PwC confuses boards on risk oversight

May 27, 2017 18 comments

I want to start with two admissions:

  • I worked for 10 years at PwC and still have friends and respect for many of the professionals there.
  • I am hopeful that the pending update to the COSO ERM Framework, written by PwC, will be a leap forward in the practice. In fact I am more optimistic about the COSO initiative than I am that the ISO 31000:2009 update will reflect current leading (that risk management is about disciplined risk-taking through informed and intelligent decisions).

Then I read the latest advice for boards from PwC on risk oversight.

Why your board should take a fresh look at risk oversight: a practical guide for getting started is hugely disappointing.

While the PwC team on the COSO project recognize explicitly that risk management is far more than a periodic review of a list of risks, the authors of the board governance report are on a totally different page.

For example, the report says:

“It’s helpful for the board and committee chairs to work together to ensure all key risks are subject to board-level oversight. Some boards find it helpful to use a risk allocation matrix, which extends the key risk summary that many boards currently receive. Some companies even show overall risk allocation graphically in their proxy statements.”

They are talking about a list of risks, not about the achievement of objectives.

The report has a useful discussion about whether the organization’s disclosures about risk are complete and sufficient to satisfy investors.

It also asks interesting questions about the competence of the board members in risk management.

But, the role of the board is not to second-guess management and perform their own identification and assessment of risk.

The role of the board is to ensure management has the capability to do this and is in fact doing it well.

Frankly, the PwC report advises boards in a way that will lead them all astray!

It suggests the wrong questions.

I have written about this before, but here are the questions I would ask the executive management team if I were on or advising a board:

  1. What does risk management mean to you? Is it something you have to do (for compliance purposes) or does it actually and significantly help you determine and execute on strategy? If the latter, please explain.
  2. How effective do you believe, Mr. or Ms. CEO, is the management of risk is? Does it give you a strategic advantage?
  3. How effective does your CRO believe it is (if you have one. If not what does the responsible executive think?)
  4. How effective does your internal audit team think it is? How did they assess it? If they didn’t, why not?
  5. How do you factor in the consideration of risk (“what might happen”) into the selection of strategies and objectives?
  6. How do you factor in the consideration of risk into the selection, planning, and execution of major initiatives? Where can I find it in the proposals you submit to the board for approval?
  7. How do you and your management team make decisions in the face of uncertainty?
  8. What is the likelihood of achieving each of our strategic and major operational objectives? How do you assess not only performance to date but anticipate what might lie ahead? What are you doing about the latter?
  9. How do you know all decision-makers are taking the desired amount of the right risks? Do you help them at the point of decision-making or only after the fact through risk reporting against risk appetite? Does what you are doing work?
  10. What are you doing to improve the ability to address and respond to likely future events and situations?

The conversation about risk management expertise is, in my opinion, misplaced.

Members of the board should, for the most part, be able as former executives themselves to assess the competence of the executive management team in addressing what might happen.

That doesn’t require skills and knowledge in risk assessment techniques.

It requires the ability to listen, challenge, and think about how the CEO and his/her team are managing the organization with an eye on the future that is realistic about what might happen and what to do about it.

I welcome your comments.

Risk management and thinking

May 20, 2017 7 comments

Last week, I was privileged to present what was billed as a “3 hour master class” on World-Class Risk Management to about 200 risk and internal audit leaders in Moscow.

Organized by Alex Sidorenko and the Risk Academy (check out their excellent web page, which includes blogs and a free book on effective risk management), I spoke about a couple of themes from my World-Class Risk Management book:

  • Effective risk management is about far more than a periodic review of a list of risks. It’s about taking the right level of the right risks, especially as we make decisions running the business.
  • The journey to world-class risk management involves understanding and addressing the risks to the quality of the risk information relied upon by decision-makers, executives, and the board.

The Risk Academy web site includes a link where you can see the entire presentation.

Alex treated me to a tour of the city, which I thoroughly enjoyed – especially the opportunity to chat and share ideas about the management of risk.

During our conversation, I realized something.

What do people say when you do something they think is wrong?

“What were you thinking?”

After you struggle to reply, they continue with:

“You weren’t thinking, were you?”


What do they mean? They mean that you weren’t thinking about the consequences of your actions, what might happen, and the other choices you could have made.

Isn’t that risk management?

