Excellent advice for all of us involved in managing risk

January 9, 2019 11 comments

The International Federation of Accountants (IFAC) has published a first class document, Enabling the accountant’s role in effective enterprise risk management.

While it is focused on accountants, primarily in Finance, the explanation of the value and purpose of enterprise risk management should be required reading for boards, executives, and practitioners as well.

Frankly, I wanted to excerpt half the booklet, but here are some of the more valuable portions with highlights by me.

To add value, accountants [and the rest of us – ndm] need to be seen as risk experts who are outward-looking and provide valuable insights to manage risk in a way that supports their organizations in responding to uncertainty and achieving their objectives.

Business requires taking risks and seizing opportunities to achieve success.

The accountant’s [and everybody else – ndm] primary role in ERM is not solely to mitigate risk, but to promote and facilitate effective risk and opportunity management in support of value creation and preservation over time. This involves being focused on the benefits of intelligent risk-taking in addition to the need to mitigate and control risk.

ERM requires information and analysis that may indicate success or failure, and support decisions around potential courses of action.

The need for effective ERM has never been greater as organizations navigate complex and interconnected risks to their business models and operations.

The reality is that risk management is underdeveloped in many organizations; a reactive approach to risk management is currently the norm. Risk management is typically siloed rather than seen as a core competence and strategic asset. Consequently, risk management processes are ineffective and inefficient and not seen as adding value to decision making and responding to uncertainty.

To be effective partners and contributors to an organization, accountants need to understand the principles of risk management and how they can be implemented to manage opportunities and threats as part of the existing planning and control management cycle.

A challenge in effectively managing risk is that risk oversight and management are poorly understood, resulting in different interpretations and approaches, which depend on personal experiences, organizational role, and sector. For example, in financial services, or in managing financial performance, the measurement and assessment of risk has been a predominantly quantitative exercise designed to avoid loss or fraud. Since the financial crisis, this approach is recognized as being too narrow to adequately inform decisions and manage uncertainty. In other sectors, specific challenges such as health and safety or digital and cyber risk are predominant risk areas which ultimately shape the overall approach to managing risk.

The challenge that arises with applying risk management activities solely through a lens of risk mitigation is that it increases cost with little benefit to the organization’s resilience and success.

Risk management should sit at the heart of every organization. Effective risk management requires different parts of an organization and multiple processes to come together to understand collectively how the organization is exposed to uncertainty, and how this uncertainty may undermine the achievement of business objectives, and the opportunities for growth and innovation. It is about ensuring an organization is safe and resilient, but that it also continues to thrive.

Risk management is therefore fundamentally about making decisions in the context of uncertainty. It involves understanding the past, present and possibilities for the future. ERM processes involve identifying, assessing, and treating uncertainty and related risks and opportunities that could affect the outcomes of an organization’s objectives.

Ultimately, ERM gives the board and managers a better understanding of how risk affects the voice of strategy. It also provides confidence that all levels of the organization are attuned to the risks that can impact strategy and performance, and that these are proactively being managed.

An effective contribution to ERM involves enabling decisions and driving insights to decision makers. There are various elements to better supporting decisions in risk management. More informed risk-taking and decision-making requires high quality information about opportunities and risks and their implications. Ultimately, high-quality information is crucial to good decision making as it reduces uncertainty – and can support a higher risk appetite where appropriate.

The guidance misses one important piece of advice that I would share with any CFO (or board member, CEO, and practitioner).

That advice is that leaders of the organization, such as the CFO, need to lead everybody to understand risk management the way it is discussed by IFAC.


I welcome your thoughts.


Transforming risk management in 2019 and beyond

January 3, 2019 15 comments

I was thinking about a post for the New Year that would highlight the changes I would like to see in both practices and thought leadership around the management of risk, when I listened to a new video from my good friend, Alex Sidorenko.

Alex had been attending a risk management conference in Dubai led by another friend, Alex Dali. In this video, he shares a key takeaway.

