Every year, the audit firms provide audit committees with their ideas of what the agenda should include in the coming year. Their ideas are usually good, although they typically (and understandably) focus on matters of interest to the audit firms. Each year, I have wondered (and blogged) why they don’t include any discussion of obtaining formal assurance from internal audit on the effectiveness of risk management.
This year, the publication from Deloitte is more interesting than usual. In their Audit Committee Brief, November/December 2014, they ask What’s on your agenda for 2015? They highlight:
- Effectively managing IT
- The audit committee report (as filed in the 10-K)
- Internal controls, in particular the focus by the PCAOB on material weaknesses and the work of the external auditor, as well as the update of the COSO internal controls framework
- Globalization and its effect
- Finance talent
- Risk oversight
- Tax considerations
Addressing the risk oversight issue first, Deloitte has made some progress this year. They make the important statement:
“Regardless of who in the company is in charge of risk, the most important consideration is that the company has a clear view of where risk monitoring and related activities are housed and that risk issues are being adequately covered.”
All of the topics in the Deloitte document are food for thought, but none more, in my opinion, than the topic of IT.
While Deloitte understandably focuses exclusively on the negative risk from technology (cybersecurity and so on), they make the excellent point that audit committees need to get face time with the CIO. I think it is an excellent idea for the CIO to attend every other audit committee meeting.
Deloitte suggests questions for the audit committee to ask about technology-related risk; I think additional questions should be considered, including:
- How do you assess and manage business risk relating to technology? Are you engaged with the enterprise risk management process?
- How much risk is enough and how much is too much?
- How do you determine how much to invest to address technology-related risks?
- Are you taking enough risk when it comes to new technology that might advance the business? How do you know? Who do you work with to assess whether and when to deploy new technology?
- How do you know that the IT function is delivering the value it should to the business?
- How involved are you with the company’s strategy-setting processes? Is this the right level of involvement?
I welcome your comments.
A short article in CGMA Magazine, Ingredients of an effective audit committee, caught my eye. I recommend reading it.
I think there are some key ingredients to an effective audit committee that are often overlooked. They include:
- The members have to read all the material for the audit committee meeting before the meeting. It’s amazing how often they don’t, which reduces the meeting to absorbing the material rather than a constructive discussion of its implications.
- The members have to be ready, willing, and able to constructively challenge all the other participants, including the external and internal auditors as well as financial, operating, and executive management. Too often, they are deferential to the external auditor (for reasons that escape me) and too anxious to be collegial to challenge senior management.
- They need a sufficient understanding of the business, its external context (including competitors and the regulatory environment), its strategies and objectives, risks to the achievement of its objectives, and the fundamentals of risk management and financial reporting, to ask the right questions. They don’t need to have a deep understanding if they are willing to use their common sense.
- They need to be willing to ask a silly question.
- They need to persevere until they get a common sense response.
- No board or committee of the board can be effective if they don’t receive the information they need when they need it. I am frustrated when I read surveys that say they don’t receive the information they need – they should be demanding it and accepting no excuses when management is slow to respond.
- Audit committee members will not be effective if they are only present and functioning at quarterly meetings. They need to be monitoring and asking questions far more often, as they see or suspect changes that might affect the organization and their oversight responsibilities.
What do you think?
I welcome your comments.
Michael Rasmussen, a.k.a. the GRC Pundit, is a friend whose intellect, integrity, and insights I respect. He and I, together with another friend, Brian Barnier, were the first three to be honored as OCEG Fellows for our thought leadership around GRC.
Michael and I have had many a debate on the topic of GRC. Michael brings the perspective of an analyst who works with many companies, helping them select and implement software solutions. That is his business: he refers to himself (GRC 20/20 Research, LLC) as a “buyer advocate; solution strategist; and market evangelist”. His latest blog, GRC Analyst Rant: Throwing Down the GRC Analyst Gauntlet, inspired me to write this one.
My background is very different, having been a practitioner and executive responsible for many of the business activities he supports – in other words, I might have been one of his customers. My focus is on helping business run better – and that frequently but not always involves the judicious use of technology.