  • Identifying what might happen
  • Assessing and evaluating the effects of what might happen
  • Determining whether that is desirable or acceptable
  • Taking action as appropriate, including making a different decision if necessary
  • Checking afterwards that what happened met your expectations and acting as necessary, going back to the top of this list (remember how ISO 31000:2009 says that risk management is dynamic, iterative, and responsive to change)

How can we help decision-makers think about what might happen?

Isn’t that the role of the world-class risk practitioner?

I welcome your thoughts.

Deloitte on internal audit and the path forward

May 12, 2017 36 comments

In a new paper, Deloitte takes the results of its latest survey of chief audit executives (CAEs) and makes recommendations for action.

The survey, which has been widely reported, indicated that in the opinion of the responding CAEs only 28% of them “believe their functions have strong impact and influence in their organizations, while 16 percent felt that Internal Audit has little to no impact and influence”.

I think the path to fixing the problem starts with acknowledging it, which Richard Chamber has done in a number of his IIA posts (which you can find here).

Deloitte has suggested 9 areas of focus.

I disagree with them.

Here are my suggestions for CAEs, audit committee members, and executives who want to help improve the quality and value of internal audit services.

  1. Audit what matters. Audit how risks to the achievement of enterprise objectives, what might cause them to fail and what is necessary to succeed, are managed. Richard Chamber and I have both written a book with advice on the path forward. Neither of us do it for the money; it’s our shared desire to see the profession advance. My latest book addresses this topic and more, Auditing that matters.
  2. Focus on helping your stakeholders succeed, rather than on performing audits and writing audit reports. Read Richard’s latest, Trusted advisors: key attributes of outstanding internal auditors. Ask what information your stakeholders need from you which could make them welcome you to their table.
  3. Communicate what matters, when it matters, in a way that is actionable and readily consumed. The advice on this topic from Deloitte is off the mark. I cover the point in far more detail in my book, including pointing out that IIA Standards do not require an audit report; that the best communication is face-to-face where questions can be asked and answered; and that we need to deliver our assurance, recommendations, and insights at speed. The business is being run faster and faster, yet our reporting process remains slow and old-fashioned.
  4. Understand why the CAE is not getting the respect he or she should. Is it a failure of the CAE to explain effectively or of the audit committee and management to understand the potential for internal audit to help them succeed? Is it because the CAE is complacent, delivering what he is told he should and being satisfied with good performance reviews and bonuses instead of pushing the envelope to deliver the services and value he or she could and should?
  5. Deliver. Last but hardly least, the CAE must deliver assurance and insights that the executive team and the audit committee truly value. Again, this is what my book is all about, but if the executives and audit committee see our end product as ‘ho-hum’ and not something that might affect their decisions or strategies, then is it worth the money being spent on internal audit? Why should they give respect and, more importantly, their time to an activity that is peripheral at best to running the business?
  6. Be willing to change. Some CAEs, such as Chris Keller at Apple, have thrown out the traditional internal audit model because they can see a better way to add value to the organization, providing assurance that the right risks are being taken. We don’t accept people in the business doing things the same way for years because that’s the way it is always done, so why should we do that ourselves?


I welcome your comments and perspectives.

How do we make decisions? Where does ERM fit?

May 8, 2017 4 comments

How do you make decisions in your personal life?

How do you decide where to live, which car to buy, and where to go for lunch?

For many of us, the last is the most difficult decision to make in a day!

So let’s think about it.


It’s lunch time. Even if your watch didn’t tell you, your stomach is loud.

The first decision is whether you are going to eat at all.

Can you afford the time? Can you afford not to eat, given what lies ahead in your day?

What can you get done if you skip lunch? What will suffer if you don’t?

Did you bring your lunch to work? That would provide a compromise solution: eat while you work. Do you really want to do that and risk getting stains on your papers? Is it accepted behavior or will you be forced to leave your workspace for a lunch room or similar – in which case, time might be saved but the idea of eating and working may not be achieved.

If you have to get some lunch, where do you go?

Do you go where you love the food, or where you can get a quick bite of so-so flavor and be back at work promptly, or do you go somewhere where the food is just OK but at least is relatively quick?

Or, do you gather up some colleagues and have a lunch together? This may help with team spirit and other objectives but would take longer. Maybe your colleagues ‘expect’ you to go with them and failing to do so will affect your relationship with them.

