brakes of revolution. Creating more rules for management from board level will not achieve this goal.

  • Be bold. Tear up your risk appetite policy today. Tell the board you will no longer be doing a specific risk appetite document for them but instead you will be regularly reviewing each board-level policy and making risk recommendations for each area. Let go of the relative safety of the risk appetite life buoy and take a chance on a new way of working.

I have written about this topic for several years. Of note are:

Let me quote my own post from March:

  • These days, I talk about the need for people to make intelligent and informed decisions, because that is where risk is taken.
  • Top management and the board need a reasonable level of assurance that important decisions are both intelligent and informed – that they give due consideration to what might happen (i.e., risk).
  • In fact, I think it is vitally important to stop talking about managing and mitigating risk. Instead, we should recognize that no organization will succeed if it does not take risk.
  • The key is to make informed and intelligent decisions that take the right level of the right risk, where it is justified on business and other grounds. Decision-makers need guidance so that they know that what they are doing (taking risk) is consistent with the desires of top management and the board. You may call that risk appetite (I prefer not to) or risk criteria, but often it is covered by policies such as investment guidelines, hedging policies, delegations of authority, and stop-loss limits.

I quoted an October 2017 post:

Devotion to remaining within risk appetite (if you can even express one that will proactively guide decision-makers) is likely to make you risk averse – and focusing on avoiding harm is the path to avoiding success.

So, what do we do instead?

Let’s spend our time and energy thinking about how we can enable those making the decisions necessary to running the business and achieving success to make good decisions. Smart decisions.

Empower people across the organization to use not only their experience and judgment, but all appropriate and reliable information to make informed and intelligent decisions.

Instead of worrying about whether they are complying with the risk appetite statement, worry about whether there is reasonable assurance that good decisions are made.

Then I suggested:

  1. Recognize that if you are required by law or regulation to have a risk appetite statement, or even by boards who (perhaps on the advice of consultants) believe this is necessary, you need to put one together.
  2. Any risk appetite statement should first satisfy the needs of the regulators. (Sadly, they seem to be happy with fluff such as “we have no tolerance for non-compliance with laws and regulations”.)
  3. If at all possible, develop risk appetite statements that actually mean and do something. (Or indicate that the guidance is in other standards and policies.) They should:
    1. Guide decision-makers, so that they know before they take a risk whether their decision would be acceptable and in the interests of the organization as a whole as it strives to achieve its objectives
    2. Allow for flexibility where there is a business justification for taking what might appear to be a lower or higher level of risk – because of the opportunity that is presented. For example, require such decisions to be escalated to more senior levels of management or the board
    3. Enable top management and the board to have assurance after-the-fact that risk to objectives (which I define as the likelihood of failing to achieve an objective) is within desired levels
    4. Distinguish between different sources of risk. Don’t attempt to have a single risk appetite that encompasses market risk, compliance risk, reputation risk, and so on. That is nonsense. Develop guidance that is suitable for decisions in each area
  4. If you decide on ‘fluff’ risk appetite statements, you still need guidance for decision-makers (see below)
  5. If you don’t need or want risk appetite statements, develop risk criteria or other guidance that will help decision-makers: practical guidance that ensures that at least the most important decisions are informed, intelligent, and consistent with the desires of leadership
  6. Provide reports to the board and top management (as described in my books) that help them see whether enterprise objectives are likely to be achieved
  7. Have the CEO provide assurance to the board on the quality of decision-making, risk-taking, and the achievement of enterprise objectives
  8. Have the CRO (if there is one) do the same
  9. Have the CAE provide an opinion on the above
  10. Include the quality of decision-making in each individual’s performance assessment

Returning to Lauren’s provocative piece…

She suggests that instead of some high-level document (risk appetite statement), management should “be regularly reviewing each board-level policy and making risk recommendations for each area. Let go of the relative safety of the risk appetite life buoy and take a chance on a new way of working”.

I’m not going to agree that this is a matter of board policies. Neither do I believe that it’s about safety and avoiding harm.

It’s about taking the right level of the right risks as we make decisions and achieve our objectives.

How does the board obtain assurance that management is taking the right risks? How does it know that management is making informed and intelligent decisions?

Part of the answer lies in repudiating Lauren’s last words: “take a chance on a new way of working”.

Let’s think about the old way of working.