Michael and I agree on a number of points, disagree on others. For example, I believe he and I agree that:
- The term ‘GRC’ is one that is interpreted in many ways.
- When I ask practitioners within a company what they mean when they use the term, most say it stands for ‘governance, risk, and compliance’ but cannot explain why anybody would use that term to describe the totality implied by the expression; they may wave their hands in the air and say “what does GRC mean? You know…. it means GRC”. They cannot explain why they don’t refer to governance, or governance and risk management, or risk management and compliance. Sometimes they talk as if GRC is something in the air, something related to the culture of the organization as much as anything else.
- When I ask people at the IIA, they say it stands for ‘governance, risk, and controls’; in other words, the totality of what internal auditors work on. I don’t personally see anything new in this, nor any value in using the term. In fact, using it with ‘controls’ instead of the more common usage of ‘compliance’ is only going to confuse.
- When I talk to software vendors, they either describe their software solutions (as if GRC is technology) or describe the business solutions that their technology supports.
- When I read papers from consultants, I find that if I substitute the phrase ‘risk management’ every time they say ‘GRC’, the piece makes more sense. In other words, they are usually talking about risk management but for some reason (some would say to hype the discussion) they use the term GRC instead.
- When I talk to the people at OCEG and those who follow OCEG and its definition of GRC, they use a definition that makes more sense. That definition adds value by emphasizing the needs for all parts of the organization to work together.
- GRC is not about technology. It is about (as I said last year) “how we can optimize outcomes and performance, addressing uncertainty (risk management) and acting with integrity (regulatory compliance and organizational values)”.
- The key to optimizing outcomes is for management (with board approval) to set the appropriate strategies, objectives, and goals, and then everything flows from there: managing risks to strategies, managing performance against strategies, and acting with integrity (which includes compliance with applicable laws and regulations) at all times.
- No technology vendor (not even SAP and Oracle, who have the greatest breadth and depth of solutions IMHO) has a complete solution that addresses all GRC needs. The last time I said that, in a September post, several vendors wrote to tell me they had everything. But, they simply didn’t. They have everything that they chose to call GRC, but none included strategy management, support for governance activities like board packages and whistleblower lines, risk management including automated and integrated key risk indicators, compliance training and monitoring, performance management, legal case management, and so on.
- The analysts like Gartner and Forrester have a business model where they need to define technology using buckets. But those buckets do not reflect what individual companies actually need, so their analyses and ratings may be interesting but may well steer organizations to acquire solutions (such as a so-called ‘EGRC platform’) that are not the best use of scarce resources. I would not advise any organization to base their purchase decision on an analyst rating of ‘GRC’, ‘EGRC’ or other made-up bucket of fish.
Where I believe we differ is that I do not advocate the use of the term ‘GRC’.
As I implied, if not explicitly stated, in my post last November, I believe that if the term ‘GRC’ is not dead (and apparently it lingers on), then it should be put to death.
I do not see the value in business people talking about GRC. I have said before and will say again, managers should look to fixing the processes they know need work.
For example, few organizations have effective processes for developing strategies and objectives at the corporate level, cascading them down throughout the organization so every individual knows what they need to do if the organization is to succeed, minimizing individual objectives that are not clearly necessary to corporate achievement, and then rewarding individuals, at least in part, for performance against those cascaded objectives. I have worked at several organizations where we were told what the corporate objectives were and asked to link our personal objectives to them. That is not the same thing. That is tying our personal objectives onto a branch of the corporate objectives, rather than making sure that all the roots of that corporate objective tree are healthy – even when we should be responsible for the health of a root or two.
Another example is the effectiveness of risk management. Most organizations practice enterprise list management at best (i.e., they manage a limited number of risks on a periodic basis), when mature risk management that is dynamic, iterative, and responsive to change, integrated into decision-making at all levels of the organization and into every aspect of daily operations, is essential to success.
Does using the term ‘GRC’ mean anything useful for internal auditors? No. They should continue to “up their game” from a focus on controls and risks that matter to operating management, to providing assurance and insight on organizational governance and risk management.