Can you afford the time, given how much work you have and the deadlines given you by your boss?


There’s more to the lunch issue (such as how will you get to the restaurant and when you should leave), but let’s leave it there.


What we did was consider our current situation and determine whether it was acceptable or not. We decided that it was not, because we needed (and wanted) to eat. The value of eating outweighed the loss of time (sorry, boss).

We then considered all the options, the benefits and downsides of each.

We made a decision.


Where was the risk manager with his list of potential harms?

Did we have a separate analysis of the risks from any analysis of the benefits (getting more work done, satisfying the boss, enjoying our food, and being ready for the rest of the day)?

What would you say if one of your colleagues responded to every suggestion about a restaurant by pointing out what could go wrong (bad food, food poisoning, delays getting back, unpleasant service, and so on)?

Would you say he or she was doing their job well and look for a separate colleague to identify and assess all the good things that might happen by going to this or that restaurant?


Can risk practitioners continue to be the voice of gloom and expect to be asked to join the CEO for lunch at his or her club?


I welcome your thoughts.

Risk appetite in practice

April 29, 2017 32 comments

From time to time, I am asked about the best risk management activity I have seen. Perhaps the best overall ERM was at SAP. I wouldn’t say it was perfect but it did include not only periodic reviews but the careful consideration of risk in every revenue transaction (including contracting) and development activity.

The best risk management activity was when I was with Maxtor, a $4b hard drive manufacturing company. It was based in the US but had major operations in Singapore, which is where I saw this.

The head of procurement for the region, a vice president, and his director were evaluating bids to supply the two Singapore plants with critical materials.

Margins in that business were not high, so the effective management of cost was very important indeed.

[David Griffiths has pointed out that my post, as originally written, did not specify the objectives to which we have risks. I am adding them here:

  • Procure critical materials at the lowest possible cost to optimize margins
  • Ensure timely delivery of critical materials to support manufacturing and timely delivery of finished products to customers with a positive effect on customer satisfaction
  • Minimize supply chain disruption risk
  • Ensure quality materials so that scrap and rework are minimized, manufacturing is not delayed, costs are contained, and customers are satisfied]

But, there were additional issues or ‘risks’ to consider:

  • The choice of a single vendor would increase the likelihood and extent of supply chain disruption if that vendor was hit by floods or other situations that could disrupt its ability to manufacture and deliver.
  • If we were dependent on a single vendor, that vendor could demand price increases.
  • If we were dependent on a single vendor, we could not switch with agility to another should the single vendor have quality manufacturing problems.
  • If the decision was made to select two vendors, the total cost would be likely to increase.
  • If two vendors were selected and the supply split between them, there would be less desire for them to make us a priority customer.
  • If only two vendors were selected, there would still be significant supply-chain disruption risk.
  • If more than two vendors were selected, additional agility would be obtained, but at a cost.
  • If more than two vendors were selected, they might be less reliable because they would be less dependent on us as a major customer.

Cost was not the only consideration. Quality, timely delivery, and our agility to respond to any form of disruption were also very important.

The procurement VP gathered together all the potentially affected parties to participate in the decision, including the vice presidents for finance, sales, manufacturing, and quality.

They considered all the options, the consequences of each decision (both positive and negative), and decided to select three vendors and split the allocation between them. They also decided to negotiate backup supply contracts with a couple of other companies.

The decision involved taking a higher level of some risks and lower levels of others.

Basing the decision on whether one risk was too high would not have led to the optimal overall result.

Now, how would a risk appetite statement have helped the VP of procurement?

I believe the answer is “not at all”.

What do you think?

I welcome your comments.

Risk management in review

April 21, 2017 5 comments

PwC’s latest Risk In Review study makes some very interesting points. It carries the title of “Managing risk from the front line” and I recommend downloading and reading it.

I like how it begins (with emphasis added):

Today a collaborative approach to risk management with risk accountability sitting squarely in the first line of defence can be the key to greater organisational resiliency and growth. That means an engaged first line that makes risk decisions in alignment with strategy. It means a proactive second line that influences decision making through effective challenge and timely consultation and collaboration. And it means a diligent, independent third line focused on its core missions of protecting the organisation and delivering value.

This recognizes that risk is being taken every hour of every day by decision-makers across the extended organization.