For example, many if not most organizations already have these in place:

  • Limits on the credit that can be granted to new customers
  • Requirements that credit limits are approved by appropriate management
  • Limits on the level of hedging and other use of derivative instruments
  • Requirements that expenditures over a certain value are approved by a more senior individual, even by the board if necessary
  • Policies that indicate the quality of investments that can be made
  • Requirements that all acquisitions are approved by top management and the board
  • Controls to ensure that all write-offs are approved by appropriate management
  • Controls to ensure that excessive discounts are not offered to customers
  • …and so on

So I stand by the suggestions I made in March. But, I am going to emphasize step #5: “If you don’t need or want risk appetite statements, develop risk criteria or other guidance that will help decision-makers: practical guidance that ensures that at least the most important decisions are informed, intelligent, and consistent with the desires of leadership”.

Figure out, for your organization, what you need to achieve the objectives of:

  1. Providing assurance that the right levels of the right risks are being taken through informed and intelligent decisions
  2. Ensuring that information provided to the board and investors is reliable, complete, and accurate
  3. Satisfying the compliance requirements of the regulators and others

If you think that risk appetite statements work for you, guiding people to take the right level of the right risks, then fine.

If not, understand whether there is sufficient guidance already in place – and if that is sufficient rely on it; if not, fix it.

I welcome your comments.

What is your consolidated risk exposure?

May 23, 2018

This question came up as I was reading the preface to what appears to be a major contribution to risk management thought leadership.

Prepared to Dare is by Hans Læssøe, formerly the chief risk officer at LEGO. His risk management program has been profiled extensively, for example in the Wall Street Journal, Strategic Finance magazine, and in the work of Professors Robert Kaplan and Anette Mikes.

I like what Hans has to say in the description of the book (with my highlights):

The discipline and profession of risk management is undergoing significant changes these years, and will continue to do so for years to come. In an ever-changing world, the attention towards taking risks and managing the risks taken becomes increasingly important for businesses and organisations to survive and prosper.

The stakes are getting higher and speed is increasing. Hence, intelligent risk taking becomes a necessary core competence of leaders at all levels of an organisation.

This book builds on solid and practical experience, and takes the reader from the basic concepts and approaches to making maneuverability a true competitive advantage by actively and deliberately leveraging the tools and processes of risk management in business design, strategic and operational decision making.

One of the thoughts that he shares is that thinking about what might happen (risk) comes before you take the risk. Contrast this with COSO, where risks are identified after strategies are defined.

By the way, I encourage everybody to read and listen to the work of Alex Sidorenko (see his blog). In January, he interviewed Hans.

There’s a difference, though, between my books (World-Class Risk Management and Risk Management in Plain English) and this new one by Hans.

The difference is clear when you examine this description of chapter 2 from the Preface to the book.

In this chapter, I will describe an avenue to establish an Enterprise Risk Management (ERM) which is consolidating the risk exposure of an organisation as well as enable depiction of the key risks of the organisation. Different approaches to portfolio consolidation, including Monte Carlo simulation will be described and assessed. I will also describe potential linking between risks and opportunities.

Taking the second half of the paragraph first, Hans provides guidance on useful risk management tools and techniques, such as Monte Carlo simulation and game theory.

My books don’t cover those techniques as they focus more on how risk practitioners can contribute to the success of the organization as a whole – by enabling informed and intelligent decision-making.

Hans also emphasizes informed decision-making, but I see his book as adding more value when it comes to specific risk management tools and techniques.

The major difference, as I see it, is in that first sentence.

What is the “consolidated risk exposure”?

At LEGO, Hans used likelihood and impact scales, together with heat maps.

I have problems with those, instead suggesting that we should focus on the likelihood of achieving objectives.

After all, it’s not about managing risks; it’s about managing the organization (my latest mantra).


Let’s consider the partner of a CPA firm. As he considers his audit of the financial statements of his major client, he is required by standards to assess the risk. The risk he is considering is the risk of issuing the wrong opinion.

If you asked him about his level of risk, I think he should think first about the likelihood of reaching an incorrect opinion. He might also consider the likelihood of upsetting the client; failing a PCAOB examination; going over budget; or having problems among the staff.

Several things might happen, each of which is a source of risk. I would not advise assessing each source of risk, but instead consider the overall likelihood of achieving his objectives.


I have just started a book suggested by my wife, I’ve Decided to Live 120 Years: The Ancient Secret to Longevity, Vitality, and Life Transformation. (I am not recommending it yet as I have only read the first chapter or so.)