Effective GRC for OCEG means the integration, among other things, of strategy and risk management. But how many organizations do that well? How many executives receive and manage their area using an integrated report or dashboard that shows for each of their strategies both the current level of performance and the current state of related risks? How many executives see that not only have they accelerated up to the desired level of 100kph but are less than 100m from hitting a brick wall?
So here’s my recommendation to all: stop talking about GRC and start talking the language of the business. Let’s talk about how we can increase value to stakeholders, address potential obstacles and seize opportunities to excel, act with integrity and remain in compliance with current and anticipated regulations, and manage the organization to success.
Don’t try to fix GRC. Fix those parts of the business, those business processes, that are broken.
Good Riddance grC.
I welcome your comments.
Some say that risk management is effective when it has all the components described in their favorite standard (ISO 31000:2009) or framework (COSO ERM). (COSO ERM specifically states this as the requirement).
Some say that risk management is effective when all the principles in their favorite guidance are present and functioning. (ISO talks about its “set of principles that organisations must follow to achieve effective risk management.”) The principles are (from a consultant’s site that provides a high-level view of the standard):
- Creates and protects value;
- Is an integral part of all of the organisation’s processes;
- Forms part of decision making;
- Explicitly expresses uncertainty;
- Is systematic, structured and timely;
- Is based on the best available information;
- Is tailored to the organisation;
- Takes human and cultural factors into account;
- Is transparent and inclusive;
- Is dynamic, iterative and responsive to change; and
- Facilitates continual improvement of the organisation.
Some say that risk management is effective when activities are compliant with the organization’s related policies and standards. But are those policies and standards adequate?
Some will say that risk management is effective when the board, operating and executive management believe it adds value and are satisfied that it provides the information they require. I believe that has merit but they may be satisfied with less than mature risk management (that seems to be the case with many current organizations who are satisfied with enterprise list management, until they are caught short).
Some will say that risk management is effective when an independent assessment/audit/examination is performed and the report says so. The trouble is that the people who do such audits generally rely on one of the above criteria (components present, principles in operation, etc.)
I would like to suggest a different approach.
Let’s start by considering why organizations should have risk management. It’s NOT because laws and regulations mandate it (as they do in many cases). It’s NOT because people say you need it. It’s because effective risk management provides a level of assurance that an organization will not only achieve its objectives (or exceed them) but will set the best objectives.
Quoting from COSO ERM:
“Enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.”
COSO explains that effective risk management enables:
- “A greater likelihood of achieving business objectives”
- “More informed risk-taking and decision-making”
Irish guidance on the ISO 31000:2009 risk management standard says:
“The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.”
The Australian mining company, BHP Billiton, has a risk management policy signed by its CEO. It includes:
“Risk is inherent in our business. The identification and management of risk is central to delivering on the Corporate Objective.
- By understanding and managing risk we provide greater certainty and confidence for our shareholders, employees, customers and suppliers, and for the communities in which we operate.
- Successful risk management can be a source of competitive advantage.
- Risk Management will be embedded into our critical business activities, functions and processes. Risk understanding and our tolerance for risk will be key considerations in our decision making.
“The effective management of risk is vital to the continued growth and success of our Group.”
I like what E&Y has to say:
“An effective [ERM] capability provides value by giving organizations the confidence to take on risk, rather than avoid it.
“By effectively managing the right risks, management has more timely, comprehensive and a deeper understanding of risk which, in turn, facilitates better decision-making and confidence to take on new ventures or even to accept higher levels of risk.”
So we can see that, as the BHP CEO said, effective risk management is not only essential to the success of an organization but “can be a source of competitive advantage”.
For the last year or two, I have been saying that you assess the effectiveness of risk management by asking decision-makers at all levels whether the risk information is enabling them to make better decisions and be more successful.
In other words, assess risk management not by its structure but by its effect.
I still think that is a key test, but I am going to add a new dimension to my thinking.
Let’s consider a company that has significant foreign currency exposure. It does business globally so it has bank accounts in a number of countries and has both payables and receivables in different currencies.