The risk management leaders at this global conference said that there were two indicators of effective risk management.

The first is that business decisions are informed and intelligent (my words). The consideration of risk is integrated into the setting and then the execution of strategies through daily decisions.

My caution is that when we are talking about ‘risk’, we should be thinking about all the things that might happen, not only harms.

In fact, as I wrote in my last book, we should be avoiding the word ‘risk’ as management has a negative perception of it.

  1. Most think it only relates to harms
  2. Managers tend to think of risk management as a compliance activity

In fact, if we think instead about anticipating what might happen and making informed and intelligent decisions with that in mind, there will be a common purpose and understanding between practitioners and the leaders of the organization.

That’s the second set of indicators: a common understanding and language around risk.

My preference, which I will restate, is that we discard the technobabble of the risk practitioners in favor of using the language of the business. (Where everybody in a mature organization is comfortable with technobabble, then continue to use it – as long as it is not focused solely on harms.)

I come back to a Deloitte study from a few years ago.

Executives were asked whether risk management helped them set and then execute on strategies. Only about 13% said it made a significant positive contribution.

So, Alex, my vote for an indicator of success is when the leaders of the organization in the executive suite and on the board wholeheartedly answer the Deloitte question with a hearty thumbs up!


In 2019, let’s press the regulators, consultants, and other thought leaders to focus less on managing harms (especially in silos like vendor risk management) and more on helping those leading the business anticipate what might happen and make intelligent and informed decisions.


I welcome your thoughts.

Advice for audit committees and oversight of external auditor

December 15, 2018 5 comments

While it is clear that the role of the external auditor is important and that the audit committee is charged with their oversight, it is unusual to see advice on how that oversight should be discharged.

One of the reasons is that most of the advice given audit committees comes from the audit firms, and they are hardly likely to suggest that they are asked penetrating questions.

Another reason is surely political: who wants to upset the auditors?

I wrote two blogs on this topic, The effective audit committee and Evaluating the external auditors, which you may want to visit.


In my experience, both as the leader of internal audit functions and more recently as an advisor to organizations, audit committees fail to challenge the external auditors and ensure they are providing quality services at an appropriate cost.

Some of that may be because they see the auditors as having to be independent and don’t feel they should be questioning either their expertise or insight.

Both can be questionable and the audit committee needs to ensure that the auditors are doing the job they are paid for – well and at reasonable cost.


I want to bring my blogs up to date by talking about the external auditors’ work on SOX.


As you may know, I literally wrote the book for the IIA on SOX (now in its 4th edition). I also teach SOX managers and advise organizations on efficient and effective SOX compliance.

What I am hearing, again and again, is that the audit firms are NOT following PCAOB Auditing Standard No. 5 (since renumbered but unchanged) – which they are REQUIRED to follow.

The standard mandates that the scope of work is based on a top-down, risk based approach.

The only controls that need to be included in the scope and tested are those that are relied upon to detect or prevent an error or omission that is not only material but reasonably possible.

Instead, perhaps out of fear of being criticized by the PCAOB Examiners, the auditors are demanding (and that is the correct word) that management’s scope and work include areas where there is not such a reasonable possibility. The latest (but not only) fear-driven scope creep is around information security and cyber – and who has heard of a hacker altering the financial statements?

This is driving up both the cost of management testing and external auditor fees.


Why does this matter to the audit committee?

They are responsible for oversight of the external auditors.

When the auditors feel that they can do whatever they like, ignoring management’s comments that “there is no risk”, I have to feel that something is wrong.

I want the auditors to focus on areas where there is a real risk, one where there is a reasonable possibility of a material misstatement.

I don’t want them distracting management and consuming their limited resources.


Please, audit committee members, ask your audit partner whether his or her team are following a top-down and risk-based approach, and agreeing on the risks with management (and internal audit, as appropriate).

If the answer is unclear, I have to question their capability.


I welcome your comments.



Stop managing and start taking risk

December 9, 2018 10 comments

Don’t do that, the risk is too high!

