Posts Tagged ‘COSO’

A brave root cause analysis and how COSO might help

July 22, 2022 7 comments

I have been a big fan of the IIA’s magazine for a long time, having been both a contributor and a member of its editorial board.

A recent piece tackled a topic that I believe is important, not only for internal auditors but also for risk practitioners in an article titled, Digging Deep (available to IIA members).

The lead-in paragraph says:

Using COSO-based root cause analysis to connect reasons for control failures with internal control principles can help identify weaknesses across the organization.

Now I’m not sure the author understands that root cause analysis has nothing whatsoever to do with the COSO Internal Control Framework.

However, that COSO framework’s principles can point to some areas, such as competency and information, that can help understand the true root cause of an internal control failure – so the author just got the wording wrong.

She says this well:

Conducting a root cause analysis is a way internal audit can add value to the organization by looking beyond identified symptoms of internal control weaknesses to the underlying reasons for why they exist. Without an RCA, recommended corrective actions often fail to address the actual cause of a problem, and the issue may persist or evolve.

In fact, if the auditor doesn’t perform a root cause analysis it is highly likely that only the symptom is identified and addressed, rather than the underlying disease.

RCA should not be considered an additional step. It should be mandatory for every identified control weakness.

The author has a useful section on the different ways a root cause analysis can be performed.

  • Five Whys: Asking “why” five times to drill down to the true cause of a finding.
  • Pareto Chart: Presenting potential causes for the identified problems on a chart from the highest to the lowest frequency to focus on areas of improvement with the greatest impact.
  • Fishbone Diagram: Assessing potential causes grouped into categories (people, process/methods, equipment, materials, measurement, environment) to establish a relationship with the identified problem.
  • Scatter Plot Diagram: Testing correlation between variables by plotting potential root cause (an independent variable) against the effect (dependent variable).

I would add a caveat: whichever method you choose (I prefer the first), you have to keep inquiring until the true root cause is identified.

In other words, you may have to ask “why” six, seven, or more times until you are satisfied that the root cause has been identified, and only then can corrective actions be considered.

Consider this. An audit or review has identified that reconciliations are not being completed on time.

  1. Why? Because people are too busy.
  2. Why are they busy? They have too much work to do in other areas and the reconciliations are lower priority tasks.
  3. Why do they have too much work? People have left and not been replaced.
  4. Why have they not been replaced? The manager has not been able to fill the positions.
  5. Why hasn’t he been able to fill the positions? Candidates are asking for too much money, more than the company can offer.
  6. Why is the company not able to offer sufficient compensation? Because the Human Resources department mandates a salary and bonus range for these positions that is lower than candidates with the required experience and ability demand.
  7. Why…..?

And on it goes until the true root cause, which in this case is in a different department than the symptom, is identified.

The other three methods (Pareto chart, Fishbone diagram, and Scatter plot diagram) may not be sufficient. For example, you may identify a common point of failure for multiple control issues. But then you have to ask “why” several times to get to why that cause existed.

Where the article goes astray is in its attempt to list ‘common root causes’ for deficiencies in particular areas. If you have been able to access and read the article, you will see what I mean. We can set aside the rest of that article.

So are there common root causes?

I would start with the principle that holds true in 99.99% of cases: the root cause is people related. It may be:

  • Controls are performed by people with insufficient training, experience, or competency (addressed by a COSO principle). The author has identified competency weaknesses and lack of training as common root causes, but they are not root causes. The auditor needs to ask why these conditions exist. Why didn’t competent people get hired? Why wasn’t adequate training provided? Several more whys may be needed before the true root cause is identified.
  • Controls are performed by people who have not received the information they need to do their job well (another COSO principle). Again, the article just says the common root cause is insufficient internal communication. But why did that happen? And why, and why, and why.
  • Management is lacking in some way, whether it is in how people are directed, how they are motivated, or some other issue.

Take one example from Auditing that Matters. Loretta Forti is our heroine, conducting an audit that focused on the timeliness of approval for capital expenditures (Authorizations for Expenditures, or AFEs).

I had asked her to perform an audit of the AFE process after I discovered that expenditures with a very high ROI were taking so long to be approved that the opportunity passed!

It was relatively easy to find out how the process worked. Once a month, the division CFO gathered all the Vice Presidents and they collectively reviewed all the AFEs and the analysis prepared by Mike Passaretti and his team [the Capital Expenditure department]. They would take about half a day to discuss them and decide which they would propose should move forward and what the priority was for each.

The next meeting, typically the following day, was with the division CEO, Bob. The CFO and all the Vice Presidents would review with Bob the AFEs they believed should go forward. When he felt that the total was too high or disagreed with the VPs’ recommendations, the executives had to debate which would be approved, which might be deferred, and which would be declined. This meeting also took a half-day on average.

Because of the intense review and approval process, each executive was careful to ensure all the AFEs they proposed had complete and accurate analyses included in the package. Mike and his team were equally careful with their review and analysis. This all took time.

It was clear to Loretta, as it was to all the Vice Presidents and the CFO, that the process was too long, consumed far too much executive time, and often cost more than the spending itself (if you count the cost of the VPs’ time)!

The question was why the process was this way.

The CFO and VPs all agreed, usually with language they wouldn’t use with children around, that they hated both the all-VP meeting and the meeting with Bob. They said they didn’t have the time to spare and asked for our help to get the process – both time and cost – under control.

Loretta and I met to talk about what we were to do. Rather than share my opinion, for once I did the smart thing and asked Loretta for her opinion.

At first, she didn’t know what to say. But as she realized she could say what was on her mind, and with some gentle guidance from me, she said it: the CEO was the problem. He was the only one who wanted these long and expensive meetings. Only when he was persuaded to change his mind could it be changed.

I knew Bob quite well, having worked with him before he moved into his current position with the company. He was one of the executives with whom I met frequently to discuss the business and he had shared a number of confidences with me.

I was sure that he would listen to Loretta, and I suspected he would find it easier to understand himself if he met one-on-one with her. Either a formal meeting with the CFO present or a larger meeting with the three of us (Bob, Loretta, and me) might make it harder for him to look in the mirror.

And so it was. I persuaded him to meet with Loretta and she, in turn, trusted me when I told her she would not only be safe but would enjoy herself.

I admit that I was a little nervous as I waited in my office for Loretta. Then she appeared in the doorway, all smiles!

She told me that the meeting went brilliantly. Bob was charming, as usual, and showed great respect for her – even though she was ‘only’ a manager. He let her explain what she had found and that the long process was preventing timely investment to seize market opportunities. In addition, not only was it consuming a lot of expensive executive time, but it was taking them away from running the business.

This was critical, explaining the issue in terms of how it affected the business and its success. Auditors who talk in their language (what I call “technobabble”), rather than the language of the executives they are attempting to inform or persuade (which is the objective of an audit report) are unlikely to succeed.

Loretta said that Bob responded with silence, clearly thinking about what she had said.

Then he shocked her by telling her that he was the problem. He recognized that his insistence on discussing and approving every AFE could not continue. Bob told Loretta she had done an excellent job and that he would like to talk to me.

When I met Bob later that week, he repeated his praise for Loretta. Then he asked for my opinion. Again I was smart and didn’t give him my opinion straight away. Instead, I asked him why he wanted to approve every AFE.

After a short hesitation, he said that perhaps he should only approve major capital expenditures instead of every one. I concurred, saying that was what I was used to and would advise.

But I kept at it. Why had he insisted on approving every AFE? This was not what he had done in his previous positions with the company, nor was it what he had been used to when working directly for Tom O’Malley – a consistent and effective delegator.

Then he looked again in the mirror and saw his true self.

“Norman, I can see now that I didn’t trust my direct reports enough to make these decisions!”

We talked about this for a while. Either he had the wrong people in these key positions, in which case he needed to replace them, or he needed to trust the people he had and delegate more effectively. He didn’t hesitate before saying he had excellent people; he just had to let go, take a little more risk, and trust and delegate.

For the next couple of weeks, Loretta and I had a trail of VPs visiting us to express their thanks for Loretta’s great work. Bob had changed the entire process, with new delegations of authority such that the VPs could approve most AFEs, the CFO would have to approve all over a certain value, and Bob was only involved in truly major capital expenditures.

Going back to the statement I made earlier, that PEOPLE are almost always the root cause in one way or another: root cause analysis may surface some ugly truths.

It can take a lot of interpersonal and even political skills for the auditor (with the CAE’s active assistance) to discuss the issue and root cause with management, obtain their agreement on the facts, and work with them on the appropriate corrective action.

They are often unable or unwilling to face those facts.

Consider situations where:

  • A manager is a poor leader, failing to delegate, motivate, inspire, etc.
  • The employee charged with performing the control has too much work and management is unwilling to hire additional staff.
  • A manager is unable (or perhaps incapable) of persuading more senior management that there is a need to address a risk, to hire more people, to change direction, etc.
  • People are talking in different languages, such as senior management and the cybersecurity staff.
  • The company’s systems are old and need to be replaced at a cost of tens of millions, which is not in the budget.
  • The CEO is a bully and gets his direct reports to compete instead of working together.
  • The Marketing team distrusts the people in the front lines, and therefore loses touch with the needs and wants of the customer base.
  • The manager is biased against individuals who don’t look like him or her, creating a hostile environment and failing to get the best out of employees.
  • The culture established and reinforced by management’s actions discourages creativity and risk-taking, and stifles performance.
  • Management is not trusted or respected.
  • People are motivated to achieve their personal performance goals rather than what is best for the organization.

A root cause analysis that is not afraid of identifying and reporting people failures is essential.

The COSO principles are useful, but they are insufficient. Only some of the bulleted situations above are covered by them.

I am reminded that the former CEO of GE, Jack Welch, was once asked what problems he faced every day. His answer was:

  1. People
  2. People
  3. People

They are the root of (almost every) control failure.

We need to be brave to see and help others see the true situation.

I welcome your thoughts.


The Woeful State of Enterprise Risk Management

July 14, 2022 15 comments

My thanks go to Professors Mark Beasley and Bruce Branson of North Carolina State University’s Poole College of Management (the Enterprise Risk Management Initiative).

They recently published 2022 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices – 13th Edition.

I believe this is their best edition and thank them for the detail it includes.

The information has value, but it is very important to understand that the survey on which the report is based was sent only to current members of the AICPA (in other words, CPAs). What they have to say is likely to be very different from what a CEO, COO, or other business executive would say. It is also likely to be different from what a board member would say.

Data was collected during the first few months of 2022 through an online survey instrument sent to members of the AICPA’s Business and Industry group who serve in chief financial officer or equivalent senior executive positions. In total, we received 560 fully completed surveys.

A variety of executives participated in our survey, with 21% of respondents having the title of chief financial officer (CFO), 18% serving as chief risk officer (CRO), 6% as controller, and 8% leading internal audit, with the remainder representing numerous other executive positions.

The respondents represent a broad range of industries. Consistent with our prior year survey, the four most common industries responding to this year’s survey were finance, insurance, and real estate (27%), followed by not-for-profit (28%), services (21%), and manufacturing (10%). The mix of industries is generally consistent with the mix in our previous reports.

The respondents represent a variety of sizes of organizations. As shown in the table on the next page, 47% of organizations have revenues $100 million or lower while 30% have revenues over $1 billion. So, there is nice variation in organization size in our sample. Almost all (89%) of the organizations are based in the United States.

My intuition says that they are more likely to be positive about ERM at their organization, as well as being more risk averse than other executives in operating management positions.

Their introductory statements are solid, and I am pleased to see them recognize the need to take risks and exploit opportunities. (The emphasis below is mine.)

Many business leaders and other key stakeholders are realizing the benefits of increased investment in how they proactively manage potentially emerging risks. This is done by strengthening their organizations’ processes surrounding the identification, assessment, management, and monitoring of those risks most likely to impact – both positively and negatively – the entity’s strategic success. They are recognizing the increasing complexities and real-time challenges of navigating emerging risks as they seek to achieve key strategic goals and objectives.

Many organizations are recognizing the need to enhance the formalization and robustness of their risk governance processes. Boards and C-suite executives of these organizations have embraced the concept of enterprise risk management (ERM), which is designed to provide an organization’s leadership a top-down, strategic perspective of risks on the horizon so that those risks can be managed proactively to increase the likelihood the organization will achieve its core objectives.

However, even these CPAs are saying that current risk management practices are failing to deliver.

The professors ask: “To what extent do you believe the organization’s risk management process is a proprietary strategic tool that provides unique competitive advantage?”

  • Not at all – 37%
  • Minimally – 26%
  • Somewhat – 25%
  • Mostly – 9%
  • Extensively – 3%

That’s pretty awful!

This is what they say about the “Strategic Value of Risk Management” (with my highlights):

  • Less than 20% of organizations believe their risk management processes provide strategic advantage. This is surprising given most leaders understand that risk and return are inseparable [Marks: it’s not much more than 3% and not close to 20% according to their own numbers.]
  • Organizations continue to struggle to integrate their risk management and strategic planning
  • Except for financial services organizations, most organizations are not emphasizing the consideration of risk exposures when management evaluates different possible strategic initiatives or when making capital allocations.
  • Most organizations do not formally articulate tolerances for risk taking as part of their strategic planning activities.
  • There is noticeable room for improving ERM processes to help manage risks impacting reputation and brand.
  • There are opportunities to reposition an entity’s risk management process to ensure risk insights generated are focused on the most important strategic issues.

They say this about the “Overall State of Risk Management Maturity”:

  • While progress has been made in implementing complete ERM processes, more than two-thirds of organizations surveyed still cannot claim they have “complete ERM in place.” [Marks: and those that do are not saying that their ‘complete ERM’ is effective!]
  • Large organizations and public companies are more likely than other organizations to report a complete ERM process.
  • The level of robustness and maturity of risk management oversight remained relatively steady with the prior year; however, fewer than half of respondents describe their organizations’ approach to risk management as “mature” or “robust.”
  • Just over one-half of the public companies surveyed do not describe their risk management processes as robust or mature. Non-profit organizations are less likely to have structured risk management processes relative to other organizations.

They also point out that “Many organizations are concluding that their approaches to business continuity planning and crisis management are not at the level of preparedness desired, with almost three-fourths indicating significant changes in those processes will occur”.

The report has a number of important tables. I have highlighted a few points.

Description of the State of ERM Currently in Place | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations
No enterprise-wide risk management process in place | 15% | 2% | 2% | 6% | 14%
Currently investigating concept of enterprise-wide risk management, but have made no decisions yet | 10% | 3% | 2% | 6% | 10%
No formal enterprise-wide risk management process in place, but have plans to implement one | 8% | 3% | 4% | 4% | 10%
Partial enterprise-wide risk management process in place (i.e., some, but not all, risk areas addressed) | 34% | 36% | 35% | 36% | 38%
Complete formal enterprise-wide risk management process in place | 33% | 56% | 57% | 48% | 28%

Many are reporting that they have a “complete and formal” ERM process in place, but at the same time they are not saying that it is delivering the value it should. They are also saying it is not robust (see the next table).

I believe that these people don’t understand the need for ERM to inform both strategic and tactical decision-making. They are satisfied with what they have (a list of risks, which is often quite short and only occasionally updated, according to the survey), even if it fails to help the organization achieve its objectives.

What is the level of maturity of your organization’s risk management oversight? | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations
Very Immature | 13% | 3% | 5% | 5% | 15%
Developing | 22% | 14% | 11% | 17% | 29%
Evolving | 35% | 39% | 39% | 43% | 33%
Mature | 25% | 36% | 37% | 29% | 20%
Robust | 5% | 8% | 8% | 6% | 3%

If only a handful of the CPAs in the survey see ERM as “robust”, and 18% of them are CROs, what would the heads of manufacturing, sales, and marketing have to say?

Description of the Current Stage of ERM Implementation | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations
Our process is systematic, robust, and repeatable with regular reporting of top risk exposures to the board. | 39% | 70% | 70% | 52% | 35%
Our process is mostly informal and unstructured, with ad hoc reporting of aggregate risk exposures to the board. | 28% | 16% | 11% | 28% | 31%
We mostly track risks by individual silos of risks, with minimal reporting of top risk exposures to the board. | 18% | 13% | 17% | 12% | 17%
There is no structured process for identifying and reporting top risk exposures to the board. | 15% | 1% | 2% | 8% | 17%

So 70% of large organizations and public companies report at the highest level in the table above, but they don’t say the same in the next table.

Extent to which the organization’s ERM process formally identifies, assesses and responds to emerging strategic, market, or industry risks | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations
Extensively | 14% | 22% | 26% | 19% | 9%
Mostly | 31% | 41% | 42% | 37% | 27%
Somewhat | 27% | 28% | 23% | 21% | 33%
Minimally | 14% | 7% | 7% | 17% | 11%
Not at all | 14% | 2% | 2% | 6% | 20%

The next two tables demonstrate what I have believed for a while. Top executives don’t see the value of ERM as it is practiced at their organization (or believe it will be practiced if additional resources are provided).

Percentage of respondents indicating that each of the following “Mostly” to “Extensively” is impeding risk management progress | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations
Risks are monitored in other ways besides ERM | 29% | 28% | 18% | 30% | 24%
Too many pressing needs | 16% | 27% | 26% | 19% | 19%
No requests to change our risk management approach | 19% | 17% | 23% | 12% | 21%
Do not see benefits exceeding costs | 13% | 17% | 12% | 15% | 12%
No one to lead effort | 12% | 9% | 12% | 7% | 16%
Would overcomplicate what can be best done ad hoc | 11% | 8% | 9% | 17% | 8%

Percentage of respondents who describe each of the following as being a “barrier” or “significant barrier” to effective ERM | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations
Competing priorities | 44% | 35% | 36% | 47% | 50%
Insufficient resources | 43% | 41% | 40% | 43% | 52%
Lack of perceived value | 28% | 31% | 27% | 25% | 29%
Perception ERM adds bureaucracy | 24% | 25% | 23% | 21% | 26%
Lack of board or senior executive ERM leadership | 21% | 18% | 19% | 16% | 22%
Legal or regulatory barriers | 6% | 3% | 4% | 6% | 6%

As the authors say:

Some of the overall reluctance to embrace ERM across an organization may be due to a lack of understanding and knowledge of what an enterprise-wide risk management process actually entails relative to traditional approaches organizations use to manage risks. ERM is a relatively new business paradigm that business leaders are hearing about but may lack an understanding of how it might help them achieve their strategic objectives.

On the other hand, at least more people than I would have thought realize risk is not just downside.

The definition of “risk” focuses | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations
Both on “upside” risks (risk opportunities) and “downside” risks (threats to the organization) | 60% | 58% | 54% | 63% | 68%
Only on “downside” of risks (threats to the organization) | 39% | 41% | 44% | 36% | 31%
Neither | 1% | 1% | 2% | 1% | 1%

The table below shows that the speed and volatility of risk are certainly not being addressed.

Frequency of Going Through Process to Update Key Risk Inventories | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations
Annually | 41% | 57% | 55% | 43% | 41%
Semi-Annually | 10% | 12% | 13% | 9% | 11%
Quarterly | 16% | 14% | 20% | 21% | 15%
Monthly, Weekly, or Daily | 7% | 9% | 7% | 11% | 5%
Not at all | 26% | 8% | 5% | 16% | 28%

As I said in the title, the report indicates that current practices around risk management are woeful.

We need to change everything, including the guidance from the various consultants, risk institutes, COSO and ISO (sorry, advocates), to help lead practices away from management of risk (doom management) and towards the informed and intelligent risk-taking through quality decisions that will enable the achievement of objectives (success management or, more simply, effective management).

Unfortunately, the professors failed to ask what might be the most important question:

Does risk management at your organization help you and others understand what might happen so you can make the informed and intelligent decisions necessary for success, taking the right level of the right risks and exploiting appropriate opportunities?

Maybe this will be in the 2023 edition! One can only hope.

What do you think?

Useful work by COSO on managing at speed misses the point

March 14, 2022 3 comments

I enjoyed COSO’s latest publication, Enabling Organizational Agility in an Age of Speed and Disruption. This is how COSO described it:

As radical change transforms the world we live in, organizations should regularly align their enterprise risk management (ERM) process with the current business environment and their strategic goals, according to new guidance issued today from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Enabling Organizational Agility in an Age of Speed and Disruption is intended to serve as a guide to help organizations succeed by being more anticipatory, agile, and adaptable. The guidance highlights many of the COSO ERM risk principles and how they relate to an agile business environment, and numerous ways are identified that show how the COSO ERM principles link to agile approaches.

Frankly, while COSO has to support its own ERM framework, the important message in the document has little, if anything, to do with developing and maintaining the risk inventory (another term for a list of risks) advocated in the COSO framework.

I suggest reading the publication and setting aside the references to COSO ERM.

In fact, the overall message is correct and is quite different from maintaining a list of risks, even if that list is linked in some way to strategic objectives. To quote again:

As radical change transforms the world we live in, organizations should regularly align their enterprise risk management (ERM) process with the current business environment and their strategic goals.

The way to do this, IMHO, is to recognize that when organizations are moving at speed and with agility, they have to make decisions at speed. It also means being willing to take more risk – because it is justified on business grounds.

If you want your speedy decisions to be right (given constraints), you need quality, reliable, current, and timely information about where you are and what may lie ahead.

Risk management is all about providing decision-makers with the information they need about what might happen, and then helping them evaluate the situation and alternative actions (balancing opportunities and potential harms).

While the new COSO paper says a lot of good stuff, a search for “decision” gives you just ten mentions, while “decision-making” returns just three.

  • A few ERM leaders have been pushing the identification of risk into decision-making and an agile organization seems to be a good place to continue doing that.
  • Operating structures could be redone to reconsider traditional hierarchical approaches and traditional decision-making processes and replace with agile practices.
  • Part of the past bureaucratic problem was too much of a silo approach within the organization that limited collaboration and slowed down decision-making.

In other words, COSO’s new guidance essentially ignores the need for quality, informed and intelligent decisions.

That is surprising and disappointing.

It also continues the focus on managing and mitigating harms, without pressing the risk practitioner to apply the same principles and techniques to opportunities – let alone helping management weigh one against the other to determine which risks should be taken.

The publication does have a lot to say, and I recommend reading it carefully. Here are a few quotes with my emphasis.

Note how the document quotes CEOs saying there should be a focus on taking risk!

  • Astute leaders get this and know that long-term strategic plans and assumptions are not the best approach in times like this. Examples of this are everywhere. A recently appointed CEO at a Fortune 100 company changed the company’s motto to “Faster, stronger, and better.” A chief strategy officer of one of the world’s largest energy companies declared, We’ve given up trying to predict the future. We just want to be agile. A new CEO of a not-for-profit adopted a strategic vision focused on speed, adaptability, and taking risk. Other headlines in the news have CEOs telling employees to make mistakes and Wall Street analysts warning companies, “Disrupt yourselves, or else!” Further, this occurred before the pandemic, social unrest, political climate, continued calls for climate change, or ESG (environmental, social and governance) action — plus a host of other globally challenging uncertainties. It is not surprising that companies are looking for ways to improve, adapt, and become more agile as they also search for the new normal.
  • The new normal likely includes new anticipatory risk skills and new agile and adaptability skills. For those responsible for understanding and managing risks — including business owners, enterprise risk management, internal audit, senior leadership, and boards — the new normal includes a rethinking of when, how, and where to apply strategic risk thinking and ERM.
  • Adopting agile practices at the organizational and strategic level encompasses a few key concepts. The obvious first concept is speed. Companies believe that their world is changing, and they must adapt more quickly. A second and related key concept is direction. The combination of speed and direction is known as velocity. In guiding an organization, leaders cannot just move fast; they must also have a sense of direction. Note that this direction can be a broad window. There can be a sense that the future is fairly clear and the organization just needs to compete in that future. It can also mean that the direction is completely unclear. In this case, direction and steering the organization, even moving fast, must account for a wide variety of options and business models that could play out. This leads to other key concepts, including the ability to pivot, the ability to adapt, and the ability to accelerate (when needed). Pivoting, adapting, and accelerating all are about managing strategic and business risk but they also can create risk.
  • Board members are critical in helping organizations see and understand the necessity and importance of new strategic and organizational approaches and the related risk. It is also important that the business leaders, those who provide products and services, be involved and aligned with the change and agile efforts. This could require broad acceptance and a culture change and might even mandate that the business units adopt agile practices. When external parties, senior leaders, and others are pushing agile methods, the ERM function can feel completely out of sync with the business and will need to rethink its approaches and methods. ERM leaders will be more likely to stay in sync with the business when they regularly rethink and improve their ERM approach.
  • The ERM function can provide normal ERM tools to enable teams to properly understand, identify, and manage all related risks. Such tools may need to be customized and other tools may become necessary, but the basic ERM tools, technology, framework, risk cadence and reporting, risk identification templates, and action plans are still valuable and should be made available. The tools can help provide consistency. At some point, it is important that the ERM function provide the context and help others connect the risks to other risks and to the broader spectrum of risks and emerging risks facing the organization. Knowing and linking the velocity of emerging risks and other organizational risks that impact the agile teams can increase the teams’ chances of meeting objectives.
  • Companies that take an agile approach of speed and empowerment in innovations can improve risk-taking and ideation by encouraging this risk and opportunity mindset. When companies define the desired culture as one that accepts and allows for failure, they are building a culture that encourages new ideas and encourages risk-taking. Companies that do not accept failure or limit creativity create a culture that is risk-averse. If the strategic environment necessitates risk-taking, speed, and new ideas, then this risk-averse culture is the wrong fit to compete in that environment.

Now contrast that with an excellent post by an esteemed friend and practitioner, Hans Læssøe. In Effective Risk Reporting he explains how the focus should be on achieving targets or objectives (very similar to what I wrote about in Risk Management for Success and elsewhere, and what Tim Leech also advocates as objective-based risk management).

As he wisely says:

Management is working with business performance rather than managing risks. As such, management does not, and should not, be especially concerned about risks.

Executives know very well that there are risks and opportunities involved in whatever you do, and that every choice or decision they make becomes a choice between sets of risks and opportunities. This however does make them take their eyes off the ball – performance.

To be relevant and valuable to management, we – the risk profession – have to adjust our management reporting to be performance centric rather than risk centric.

I believe management should be focused on whether there is an acceptable likelihood of achieving each of their enterprise objectives. Hans says the same thing:

… shows a 40% likelihood of meeting the revenue target based on a 45% likelihood of having the targeted customer base.

Such a chart is certain to invoke a management discussion on whether or not this is satisfactory or something must be done to enhance the likelihood of meeting certain targets.

With this, risk management (reporting) affects decision making, which is paramount according to both the COSO and the ISO 31000 standards.

While COSO has shared some good advice about speed, I believe risk practitioners need to adapt on two fronts:

  1. Focus on how they can help decision-makers, ensuring they not only have quality information but are able to use it effectively.
  2. Partner with performance reporting staff to help management and the board understand whether there is an acceptable likelihood of meeting targets. At the same time, help management understand when the targets need to be moved as situations change.

I welcome your thoughts.

Risk Management and Cloud Computing

July 29, 2021 6 comments

There’s a new COSO preacher in town. Is he or she a threat or an enabler of a peaceful and safe community?

Should we embrace him or her and listen to their advice?

Enterprise Risk Management for Cloud Computing is an interesting document.

I am not a fan of the document, but if you are in IT or responsible for addressing IT-related risk you might find it of some interest.

It starts reasonably well with:

Leveraging cloud computing in some industries may have been a strategic advantage at one point. What the pandemic brought to light was the need for more remote and flexible work environments and the IT infrastructure to support the organization in that effort. Utilizing cloud computing has become an essential element to compete in the marketplace.

The speed at which cloud computing can be procured and implemented is one of its many valuable traits. However, facing the inertia of accelerated access to cloud based capabilities, some organizations may not have had the capacity to implement appropriate controls designed to mitigate the risks in their cloud environments.

Let’s acknowledge, though, that cloud computing is not new. It has been with us for many years.

I am (just) old enough to remember some of the first database systems. I was a manager with a major public accounting firm, responsible for the technical IT audit approach, when I heard Tom Gilb address the British Computer Society.

Tom shared his experiences helping a major Swedish car company implement an integrated set of applications using one of the first database management systems from IBM on their newest and most powerful mainframes.

He told us that he was often asked about the differences in deploying database vs. traditional systems. His answer was:

“It’s just another file structure.”

In many ways, cloud is similarly a simple evolution rather than a gigantic leap. Many of the issues related to managing a traditional outsourced computing system continue in a cloud environment. There are a few more challenges, but not so many that IMHO justify a publication from COSO specifically on cloud computing.

COSO would have done better if they had simply shared their thoughts on integrating IT-related risk into enterprise risk and performance (or success) management. (Actually, they would have done better to read and build on my book, Making Business Sense of Technology Risk).

They get this right:

An organization’s management is responsible for managing the risk to the organization. Management must incorporate the board and key stakeholders into the ERM program so that risk management is integrated with the organization’s strategy and business objectives. Effective ERM involves multiple departments and functions; it should be integrated into the strategy of the organization and embedded into its culture. Successful ERM goes beyond internal controls to address governance, culture, strategy, and performance. Effective cloud computing and cloud enterprise risk management is integrated within the organization to support the organization’s strategy and objectives, align with the culture, and enhance value.

The rest of the document takes each of the five components of the COSO ERM Framework and explains how they relate to cloud computing, with suggestions on how each of the related principles might be addressed.

But, and it is a huge but, they start with Governance and Culture. Now I agree that is an important topic, but you don’t establish governance structures and processes before you understand the risks and related processes.

They are starting with the COSO model and plugging cloud into it, rather than understanding what risks (both positive and negative) flow from the use of cloud and only then determining what governance-related processes and structures are needed.

So, let’s leave COSO behind and take a far simpler approach:

  1. Understand what the organization is trying to achieve, its business objectives.
  2. Consider what might happen (a phrase I far prefer to the four-letter word starting with ‘R’) that could affect the achievement of those objectives: the extent and likelihood of achievement.
  3. Include consideration of both what is needed to go right (to achieve enterprise business objectives) and could go wrong.
  4. Understand how the above depend on or are the consequences of the use of technology. You might define a subset of things that involve cloud computing.
  5. Given all that, are we OK? Is the likelihood of success (achieving enterprise business objectives) acceptable?
  6. If not, what are you going to do about it?
  7. Is it best to change processes and such that relate specifically to cloud, or is there a better way?

One concern with starting, as this COSO guidance does, with a focus on cloud is that you might end up dedicating scarce resources to a source of minimal risk to the enterprise.

There is, as always, more to be said. The COSO document can be of value by considering all of its detailed suggestions as ‘food for thought’.

But I cannot recommend adopting it as a framework.

I welcome your thoughts.

How to build credibility with management

July 19, 2021 9 comments

There is a story about this: the story of the biggest lie in the world. The practitioner enters the executive’s office and says, “I am here to help you”. That is not the biggest lie. The biggest lie is when the executive says, “I know, and you are welcome”.


It is one thing to explain how risk management or internal audit can and should add value.

It is quite another to get to where the key players in management actively welcome you to their table because they know that:

  • You want to help them succeed (instead of pointing out their failures) and
  • You have proven your ability to do so.

I am going to share a couple of relevant pieces and then add my own comments.

First, let’s read what Carol Williams has said in 5 Ways to Improve ERM’s Reputation with Executives.


She tells us, accurately in my opinion, that most “executives continue to see ERM as a check-the-box compliance exercise solely focused on preventing failure and not helping the company achieve goals and objectives and make informed and timely decisions.”

That is not a reputation you want. It means you are not considered a credible partner. At best, you are credible as a barrier to their entrepreneurship.

Her 5 Ways are:

  1. Start thinking like management – ERM practitioners “need to stop thinking like ‘risk people’ and start thinking like management.” This includes talking the language of the business, not using risk terminology. What are ways that risk can be integrated into executives’ daily conversations and decisions?
  2. Examine potential scenarios – when it comes to big decisions involving uncertainty, work with relevant individuals and departments to develop scenarios, determine which ones are most likely to occur, determine how to ensure success, and develop plans around these likely scenarios. Consider also developing high-level plans for those unlikely scenarios; after all, you do not have a crystal ball into the future to know what will happen.
  3. Consider rebranding – this may be the biggest step you can take and one I’ve addressed in the past. If ERM is there to be an enabler of success and not a roadblock or “Debbie Downer” to initiatives, should its name within the company change? Some companies refer to it as “Enterprise Risk Advisory.” Or, you can take the “risk” out of the name altogether. Our friend Hans suggests that risk management should really be thought of as “Decision Quality Assurance.” Another potential option includes “Decision Management,” or as Norman Marks suggests, “Success Management.” Whatever title and branding you choose, it should be made clear that you are there to provide support, not follow a strict process.
  4. Closely examine reporting structure – where ERM resides in the company hierarchy is also important for improving the perception of ERM. If it’s housed within the internal audit function, executives and managers may feel they’re under the microscope. If it is taken out of management altogether and reports directly to the Board, ERM will be seen as preventing management from taking too much risk, as explained by Norman in this recent piece.
  5. Whatever you do, it’s important to quit doing the things you’ve been doing all along and expect a different result, as Norman points out in his analysis of the NC State report. After all, that is the definition of insanity – you keep doing the same thing and expecting a different result.

These are all great ideas, but there is (as always) more to consider.


In 2012, McKinsey shared a great piece, The Executive’s Guide to Better Listening.

While it may on first glance seem to be off-topic, active listening is a great way to gain credibility with executives.

There are just three important points:

  1. Show respect. That doesn’t mean you have to be subservient; it just means that you should show respect to everybody for their experience and insight – even if you disagree. Respect their opinion and make sure you listen to it! If your opinion is different, explore why.
  2. Keep quiet. The author says this, although I have been saying this for decades myself (and I heard it from someone else.) “I have developed my own variation on the 80/20 rule as it relates to listening. My guideline is that a conversation partner should be speaking 80 percent of the time, while I speak only 20 percent of the time. Moreover, I seek to make my speaking time count by spending as much of it as possible posing questions rather than trying to have my own say.” I add to that that keeping quiet doesn’t mean that you are just waiting for them to stop speaking so you can talk. It means you are paying careful attention, listening actively.
  3. Challenge assumptions. I would add that you should understand and address your own biases. They adversely affect your ability to listen.


All of this is good advice.

Let me add my own:

  1. Have the right attitude. If you believe in your heart that your mission is to help each executive succeed, then that will influence your demeanor, words, and actions.
  2. Understand what they need to happen, as well as not happen, to be successful. Then focus on that rather than (only) a compliance checklist, a standard, or so-called best practices. Help them manage (including taking more ‘risk’ when appropriate) all the things that might happen so they can achieve both their own success and the enterprise’s.
  3. Stop doing stuff that is not necessary. Working on potential issues that would never be a significant risk to enterprise objectives wastes not only your time but theirs as well. In fact, take care not to waste their time to any degree. If they don’t see the value of what you are doing, are you sure you should be doing it?
  4. Make them champions. If they do not believe you are adding value, perhaps because until now work by your function has focused on a list of risks or on finding fault, ask them for an opportunity to prove what you can do. Is there a problem, or a difficult decision, that is troubling them? Perhaps there is a situation where they cannot obtain agreement with another department on how to move forward. Suggest a workshop that you could facilitate with all the parties so everybody can share perspectives and reach a consensus on how to resolve the issue. Or perhaps your team could consult with everybody, analyze the situation, and then lead a discussion on your assessment and insights – without an audit or other report to senior management.
  5. Celebrate management success rather than the length of your report. When management has everything under control, that is good news. A clean internal audit report is excellent.
  6. Work with management to upgrade. If issues are identified, listen actively to management; agree with them on the level of risk to objectives (and be specific as to which objectives); and discuss the best course of action. Take a business perspective and don’t recommend what you wouldn’t do in their shoes.
  7. Be humble and listen actively. I repeat this because it is so important. People love to vent; let them; encourage them; and don’t betray that trust by sharing their words with others. If you listen and help them believe you care about their success, their attitude towards you will change. Similarly, listen actively and discuss rather than preach when the results of your work disclose an apparent issue.


One of the things that bothers me is the desire of many practitioners to have a ‘seat at the table’, by which they mean an official and formal position within the organization (such as reporting to the board or to the CEO) that puts them on an (apparent but not real) equal level to top executives.

Trust me.

Your title does not mean you are invited and welcomed to meetings of the management team.

It does not mean that they listen to you.

It does not make you credible.


Your actions make you credible. They make you trusted and respected – not for your title, but for your insights and contributions to their personal and the organization’s success.


I welcome your insights and comments.

The positive side of risk

July 15, 2021 8 comments

While both ISO 31000 and COSO ERM recognize that risk can have a positive effect on the achievement of objectives, I don’t see that aspect being covered well if at all.

I discussed the positive side of risk in 2019 (which you may want to re-read), but let’s examine some more examples. Each of these are based on real life situations.

  • The company is part-way through a project to build an additional processing unit in its New Jersey refinery. The commercial team inform management that the prices for the mix of products from the new plant have changed significantly since it started. If the design is modified to create more of what are now high-value products, the additional revenue should be significant. Of course, there are cost implications and the schedule for completion of the new unit might be adversely affected.

Management needs to understand the range of additional revenue and the likelihood of each point on that range – just as they need to understand the cost implications and the possible effect of a schedule delay.

The techniques used by risk practitioners to understand, assess, and evaluate the potential for harm work well when applied to the potential for reward.

In addition, it should be possible to use techniques like Monte Carlo simulation and business judgment to weigh the potential benefits of the design change against the potential harms.

  • The CIO is asked by the Senior Vice President of Marketing to change the scope of a systems development project. The project is about 30% completed, so any change can have adverse effects. But the SVP points out that the change he is requesting will support a surge in demand for on-line shopping by customers around the world.

As in the previous example, the risk practitioner can use their tools and techniques to assess all the pros and cons of the change, enabling an informed and intelligent business decision.

  • A member of the board alerts the CEO that there are rumors about the financial health of a major competitor. If the other company falters, there would be an opportunity to seize a larger share of the market. However, there is no certainty.

The risk practitioner can work with the management team to assess the situation. How likely is it that the other company will fail completely vs. have to cut back? If they fail, how likely is it that they would do so in three months, six months, a year? Given that, what is the range of potential benefits and what is the likelihood of each point? The practitioner can also help management determine what it will take to seize the market, what it will cost (in dollars spent as well as what is given up to free resources to prepare to seize the day), and how to evaluate what is best for the business considering all of the above.

  • The vice president in IT is told that a third-party expert in a system they just purchased has just become available. If they hire that person, it would not only speed implementation but reduce the risk of getting it wrong. However, the budget would be blown.

The risk practitioner can help evaluate the options and enable an informed and intelligent business decision.

  • A data privacy bill is working its way through Congress. There is no certainty it will pass, although it seems more likely than not, and the final form of the legislation is unclear. If it passes, it will affect a profitable revenue stream of a subsidiary. Action will be needed to avoid losing that revenue. However, the company believes it is in a better position to make necessary changes than its competitors and, if it moves aggressively, it might be able to capture a larger market share.

This is one of those situations where an event or situation does not have only a negative or only a positive effect on objectives.

The risk practitioner can help management consider all the uncertainties, both now and as the situation unfolds, and make informed and intelligent decisions.


What should be clear to everybody is that pretty much every situation has several things that might happen, some of which are positive while others are negative.

Evaluating the downside and hoping somebody else has equivalent tools and techniques to evaluate the upside (the ‘it’s not my job’ disease), in a way that enables informed and intelligent decisions, doesn’t make business sense to me.

I welcome your thoughts.

Agile Risk Management

October 25, 2020 7 comments

Peadar Duffy of Solux[1] has shared a marketing piece that contains some valuable content, although it is (IMHO) incomplete.

He explains the need for risk management to be agile – with which I totally agree. By the way, I recommend reading pieces by McKinsey on Agile Organizations. To quote their headline,

“New ways of working are needed to survive and thrive in a fast-moving, technology-driven world.”

These excerpts from the Solux piece, Agile Risk Management (ARM): Continuous & Dynamic Decision Support, help us understand the need:

  • …an environment where the speed of disruption across multiple fronts is on the increase demands of organisations that they similarly need a comparable speed in decision making.
  • 21st century levels of uncertainty mean that there is zero chance that decision makers can reasonably expect to consistently plan perfectly and predict the future accurately. For this reason, organisations need to be prepared to fail fast and learn quickly such that scarce resources can be preserved and re-directed to where lessons learned, and continuous improvements increase the chances of success as soon as possible.
  • Organisations clearly need to be more agile than resilient. Put simply, resilient football teams don’t win championships, as preparing and responding to opposing team tactics is a defensive play. It is akin to asking players to run onto the pitch with a given number of set-pieces in mind. Alternatively, anticipating opposing team tactics, being agile and bouncing forward ahead of less responsive players is what wins games. Agile players run onto the pitch with a game plan in their minds, thinking of winning with set pieces and rules of the game so embedded in their state of being that it is instinctive.

Let me put this in my words:

  1. The world in which we live and work is not only massively disruptive but the speed and volatility of change are increasing.
  2. Decisions need to be made at speed if organizations (and people) are to both seize opportunities and navigate risks.
  3. Those decisions are dependent on reliable, timely, and current actionable information about what might happen.
  4. That information is derived, at least in part, from risk management activities.
  5. Those activities, risk management, need to function at the speed of change – the speed of risk and the speed of the business.
  6. Risk management also needs to adapt and change to meet the needs of a changing business and environment.

Hence, there is a need for agile risk management.

Peadar explains the relationships between the Purpose or Mission statement, objectives, and the taking of risk. After all, it is supposed to be ‘risk to objectives’, not risk for its own sake.

  • Purpose is determined by stakeholders. Founders, shareholders, boards and their management teams determine core purpose given the needs of customers, society and employees as well as the partners, suppliers and most significantly those statutes and regulations which organisations need to observe. Thereafter corporate objectives, business and operating models required to deliver corporate purpose are selected as appropriate.
  • Purpose to risk management is what true north is to navigation. Why? A risk is simply a thing which can stop you or slow you down on your journey to a given objective. For a given business objective some risks are worth taking, and some are not. The process of deciding what to do is called managing risk and this is what business managers do every day. On the journey from point A to point B you just need to know when to speed up, when to slow down, or when you should stop and plan another route altogether.
  • Clearly when decision makers know why their organisation exists/what it is there to achieve, they are better equipped to do the right thing (making a decision) in the right way (process) as the organisation moves forward.

This is all excellent.

The next step, not addressed in his article, is weighing the pros and cons (the positive and negative effects) to see whether it is right to take a risk or not.

To repeat a quote:

For a given business objective some risks are worth taking, and some are not. The process of deciding what to do is called managing risk and this is what business managers do every day. On the journey from point A to point B you just need to know when to speed up, when to slow down, or when you should stop and plan another route altogether.

How do you know whether to speed up (take the risk), slow down (minimize a risk), or even stop if you don’t understand all the things that might happen? You have to be able to assess and evaluate both the good and the bad so what you put on each side of the scale is in fact comparable.

I will continue to share and write about this (especially when I announce my new book).

I welcome your thoughts.

[1] It has not affected my writing, but I have an emerging business relationship with Peadar. He is one of the reviewers of my upcoming book.

COSO still believes in risk appetite statements

May 24, 2020 33 comments

My good friend Paul Sobel and I generally see eye-to-eye on matters relating to risk management. Over the years, we have chatted over meals, at conferences, and on the phone.

He is now the chair of COSO, which has to be a very tough job. Not only does he have to deal with the competing interests of its five members (the AICPA, FEI, AMA, AAA, and IIA), but he has inherited the COSO ERM Framework (and the Internal Control Framework, but I am not discussing that today).

Paul decided to share a series of pieces on LinkedIn a couple of weeks ago. His initial post started by saying “Many wonder whether the current pandemic is another example of ERM failing”. It got (as of today) 133 comments!

Now I don’t think Paul expected to receive that level of response. I am also pretty sure he didn’t expect to see so many comments about the general failures of risk management (ERM) programs.

Personally, I see the growing chorus as progress!

We now have a new COSO document that should receive a similar greeting. More and more people are recognizing that the traditional ERM programs typified by COSO’s guidance are simply not helping organizations succeed. They are seen by a growing number of executives and practitioners as a compliance activity. They look good, satisfy regulators, but don’t help leaders make the informed and intelligent decisions necessary for success.

This is what the COSO announcement on May 20th said:

In an effort to help boards, executives, and managers recognize how a better understanding and communication of risk appetite will help their organizations succeed, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is releasing new guidance, “Risk Appetite–Critical to Success,” focusing on how organizations can promote risk appetite as an integral part of decision-making.

I have written extensively about the concept of risk appetite here and in my books. My most recent discussion was Do risk appetite statements add value? You should also consider Should we tear up the risk appetite statement? and Let’s talk about risk appetite.

The authors of the new COSO guidance are the same people who have written about risk appetite for COSO before. So it may be difficult for them to step back and challenge their own (and COSO’s) established thinking.

I have a few questions for them and anybody else who likes risk appetite statements.

  1. Do you have risk appetite statements in your personal life? Are they necessary for your decisions about where to live and work, travel and vacation options, caring for your family, and so on?
  2. What is your personal “amount of risk”? Do you have an amount of risk that includes the possibilities of family illness, job loss, auto accidents, problems with your home, serious family disputes, and so on?
  3. If you don’t need a risk appetite statement in your personal life, why do you need one in your professional life?
  4. How do you explain the fact that an “amount of risk” is a concept that is wrong both logically and mathematically? Are you using the discredited formula of likelihood times effect? How do you come up with an “amount” when there are actually ranges of potential effects (not a single number), each with its own likelihood, as well as multiple sources of risk (such as compliance, cyber, human resources, treasury, and more)?
  5. Why are there no examples of how you calculate risk appetite and then use it to compare it against the potential for reward and make quality decisions? Is it because that is not as easy (or practicable) in practice as it sounds in theory?
  6. While COSO seems to recognize that what might happen includes not only harms (which they call risks) but also positive things (they call opportunities), the discussion of risk appetite only talks about the negative. How do you make intelligent and informed decisions without comparable information on both the positive and the negative? How can you weigh them against each other to see if the risk (negative) should be taken?
  7. Isn’t it far better to use techniques like Monte Carlo simulation that consider all the possibilities, not just harms?
  8. Where is the guidance on how to measure the possibility of reward and then compare it to the possibility of harm, and do that for each option or scenario? Why only provide guidance on half of the equation? How do you ensure that the right risks are being taken and opportunities seized?
  9. The guidance talks about operationalizing the risk appetite using risk tolerance. How is that any different from the limits and standards that have been in place for many decades? In other words, why can’t I simply retain my existing standards and policies and forget about risk appetite?
  10. How do risk appetite statements help you ensure that you have an acceptable likelihood of success, whether that is measured by the achievement of objectives, strategy, purpose, or something else?

If you are still enamored with risk appetite, I hope you enjoy and benefit from this new guidance. Unfortunately, I find it of little use.

I welcome your thoughts.

PwC confuses boards on risk oversight

May 27, 2017 18 comments

I want to start with two admissions:

  • I worked for 10 years at PwC and still have friends and respect for many of the professionals there.
  • I am hopeful that the pending update to the COSO ERM Framework, written by PwC, will be a leap forward in the practice. In fact I am more optimistic about the COSO initiative than I am that the ISO 31000:2009 update will reflect current leading thinking (that risk management is about disciplined risk-taking through informed and intelligent decisions).

Then I read the latest advice for boards from PwC on risk oversight.

Why your board should take a fresh look at risk oversight: a practical guide for getting started is hugely disappointing.

While the PwC team on the COSO project recognizes explicitly that risk management is far more than a periodic review of a list of risks, the authors of the board governance report are on a totally different page.

For example, the report says:

“It’s helpful for the board and committee chairs to work together to ensure all key risks are subject to board-level oversight. Some boards find it helpful to use a risk allocation matrix, which extends the key risk summary that many boards currently receive. Some companies even show overall risk allocation graphically in their proxy statements.”

They are talking about a list of risks, not about the achievement of objectives.

The report has a useful discussion about whether the organization’s disclosures about risk are complete and sufficient to satisfy investors.

It also asks interesting questions about the competence of the board members in risk management.

But, the role of the board is not to second-guess management and perform their own identification and assessment of risk.

The role of the board is to ensure management has the capability to do this and is in fact doing it well.

Frankly, the PwC report advises boards in a way that will lead them all astray!

It suggests the wrong questions.

I have written about this before, but here are the questions I would ask the executive management team if I were on or advising a board:

  1. What does risk management mean to you? Is it something you have to do (for compliance purposes) or does it actually and significantly help you determine and execute on strategy? If the latter, please explain.
  2. How effective do you believe, Mr. or Ms. CEO, the management of risk is? Does it give you a strategic advantage?
  3. How effective does your CRO believe it is (if you have one; if not, what does the responsible executive think)?
  4. How effective does your internal audit team think it is? How did they assess it? If they didn’t, why not?
  5. How do you factor in the consideration of risk (“what might happen”) into the selection of strategies and objectives?
  6. How do you factor in the consideration of risk into the selection, planning, and execution of major initiatives? Where can I find it in the proposals you submit to the board for approval?
  7. How do you and your management team make decisions in the face of uncertainty?
  8. What is the likelihood of achieving each of our strategic and major operational objectives? How do you assess not only performance to date but anticipate what might lie ahead? What are you doing about the latter?
  9. How do you know all decision-makers are taking the desired amount of the right risks? Do you help them at the point of decision-making or only after the fact through risk reporting against risk appetite? Does what you are doing work?
  10. What are you doing to improve the ability to address and respond to likely future events and situations?

The conversation about risk management expertise is, in my opinion, misplaced.

Members of the board should, for the most part, be able as former executives themselves to assess the competence of the executive management team in addressing what might happen.

That doesn’t require skills and knowledge in risk assessment techniques.

It requires the ability to listen, challenge, and think about how the CEO and his/her team are managing the organization with an eye on the future that is realistic about what might happen and what to do about it.

I welcome your comments.

Compliance and risk appetite

July 18, 2015 7 comments

Recently, a compliance thought leader and practitioner asked my opinion about the relevance of risk management and specifically risk appetite to compliance and ethics programs.

The gentleman also asked for my thoughts on GRC and compliance; I think I have made that clear in other posts – the only useful way of thinking about GRC is the OCEG view, which focuses on the capability to achieve success while acting ethically and in compliance with applicable laws and regulations. Compliance issues must be considered within the context of driving to organizational success.

In this post, I want to focus on compliance and risk management/appetite.

Let me start by saying that I am a firm believer in taking a risk management approach to the business objective of operating in compliance with both (a) laws and regulations and (b) society’s expectations, even when they are not reflected in laws and regulations. This is reinforced by regulatory guidance, such as in the US Federal Sentencing Guidelines, which explain that when a reasonable process is followed to identify, assess, evaluate, and treat compliance-related risks, the organization has a defense against (at least criminal) prosecution. The UK’s Bribery Act (2010) similarly requires that the organization assess and then treat bribery-related risks.

I think the question comes down to whether you can – or should – establish a risk appetite for (a) the risk of failing to comply with rules or regulations, or (b) the risk that you will experience fraud.

I have a general problem with the practical application of the concept of risk appetite. While it sounds good, and establishes what the board and top management consider acceptable levels of risk, I believe it has significant issues when it comes to influencing the day-to-day taking of risk.

Here is an edited excerpt from my new book, World-Class Risk Management, in which I dedicate quite a few pages to the discussion of risk appetite and criteria.

Evaluating a risk to determine whether it is acceptable or not requires what ISO refers to as ‘risk criteria’ and COSO refers to as a combination of ‘risk appetite’ and ‘risk tolerance’.

I am not a big fan of ‘risk appetite’, not because it is necessarily wrong in theory, but because the practice seems massively flawed.

This is how the COSO Enterprise Risk Management – Integrated Framework defines risk appetite.

Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.

One of the immediate problems is that it talks about an “amount of risk”. As we have seen, there are more often than not multiple potential impacts from a possible situation, event, or decision and each of those potential impacts has a different likelihood. When people look at the COSO definition, they see risk appetite as a single number or value. They may say that their risk appetite is $100 million. Others prefer to use descriptive language, such as “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.”

Whether in life or business, people make decisions to take a risk because of the likelihood of potential impacts – not the size of the impact alone. Rather than the risk appetite being $100 million, it is the 5% (say) likelihood of a $100 million impact.

Setting that critical objection aside for the moment, it is downright silly (and I make no apology for saying this) to put a single value on the level of risk that an organization is willing to accept in the pursuit of value. COSO may talk about “the amount of risk, on a broad level”, implying that there is a single number, but I don’t believe that the authors of the COSO Framework meant that you can aggregate all your different risks into a single number.

Every organization has multiple types of risk, from compliance (the risk of not complying with laws and regulations) to employee safety, financial loss, reputation damage, loss of customers, inability to protect intellectual property, and so on. How can you add each of these up and arrive at a total that is meaningful – even if you could put a number on each of the risks individually?

If a company sets its risk appetite at $10 million, then that might be the total of these different forms of risk:

Non-compliance with applicable laws and regulations $1,000,000
Loss in value of foreign currency due to exchange rate changes $1,500,000
Quality in manufacturing leading to customer issues $2,000,000
Employee safety $1,500,000
Loss of intellectual property $1,000,000
Competitor-driven price pressure affecting revenue $2,000,000
Other $1,000,000

I have problems with one risk appetite when the organization has multiple sources of risk.

  • “I want to manage each of these in isolation. For example, I want to make sure that I am not taking an unacceptable level of risk of non-compliance with applicable laws and regulations irrespective of what is happening to other risks.”
  • “When you start aggregating risks into a single number and base decisions on acceptable levels of risk on that total, it implies (using the example above) that if the level of quality risk drops from $2m to $1.5m but my risk appetite remains at $10m, I can accept an increase in the risk of non-compliance from $1m to $1.5m. That is absurd.”

The first line is “non-compliance with applicable laws and regulations”. I have a problem setting a “risk appetite” for non-compliance. It may be perceived as indicating that the organization is willing to fail to comply with laws and regulations in order to make a profit; if this becomes public, there is likely to be a strong reaction from regulators and the organization’s reputation would (and deserves to) take a huge hit.

Setting a risk appetite for employee safety is also a problem. As I say:

… no company should, for many reasons including legal ones, consider putting a number on the level of acceptable employee safety issues; the closest I might consider is the number of lost days, but that is not a good measure of the impact of an employee safety event and might also be considered as indicating a lack of appropriate concern for the safety of employees (and others). Putting zero as the level of risk is also absurd, because the only way to eliminate the potential for a safety incident is to shut down.

That last sentence is a key one.

While risk appetites such as $1m for non-compliance or $1.5m for employee safety are problematic, it is unrealistic to set the level of either at zero. The only way to ensure that there are no compliance or safety issues is to close the business.

COSO advocates would say that risk appetite can be expressed in qualitative instead of quantitative terms. This is what I said about that.

The other form of expression of risk appetite is the descriptive form. The example I gave earlier was “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.” Does this mean anything? Will it guide a decision-maker when he is considering how much risk is acceptable? No.

Saying that “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns”, or “The organization has a low risk appetite related to risky ventures and, therefore, is willing to invest in new business but with a low appetite for potential losses” may make the executive team feel good and believe they have ‘ticked the risk appetite box’, but it accomplishes absolutely nothing at all.

Why do I say that it accomplishes absolutely nothing? Because (a) how can you measure whether the level of risk is acceptable based on these descriptions, and (b) how do managers know they are taking the right level of the right risk as they make decisions and run the business?

If risk appetite doesn’t work for compliance, then what does?

I believe that the concept of risk criteria (found in ISO 31000:2009) is better suited.

Management and the board have to determine how much to invest in compliance and at what point they are satisfied that they have reasonable processes of acceptable quality.

The regulators recognize that an organization can only establish and maintain reasonable processes, systems, and organizational structures when it comes to compliance. Failures will happen, because organizations have human employees and partners. What is crucial is whether the organization is taking what a reasonable person would believe are appropriate measures to ensure compliance.

I believe that the organization should be able to establish measures, risk criteria, to ensure that its processes are at that reasonable level and operating as desired. But the concept of risk appetite for compliance is flawed.

A risk appetite statement tends to focus on the level of incidents and losses, which is after the fact. Management needs guidance to help them make investments and other decisions as they run the business. I don’t see risk appetite helping them do that.

By the way, there is another problem with compliance and risk appetite when organizations set a single level for all compliance requirements.

I want to make sure I am not taking an unacceptable level of risk of non-compliance with each law and regulation that is applicable. Does it make sense to aggregate the risk of non-compliance with environmental regulations, safety standards, financial reporting rules, corruption and bribery provisions, and so on? No. Each of these should be managed individually.

Ethics and fraud are different.

Again, we have to be realistic and recognize that it is impossible to reduce the risk of ethical violations and fraud to zero.

However, there is not (in my experience) the same reputation risk when it comes to establishing acceptable levels – the levels below which the cost of fighting fraud starts to exceed the reduction in fraud risk.

When I was CAE at Tosco, we owned thousands of Circle K stores. Just like every store operator, we experienced what is called “shrink” – the theft of inventory by employees, customers, and vendors. Industry experience was that, though undesirable, shrink of 1.25% was acceptable because spending more on increased store audits, supervision, cameras, etc. would cost more than any reduction in shrink.

Managing the risks of compliance or ethical failures is important. But, for the most part I find risk appetite leaves me hungry.

What do you think?

BTW, both my World-Class Risk Management and World-Class Internal Auditing books are available on Amazon.

A huge problem with risk appetite and risk levels

May 17, 2015 14 comments

COSO’s ERM Framework defines risk appetite in a way that many have adopted:

“Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.”

The problem I want to discuss is whether there is such a thing as an “amount of risk”.

The traditional way of assessing a risk is to establish values for its potential impact (or consequences) and their likelihood. The assessment might also include qualitative attributes of the risk, such as the speed of impact and so on.

But, for many risks there is more than one possible impact, with varying levels of likelihood.

Take the example of an organization that wants to expand and sell its products in a new country. It has set a sales target of 10,000 units in the first year, but recognizes not only that the target may not be reached but that, if things work well, it might be exceeded.

If the sales target is not reached, the initiative will result in a loss of as much as 500 units of currency. The likelihood of that loss is estimated at 5% and is considered unacceptable. There is also a 10% likelihood of a 250 loss, also unacceptable.

Management decides to treat the risk through a number of actions, including advertising and the use of in-country agents, which should reduce the likelihood and extent of losses. However, the cost of these actions will reduce the profits achieved when sales reach or exceed target.

The chart below shows the distribution of possible P&L results, both before and after treating the risk.

[Chart: distribution of possible P&L results for the new-country initiative, before and after treating the risk]

So there is no single “amount of risk”. There are many possible outcomes.

It is not sufficient to place a value on the distribution of all possible outcomes and compare that to some other value established as the acceptable level – because some of the points may individually be unacceptable and require treatment.

In this example, management has decided that the likelihood of the greatest levels of loss is unacceptable. If they had reduced the array of possibilities to a calculated number (perhaps based on the area under the curve), they probably would not have considered whether each possibility was acceptable and would not have taken the appropriate action.

Knowing whether the possibilities are acceptable or not, and taking appropriate actions to treat them, is critical. A single “amount of risk” fails that test.
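The following is an added illustration of the point made in this post and in the Monte Carlo question put to COSO above; it is not code from the original post. It evaluates the new-country initiative as a distribution of (likelihood, P&L) points. Only the 5% chance of a 500 loss and the 10% chance of a 250 loss come from the post; every other figure, the “after treatment” distribution, the risk criteria (a maximum acceptable likelihood for each size of loss, in the ISO 31000 sense) and the small Monte Carlo sales model are constructed assumptions. A Monte Carlo run is handled the same way as the hand-built scenarios: each sampled outcome is simply a point with likelihood 1/N.

```python
"""Evaluate a risk as a set of (likelihood, outcome) points, not one number.

Added illustration for the post above. Only the 5%/-500 and 10%/-250 points
come from the post; every other figure here is constructed.
"""
import random
from typing import List, Tuple

# A scenario is (likelihood, P&L outcome). Negative outcomes are losses.
Scenario = Tuple[float, float]

# Constructed distribution for the launch before any risk treatment.
BEFORE_TREATMENT: List[Scenario] = [
    (0.05, -500.0),  # from the post: 5% likelihood of a loss of as much as 500
    (0.10, -250.0),  # from the post: 10% likelihood of a 250 loss
    (0.35, 0.0),     # constructed: break-even
    (0.40, 300.0),   # constructed: sales target reached
    (0.10, 600.0),   # constructed: sales target exceeded
]

# Constructed distribution after advertising and in-country agents: the loss
# tail shrinks, but the cost of the treatment trims every outcome, upside included.
AFTER_TREATMENT: List[Scenario] = [
    (0.02, -400.0),
    (0.05, -200.0),
    (0.38, -50.0),
    (0.45, 200.0),
    (0.10, 450.0),
]

# Hypothetical risk criteria: a loss of at least `threshold` is acceptable
# only while its likelihood does not exceed `limit`.
RISK_CRITERIA: List[Tuple[float, float]] = [(500.0, 0.01), (250.0, 0.05)]


def check_distribution(scenarios: List[Scenario]) -> None:
    """Reject a set of points whose likelihoods do not sum to 1."""
    total = sum(p for p, _ in scenarios)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"likelihoods sum to {total}, not 1")


def expected_value(scenarios: List[Scenario]) -> float:
    """The single number produced by valuing the whole distribution at once."""
    check_distribution(scenarios)
    return sum(p * x for p, x in scenarios)


def likelihood_times_impact(scenarios: List[Scenario]) -> float:
    """The traditional 'amount of risk': likelihood x loss, summed over loss outcomes."""
    check_distribution(scenarios)
    return sum(p * -x for p, x in scenarios if x < 0)


def loss_exceedance(scenarios: List[Scenario], threshold: float) -> float:
    """Likelihood that the loss is at least `threshold` (one point on a loss exceedance curve)."""
    return sum(p for p, x in scenarios if -x >= threshold)


def unacceptable_points(scenarios: List[Scenario],
                        criteria: List[Tuple[float, float]]) -> List[Tuple[float, float, float]]:
    """Every criterion the distribution breaches, as (threshold, likelihood, limit)."""
    check_distribution(scenarios)
    breaches = []
    for threshold, limit in criteria:
        likelihood = loss_exceedance(scenarios, threshold)
        if likelihood > limit:
            breaches.append((threshold, likelihood, limit))
    return breaches


def monte_carlo_scenarios(n: int, seed: int = 0) -> List[Scenario]:
    """Constructed Monte Carlo model: units sold ~ Normal(10000, 3000) floored at
    zero, margin 0.05 per unit, fixed cost 400. Each sample has likelihood 1/n,
    so the functions above apply to it unchanged."""
    rng = random.Random(seed)
    scenarios = []
    for _ in range(n):
        units = max(0.0, rng.gauss(10_000, 3_000))
        scenarios.append((1.0 / n, units * 0.05 - 400.0))
    return scenarios


if __name__ == "__main__":
    for label, dist in (("before treatment", BEFORE_TREATMENT),
                        ("after treatment", AFTER_TREATMENT)):
        print(f"{label}: expected value {expected_value(dist):.1f}, "
              f"likelihood x impact {likelihood_times_impact(dist):.1f}, "
              f"breaches {unacceptable_points(dist, RISK_CRITERIA)}")
    mc = monte_carlo_scenarios(20_000)
    print(f"Monte Carlo: P(loss >= 250) = {loss_exceedance(mc, 250.0):.3f}, "
          f"breaches {unacceptable_points(mc, RISK_CRITERIA)}")
```

With these constructed figures the two single-number views disagree with each other and neither identifies the problem: the expected value falls from 130 to 98 after treatment (the treatment looks like a bad idea), while likelihood times impact falls from 50 to 37 (it looks like a modest improvement). Only the point-by-point check shows that, before treatment, both the 500 and 250 loss levels breach their limits, and that after treatment neither does.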

We could take this discussion a lot further, but I will stop here. What do you think?

Important new IFAC paper on risk management

May 9, 2015 21 comments

With help from Grant Purdy, IFAC has published an excellent Thought Paper on risk management. From Bolt-on to Built-in: Managing Risk as an Integral Part of Managing an Organization.

This is one of the most important papers on risk management in recent years – not because it says something new, but because it (a) comes from this well-respected, global organization, (b) is contrary not only to many current practices but also to how guidance from several regulators is being interpreted, and (c) is expressed forcefully and eloquently.

The IFAC paper has a wealth of good advice. I can only excerpt portions because if I quoted everything of note, I would end up copying most of the document!

I encourage everybody to download and read the paper for themselves.

The theme is captured in this:

In some organizations the approach to management of risk and internal control has deviated from its original purpose: to support decision making and reduce uncertainty associated with achieving objectives. Instead, risk management in these organizations has become an objective in itself, for example, through the institution of a nonintegrated, stand-alone risk management function. This typically removes responsibility for the management of risk from where it primarily belongs: incorporated into line management. A separate risk management function, even though established with the best intentions, may hamper rather than facilitate good decision making and subsequent execution. Managing risk in an organization is everyone’s responsibility.

The paragraph makes some essential points:

  • Risk management (and the part of risk management that is internal control, as controls only exist to provide reasonable assurance that risk is at acceptable levels) is all about enabling informed, intelligent decisions
  • The overall purpose is to set and then achieve the right objectives
  • A separate risk management function often separates the consideration of risk from the running of the business – degrading rather than enhancing decision-making and organizational performance

IFAC continues the theme:

This Paper contends it is time to recognize that managing risk and establishing effective control form natural parts of an organization’s system of management that is primarily concerned with setting and achieving its objectives. Effective risk management and internal control, if properly implemented as an integral part of managing an organization, is cost effective and requires less effort than dealing with the consequences of a detrimental event. It also generates value from the benefits gained through identified and realized opportunities.

Risk management should not be separate from management processes. It is more than embedding the consideration of risk into management processes. It is an integral part of decision-making and running the enterprise.

This is stressed:

Risk management should never be implemented in isolation; it should always be fully integrated into the organization’s overall system of management. This system should include the organization’s processes for good governance, including those for strategy and planning, making decisions in operations, monitoring, reporting, and establishing accountability.

Note that risk management helps organizations select objectives and related strategies as well as enable optimal performance and achievement of the objectives. Risk management does not start after objectives are established, but before. “Setting objectives itself can be one of the greatest sources of risk.” IFAC explains that:

Risk management assists organizations in making informed decisions about:

  • objectives they want to achieve;
  • the level, nature, and amount of risk that they want to assume in pursuit of those objectives; and
  • the controls required to support achieving their objectives.

IFAC emphasizes that the management of risk is not for its own sake. It is to enable the achievement of the right objectives.

The main objective of an organization is not to have effective controls, nor to effectively manage risk, but to properly set and achieve its goals; to be in compliance and capable of managing surprises and disruptions along the way; and to create sustainable value. The management of risk in pursuit of these objectives should be an inseparable and integral part of all these activities.

In IFAC’s discussion of maturity, they say something that sounds very similar indeed to OCEG’s definition of GRC: “Effective risk management supports management’s attempts to make all parts of an organization more cohesive, integrated, and aligned with its objectives, while operating more effectively, efficiently, ethically, and legally.” (They continue with a very high-level example of a four-stage maturity model.)

I like how they say that the owner of the enterprise objective (responsible for performance against it) should also be the owner of related risks, not any risk officer:

As an organization’s risk is inextricably connected to its objectives, the responsibility for managing risk cannot lie with anyone other than the person who is responsible for setting and achieving those objectives.

Line management needs to accept its responsibility and not delegate risk management and internal control to specialized staff departments. Placing responsibility within the line also implies that staff or support functions should not, or no longer, be the “owner” of risk management in organizations. However, these support functions nevertheless play a crucial role in supporting line management in the effective management of risk.

There is a critical discussion of risk management flaws, with not only a list of the most serious but a table that compares good and bad practices. Some of the flaws they identify as serious are:

  • “Having a compliance-only mentality ….. ignoring the need to address both the compliance and performance aspects of risk management.”
  • “Treating risk as only negative and overlooking the idea that organizations need to take risks in pursuit of their objectives. Effective risk management enables an organization to exploit opportunities and take on additional risk while staying in control and, thereby, creating and preserving value.”

Some of you know that I am writing a book about world-class risk management. When it comes to risk reporting, I found the topic tough to write about because so many risk reports (and risk registers) are just a list of risks and their risk ‘levels’. They are not focused on how each of the enterprise’s objectives is affected. I will include this section as a quote because it gets it right and says it well:

As risk is the effect of uncertainty on achieving objectives, it would be inadvisable to manage risk without taking into account the effect on objectives. Unfortunately, in some organizations the linkage between the risks periodically reported to the board and the strategic objectives that are most critical to the long-term success of the company is at best opaque and at worst, missing completely. As a consequence, risk is insufficiently understood or controlled, even though the organization devotes some attention and resources to the management of risk. Risk management without taking into account the effects on objectives is thus ineffective.

Let me close this post with a quote from Unilever that is included in the IFAC document:

“At Unilever, we believe that effective risk management is fundamental to good business management and that our success as an organization depends on our ability to identify and then exploit the key risks and opportunities for the business. Successful businesses take/manage risks and opportunities in a considered, structured, controlled, and effective way. Our risk management approach is embedded in the normal course of business. It is ‘paper light—responsibility high.’ Risk management is now part of everyone’s job, every day! It is no longer managed as a separate standalone activity that is ‘delegated to others.”

What do you think? I welcome your comments.

By the way, I hope those involved in the COSO ERM update, as well as those working on an update of the ISO 31000:2009 global risk management standard, pay attention. IFAC has proved that accountants can publish excellent guidance on risk management!

Lessons Learned from the Transition to COSO 2013

May 3, 2015 5 comments

Protiviti has shared with us a useful Top 10 Lessons Learned from Implementing COSO 2013.

I especially like this section:

It is presumed that everyone understands that a top-down, risk-based approach remains applicable to Section 404 compliance, and the transition to the 2013 updated Framework does not affect this. While we don’t list this as a lesson, we could have, because some companies either forgot or neglected to apply this approach when setting the scope and objectives for using the Framework. As a result, they went overboard with their controls documentation and testing. We can’t stress enough that the COSO 2013 Framework did not change the essence of, and the need for, a top-down, risk-based approach in complying with SOX Section 404.

The report has a number of excellent pieces of advice. However, I wouldn’t be me if I didn’t have points of disagreement.

The first is on mapping. It is NOT necessary to map all your controls to the principles. If we take principle 10, for example, it states “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels”. Rather than map all your control activities to this principle (or to principle 11, which is the same – just for IT general controls), the organization needs to identify the control(s) it relies on for its assessment that the principles are present and functioning[1]. For principles 10 and 11, that will be the SOX scoping exercise. For the principle on fraud, the control that should be identified is the fraud risk assessment, not every control relied on to detect or prevent fraud.

Then there is the assertion that indirect controls are the same as entity-level controls. COSO (both 1992 and 2013) tell us, correctly, that activities in each of its components may operate at any level within the organization. For example, let’s say that an account analysis is prepared by Corporate Finance as part of the period-end close. This entity-level control may operate with sufficient precision to be relied upon to detect a material error or omission in that account. But the entity-level control is a direct control, not an indirect control. (A direct control can be relied upon to prevent or detect an error. An indirect control is one that serves to increase or decrease the likelihood that other, direct, controls will function effectively. Hiring, integrity, oversight by the board – these are indirect controls where a defect would increase the likelihood that affected direct controls would fail.)

Another example that helps us understand the difference is the hiring process (related to principle 4, in the Control Environment). The hiring process most often is at a lower level than the entity-level, often as deep as the activity level as that is where most hiring managers reside. Controls in the hiring process in this situation are activity level (or what I call ‘intermediate level’ controls, operating at a location or business unit rather than either the top or the bottom of the organization) and are indirect controls.

I could quibble with one or two more points, but I don’t want to detract from the report. I want, instead, to encourage you to read and discuss it.

What do you think?

What additional lessons have you learned?

[1] Full credit for this wording goes to the E&Y national office, who used it in a conversation I had with them about the firm’s training of its audit staff.

The most important sentence in COSO

April 25, 2015 13 comments

In my opinion, one sentence stands out, whether you are looking at the COSO Internal Control – Integrated Framework (2013 version) or the COSO Enterprise Risk Management – Integrated Framework.

That sentence is:

An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories.

The sentence is important because it emphasizes the fact that the purpose of controls is to address risk, and that you have ‘enough’ control when risk is at desired levels.

To me, this means that:

  1. Before you assess the effectiveness of internal control, you need to know your objective(s), because we are talking about risk to objectives – not risk out of context
  2. You need to know the risk to those objectives
  3. You need to know what is an acceptable level of risk for each objective, and
  4. You need to be able to assess whether the controls provide reasonable assurance that risk is at acceptable levels

You may ask “where is that sentence?”, because when consultants (and even COSO and IIA) make presentations on COSO 2013 and effective internal control, all you hear about are the principles and components.

In fact, anybody who reads COSO 2013 should have no difficulty finding this most important sentence. It’s in the section headed “Requirements for Effective Internal Control”.

This is how that section starts:

An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives. Because internal control is relevant both to the entity and its subunits, an effective system of internal control may relate to a specific part of the organizational structure. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories. It requires that:

  • Each of the five components of internal control and relevant principles are present and functioning
  • The five components are operating together in an integrated manner

There is no mention of satisfying the requirement that the “components and relevant principles are present and functioning” until after the reference to risk being at acceptable levels.

In fact, I believe – and I know of at least one prominent COSO leader agrees – that assessing the presence and functioning of the components and principles is secondary, provided to help with the assessment.

Let’s have a look at the very next paragraph in the section:

When a major deficiency exists with respect to the presence and functioning of a component or relevant principle or in terms of the components operating together, the organization cannot conclude that it has met the requirements for an effective system of internal control.

When you look at this with the (COSO) risk lens, this translates to the ability to assess internal control as effective, and the principles and components as present and functioning, as long as there is no deficiency in internal control that is rated as “major”.

How does COSO determine whether a deficiency is “major”? That can be found in the section, “Deficiencies in Internal Control”.

An internal control deficiency or combination of deficiencies that is severe enough to adversely affect the likelihood that the entity can achieve its objectives is referred to as a “major deficiency”.

Let’s translate this as well:

  1. If the adverse effect on the likelihood of achieving objective(s) is “severe”, then the risk is outside acceptable levels.
  2. If the risk is outside acceptable levels, not only should the related component(s) or principle(s) not be assessed as present and functioning, but internal control is not considered effective.
  3. When it comes to SOX compliance, a “major deficiency” translates to a “material weakness”. The objective for SOX is to file financial statements with the SEC that are free of material error or omission. The acceptable level of risk is where the likelihood of a material error or omission is less than reasonably possible.
  4. That means that if the deficiency is less than “major” (or “material” for SOX purposes), then the related component(s) or principle(s) can be assessed as present and functioning – and internal control can be assessed as effective.

So, the only way to assess whether the principles and components are present and functioning is to determine whether the risk to objectives (after considering any related control deficiency) is at acceptable levels.

Do you see what I mean?

Risk is at the core. Assessing the presence and functioning of components or principles without first understanding what is an acceptable level of risk to objectives is misunderstanding COSO!

Why are so many blind to this most important sentence?

I have a theory: the presentations were all prepared based on the Exposure Draft. That document failed to reference the requirement that internal control be designed to bring risk within acceptable levels. (The defect was fixed after comments were received on the issue.)

Do you have a better theory?

Can you explain the blindness of so many to the most important sentence in the entire Framework?

Does PwC understand risk management?

April 18, 2015 44 comments

I would like to say that the answer is “yes”, because I used to work for PwC and know many of their people – very good people.

I would also like to say “yes” because COSO has hired PwC to lead the update of their Enterprise Risk Management – Integrated Framework.

But, I cannot say that they do – at least not what is required for the fully effective management of uncertainty.

I think they understand much of the common, traditional wisdom about risk management, that managing risk is about avoiding threats as you strive to achieve your objectives.

But, I think they fail to understand that uncertainty between where you are and where you want to go contains both threats and opportunities – and managing risk is about making intelligent decisions at all levels of the organization, both to limit the effect and likelihood of bad things happening and to increase the effect and likelihood of good things.

Risk management is more than a risk appetite framework set by executives and approved by the board.

It is more than “embedding” the consideration of risk into the strategy-setting and execution processes.

It is more than enabling the board and executive management to make informed decisions, or even for division leaders to make informed decisions. Every decision, whether by executives or junior employees, creates and/or modifies risk.

No. Effective risk management is something that is (or should be) an integral part of making decisions and running the business every minute of every day, at all levels across not just the enterprise but the extended enterprise.

It’s about enabling decision-makers to take the right amount of the right risk.

What’s the point of a risk appetite statement if it is not effective in driving decisions, which occur not only in the board and executive committee rooms, but in every corner and crevice of the organization?

I am using PwC’s latest publication as the basis for this opinion. While Risk in review: Decoding uncertainty, delivering value (subtitled How leading companies use risk management to drive strategic, operational, and financial performance) makes some good points, it also misses the key point about enabling decision-makers to take the right amount of the right risk. It focuses instead on a view of risk management that is centered on a periodic review of a limited, point-in-time list of negative risks – such as those found in a heat map.

(The good point made by PwC is that risk and strategy need to be entwined, both in the setting of strategy and its execution. It is also useful to see that few organizations, just 12% in their view, have achieved PwC’s limited view of risk management leadership.)

I will let you read PwC’s ideas and limit my comments to their Five steps to risk management program leadership.

1. Create a risk appetite framework, and take an aggregated view of risk

I have no problem with the principle that the board and top management should understand and provide guidance to decision-makers so that they take the right amount of the right risk. I also agree that there are multiple sources of risk to any business objective, and that it is necessary to see the full picture of how uncertainty might affect the achievement of each objective.

But, as I said, a risk appetite framework has little value if it is not sufficiently granular so that every decision-maker knows what he or she must do if they are to take the right amount of the right risk. Few organizations have been able to translate a risk appetite statement to actionable guidance for decision-makers, even when they try to use risk tolerance statements. Risk criteria at the decision-maker level must be established that are consistent with the aggregated enterprise view, and this is exceptionally difficult in practice.

In addition, decision-makers should not be excessively inhibited from seizing opportunities or taking/retaining “negative risk” when it is justified. The focus is far too often on limiting risk, even when it is at a level that should be taken.

2. Monitor key business risks through dashboards and a common GRC technology platform

I agree that every decision-maker should know the current level of risk. But what is key is that the decision-makers have this information. While it is nice to have the risk function aware of current levels of risk, it is the decision-makers who have to act with that knowledge.

Further, why this nonsense about a “GRC technology platform”? Let’s talk about a risk management solution. I know that PwC makes a lot of money helping organizations select and then implement GRC solutions, but we are talking about risk management. Let’s focus on the technology needed for the effective management of risk by decision-makers at all levels across the organization. Integrating internal audit and policy management is far less important (IMHO).

Finally, people forget (and that includes PwC) that you need to monitor risk to each objective, not risk in isolation. Executives and managers need to receive integrated performance and risk information for each of their objectives.

3. Build a program around expanding and emerging business risk, such as third-party risk and the digital frontier

Everybody talks about risk expanding, that there is more risk today than in the past. I am not sure that is correct. Maybe we are just more attuned (which is a good thing) to thinking about risk, and certainly risk sources are becoming more complex. But is there actually more risk?

PwC talks about third-party risk, but that is not new at all. I wish they would talk about risk across the extended enterprise, which would broaden the picture some.

Technology-related business risk clearly merits everybody’s attention. It is unfortunate that insufficient resources are being applied by the majority of organizations to understanding and addressing both the potential harms and benefits of new technology.

4. Continuously strengthen your second and third lines of defense

Is there a reason we shouldn’t strengthen management’s ability to address uncertainty? (They are the so-called first line of defense.) Instead of the risk function feeding fish to management, why not train them to catch their own fish? Every decision-maker should be trained in disciplined decision-making, including the disciplined consideration of uncertainty.

Yes, the second line (risk management, compliance, information security, and so on) should be strengthened.

But, internal audit should not be limited to being seen as a “line of defense”. For a start, risk is not always something you need to defend against – often it should be actively sought as a source of value. Then, internal audit should help the organization actively take the right amount of the right risk, which it does by providing assurance that the processes for doing so are effective and by making suggestions for improvement.

I much prefer to talk about lines of offense. When you attack, you still need to be aware of IEDs, sniper positions, and mines. But the focus is on achieving success rather than avoiding failure.

5. Partner with a risk management provider to close the gap on internal competencies

Such a self-serving platitude! Yes, fill resource gaps with competent, knowledgeable professionals. But don’t hire a consultant to run periodic workshops – fill that need in-house.

Am I unfair to PwC?

Do they understand risk management and what it needs to be if an organization is to make the most of uncertainty?

We need to be tough on them if they are going to help COSO bring their ERM Framework up to the standard required for today and tomorrow – enabling better decisions so everyone takes the right level of the right risk.

I welcome your thoughts.

The effective audit committee

November 22, 2014 7 comments

A short article in CGMA Magazine, Ingredients of an effective audit committee, caught my eye. I recommend reading it.

I think there are some key ingredients to an effective audit committee that are often overlooked. They include:

  1. The members have to read all the material for the audit committee meeting before the meeting. It’s amazing how often they don’t, which reduces the meeting to absorbing the material rather than a constructive discussion of its implications.
  2. The members have to be ready, willing, and able to constructively challenge all the other participants, including the external and internal auditors as well as financial, operating, and executive management. Too often, they are deferent to the external auditor (for reasons that escape me) and too anxious to be collegial to challenge senior management.
  3. They need a sufficient understanding of the business, its external context (including competitors and the regulatory environment), its strategies and objectives, risks to the achievement of its objectives, and the fundamentals of risk management and financial reporting, to ask the right questions. They don’t need to have a deep understanding if they are willing to use their common sense.
  4. They need to be willing to ask a silly question.
  5. They need to persevere until they get a common sense response.
  6. No board or committee of the board can be effective if they don’t receive the information they need when they need it. I am frustrated when I read surveys that say they don’t receive the information they need – they should be demanding it and accepting no excuses when management is slow to respond.
  7. Audit committee members will not be effective if they are only present and functioning at quarterly meetings. They need to be monitoring and asking questions far more often, as they see or suspect changes that might affect the organization and their oversight responsibilities.

What do you think?

I welcome your comments.

A Rant about the GRC Pundit’s Rant

April 18, 2014 24 comments

Michael Rasmussen, a.k.a. the GRC Pundit, is a friend whose intellect, integrity, and insights I respect. He and I, together with another friend, Brian Barnier, were the first three to be honored as OCEG Fellows for our thought leadership around GRC.

Michael and I have had many a debate on the topic of GRC. Michael brings the perspective of an analyst that works with many companies, helping them select and implement software solutions. That is his business: he refers to himself (GRC 20/20 Research, LLC) as a “buyer advocate; solution strategist; and market evangelist”. His latest blog, GRC Analyst Rant: Throwing Down the GRC Analyst Gauntlet, inspired me to write this one.

My background is very different, having been a practitioner and executive responsible for many of the business activities he supports – in other words, I might have been one of his customers. My focus is on helping business run better – and that frequently but not always involves the judicious use of technology.

Michael and I agree on a number of points, disagree on others. For example, I believe he and I agree that:

  • The term ‘GRC’ is one that is interpreted in many ways.
    • When I ask practitioners within a company what they mean when they use the term, most say it stands for ‘governance, risk, and compliance’ but cannot explain why anybody would use that term to describe the totality implied by the expression; they may wave their hands in the air and say “what does GRC mean? You know…. it means GRC”. They cannot explain why they don’t refer to governance, or governance and risk management, or risk management and compliance. Sometimes they talk as if GRC is something in the air, something related to the culture of the organization as much as anything else.
    • When I ask people at the IIA, they say it stands for ‘governance, risk, and controls’; in other words, the totality of what internal auditors work on. I don’t personally see anything new in this, nor any value in using the term. In fact, using it with ‘controls’ instead of the more common usage of ‘compliance’ is only going to confuse.
    • When I talk to software vendors, they either describe their software solutions (as if GRC is technology) or describe the business solutions that their technology supports.
    • When I read papers from consultants, I find that if I substitute the phrase ‘risk management’ every time they say ‘GRC’, the piece makes more sense. In other words, they are usually talking about risk management but for some reason (some would say to hype the discussion) they use the term GRC instead.
    • When I talk to the people at OCEG and those who follow OCEG and its definition of GRC, they use a definition that makes more sense. That definition adds value by emphasizing the needs for all parts of the organization to work together.
  • GRC is not about technology. It is about (as I said last year) “how we can optimize outcomes and performance, addressing uncertainty (risk management) and acting with integrity (regulatory compliance and organizational values)”.
  • The key to optimizing outcomes is for management (with board approval) to set the appropriate strategies, objectives, and goals, and then everything flows from there: managing risks to strategies, managing performance against strategies, and acting with integrity (which includes compliance with applicable laws and regulations) at all times.
  • No technology vendor (not even SAP and Oracle, who have the greatest breadth and depth of solutions IMHO) has a complete solution that addresses all GRC needs. The last time I said that, in a September post, several vendors wrote to tell me they had everything. But, they simply didn’t. They have everything that they chose to call GRC, but none included strategy management, support for governance activities like board packages and whistleblower lines, risk management including automated and integrated key risk indicators, compliance training and monitoring, performance management, legal case management, and so on.
  • The analysts like Gartner and Forrester have a business model where they need to define technology using buckets. But those buckets do not reflect what individual companies actually need, so their analyses and ratings may be interesting but may well steer organizations to acquire solutions (such as a so-called ‘EGRC platform’) that are not the best use of scarce resources. I would not advise any organization to base their purchase decision on an analyst rating of ‘GRC’, ‘EGRC’ or other made-up bucket of fish.

Where I believe we differ is that I do not advocate the use of the term ‘GRC’.

As I implied, if not explicitly stated, in my post last November, I believe that if the term ‘GRC’ is not dead (and apparently it lingers on), then it should be put to death.

I do not see the value in business people talking about GRC. I have said before and will say again, managers should look to fixing the processes they know need work.

For example, few organizations have effective processes for developing strategies and objectives at the corporate level, cascading them down throughout the organization so every individual knows what they need to do if the organization is to succeed, and minimizing individual objectives that are not clearly necessary to corporate achievement – then rewarding individuals, at least in part, for performance against those cascaded objectives. I have worked at several organizations where we were told what the corporate objectives were and asked to link our personal objectives to them. That is not the same thing. That is tying our personal objectives onto a branch of the corporate objectives, rather than making sure that all the roots of that corporate objective tree are healthy – even when we should be responsible for the health of a root or two.

Another example is the effectiveness of risk management. Most organizations practice enterprise list management at best (i.e., they manage a limited number of risks on a periodic basis), when mature risk management that is dynamic, iterative, and responsive to change, integrated into decision-making at all levels of the organization and into every aspect of daily operations, is essential to success.

Does using the term ‘GRC’ mean anything useful for internal auditors? No. They should continue to “up their game” from a focus on controls and risks that matter to operating management, to providing assurance and insight on organizational governance and risk management.

Effective GRC for OCEG means the integration, among other things, of strategy and risk management. But how many organizations do that well? How many executives receive and manage their area using an integrated report or dashboard that shows for each of their strategies both the current level of performance and the current state of related risks? How many executives see that not only have they accelerated up to the desired level of 100kph but are less than 100m from hitting a brick wall?

So here’s my recommendation to all: stop talking about GRC and start talking the language of the business. Let’s talk about how we can increase value to stakeholders, address potential obstacles and seize opportunities to excel, act with integrity and remain in compliance with current and anticipated regulations, and manage the organization to success.

Don’t try to fix GRC. Fix those parts of the business, those business processes, that are broken.

Good Riddance grC.

I welcome your comments.

What is effective risk management?

April 12, 2014 15 comments

Some say that risk management is effective when it has all the components described in their favorite standard (ISO 31000:2009) or framework (COSO ERM). (COSO ERM specifically states this as the requirement).

Some say that risk management is effective when all the principles in their favorite guidance are present and functioning. (ISO talks about its “set of principles that organisations must follow to achieve effective risk management.”) The principles are (from a consultant’s site that provides a high-level view of the standard):

  • Creates and protects value;
  • Is an integral part of all of the organisation’s processes;
  • Forms part of decision making;
  • Explicitly expresses uncertainty;
  • Is systematic, structured and timely;
  • Is based on the best available information;
  • Is tailored to the organisation;
  • Takes human and cultural factors into account;
  • Is transparent and inclusive;
  • Is dynamic, iterative and responsive to change; and
  • Facilitates continual improvement of the organisation.

Some say that risk management is effective when activities are compliant with the organization’s related policies and standards. But are those policies and standards adequate?

Some will say that risk management is effective when the board, operating and executive management believe it adds value and are satisfied that it provides the information they require. I believe that has merit but they may be satisfied with less than mature risk management (that seems to be the case with many current organizations who are satisfied with enterprise list management, until they are caught short).

Some will say that risk management is effective when an independent assessment/audit/examination is performed and the report says so. The trouble is that the people who do such audits generally rely on one of the above criteria (components present, principles in operation, etc.).

I would like to suggest a different approach.

Let’s start by considering why organizations should have risk management. It’s NOT because laws and regulations mandate it in many cases. It’s NOT because people say you need it. It’s because effective risk management provides a level of assurance that an organization will not only achieve its objectives (or exceed them) but will set the best objectives.

Quoting from COSO ERM:

“Enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.”

COSO explains that effective risk management enables:

  • “A greater likelihood of achieving business objectives”
  • “More informed risk-taking and decision-making”

Irish guidance on the ISO 31000:2009 risk management standard says:

“The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.”

The Australian mining company, BHP Billiton, has a risk management policy signed by its CEO. It includes:

“Risk is inherent in our business. The identification and management of risk is central to delivering on the Corporate Objective.

  • By understanding and managing risk we provide greater certainty and confidence for our shareholders, employees, customers and suppliers, and for the communities in which we operate.
  • Successful risk management can be a source of competitive advantage.
  • Risk Management will be embedded into our critical business activities, functions and processes. Risk understanding and our tolerance for risk will be key considerations in our decision making.

“The effective management of risk is vital to the continued growth and success of our Group.”

I like what E&Y has to say:

“An effective [ERM] capability provides value by giving organizations the confidence to take on risk, rather than avoid it.

“By effectively managing the right risks, management has more timely, comprehensive and a deeper understanding of risk which, in turn, facilitates better decision-making and confidence to take on new ventures or even to accept higher levels of risk.”

So we can see that, as the BHP CEO said, effective risk management is not only essential to the success of an organization but “can be a source of competitive advantage”.

For the last year or two, I have been saying that you assess the effectiveness of risk management by asking decision-makers at all levels whether the risk information is enabling them to make better decisions and be more successful.

In other words, assess risk management not by its structure but by its effect.

I still think that is a key test, but I am going to add a new dimension to my thinking.

Let’s consider a company that has significant foreign currency exposure. It does business globally so it has bank accounts in a number of countries and has both payables and receivables in different currencies.

There are a number of strategies for reducing foreign exchange risk, but to manage the risk effectively you need to know what is happening with rates as well as how your bank account balances, payables, and receivables are changing.

If this company only has the ability to understand its foreign exchange risk once a month, in other words its monitoring of this risk is only monthly because that is the only time it is able to obtain all the necessary information and calculate its exposure, the risk is much higher than if it has the processes, people, and systems to monitor its exposure daily or better.

However, the investment necessary to upgrade the risk monitoring from monthly to daily may be significant. The company has to decide whether the reduction in exchange risk that can be achieved by upgrading risk monitoring justifies the additional expense.

Until it upgrades risk monitoring, there is a risk that the information provided by risk management is insufficient. Management needs to decide whether that is an acceptable level of risk.

If management decides that the level of risk is too high, then I would say that the risk management program is less than effective. It is not providing the information necessary for management to take the right risks. But if management decides that the level of risk is acceptable, then that would not prevent me from assessing risk management as effective.

Let’s take another situation. An organization is concerned about its reputation risk. It has engaged a company to monitor reputation risk indicators (using social media analytics) and report once each quarter. However, it is in an industry where customer satisfaction can move quickly and significantly.

Quarterly risk monitoring creates a risk that the risk management program is not providing the information necessary to manage risks to the enterprise objectives. As in the prior example, management will need to decide whether an investment in more frequent reputation risk monitoring is justified by the potential reduction in reputation risk (because it would increase the ability to respond to customer complaints, etc.).

If management decides that quarterly risk monitoring represents a risk outside acceptable ranges, I would say that the risk management program is less than effective. It is not providing the information necessary for management to take the right risks, and management has determined that this risk (the risk of a bad decision) is unacceptable.

One final example. The company has an excellent risk management framework, formal policies and procedures, processes, and enabling systems. However, in the last year the level of staff turnover among the champions of risk management in the executive ranks and among the risk officers themselves means that the experience of the individuals relied upon to monitor, understand, assess, evaluate, and respond to risks has diminished.

There is an increased likelihood, compared with prior years, that risks will not be managed as desired, that the wrong risks will be taken, and that the risk information that flows to top management and the board may not be reliable.

This is a deficiency in the operation of risk management and may represent a risk to the achievement of objectives because it results in less than reliable risk information on which decisions are based. If the risk is unacceptable, then until it is treated and brought back to within acceptable ranges I would say that the risk management program is less than effective.

So, where am I going?

If we revisit the objective of risk management, we see that we rely on it to provide management and the board with the information they need to run the business, make better decisions, and take the right risks.

But risk management is not and never will be perfect.

It is impossible to monitor every risk, including new risks, in real time and provide useful information – also in real time – to the people who need to act on it.

There will always be risk champions who are new to the company and because they don’t understand the business and their risk-related responsibilities, will fail in that respect.

There will be times when the people required to provide expert insight when assessing and evaluating risks are on vacation, sick, or otherwise unable to participate.

There will always be a risk that the risk management program fails to provide the information necessary for decision-making.

The key is whether that risk is known and is considered acceptable.

If the risk is acceptable, then I would consider the risk management program as effective.

That is not to say that all the principles described in ISO 31000 are not necessary, or that the components discussed in COSO ERM are not required. But, that is the structure of the program and that doesn’t mean it is effective and produces the results necessary for the organization to succeed.

Bottom line: CROs and executive management should assess their risk management program (auditors can help) and determine whether the risk that it will provide insufficient information to run the business, make informed decisions, and take the right risks is at an acceptable level.

OK, I understand that this is a little complicated and a very different way of thinking about effective risk management. Does it make sense?

I welcome your views.

Missing the boat on IT and technology

March 29, 2014 8 comments

When you look at surveys of CEOs, such as the ones by PwC in 2014, McKinsey in 2013 and IBM in 2012, they reflect what we should all know: that the innovative use of technology is one of, if not the primary, enabler of business innovation these days. Whether it’s connecting with the customer (as referenced by IBM), obtaining market insights (through analytics including Big Data analytics – see this discussion of a McKinsey report), or simply finding new ways to deliver products and services to customers, technology is a critical driver of business success.

As PwC says:

“CEOs told us they think three big trends will transform their businesses over the next five years. Four-fifths of them identified technological advances such as the digital economy, social media, mobile devices and big data. More than half also pointed to demographical fluctuations and shifts in economic power.”

“The smartest CEOs are concentrating on breakthrough, or game-changing, innovation. They’re explicitly incorporating it in their strategies. And they’re using technology not just to develop new products and services, but also to create new business models, including forging complete solutions by combining related products and services. In fact, they don’t think in terms of products and services so much as outcomes, because they recognise that products and services are simply a means to an end.”

“Breakthrough innovation can help a company rewrite the rules and leapfrog long-established competitors.”

Organizations that fail to leverage new technology are likely to be left behind by customers and competitors. In an ISACA report on Big Data, the point was made that failing to take a risk with new technology is very often a greater risk than any risks created by the new technology.

(Please see these earlier posts on IT Risk and Audit, Deloitte says mid-market companies are using new technology to great advantage, and Digital Transformation.)

Now we get a couple of reports and discussion documents that indicate that companies, executives, and consultants that aim to guide them are all missing the boat!

A new report from McKinsey, IT Under Pressure, says that dissatisfaction with IT’s effectiveness is growing. They start the report with:

“More and more executives are acknowledging the strategic value of IT to their businesses beyond merely cutting costs. But as they focus on and invest in the function’s ability to enable productivity, business efficiency, and product and service innovation, respondents are also homing in on the shortcomings many IT organizations suffer. Among the most substantial challenges are demonstrating effective leadership and finding, developing, and retaining IT talent.”

McKinsey points out that in their survey only 49% felt IT was effective when it came to helping the organization introduce new products and 37% said IT was effective in helping enter new markets.

Even IT executives said that they were failing when it came to driving the use of technology and innovation: just 3% were fully effective and only 10-17% very effective in related areas.

Fully 28% of IT executives and 13% of other executives came clean and said the best way to fix the problem was to fire current IT leadership!

I suggest reading the entire McKinsey piece and considering how it relates to your organization.

Deloitte’s prolific thought leadership team has weighed in with advice for the CFO, who often has IT within his organization. Evaluating IT: A CFO’s perspective starts with some good points:

“Ask finance chiefs about their frustrations with information technology (IT), and you are bound to get an earful. Excessive investments made. Multiple deadlines missed. Little return on investment (ROI) achieved. The list goes on.

“To complicate matters, many CFOs simply do not know if chief information officers (CIOs) are doing a good job. What exactly does a good IT organization look like anyway? How should IT be evaluated? And what are the trouble signs that the enterprise is not prepared for the future from a technology standpoint?”

But then they stray from the need to get IT to drive the effective use of new technology for both strategic and tactical advantage. Instead, they focus on “IT is typically the largest line item in selling, general, and administrative expense.”

This is the attitude, managing cost at the potential expense of the business, which gives CFOs a deservedly bad name!

I will let you read the rest of this paper, but when the first question it suggests for CFOs to use in assessing IT performance is “Have you tested your disaster plan”, I am more prepared to fire the CFO who asks that as his first question than I am to fire the poor CIO who reports to him.

My first question for the CIO is “How are you enabling the organization to innovate and succeed?”

PwC asks some good questions as well:

  • What are you doing to become a pioneer of technological innovation?
  • Do you have a strategy for the digital age? And the skills to deliver it?
  • How are you using ‘digital’ as a means of helping customers achieve the outcomes they desire – rather than treating it as just another channel?

Risk and internal audit professionals should consider whether the risk of missing the technology boat is at an unacceptable level in their organization.

Board members should ask how the leaders of IT are working with the business to understand and use technology for success.

CFOs should worry less about the cost of IT and worry more about the long-term viability and success of the organization if they become barriers to strategic investment.

I welcome your comments.

The continuing failure of the risk appetite debate to focus on desired levels of risk

March 22, 2014

I have written often and with passion about the concepts of “risk appetite” and “risk tolerance”. In order of date, from earliest to latest:

I am drawn to write about this flawed concept yet again by two developments. First, a respected risk practitioner told me that he has found that in many banks (and presumably other financial services companies) the board agrees on risk limits and appetite statements with management, but those limits are not shared with everyone who has day-to-day responsibility for running the business and staying within desired levels of risk.

This is the primary area with which I have a problem when it comes to the idea of a risk appetite statement. Something that satisfies the needs of the board and top management to establish and monitor aggregate risk across the enterprise fails if it does not direct the actions of those people who are taking risk every day, not only in transactions but in decision-making.

Then, my good friend (and that is an honest statement with which I believe he will agree) Jim DeLoach of Protiviti penned a piece on risk appetite and tolerance for Corporate Compliance Insights.

Jim shares some truths:

“Risk levels and uncertainty change significantly over time. Competitors make new and sometimes unexpected moves on the board, new regulatory mandates complicate the picture, economies fluctuate, disruptive technologies emerge and nations start new conflicts that can escalate quickly and broadly. Not to mention that, quite simply, stuff happens, meaning tsunamis, hurricanes, floods and other catastrophic events can hit at any time. Indeed, the world is a risky place in which to do business.”

“Value creation is a goal many managers seek, and rightfully so, as no one doubts that successful organizations must take risk to create enterprise value and grow. The question is, how much risk should they take? A balanced approach to value creation means the enterprise accepts only those risks that are prudent to undertake and that it can reasonably expect to manage successfully in pursuing its value creation objectives.”

But then the discussion veers towards the too-common misperception that the only limit that should be set on risk is the upper level – a constraint that stops management from taking too much risk.

In fact, as Jim points out, companies will only succeed if they take risk: “a company may choose to drive growth through extending more credit to its customers, entering certain third-world markets or investing in a completely different line of business”.

So, it is important to ensure that not only does management not take on too much risk, but they do not act timidly and fail to take on the risk that will drive performance and value creation.

I know Jim well and have total confidence that he appreciates that companies need not only ceilings but floors on the levels of risk they should take (and not limit their risk criteria to quantitative factors) to ensure they are taking the right risks.

I just wish his paper focused less on the negative (with comments like “What ceilings are placed on capital expenditures, M&A activity, R&D and other investments? In what areas are there policy restrictions (e.g., avoidance of certain markets and use of certain financial instruments)?”) and helped organizations recognize when to take more risk.

I also wish that Jim brought into his pieces a greater appreciation of the perspective on risk and uncertainty reflected in the ISO 31000:2009 global risk management standard, instead of limiting himself to the concepts (some of which, like risk appetite, I believe to be flawed) of COSO ERM.

I welcome your comments.

Please see this related story about an internal auditor that recommended that the company consider taking on more risk.