There are a number of strategies for reducing foreign exchange risk, but to manage the risk effectively you need to know what is happening with rates as well as how your bank account balances, payables, and receivables are changing.
If this company can only understand its foreign exchange risk once a month (its monitoring of this risk is monthly because that is the only time it can obtain all the necessary information and calculate its exposure), the risk is much higher than if it has the processes, people, and systems to monitor its exposure daily or better.
However, the investment necessary to upgrade the risk monitoring from monthly to daily may be significant. The company has to decide whether the reduction in exchange risk that would result from upgrading risk monitoring justifies the additional expense.
Until it upgrades risk monitoring, there is a risk that the information provided by risk management is insufficient. Management needs to decide whether that is an acceptable level of risk.
If management decides that the level of risk is too high, then I would say that the risk management program is less than effective. It is not providing the information necessary for management to take the right risks. But if management decides that the level of risk is acceptable, then that would not prevent me from assessing risk management as effective.
Let’s take another situation. An organization is concerned about its reputation risk. It has engaged a company to monitor reputation risk indicators (using social media analytics) and report once each quarter. However, it is in an industry where customer satisfaction can move quickly and significantly.
Quarterly risk monitoring creates a risk that the risk management program is not providing the information necessary to manage risks to the enterprise objectives. As in the prior example, management will need to decide whether an investment in more frequent reputation risk monitoring is justified by the potential reduction in reputation risk (because it would increase the ability to respond to customer complaints, etc.).
If management decides that quarterly risk monitoring represents a risk outside acceptable ranges, I would say that the risk management program is less than effective. It is not providing the information necessary for management to take the right risks, and management has determined that this risk (the risk of a bad decision) is unacceptable.
One final example. The company has an excellent risk management framework, formal policies and procedures, processes, and enabling systems. However, in the last year the level of staff turnover among the champions of risk management in the executive ranks and among the risk officers themselves means that the experience of the individuals relied upon to monitor, understand, assess, evaluate, and respond to risks has diminished.
There is a greater likelihood than in prior years that risks will not be managed as desired, that the wrong risks will be taken, and that risk information that flows to top management and the board may not be reliable.
This is a deficiency in the operation of risk management and may represent a risk to the achievement of objectives because it results in less than reliable risk information on which decisions are based. If the risk is unacceptable, then until it is treated and brought back to within acceptable ranges I would say that the risk management program is less than effective.
So, where am I going?
If we revisit the objective of risk management, we see that we rely on it to provide management and the board with the information they need to run the business, make better decisions, and take the right risks.
But risk management is not and never will be perfect.
It is impossible to monitor every risk, including new risks, in real time and provide useful information – also in real time – to the people who need to act on it.
There will always be risk champions who are new to the company and who, because they do not yet understand the business and their risk-related responsibilities, will fall short in that respect.
There will be times when the people required to provide expert insight when assessing and evaluating risks are on vacation, sick, or otherwise unable to participate.
There will always be a risk that the risk management program fails to provide the information necessary for decision-making.
The key is whether that risk is known and is considered acceptable.
If the risk is acceptable, then I would consider the risk management program as effective.
That is not to say that the principles described in ISO 31000 are unnecessary, or that the components discussed in COSO ERM are not required. But those describe the structure of the program, and having the structure in place doesn’t mean the program is effective and produces the results necessary for the organization to succeed.
Bottom line: CROs and executive management should assess their risk management program (auditors can help) and determine whether the risk that it will provide insufficient information to run the business, make informed decisions, and take the right risks is at an acceptable level.
OK, I understand that this is a little complicated and a very different way of thinking about effective risk management. Does it make sense?
I welcome your views.
Being a leader means taking risks. Nobody leads if they sit in their office reviewing files and talking to their staff on the phone.
No, true leaders are people who are followed.
Who is followed? The leader that inspires you to grow and be fulfilled; the individual that people listen to and who is able to motivate change; the manager that listens to you more than he talks to you; the one that other leaders and people you respect look up to.
Any practitioner, whether staff or management, can be a leader.
But it takes being willing to take some risks.