You need to spend more money on cyber/fraud prevention/anti-money laundering/(fill in the blank) because there is a high risk of something really bad happening.

You can’t announce the new product/roll out the new system because it’s not ready. We haven’t fixed all the bugs.


The people who shout these warnings are focused on risk. If they see it as high, they see red. STOP signs. DANGER!



But, what about the people who are trying to get something done?

Do they see prudent, business-oriented people or do they see the boy who called wolf (from Aesop’s fable) or Chicken Little calling out that the sky is falling?

Do they see people who are helping them or getting in the way of running the business?


In a recent RiskMinds video (thank you for sharing, Alexei Sidorenko) Nassim Nicholas Taleb, who is famous for talking about black swans, tells us that there should be no risk management and we should be studying risk taking.

In fact, in his Amazon bio, he says he “spent two decades as a risk taker before becoming a full-time essayist and scholar focusing on practical and philosophical problems with chance, luck, and probability”.

I couldn’t agree more.

Focusing on avoiding hazards (things that might go wrong) is a recipe for failure. You only succeed in life and in business by taking the right level of the right risks.

It all comes down to helping leaders make informed and intelligent decisions. Informed means having as good information as you can about what might happen, both good and bad, on your way to achieving your objectives – whether your objective is to grow revenue or lose weight. Intelligent means involving the right people, considering your options, leaving your biases behind (see here), and taking the time to think things through.


Taleb is asked what he sees as the greatest risk. His answer (in my translation) is that when you are not taking risk intelligently (and that can mean steaming ahead through the shoals when the need requires) you are putting your future and its success ‘at risk’.


Unfortunately, most practitioners see their job as requiring them to call out that the sky is going to fall if we don’t delay/spend money/change our practices/etc.

A list of risks is not a list of ingredients for success.


What emphasizes the scale of the problem is that the interviewer doesn’t understand what he is saying. She doesn’t hear the point that we shouldn’t be making a list of risks but enabling better risk-taking. Instead, she wants his help to prioritize her list of risks.


In Risk Management, a recent article purports to guide information security practitioners on how to assess and manage the security of information. But nothing is said about understanding how a security incident could affect the business and the achievement of its objectives.

The author is managing data security risk, not helping people take the right level of cyber risk.

By the way, the only way you can eliminate cyber risk is by closing the business (and it’s questionable whether it is totally eliminated even then). The question for business leaders is how much cyber risk should they take; or, putting it another way, how much should they be spending on cyber defense, detection, and response?

These are business decisions, not risk decisions.


There are too many articles, frameworks, and standards that focus on managing risk, and not nearly enough discussion on taking the right risk (after weighing the consequences) through informed and intelligent decisions.


What do you think?

Why is internal audit not seen positively?

December 6, 2018 15 comments

One of the findings in a new report by Deloitte, their 2018 Global Chief Audit Executive research survey, is that only 33% of CAEs believe their function is seen positively.

This is awful, especially when you consider that this is the assessment by CAEs. I would assume management and maybe the board would not rate IA as highly as those responsible for the function.

The survey also found that while there has been an increase in the percentage of CAEs who believe they and their team have strong organizational impact, the new level (up from 16%) is still only 40%.

Again, this is the perception by CAEs.

Note that even some who believe they have strong influence do not think they are perceived positively.

Deloitte sees the solution to the problem as the use of new technologies.

I think that’s nonsense.

This is what I believe is behind the problem:

  1. Internal audit more often than not fails to address the more significant risks to the business as a whole.

Internal auditors and the work they do don’t matter (except to check the box). They are not contributing to the effective management of the risks that could cause the organization to fail to meet its key objectives, such as those relating to market share, revenue growth, margin improvement, and so on.

They are not auditing the risks and issues that are on the agenda of the executive committee and the full board.

They are not looking at what is being managed by the top of the house. Instead, they are auditing risks to processes and such. Risk-based, yes; but not enterprise risk-based.