The author’s goal is to live and enjoy his life for another 50 or more years (he is in his late 60s).

How would he assess his “consolidated risk exposure”?

I don’t think he would appreciate a heat map as much as knowing the likelihood of living to 120 in a style that affords meaning to the second half of his life.


Then let’s turn to the CEO of a large organization. He will probably be turned off when he hears the phrase “consolidated risk exposure”. He will prefer reports that show the likelihood of achieving EPS, market share, customer satisfaction, revenue growth, and other targets.


So where does this leave me?

I recommend that risk practitioners charged with their organization’s ERM program read both my and Hans’ books – and monitor Alex Sidorenko’s site for blogs and interviews.

Internal auditors will, I think, gain more from my books. They need to understand the principles and how risk management can contribute to success more than they need to understand specific risk management tools and techniques.

Board members and those advising the board and/or the C-Suite should read Risk Management in Plain English.


What do you think?

Is it really all about culture?

May 19, 2018

For the last several years, practitioners and consultants have been talking about culture. For example:

You have probably seen these and more about culture, specifically focusing on risk, compliance, and ethics.

I shared a different way of thinking about culture in How do you manage culture and The board and enterprise culture.

Two new pieces reinforce my view that culture is not just about risk, compliance, and ethics. There are many, many dimensions and sometimes they may actually conflict.

The first of these is an interview with another friend, Jim DeLoach.

5 Keys to Building an Innovative Culture: A Q&A With Protiviti’s Jim DeLoach has some interesting comments. I cannot disagree with Jim this time, especially when he says:

When I think of innovation culture, I’m thinking about an organization that innovates with speed, is able to make decisions at a relatively high velocity, an organization that is very engaged and focused on customers, an organization that embraces external trends.

One key point, one that Jim doesn’t make but which I am sure he will agree with, is that if you are so focused on the ‘risk culture’ that you become risk averse, you can not only slow down decisions and inhibit performance, but also make it more difficult to be innovative.

A more fascinating piece appeared this month in Harvard Business School’s Working Knowledge (it’s well worth subscribing to): Amazon vs. Whole Foods: When Cultures Collide.

The authors described a “culture clash”.

Amazon’s acquisition of Whole Foods last August was the corporate equivalent of mixing tap water with organic extra virgin olive oil. You’d be hard-pressed to find two companies with more different value propositions.

Even so, it was surprising to hear reports shortly after the marriage about Whole Foods customers, really angry customers, regularly encountering empty shelves at their favorite retailer. Then stories surfaced about Whole Foods employees crying over their new performance-driven working conditions imposed by Amazon.

Both Amazon and Whole Foods had a ‘culture’ that emphasized and encouraged the behavior that made them successful. As the piece says, “This is not a story where there is a good guy and a bad guy”.

So what does this all mean?

Culture is not something that is limited in its scope to ethics, risk, and compliance.

It’s about the behaviors that are necessary for the organization to thrive, with people making the decisions you want them to make. You want them to be ethical, compliant, and risk-aware, but you also want a culture of innovation and creativity, empowerment, customer-focus, teamwork, quality, performance, openness, and so on.

My advice?

Stop talking about ‘culture’ without at least adding a modifier, such as risk or innovation.

Start recognizing that sometimes you have to make compromises in one dimension of culture in favor of another. For example, you cannot always involve everybody or seek all possible information when a decision has to be made with speed. Sometimes you have to take a cyber risk that is outside your comfort zone to keep up with your competitors in a dynamic world.

Define the behaviors you need, from ethics to teamwork to performance to innovation. Then and only then think about whether your organization’s culture provides reasonable assurance that those behaviors will be practiced.

If you don’t have that assurance, then do something about it.

If you do, continue to monitor the situation because culture tends to change with every new executive or acquisition (for example, Amazon and Whole Foods).

I welcome your thoughts.


A must read: Carillion, £5bn UK public company that failed, is pummeled in an official report

May 16, 2018


I have never seen such language from officials as was used to describe the situation at Carillion.

This corporate failure may lead to a revolutionary change in the external auditing profession in the UK, if not elsewhere. In addition, I would be surprised if the role of the external audit firms in providing internal audit services is not reviewed.

Here is some of the language.