Acknowledge what you don’t know and find ways to learn what you need to know.
Keep your mouth shut when you need to listen (which is the majority of the time) and only open it when you have something useful to say.
It means being willing to share your professional opinion based on business grounds without hiding behind professional standards or firm policies.
It means being willing to share both the bad and the good news, even when that will be unpopular or meet resistance from executives. (Why are we so reluctant to say things are done well?)
Everybody should be able to see the elephant in the room after we have given our report.
It means taking a new approach when that is better than what is “customary”, and showing the path to others.
Leaders don’t keep knowledge to themselves. They are open and willing, without bragging, to share and enable the whole team to grow.
A leader puts the priorities of others alongside or even ahead of their own. Your problem is their problem.
Leaders not only care about others but are known to care.
Are you a leader? Do you know how to improve your leadership skills?
I welcome your comments.
I have written often and with passion about the concepts of “risk appetite” and “risk tolerance”. In order of date, from earliest to latest:
- An effective risk tolerance, appetite, criteria, etc. statement
- A discussion of Risk Appetite by thought leaders
- Just what is risk appetite and how does it differ from risk tolerance?
- The tricky business of risk appetite: a check-the-box chimera or an effective guide to risk-taking?
- What is your risk appetite?
- New guidance on risk appetite and tolerance. I like some parts, disagree with others
I am drawn to write about this flawed concept yet again by two developments. First, a respected risk practitioner told me that he has found that in many banks (and presumably other financial services companies) the board agrees on risk limits and appetite statements with management, but those limits are not shared with everybody that has day-to-day responsibility for running the business and staying within desired levels of risk.
This is the primary area with which I have a problem when it comes to the idea of a risk appetite statement. Something that satisfies the needs of the board and top management to establish and monitor aggregate risk across the enterprise fails if it does not direct the actions of those people who are taking risk every day, not only in transactions but in decision-making.
Then, my good friend (and that is an honest statement with which I believe he will agree) Jim DeLoach of Protiviti penned a piece on risk appetite and tolerance for Corporate Compliance Insights.
Jim shares some truths:
“Risk levels and uncertainty change significantly over time. Competitors make new and sometimes unexpected moves on the board, new regulatory mandates complicate the picture, economies fluctuate, disruptive technologies emerge and nations start new conflicts that can escalate quickly and broadly. Not to mention that, quite simply, stuff happens, meaning tsunamis, hurricanes, floods and other catastrophic events can hit at any time. Indeed, the world is a risky place in which to do business.”
“Value creation is a goal many managers seek, and rightfully so, as no one doubts that successful organizations must take risk to create enterprise value and grow. The question is, how much risk should they take? A balanced approach to value creation means the enterprise accepts only those risks that are prudent to undertake and that it can reasonably expect to manage successfully in pursuing its value creation objectives.”
But then the discussion veers towards the too-common misperception that the only limit that should be set on risk is the upper level – a constraint that stops management from taking too much risk.
In fact, as Jim points out, companies will only succeed if they take risk: “a company may choose to drive growth through extending more credit to its customers, entering certain third-world markets or investing in a completely different line of business”.
So, it is important to ensure that not only does management not take on too much risk, but they do not act timidly and fail to take on the risk that will drive performance and value creation.
I know Jim well and have total confidence that he appreciates that companies need not only ceilings but floors on the levels of risk they should take (and not limit their risk criteria to quantitative factors) to ensure they are taking the right risks.
I just wish his paper focused less on the negative (with comments like “What ceilings are placed on capital expenditures, M&A activity, R&D and other investments? In what areas are there policy restrictions (e.g., avoidance of certain markets and use of certain financial instruments)?”) and helped organizations recognize when to take more risk.
I also wish that Jim brought into his pieces a greater appreciation of the perspective on risk and uncertainty reflected in the ISO 31000:2009 global risk management standard, instead of limiting himself to the concepts (some of which, like risk appetite, I believe to be flawed) of COSO ERM.
I welcome your comments.
Please see this related story about an internal auditor that recommended that the company consider taking on more risk.