Most of their findings, in the words of a former CEO and current chair of audit committees, are “mundane operational matters”.

CAEs should consider moving to an enterprise risk-based audit approach, as discussed in the UK Chartered Institute of Internal Auditors’ 2014 guidance and (in a more detailed fashion) in Auditing that Matters (2016).

One way to ask if any planned audit is mundane or potentially consequential is to ask “who would be concerned if the audit found that the management of the risks addressed and related controls were inadequate?” If findings would never merit the attention of the CEO or the full board, why is the audit on the audit schedule (excepting projects required by regulators)?

Stop asking what the risks to a business unit, department, location, or process are.

Start asking what could cause the organization to succeed or fail.

Stop auditing what used to be a risk and start auditing what will be a risk that needs to be managed this and the next period.

Now what can we do to help?

  2. Internal audit limits its work product to standard, formal audit reports. It does not provide the timely advice and insight it could, limiting itself to assurance reports after the fact.

In too many cases, IA does not work with management to agree on the risk when it finds issues and what needs to be done for the business as a whole – which could mean agreeing that taking the risk is appropriate. Instead, IA writes a report and flings it over the wall for management to respond.

In too many cases, IA delays communication of its assurance, advice, and insight for weeks or months.

If the results of the audit are consequential, management needs to know yesterday!

Communicate what leaders need to know, when they need to know it, in a way that is easy for them to absorb and act on.

According to Deloitte, about a third of CAEs take more than a month to issue an audit report. I’m not sure what value is created, although I am sure the cost is high.

There really aren’t more than these two points.

Of course, it takes the right CAE and team to audit and then communicate what matters.

Much more in the book.

BTW, if you are auditing the wrong stuff and communicating late and poorly, it really doesn’t help to have used advanced analytics or RPA.


What do you think?


I think it is time for the IIA to establish a task force to discuss how to turn this all around.



People still don’t know how to assess cyber risk!

December 1, 2018 7 comments

Why do the consultants keep advising management and the boards to consider cyber risk as if it is separate from all other business risks? Managing any single source of risk in a silo is almost certainly going to lead you to make incorrect, uninformed decisions.

Cyber is only one of many sources of risk that can affect the achievement of an enterprise objective, initiative, program, or project.

As I keep saying, it is not about managing risk – it’s about managing the organization and its success.

McKinsey published an article in November, Cyber risk measurement and the holistic cybersecurity approach. It’s an interesting piece, reflecting responses by some board members to a recent piece by them. For example, they quote people as saying:

  • “So far, we have not taken a big hit, but I can’t help feeling that we have been lucky. We really need to ramp up our defenses.”
  • “Digital resilience is one of our top priorities. But we haven’t agreed on what to do to achieve it.”

They also say, correctly:

  • Companies are rolling out a wide range of activities to counter cyber risk. They are investing in capability building, new roles, external advisers, and control systems. What they lack, however, is an effective, integrated approach to cyber risk management and reporting.
  • Boards and committees are swamped with reports, including dozens of key performance indicators and key risk indicators (KRIs). The reports are often poorly structured, however, with inconsistent and usually too-high levels of detail.
  • Most reporting fails to convey the implications of risk levels for business processes. Board members find these reports off-putting—poorly written and overloaded with acronyms and technical shorthand. They consequently struggle to get a sense of the overall risk status of the organization.

I especially like this:

At a recent cybersecurity event, a top executive said: “I wish I had a handheld translator, the kind they use in Star Trek, to translate what CIOs [chief information officers] and CISOs [chief information security officers] tell me into understandable English.”

But then they go down the silo path.

  • Working with top management and drawing on internal and external resources, the chief risk and information security officers create a list of critical assets, known risks, and potential new risks.
  • The chief measure of cyber-resilience is the security of the organization’s most valuable assets.

I know that this approach is consistent with guidance from ISO 27005: 2018 and NIST. But it focuses attention on information assets and not the achievement of organizational objectives and success.