  • Carillion’s rise and spectacular fall was a story of recklessness, hubris and greed.
  • Even as the company very publicly began to unravel, the board was concerned with increasing and protecting generous executive bonuses.
  • Carillion’s board are both responsible and culpable for the company’s failure.
  • The board was either negligently ignorant of the rotten culture at Carillion or complicit in it.
  • Richard Howson, Chief Executive from 2012 to 2017, was the figurehead for a business that careered progressively out of control under his misguidedly self-assured leadership.
  • Carillion’s accounts were systematically manipulated to make optimistic assessments of revenue, in defiance of internal controls.
  • Carillion treated suppliers with contempt
  • In failing to exercise professional skepticism towards Carillion’s accounting judgements over the course of its tenure as Carillion’s auditor, KPMG was complicit in them.
  • Deloitte, paid over £10 million by the company to act as its internal auditor, failed in its risk management and financial controls role.
  • The key regulators, the Financial Reporting Council (FRC) and the Pensions Regulator (TPR), were united in their feebleness and timidity.
  • reckless short-termism
  • The individuals who failed in their responsibilities, in running Carillion and in challenging, advising or regulating it, were often acting entirely in line with their personal incentives.
  • There is a danger of a crisis of confidence in the audit profession. KPMG’s audits of Carillion were not isolated failures, but symptomatic of a market which works for the Big Four firms but fails the wider economy. There are conflicts of interest at every turn.
  • I would not hire you to do an audit of the contents of my fridge
  • Auditing is a multi-million-pound business for the Big Four. On this morning’s evidence from KPMG and Deloitte, these audits appear to be a colossal waste of time and money, fit only to provide false assurance to investors, workers and the public.
  • no-one stopped directors “stuffing their mouths with gold”

Here are some references. Each is well worth the time reading. The Annual Report describes the company, the summary gives an idea of the background, and the parliamentary committee report will astound you!

I welcome your thoughts.

Is it a management or board failure when no action is taken on audit findings?

May 14, 2018

My good friend, Richard Chambers (President and CEO of the IIA), recently wrote about this in C-Suite Owes More Than Simple Awareness of Internal Audit Reports.

He cited several examples where an organization experienced a public failure even though the issue had previously been identified and reported by the internal audit team.

Richard then said:

Each of these instances provides an example of governance meltdowns fed by board and management inaction or indifference to internal audit’s work. Such instances, at best, frustrate practitioners who take seriously their task of providing assurance over risk management efforts. At worst, they can demoralize internal audit staff, thereby eroding the function’s effectiveness.

I have written about this, not so much as a governance failure but as a failure of internal audit to communicate!

When internal audit is seen as focusing on the mundane and burying any gems in a haystack of words, is it any wonder that management doesn’t look forward to internal audit reports? They don’t see them as a valuable source of insight and actionable information that is critical to their running of the organization.

In fact, the auditors should have already worked with management to agree on both the issues and the actions to be taken. The audit report is how resolution is communicated, not how change is encouraged.

This is the comment I left on the post.

Richard, while I agree that management and the board often fail to pay attention to issues raised by internal audit, it is necessary to ask whether internal audit did its job in communicating the results of its work.

  • When I see a report of 20 pages or more, I am not surprised that executives fail to read it promptly and act on its recommendations.
  • When I see an audit report with a table of contents, I am sure it will be read out of duty not because it has actionable insights.
  • When I see a report with recommendations and a management response, I see an internal audit team that has failed to work with management to agree on the correct actions to take.
  • When I see a report that talks about risks but not what they mean to the strategies and objectives of the organization I see a report that is unlikely to communicate what executive management and the board need to know.
  • When I see a report that says what IA wants to say rather than clearly and concisely tell leadership what they need to know, I put a lot of the blame on IA.
  • When I see an IA function that fails to sit down with leadership and have a discussion rather than rely on a formal, traditional audit report, I see one that does not have a seat at the table, one that is not a trusted advisor.

I could have said, but did not out of respect for Richard (for whom I have great respect): “Those who live in glass houses should not throw stones”.

How effective are your organization’s internal audit reports? I have a 34-page chapter on this topic in Auditing that Matters. This is how I closed that part of the book:

It is one thing to reach an assessment and develop our advice and insight. It is quite another to communicate that promptly, efficiently, and effectively to our stakeholders.

We are only effective when we not only perform quality work but provide the audit committee, executives, and operating management the information they need to be successful – when they need it, in a readily consumable and actionable way.

I welcome your comments – and please join the discussion on Richard’s blog.