Those lists of greatest risks all miss the BIG one

March 1, 2019 14 comments

When something goes wrong, 99.999999% of the time it’s because somebody made a poor decision (at least in hindsight).

You ask the individual responsible, “What were you thinking?”

That is quickly followed by, “You weren’t thinking, were you!”


The BIG one, the root cause of failure and the greatest source of harm to any organization and its success, is the likelihood of a wrong decision that has major ramifications.

I discussed this in World Class Risk Management and extended the discussion in Making Business Sense of Technology Risk, where I made a distinction between strategic decisions (which include setting objectives and strategies) and tactical decisions.


We should be concerned if the likelihood of poor decisions, especially but not limited to important ones, is higher than we can tolerate.


What are the root causes of poor decisions?

There are many, including:

  • Poor framing of the decision
  • The wrong people making the decision
  • Relying on information that is not complete, accurate, or up-to-date
  • Not seeking all relevant information
  • Cognitive and other bias
  • Not including others that either have relevant information or who might be affected by the decision
  • Not considering all relevant options
  • Poor identification and assessment of what might happen, both good and bad, for each option
  • Failing to understand the ramifications of the decision when it comes to the achievement of enterprise objectives
  • Putting personal or team benefits ahead of those of the organization
  • Haste
  • Delay
  • Poor communications
  • Inadequate change management
  • Politics
  • Pressure
  • Incompetence
  • … and so many more


As you look at your own decisions, those of your team, your peers, your partners, and elsewhere across the extended enterprise, do you have reliable assurance that informed and intelligent decisions will be made?


What can and should you and others do about it?


I think there are roles for both risk and audit practitioners.


I welcome your comments.



The cyber heat map

February 24, 2019 23 comments

Vince Dasta of Protiviti makes a good point (pun intended – as will be explained shortly) in Cyber Risk Assessment: Moving Past the “Heat Map Trap”.

Here are a few excerpts:

  • Given the limits on time, attention and resources with which every cyber team must contend, risk assessment plays a critical role in helping set priorities and decide between options. Having a rigorous and accurate risk assessment process goes a long way in determining an organization’s cybersecurity performance.
  • Unfortunately, our observation has been that most cybersecurity professionals significantly overestimate the quality of their risk assessment programs. The common weakness? A reliance on what can be called “pseudo-quantitative” methods, in which risks, benefits and other factors are given labels or colors (such as red, orange, yellow and green) or ratings on an ordinal scale that run, say, from 1 to 5. These approaches have the veneer of objectivity but are actually highly subjective. The illusion of objectivity is all the more deceptive because of the frequent use of scientific-looking heat maps.
  • Monte Carlo simulations generate a probability distribution curve plotting the likelihood of a loss exceeding a certain amount.

Vince argues (quite well, IMHO) for a process that considers what might happen, identifies the various potential impacts should that happen, then uses Monte Carlo methods to develop a chart that shows the range of those potential effects.

In Making Business Sense of Technology Risk, I explain why even this would fall short.

For example:

  • Before you can assess whether the level of risk is unacceptable, you need to decide whether you need to take the risk in order to achieve business objectives. Looking only at the threat side of risk and reward will not lead to a quality business decision.
  • Using only monetary loss measures to ‘value’ the level of risk is not always meaningful to executives making business decisions. They need to be able to compare the need to invest in cyber to the need to invest in product development, marketing, the implementation of new technologies, acquisitions, and so on.
  • Boards and executives are (or should be) focused on achieving objectives. They will be able to make more informed and intelligent decisions if all the risks and opportunities are expressed in terms of their potential effect on the likelihood of achieving enterprise objectives.
  • Heat maps are focused on ‘risks’, assuming (incorrectly) that the level of risk is a point when in fact there is a range of potential effects, each with its own likelihood. Decision-makers should not focus on risks to avoid or mitigate but on the success achieved by taking the right risks.
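As an added illustration (my own code, not from Vince's article or the book), here is a Monte Carlo run that produces the loss exceedance curve Vince describes, next to the single ordinal rating a heat map would reduce it to, and the same result re-expressed as the likelihood of staying within what an objective can absorb. The breach frequency, loss distribution, thresholds and bucket edges are constructed assumptions, not figures from the post.

```python
import math
import random

# Constructed scenario, an assumption for illustration rather than figures from
# the post: breaches arrive at a Poisson rate of 0.8 per year and each one
# costs a lognormally distributed amount with a median of $400k.
FREQ_PER_YEAR = 0.8
MEDIAN_LOSS = 400_000.0
THRESHOLDS = (0, 250_000, 1_000_000, 2_000_000, 5_000_000)


def poisson(rng, mean):
    """Number of breaches in a year, sampled with Knuth's method."""
    limit = math.exp(-mean)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate(sigma, trials=20_000, seed=7):
    """Monte Carlo: simulated total breach loss for each of `trials` years.
    sigma sets how fat the right tail is; the median loss is the same either way."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson(rng, FREQ_PER_YEAR)
        losses.append(sum(rng.lognormvariate(math.log(MEDIAN_LOSS), sigma)
                          for _ in range(events)))
    return losses


def exceedance_curve(losses):
    """{threshold: P(annual loss >= threshold)}: one probability per level of
    loss, the curve a Monte Carlo assessment produces instead of a single cell."""
    n = len(losses)
    return {t: sum(1 for x in losses if x >= t) / n for t in THRESHOLDS}


def heat_map_rating(losses):
    """The 'pseudo-quantitative' alternative: collapse the whole distribution
    to one ordinal 1-5 score based on mean loss. Bucket edges are assumed."""
    mean = sum(losses) / len(losses)
    edges = (100_000, 1_000_000, 5_000_000, 25_000_000)
    return 1 + sum(1 for e in edges if mean >= e)


def likelihood_objective_met(losses, tolerance):
    """The framing the post argues for: the likelihood that breach losses stay
    within what the business objective can absorb (tolerance in dollars)."""
    return sum(1 for x in losses if x < tolerance) / len(losses)


if __name__ == "__main__":
    # Two scenarios with the same median loss but different tails: the heat map
    # gives them the same score, the exceedance curve shows they are not alike.
    for label, sigma in (("thin tail", 0.8), ("fat tail", 1.3)):
        losses = simulate(sigma)
        curve = exceedance_curve(losses)
        print(f"{label}: heat-map rating {heat_map_rating(losses)}, "
              f"P(loss >= $5M) = {curve[5_000_000]:.3f}, "
              f"P(within $2M tolerance) = "
              f"{likelihood_objective_met(losses, 2_000_000):.3f}")
```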

Even so, I commend Vince for his initiative to help organizations get a better handle on cyber and its potential effect on the organization.

I would like to see everybody considering cyber as just another source of business risk that needs to be weighed, with all other risks to objectives, when making strategic and tactical decisions.

I welcome your views (and comments on the book, once you have read it).

A management risk committee

February 17, 2019 7 comments

A couple of weeks ago, Jim DeLoach shared his views on effective [management] risk committees. I pretty much agree with what he had to say in NACD’s BoardTalk.

This, plus a question from a follower of this blog on the same topic, had me searching for the charter of the risk committee I established, with the strong support of the CEO, at Business Objects. Unfortunately, I couldn’t find it. But I can share some of the principles under which it operated.

The four members were all direct reports to the CEO and I served as staff and advisor. They included the executive vice presidents responsible for Product Development and Marketing (chair), plus the CFO and general counsel.

The committee was responsible for oversight of management’s processes and policies around the management of risk. This included being evangelists for the consideration of ‘what might happen’ in all major decisions of the business.

We spent most of our time working to reach a consensus on the major risks and opportunities that might affect the company’s objectives. The members each represented a very different segment of our business operations and it took their collective insights to see the big picture.

But, the full executive committee would then consider the assessments made by the risk committee, led actively by the CEO. In fact, in some respects the executive committee was the risk committee.

In any event, the committee did not last very long for the simple reason that the company was acquired by SAP.


How does your risk committee function?

Why does it exist?

What value does it deliver?

How does it integrate with discussions on strategy and performance?

New Book: Making Business Sense of Technology Risk

February 12, 2019 2 comments

I am pleased to announce that my new book is available on Amazon. You can find details on the Norman’s Books tab.

Making business sense of technology risk - cover

While I started my career as a financial auditor, I soon migrated to the IT world. I was an IT auditor, manager, and senior manager in public accounting and industry before crossing over to lead as a vice president a major portion of a large IT function (including information security and related activities).

As the head of internal audit for large public companies and later as chief risk officer, I worked with the executive management team and the board, providing assurance, advice, and insight on a number of areas, but technology was always a hot topic.

So while I was (at one time) a techie, my perspective for the last many years has been that of an executive and board advisor. In fact, at one company the chair of the IT committee asked me to attend its meetings to provide him and the rest of the members with my insights in addition to those of the CIO.

The question was always “what did we have to do, what decisions did we have to make, to enable the company to succeed?”

We should all be concerned about the failure of boards to understand technology-related risks and how they rate compared to other sources of business risk.

Much of the problem can easily be attributed to the failure of the technical management team to communicate those sources of risk in a way that makes sense to business management and the board.

Boards and top executives need actionable information that helps them understand how technology-related sources of risk might affect the objectives they are trying to achieve.

Simply providing leaders with a list of top risks or a heat map with prioritized information assets is not the actionable information leaders need.

This book provides my thoughts on how to bridge the divide between technical management and business leadership. After reviewing the major available frameworks (from NIST and ISO, with reference to FAIR as well), I share some key principles and advice on incorporating the consideration of technology-related sources of risk in decision-making and how to communicate in a way that provides the actionable information needed by leaders.

I hope you enjoy it!

Focusing board attention on management

February 9, 2019 6 comments

My good friend Jim DeLoach had two pieces published in January.

Both are full of good ideas and suggestions for boards, well worth reading.

They are:

  • Briefing The Board On Technology Matters

I differ from Jim and other advisors to boards on one paramount point.

Rather than trying to make sure themselves that everything is right, the board should focus its limited time on gaining comfort that it has the right management team in place, a team capable of getting things right.

The board only meets to discuss a limited number of topics a limited number of times each year. They cannot hope to run the company in a few board meetings, assessing new technologies or financial reporting.

Instead, they need to ask the questions that will help them assess whether they have reasonable assurance that management is making intelligent and informed decisions on matters like these – every day.

So, I think it’s better for the board to ask questions such as:

  • Are you, CEO, comfortable with the ability of the management team to identify, assess, select, and implement the new technologies that will advance the company? If so, why?
  • Are you, CEO, assured that intelligent and informed decisions are being made as a part of setting and executing on strategies, decisions that incorporate a solid understanding and appreciation of the full range of things that might happen and affect the achievement of objectives? If so, what gives you that assurance?
  • Are you, the management team, satisfied that the internal audit team is providing you (and us) with the assurance, advice, and insight we need to be successful? If so, why?

What does this mean for practitioners?

  • Provide the board with information on the adequacy of management’s processes and capabilities, not just on specific topics.
  • Be ready to provide your professional opinions not only on the processes but also on the people involved in running the organization. If people are not up to the job, it is wrong to sit and watch failures from the sidelines.

I welcome your thoughts and perspectives.

The positive side of risk

January 30, 2019 16 comments

Both good and bad things happen. Only managing the potential for failure, in my opinion, is a recipe for failure.

It is essential to consider all the things that might happen, both good and bad, if you are to achieve your objectives.


So how should we talk about the good stuff if we reserve the word ‘risk’ for the bad?


COSO and governance codes like King IV (South Africa) talk about ‘risk and opportunity’, where risk refers to the harmful effect of what might happen and opportunity is the positive side.

I have heard people talk about opportunity being the “other side of the coin” from risk.


ISO 31000:2018 refers to risk as ‘the effect of uncertainty on objectives’; the effect could be either positive or negative. (ISO does not provide a definition of uncertainty in this context. There are several dictionary definitions, few of which work in this context, but the one in Wikipedia is useful: “Uncertainty is a potential, unpredictable, and uncontrollable outcome.” That is consistent with my preference for talking about ‘what might happen’.)

We could use the ISO language, but is that useful when people generally see risk as bad?


If we can’t agree on what the terms risk and opportunity mean, how can we have a constructive conversation?


What does real life have to tell us?


Let’s take the fairly simple example of a CEO starting his day.

He is thinking about the problem that came up late the previous evening and how he should spend his morning.

His current schedule starts at 9:30 am with a 2-hour final review and approval of the company’s next generation product. The project leaders and his key direct reports are meeting in his conference room to confirm that it is on track for timely and quality completion. The product is essential to the success of the company over the next couple of years, especially as its competitors are likely to release similar products at about the same time as the company. A delay or functionality failure would be a disaster.

But, last night the CFO sent him an email with the updated forecast for the 4th quarter (Q4) and full year. Apparently, the company is expected to miss both the Q4 and annual revenue numbers (which he had shared with the analysts only a month earlier) by as much as $10 million. The CEO knows that will disappoint the market and the company’s share price will drop. In addition, his customers will see the shortfall and question whether they should move all or part of their business to a competitor that reports revenue and market share growth.

He knows he needs to understand the situation better. A meeting with both the CFO and the head of sales is needed, so he texts them both and asks that they meet in his office at 8 am.

The CEO is also thinking about what could be done to salvage the situation. He remembers that when he last talked to the head of sales, several large deals were being pursued. Perhaps he could visit a few of those customers; his presence and ability to make a deal might either increase the size of a deal or accelerate one from Q1 of next year into Q4.

The 8 am meeting sheds some light on the current situation. His questions elicit:

  • The CFO and head of sales believe there is only a 70% likelihood of achieving revenue goals.
  • There are several deals that are being negotiated, each with a different likelihood of success. Overall, the head of sales says that:
    • There’s a 15% chance that they will miss by $5 million or so. The CFO and CEO agree that this will disappoint the market and the share price will drop temporarily. A good Q1 could bring it back.
    • They could miss by $10 million or even more, and that is also 15% likely. The CFO and CEO deem that unacceptable as the share price would drop substantially and it could be several quarters before it recovered.
    • If the CEO joined him to visit three major customers, including one that afternoon, there is a good possibility that they will be able to bring some large deals to a close in Q4 and hit their numbers. The head of sales believes that the likelihood of hitting the numbers (or better) would increase to 90%, and the possibility of a $10 million miss would drop to only a few percent. The CEO would have to leave the office by 10 am as the customer is a 2-hour drive away.
  • The CFO advises that he should warn the market of the possibility of missing the previously announced numbers by the end of the week (just a few days away) – unless the forecast changes before then.


It is decision time for the CEO.

If he stays with the current schedule, the likelihood of missing the revenue numbers is unacceptable. The board will expect him to act, as long as he doesn’t offer a massive discount to close deals at the cost of Q1 results. In addition, large discounts would set expectations for similar discounts in the future.

But, if he postpones the project review he might avoid the revenue failure.

But, again, if he postpones the project review for a week while he chases revenue, there’s a chance (which he estimates at 20%) that it’s going in the wrong direction and it would take enormous efforts to bring it back.

On reflection, he changes his gloomy estimate from 20% to 5%, because it would only be a week’s delay and he should be able to catch any major defects before they turn into disasters.


So, he has to weigh all the possibilities and make an informed and intelligent decision.


He decides to ask his COO to lead the project review while he visits as many major customers as he can before the end of the week.

Both good and bad consequences may flow from this decision.


Do we call the good ‘opportunities’ and the bad ‘risks’? Should we call all the potential effects ‘risks’?

Certainly, one is not (IMHO) the flip side of the other.

It’s not as if you have either a risk or an opportunity, a good or a bad potential effect. The decision will have both.


I don’t care what you call them as long as you recognize that the potential effects of uncertainty can be positive, negative, or (most likely) both.


I welcome your comments, good and bad.

Hyperventilating about cyber – Part 2

January 27, 2019 2 comments

Today, I am going to share an excerpt from a draft of my upcoming book, Making Business Sense of Technology Risk.

I welcome your comments and feedback.



Is the level of concern about cyber merited? Should organizations and individuals be as worried about the possibility and consequences of a breach as they are advised by the consultants, information security pundits, and in news reports?


The answer is “it depends”.

The potential for harm is not the same for every organization, in every nation, and in every industry sector.

For example, when I was with Tosco Corporation as head of internal audit, I was worried about the possibility that a hacker might breach our cyber walls and get to the control system in one or more of our refineries’ process units. Whether by accident or on purpose, they could change pressure or temperature settings and cause a fire or explosion that would likely kill or severely injure a number of employees.

But gaining access to our corporate systems was much less of a concern. They might disrupt our business for a while, but any consequences of the breach would not be of a magnitude that would cause the organization to fail.

After Tosco, I joined Solectron Corporation. This was a contract manufacturer of electronic equipment such as phones, servers, laptops, telecommunications equipment and so on. While a breach would be annoying and disruptive, I cannot think of a scenario where it would cause the company to fail.

From Solectron, I went to Maxtor Corp. (the leading manufacturer of hard drives) and Business Objects (the leader in business analytics software). Both had intellectual property such as product design that gave them a technological lead in their markets. The theft of that intellectual property would be serious and could erode their advantageous market position and, eventually, market share and profits. Such consequences were of serious concern.


My advice is to focus less on how a breach might happen (after all, there are usually a number of vulnerabilities) and more on the potential consequences. In other words, don’t worry (yet) about which vulnerabilities might exist and be exploited. The effect may be the same whichever vulnerability the hackers exploited.

There will be a range of possible consequences, each with a different likelihood.

The next step is to work with business management to assess the effect on the business and the achievement of objectives. That is, in my opinion, the best way to determine the potential severity of a breach.

It is now possible to develop a chart that shows the range of potential breach consequences (the effect of a breach on the business) and the likelihoods of each level of consequence.

Management should consider whether there is an unacceptable likelihood that a breach could cause severe harm, to the point where the organization would fail to achieve its objectives.

There is always a theoretical possibility of a dire consequence. The question is whether the likelihood is so great that immediate action is required – and resources diverted from other business investments.

At the lower end of the range of consequences lie effects that would not cripple the business. But management should still consider whether there is too high a possibility of what some would call ‘death by a thousand cuts,’ where disruptions are so frequent that the likelihood of achieving objectives is severely affected.

But that is not enough.

Business objectives may be subject to multiple technology-related sources of risk and other business risks as well.

In order for executives and business leaders to make intelligent and informed decisions, they need to understand all the sources of risk.

Those responsible for assessing and communicating cyber risk need to work collaboratively with those handling other sources of risk to ensure decision-makers are provided the actionable information they need.


When looking at the big picture, is the likelihood of achieving enterprise objectives at an acceptable level? Is there an unacceptable likelihood of severe harm?

If so, drill down to the sources of risk that underlie the assessment. Analysis should be performed to determine where changes should be made (which may or may not relate to cyber). It all depends on the degree that the level of risk can be changed, the certainty of that result, and the related cost.

If the decision is made that the level of cyber risk needs to be changed, this is where I would consider all the vulnerabilities and the options for improving defense, detection, and response.

I would not pour resources into cyber simply on principle (because somebody assesses the risk as high) where it is not justified on business grounds.


It is important to understand what leaders need if you are to provide them with the information necessary for quality decisions. My advice is to give them both the big picture and the detail, and then they can work with the practitioner to refine reporting and communications.