Why can’t they ask a simple question:

If we had a cyber incident, how could it affect the business?

There’s going to be a range of potential consequences, each with a different likelihood. They could identify the level of harm that would be unacceptable and its likelihood.

But cyber is just one source of business risk!

It needs to be measured and discussed in a way that enables it to be considered alongside other business risks, such as legal, market, compliance, safety, culture, third party, and other sources of risk.

When management and the board are setting objectives and making strategic and tactical decisions, they need to see the big picture, all the things that might happen (risk). Looking at cyber and then looking separately at other sources of risk is simply wrong.

I fail to see why people think cyber is risk #1 when they are not assessing how it could affect the achievement of key business objectives. What is the likelihood that a cyber incident would cause the organization to fail to achieve its EPS, market share, and other targets?


A new piece from PwC is no better. How your board can better oversee cyber risk doesn’t have a single question about what would happen to the business if there were a breach! Instead, there is a focus on data and other information assets.


Until we consider cyber the same way we consider other sources of business risk, in terms of how an incident might affect enterprise performance, value creation, and the achievement of objectives, management and the board will continue to make uninformed decisions.


I welcome your comments.


Internal audit needs to perform in a way that matters to the board and top management

November 24, 2018 4 comments

This last year, I have been talking to conferences around the world (most recently in Singapore, but also in the US, Brazil, the Czech Republic, and Sweden) about Auditing that Matters. It is based on my book of the same name (which covers much more than I can address in an hour or longer presentation).

I don’t expect to be able to persuade everybody to change from traditional practices, but hope they will at least ask themselves:

  • “Why am I doing what I am doing?”
  • “Am I doing the work that I should, providing the assurance, advice, and insight my customers on the board and in top management need to be successful?”
  • “Do my work and the assurance, advice, and insight I share really MATTER to the board and top management? Is it helping them succeed?”
  • “Is there anything I can STOP doing to free up more time on issues that really matter to my customers?”

Have you asked yourselves those questions?

  • Are you continuing practices just because that is what you have always done?
  • Are you doing things just because policies and IIA standards require you to do them? Or because you think the audit committee or regulators expect you to do them?

If so, is that acceptable? Are those answers you would accept from an ‘auditee’ – someone who is doing things because that is how they have always been done?

Let me ask you another question: What are the (harmful) risks (things that might happen) that might prevent your organization and its leaders from successfully achieving its objectives in 2018 and 2019?

Now: Does your audit plan include projects designed to address how well management will be able to ensure those risks are managed at acceptable levels?

Or, are you continuing to perform audits where, should controls fail, the consequences would never rise to the level that they need to be discussed by the full board (because of the threat to corporate strategies) and require the attention of the CEO?

If you are doing work because you think the audit committee and regulators want you to do it, even though (should controls fail) it probably doesn’t really matter to the overall success of the organization, have you talked to each of these groups about what you could be doing instead and how that would add more value to them?

If the single most common root cause of control failure and of risks going beyond acceptable levels is people, are you addressing:

  • Whether there are sufficient, competent personnel to optimize performance?
  • Whether people know how to, and actually do, manage others effectively?
  • Whether individuals are trained and enabled to perform at their peak?
  • Whether leadership is respected and trusted?

Internal audit can help leaders with assurance that their people, systems, and processes are able to deliver the desired results – and advice and insight on how to improve them further.

But do we?

Do we take the time to sit down with our customers and have a two-way discussion about the business, our perspectives, and what we see – both through our audits and our ongoing observations of the business and its operations – even though it’s ‘only’ our professional opinion and we don’t have factual ‘evidence’ to support those opinions?

Or do we limit our communications to the audit report?

If so, you are only giving them a tiny bit of the insight and advice they need from you.


So, does your internal audit department really matter?

Would the success of the organization be in peril if internal audit disappeared? Perhaps some small frauds might not be detected and errors might be introduced that could have been prevented? But, would the consolidated P&L be materially changed?


I welcome your comments.