This is emphasized in a quote:

Melissa Lea, SAP AG chief global compliance officer, says that at her organisation, that direct connection is paramount. “We’re very first-line heavy. The more we can get risk responsibility out into the field—first into management’s hands and then to employees to make sure they’re armed with the right expectations to make the right decisions—the more successful we’ll be. We try to get people—either on the ground, in-country, or with the best lines of sight into how a particular risk might materialise—to really own that mitigation approach.”

Is the report perfect? No. For example, they still seem to believe that a risk appetite statement can drive the business decisions that take risk at all levels of the organization. I don’t.

They also don’t emphasize reporting to top management and the board the likelihood of achieving each and all enterprise objectives (i.e., the aggregate effect of risk, positive and negative in terms of the likelihood of success).

But let’s give them some credit for the pieces they got right and hope the emphasis on decision-making extends to the update of the COSO ERM Framework.

I welcome your thoughts.

Are your internal auditors present?

April 15, 2017 3 comments

If you want the internal audit team to address the risks that matter to the success of the organization, they have to know what they are.

I addressed this in detail in Auditing that matters.

In the section on Being Present, I said:

Some internal audit departments live in an ivory tower, part of a corporate organization that is at the center of the enterprise. While there are advantages in being at the center, with information flowing in and with access to corporate officers and executives, the disadvantage is that you may not know what is really happening in the business – where the front lines extend across the globe and the men and women in the trenches feel disconnected with the corporate bureaucracy.

I like to have my office in the headquarters area, but I put my staff where the action is. When business units are headquartered in other areas of the country or the globe, those are where I position my direct reports.

For example, at Tosco we had multiple refineries. Each was a major operation in itself, so I had staff located there. But, my director for the Tosco Refining Company was based at that division’s headquarters in New Jersey and the director for the Marketing Company was at their HQ in Tempe, Arizona. At Business Objects, we had a regional structure; I was at the California office, co-located with the CEO and CFO. But I also had staff in the Vancouver, Paris and Singapore offices, co-located with the Americas, Europe, and Asia/Pacific executives.

I require my direct reports to build a strong relationship with the management of the areas they are responsible for. They attend those executives’ staff meetings and have periodic one-on-one meetings with them. They are part of the local management team in some ways, dedicated to helping that part of the business succeed, although they retain their organizational independence and objectivity.

When they are present, when they are seen, they are able to listen.

My experience is that people will think of coming to you, whether to provide information or to seek advice, if they see you. If they don’t see you, the likelihood they will call on you is significantly diminished.

At Solectron, my team was scattered across the organization – again, to remain in touch with the pulse of the organization.

One of my team, Jeff Mullis, was based in Charlotte, North Carolina. On one of my visits to Charlotte, I arrived outside Jeff’s office a few minutes early for a scheduled meeting with him. As I neared his office, I heard voices inside. I waited outside while he finished the meeting he was having with two members of local management; it was clear that they had come to him for advice on an operational issue (he had been in local operating management prior to joining the audit team).

When they left and I entered his office, Jeff apologized for keeping me waiting. He asked if I had a problem that he spent time talking to local management like this rather than spending all his time on assigned audit engagements. My reply was to congratulate him!

I was very pleased that he had retained his connections with operating management and made himself available when they needed his advice and insight (that ‘magic’ word, again). He knew what was going on in the business, had his finger on the pulse, and as a result could not only be a more effective auditor but help the entire internal audit team understand the risks and opportunities across the organization.

If you want to address the risks that matter to the success of the organization, you have to do more than listen to the members of the board and executive management team.

You have to, using the words of Tom Peters, “talk to the janitor”.

The members of the audit team have to be where the action is, where the risks are being taken, and where the front lines are in manufacturing, sales, procurement, and so on.

How can we expect an occasional visit to help us understand what is really happening? Is it sufficient for the CAE or an audit manager to fly in once a quarter to talk to local management?

Let’s face it: most internal audit “findings” are where they find that what is happening in real life is different from what those in the ivory tower believe is happening.

I do not believe it is advisable to base the audit plan on input and advice from the top and then go audit to find out the risks are different, or at least managed differently.

The audit plan should reflect reality, not ivory tower beliefs.

How confident are you that your audit plan addresses the risks as they appear in the front lines?

Is that acceptable? If not, what are you doing about it?

I welcome your comments.