Posts Tagged ‘GRC’

What if we just abandon “risk management”?

August 15, 2022 5 comments

Earlier this year, Marco Nutini asked this challenging question in a newsletter he shared on LinkedIn.

He starts with:

Calm down, I don’t want to ruin my source of daily bread, let alone create a fuss.

Several internationally recognized authors have already addressed a recurring theme in the Risk literature: if a company does not manage risks, but manages decisions, why use the term “Risk Management”?

For example, Grant Purdy and Roger Estall devoted an entire section of their book, Deciding (2020), to propose the temporary eradication of the term. Grant was a nominated expert to the working group that wrote ISO 31000 and ISO Guide 73. Both standards were inspired by AS/NZ 4360:2004, to which Grant was a key contributor. So, I guess he is in a privileged position to give his opinion.

Marco quotes Grant and Roger’s argument that the terms “risk” and therefore “risk management” have multiple meanings, and that this means they really have no meaning. Therefore, we should stop using the terms.

This is not a view I subscribe to, although I do dislike the four-letter word “risk” because it sparks a negative reaction from most business executives.

Instead, Marco suggests:

“…what we now call ERM (Enterprise Risk Management) is a tangle of three distinct, yet interconnected fields of knowledge, something like modes of Risk Management:

  • Strategic Assumptions Assurance: A set of tools developed to assess an organization’s chance of achieving its goals and honoring its performance forecasts. It is supposed to support the strategy execution and monitoring processes.
  • Risk-Informed Decision Making: This mode has a diffuse, broad scope. As the name implies, it aims to ensure that the organization’s decision-making processes gather and use intelligently the necessary information for decision making under uncertainty. This mode is called Sufficient Certainty by Grant Purdy and Roger Estall, also the name of their consultancy from Australia.
  • Risk Control: A mode that has a transactional and compliance scope. It seeks to design and maintain a control environment that keeps residual risks at the planned levels. It is analogous to the “routine management” of Quality. Many people think that this is what Risk Management is all about.

This resonates more with me (see my last blog post).

The first of the three seems very similar to my idea of top-down risk management, which focuses on whether there is an acceptable likelihood of achieving each of the enterprise’s objectives.

The second is what I referred to as decision-based risk management.

But I see the third as a subset of the first two. Some might say that this is how an organization responds to, manages, or mitigates risk.

The problem is that it overlooks the positive aspect of risk: opportunities. We need controls to ensure that they are taken as and when appropriate.

Marco’s newsletter/LI post is quite long, and I will let you read the rest. The only comment I will make is that he makes everything seem complicated, whereas I always seek (but don’t always find) simplicity.

Please share your comments here as well as against his post.

P.S. Happy belated birthday, Marco!

Decision-based Risk Management

August 12, 2022 9 comments

WARNING: This is likely to be a controversial post!

I have been talking (OK, preaching) about the need to manage the likelihood of achieving objectives (i.e., success) rather than limiting yourself and the organization by managing or mitigating risks. You need to take risks if you ever want to achieve objectives; the key is taking the right level of the right risks. I especially dislike managing individual risks, or a silo of risks, absent the context of what we are trying to achieve as an organization.

To repeat: we need to take the right level of the right risks for success.

That’s a top-down approach to risk management.

But there is another dimension to risk management.

Both ISO 31000 and COSO ERM talk about the need for intelligent decision-making, where leaders understand:

  • Where they stand
  • Whether that is a problem
  • What might happen going forward, both risks and opportunities
  • The best path to follow, balancing or weighing risks and potential reward

I recently did a video presentation on this topic that will be shown as part of the RAW 2022 conference in a couple of months.

The idea is that if risk practitioners want to help people make informed and intelligent decisions, they must:

  • Understand what decisions (especially crucial decisions for success) are to be made, both strategic and tactical
  • Make it easy for decision-makers to find and then use the information they need about what might happen
  • Help them have all the important information they need for their decision, not just threat assessments or information from a silo perspective (like cyber, supply-chain, compliance, etc.)
  • Help them see the big picture and weigh the pros and cons of each option

Decision-makers won’t find the actionable information they need if all they have is the same huge list of risks everybody has. They need something designed to help them make the smart decisions they need to make at the speed of the business; something tailored to them and their needs.

The information must be:

  • Relevant
  • Reliable
  • Complete
  • Current
  • Timely
  • Easy to find and use

Those risk functions that have changed the name to “decision support” or similar are going to be ahead of the game in this respect.

But practitioners have to satisfy the need for both dimensions: decision-based and top-down (also known as success management or objective-centric risk management – see the work of Tim Leech).

Some might add a third dimension: bottom-up.

This is where somebody identifies a risk (or opportunity) by reading a paper, hearing of a concern from a board member, or as the result of a silo risk management function’s work.

In order to properly assess the bottom-up risk, it needs to be added to the big picture. Given all other sources of risk, how would it affect the achievement of enterprise objectives?

For example, a board member reads an article that talks about risks to the supply chain if you are importing goods from Taiwan. (A purely hypothetical situation.) In order to assess the risk, you need to know what you might be importing from Taiwan and how any disruption might affect your revenue or other aspect of the business. It has to be put into context and considered alongside other related sources of risk.

You add it to the top-down dimension to see a revised big picture.

Big picture

In my books, I mentioned the concept of a tipping point[1]. While from a siloed perspective (in this case, supply-chain risk management) the risk may seem low and acceptable, when added to the big picture it may push the aggregate past the tipping point. While the total was previously seen as acceptable, adding one more source of risk makes it unacceptable.

But there’s another dimension. That supply-chain risk might also potentially affect decisions, so it should be added to those pictures as well.

Yes, risk criteria (my preferred language, from ISO 31000) may exist and be used to evaluate risk. That’s OK if the criteria or risk limits are derived based on the achievement of objectives and updated as conditions change. But it’s not OK if they are based on risks to the silo instead of to the whole business and its success.
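As an added illustration of the tipping-point point above, and of evaluating against an enterprise-level criterion rather than a silo one, here is a short calculation (added example, not code from the original post; every figure, the source names and the criteria are constructed for the example, and the sources are assumed to be independent, which is a simplification):

```python
"""Aggregate likelihood of missing an objective from several sources of risk,
and the 'tipping point' effect of adding one more bottom-up source.

Added illustration, not code from the original post. All figures, names and
criteria are constructed; independence between sources is an assumption.
"""
from math import prod

# Constructed: probability that each source, on its own, causes the revenue
# objective to be missed over the planning period (the top-down picture).
SOURCES = {
    "key customer churn": 0.04,
    "product launch slips": 0.06,
    "FX movement": 0.03,
    "cyber incident": 0.05,
}

ENTERPRISE_CRITERION = 0.20   # assumed: max acceptable P(objective missed)
SILO_CRITERION = 0.10         # assumed: what the supply-chain silo calls 'low'


def aggregate_likelihood(likelihoods):
    """P(objective missed) = 1 - P(no source materialises), assuming
    the sources are independent. Dependence (a common cause behind
    several sources) would make the true figure higher, not lower."""
    return 1.0 - prod(1.0 - p for p in likelihoods)


def evaluate(sources, criterion):
    """Return (aggregate likelihood, acceptable against the criterion)."""
    agg = aggregate_likelihood(sources.values())
    return agg, agg <= criterion


def add_bottom_up_source(sources, name, likelihood,
                         enterprise_criterion=ENTERPRISE_CRITERION,
                         silo_criterion=SILO_CRITERION):
    """Contrast the silo view of one new source with its effect on the
    whole: the same risk can be 'low' in isolation yet tip the aggregate
    over the enterprise criterion."""
    before, ok_before = evaluate(sources, enterprise_criterion)
    combined = dict(sources)
    combined[name] = likelihood
    after, ok_after = evaluate(combined, enterprise_criterion)
    return {
        "silo_acceptable": likelihood <= silo_criterion,
        "aggregate_before": before,
        "acceptable_before": ok_before,
        "aggregate_after": after,
        "acceptable_after": ok_after,
        "marginal_increase": after - before,
    }


if __name__ == "__main__":
    # The hypothetical from the post: a board member raises Taiwan imports.
    result = add_bottom_up_source(SOURCES, "Taiwan import disruption", 0.05)
    for key, value in result.items():
        print(f"{key:>20}: {value:.4f}" if isinstance(value, float)
              else f"{key:>20}: {value}")
```

With these constructed numbers the four existing sources combine to roughly a 16.8% chance of missing the objective, which is under the 20% criterion; the new source is 5% on its own (comfortably “low” for the silo) but lifts the aggregate to about 21%, which is not. The arithmetic is trivial; the point is that the decision about the new source cannot be made from the silo’s numbers alone.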

One word of caution.

Risk practitioners don’t have to provide all the information themselves. It’s perfectly fine, even desirable, if management is able to find and use the information they need to achieve success through informed and intelligent decision-making by themselves.

The risk practitioner, in my opinion, should be an enabler and an aide. If management doesn’t need your help, step aside – your job is done, at least for now.

But often, the information needs to be gathered from sources across the extended enterprise. It needs to be brought together to see the big picture. That can be hard when different methods are used (such as when the CISO insists on reporting risk to information assets in his silo rather than to the business objectives).

The risk officer can be the linguist and translator, the big picture painter. (They should fight for risk assessments that are apples to apples, even from diverse sources.)

Sometimes, the information may appear to be in conflict, requiring facilitation by the risk practitioner. Bring people together to resolve these conflicts, and help everybody involved.

The risk practitioner should collaborate with performance management and the finance team for management and board reporting, so they can see the big picture likelihood of achieving objectives.

In other words, there remains a role for the risk officer, but the primary role is to help management see the big picture and make informed and intelligent decisions on the path to success.

The risk team needs to talk to and (especially) listen to leaders and decision-makers.

  • Understand their needs (and that may mean changing their perception of what they need if they are not managing the likelihood of success, or are satisfied with making decisions based on the rumbling of their gut)
  • Make sure their needs are met
  • Stay alert to changes in those needs
  • Help them (individually and together) be successful

What do you think?

[1] Made famous by Malcolm Gladwell in The Tipping Point: How Little Things Can Make a Big Difference (2006 edition)

More Risk Assessment Danger

August 4, 2022 15 comments

When I was setting up ERM for Business Objects S.A., I was surprised by the reaction of the General Counsel, David.

I had already met with the CEO and his other direct reports. Now David and I were meeting so I could get his insights on the more significant sources of risk to the company and its objectives.

“I’m not going to answer your questions about risk.”

I was shocked and asked him why, since both the board and his boss, the CEO, wanted this done.

Even though I told him that his insights were critical, he politely but firmly told me he would not share what he thought the likelihoods were of each of the events and situations most likely to cause a significant problem for Business Objects.

He went further, saying he would not provide any assessment of risk relating to legal actions by or against the company that would be documented by me.

David believed, with some justification, that documenting his (and the company’s) assessment of risks could itself create an unacceptable level of risk.

Why is there danger in risk assessment? (Beyond the risk of getting the risk assessment wrong, leading to bad business decisions, as discussed in my last post.)

Consider safety risk: the possibility that an individual might sustain serious harm while on our premises or when using our products. The company may publish a risk appetite statement that declares it has zero appetite or tolerance for safety risk. Yet, it continues to operate – meaning it is actually accepting some level of risk.

Now consider that management performs a risk assessment and (correctly) assesses that there is a low level of safety risk. For the sake of argument, let’s say it determines that the likelihood of loss of life is 0.5%, of serious injury 2.5%, and of minor injuries 3.75%. Relying on that, management decides not to upgrade some of their equipment using the argument that the cost would be prohibitive and the benefit (including the reduction in safety risk) minimal.

Then there is an incident with loss of life and other serious injuries to personnel, including both employees and contractors.

A lawsuit surfaces the risk assessment and management’s decision to accept the risk.

The union and the press blame the company for accepting the likelihood of death and injury for the sake of profit.

A similar situation can arise with compliance risk.

In theory, and probably in public, no company will accept any level of compliance risk.

In practice, they must if they are to be in business.

So when they decide not to hire additional compliance personnel because the cost exceeds the benefit, and they then violate data privacy laws or anti-money-laundering regulations, significant penalties and business disruption may ensue.

Taking this to a practical example, I have been working with a nonprofit that helps refugees in Ukraine and many other nations around the world.

The chair of the audit committee would like to know what its risk appetite is, meaning the total amount of risk the organization is willing to take in pursuit of its objectives.

But how do you set an acceptable level of risk when people’s lives are at risk? It can’t be zero, because taking risk is necessary if you are going to send employees and others into a dangerous area to rescue people.

My point is this. The risk practitioner should understand where and when a formal, documented risk assessment or statement of risk appetite might be a source of risk should it become public.

I am certainly not saying that there is no need for or value in a risk assessment for compliance and safety risk. There is value, especially when allocating resources to areas of greatest compliance risk.

What I am saying is that we have to be careful how we quantify, document, and report it. At Business Objects, I found a way to perform the analysis “at direction of counsel” to provide some level of safety.

What do you think?

Risk Assessment Danger

July 31, 2022 26 comments

Every so often, we hear about a military mission where something went wrong. The intelligence might have said, for example, that a targeted individual was thought to be in a certain location – so the military attacked that location but did not find the sought-after person.

In the same way, business leaders make decisions based (at least in part) on information about risks and opportunities.

If a risk assessment is unreliable, wrong decisions may be made with serious effects.

For example, if the risk is seen as ‘high’ that a competitor will shortly release an advanced version of a competitive product, the management team may decide to accelerate the launch of its own product even though its development team say they are not quite ready.

On the other hand, if the competitive product release risk is assessed as ‘low’, then management may wait and spend more time on product quality.

If the risk assessment is faulty and leads management to make the wrong decision, there may be severe damage.

Going to market too early with a less than perfect product can lead to customer dissatisfaction and longer-term revenue losses.

Going to market too late allows competitors to steal market share and leads people to question the ability of the company to be a market leader.

Are risk officers (CROs and their teams) confident in the risk assessments they make or facilitate?

If a risk (of any type) is assessed as, let’s say, ‘high’ (whatever that means), how confident is the CRO and/or the management team in that assessment?

Are they 100% confident? I doubt it.

How about 90% or 80%?

In fact, I doubt that many CROs think about the likelihood that any of the risk assessments they make or facilitate are reliable.

I believe that CROs need to understand the likelihood that each risk assessment is or is not reliable.

Related risk factors may include:

  • Cognitive bias. See previous posts: Understand your own bias as a practitioner and Are your business decisions failing because they are biased?
  • Incomplete information, including not involving all the people who have relevant information and insights
  • Information that is out of date
  • Inaccurate information, for example portraying risk as a point instead of a range
  • Hidden or difficult to find and use information. For example, I understand some organizations have a risk matrix with more than 50 columns, let alone the number of rows. How can decision-makers be expected to find the nuggets of actionable information they need in such a mess of data?

Of course, many factors may lead to risk assessments that need to be taken with a grain, a pinch, or a bucket of salt.

The issue is whether the CRO understands the level of salt required. Should management make business decisions based on the available risk assessments?

If the likelihood of error in a risk assessment is unacceptable, should the decision be delayed until improvements are made – if that is even possible?

What do you think?

There are other dangers in risk assessment, which I will discuss in a later post.

Talking about Risk Governance

July 25, 2022 12 comments

My thanks to Alex Sidorenko, who recently wrote about The Directors and Chief Risk Officers Group (DCRO) on his blog in Companies need intelligent risk-taking to survive according to DCRO Institute.

I really like the shift from talking about risk management to risk-taking.

Alex says:

Avoiding risk altogether is the single surest way to fail over time, as innovation, competition, and customer lethargy will slowly eat away at the advantages you currently enjoy. Because there is plenty of evidence that organizations don’t take risk well – or at least well enough for long-run interests – we need to adopt practices that ensure our future.

The DCRO Institute, a collaboration among practicing board members and C-suite executives, has developed an extensive program to help current and aspiring board members become comfortable with the positive governance of risk-taking. In just its first year, registrants for its programs come from more than 65 countries, and graduates of its flagship Board Members’ Course on Risk, an intensive study program, are found serving in boardrooms and C-suites on five continents.

He goes on to assert:

Boards and senior executives who embrace risk in this framework foster an environment of innovation, allowing organizations to grow at rates that allow them to escape the well-documented corporate fade in performance.

When a board changes its view of how risk is governed and taken, the transition to embracing risk carries throughout the organization to every employee, especially those that face customers. Today when most talk about risk, they still think of the fear of loss or uncertainty, especially given our current health, social, economic, and political climate. Loss and uncertainty are partially correct conceptualizations of risk, but both fall short of the approach we need to take to be our best fiduciaries.

The staged transition from the board’s embrace of risk-taking, to the C-suite’s implementation of that guidance, to the frontline employees’ management of essential risk-taking, leads us to the most crucial conceptual change of risk-taking: its impact on the trust that all capital providers and external influencers have in us. Organizations have an expressed purpose and stakeholders trust us to pursue that purpose in value-enhancing ways. That trust, in turn, makes all transactions more effortless and less expensive.

DCRO’s Guiding Principles for Board Risk Committees (published in 2018) lists seven principles:

  1. At any organization, the full board has the overall responsibility for risk governance. In many cases, the full board will benefit from the focused and specialized support of a well-structured and competent board risk committee.
  2. The focus of a board risk committee is to link the risk-taking activities of an organization with its strategic objectives. It provides the full board with the capacity to evaluate the risk management infrastructure and capabilities of the organization and to challenge the effectiveness of management’s pursuit of strategic objectives from a return-on-risk perspective.
  3. Board risk committee meeting agendas should be guided by best practices, stakeholder expectations, and regulatory requirements. Agendas should cover topics that include a review of risk culture, strategy, tolerance for loss, and both internal and external communications.
  4. Regular meetings with key executives and independent information gathering from stakeholders are both essential for the board risk committee to develop a full narrative of a company’s risk-taking activities.
  5. The board risk committee must interact with other board committees to ensure full coverage of the organization’s risk profile and the interdependencies across its risk and performance drivers.
  6. Board risk committees should be populated with Qualified Risk Directors who are competent to govern the risks to which the organization is exposed.
  7. The board risk committee should provide sufficient guidance and information to allow the full board to issue a simple-language disclosure about the organization’s risk culture and control processes. Further, and only if warranted, the full board should issue a statement that the organization’s risk philosophy, infrastructure, processes, and capital base are “fit for purpose.”

Frankly, the only one that resonates with me is the second. The rest are ho-hum. The first sentence in #2 is the key:

The focus of a board risk committee is to link the risk-taking activities of an organization with its strategic objectives.

I will come back to that, but first want to share some interesting excerpts, with my highlights.

  • Formal and effective implementation of a board risk committee fosters a corporate environment in which the most value can be created from an organization’s limited risk-taking capacity. Garnering the most benefit from risk-taking requires both an understanding of downside risks, from either action or inaction, as well as an understanding of the drivers of success.
  • The full board’s responsibility for risk oversight and governance mirrors its responsibility for oversight of strategy and the evaluation of results.
  • A board risk committee helps the full board to evaluate if the organization is taking risks that will truly generate value after accounting for their costs, both actual and prospective. It further helps to focus the full board’s attention on the organization’s most critical risks and risk management capabilities.
  • Board risk committees should meet quarterly or monthly, depending on the complexity of the organization and overall cadence of full board meetings. The focus of the conversations should be on linking the organization’s risk-taking activities with its strategic objectives and evaluating whether the return on risk-being-taken is sufficient to support strategic goals.
  • At least annually, the committee should independently gather information from key stakeholders in their supply chain, from customers, line employees, securities analysts, investment bankers, and regulators. The committee may go even further and create a stakeholders committee to advise it on external perceptions of the organization for alignment with the representations made by internal sources. To be clear, this is not intended to be a two-way flow of information, but rather a way for the board risk committee to receive additional perspectives on the work of the organization.
  • The committee should always consider ways to avoid barriers that prevent risk information from reaching the highest levels of an organization. Regular meetings with randomly selected line employees from key business and operational units may provide additional perspective on emerging risk or cultural issues that have not yet garnered the attention of senior management or that may contradict the representations they are making to the committee. These types of conversations can also help to identify obstacles to the free flow of critical information to the board.

The last two bullet points are controversial, at least in my opinion.

The idea that the members of the board committee should meet with “randomly selected employees” and other stakeholders is a strange one. I am not persuaded that directors should do that, especially as I am not sure they will receive sufficient information from a small sample to challenge management’s position. I would prefer that management justify how they arrived at their assessments.

Another controversial suggestion relates to where there is a combined Audit and Risk Committee.

DCRO points out that there is a lot of work for such a committee. It has a full slate just on the Audit Committee side. DCRO also asserts that understanding financial reporting doesn’t mean that you understand risk and risk-taking.

So they suggest that there might be dual chairs, one for each responsibility of the committee.

I am not in favor of that, although I do agree that combining Audit and Risk may give short shrift to the oversight of risk-taking.

The same criticism applies when the Audit Committee is expected to address risk, even though it is not part of their name. In those cases, DCRO points out that attention to risk-taking is often one of the last items listed in the committee’s charter.

My personal belief is that there should be a Risk and Strategy committee.

When you have a Risk committee, it may devolve into a focus on managing and mitigating risk (a list of risks, more often than not). This is especially true when there is a separate Strategy committee.

Going back to the second DCRO principle:

The focus of a board risk committee is to link the risk-taking activities of an organization with its strategic objectives.

Isn’t this best achieved by a Risk and Strategy committee?

Whatever you believe, I think the DCRO guidance is useful and should be considered by every Risk, Audit, Audit and Risk, and Risk and Strategy committee.

What do you think?

A brave root cause analysis and how COSO might help

July 22, 2022 7 comments

I have been a big fan of the IIA’s magazine for a long time, having been both a contributor and a member of its editorial board.

A recent piece tackled a topic that I believe is important, not only for internal auditors but also for risk practitioners in an article titled, Digging Deep (available to IIA members).

The lead-in paragraph says:

Using COSO-based root cause analysis to connect reasons for control failures with internal control principles can help identify weaknesses across the organization.

Now I’m not sure the author understands that root cause analysis has nothing whatsoever to do with the COSO Internal Control Framework.

However, that COSO framework’s principles can point to some areas, such as competency and information, that can help understand the true root cause of an internal control failure – so the author just got the wording wrong.

She says this well:

Conducting a root cause analysis is a way internal audit can add value to the organization by looking beyond identified symptoms of internal control weaknesses to the underlying reasons for why they exist. Without an RCA, recommended corrective actions often fail to address the actual cause of a problem, and the issue may persist or evolve.

In fact, if the auditor doesn’t perform a root cause analysis it is highly likely that only the symptom is identified and addressed, rather than the underlying disease.

RCA should not be considered an additional step. It should be mandatory for every identified control weakness.

The author has a useful section on the different ways a root cause analysis can be performed.

  • Five Whys: Asking “why” five times to drill down to the true cause of a finding.
  • Pareto Chart: Presenting potential causes for the identified problems on a chart from the highest to the lowest frequency to focus on areas of improvement with the greatest impact.
  • Fishbone Diagram: Assessing potential causes grouped into categories (people, process/methods, equipment, materials, measurement, environment) to establish a relationship with the identified problem.
  • Scatter Plot Diagram: Testing correlation between variables by plotting potential root cause (an independent variable) against the effect (dependent variable).

I would add a caveat: whichever method you choose (I prefer the first), you have to keep inquiring until the true root cause is identified.

In other words, you may have to ask “why” six, seven, or more times until you are satisfied that the root cause has been identified, and only then can corrective actions be considered.

Consider this. An audit or review has identified that reconciliations are not being completed on time.

  1. Why? Because people are too busy.
  2. Why are they busy? They have too much work to do in other areas and the reconciliations are lower priority tasks.
  3. Why do they have too much work? People have left and not been replaced.
  4. Why have they not been replaced? The manager has not been able to fill the positions.
  5. Why hasn’t he been able to fill the positions? Candidates are asking for too much money, more than the company can offer.
  6. Why is the company not able to offer sufficient compensation? Because the Human Resources department mandates a salary and bonus range for these positions that is lower than candidates with the required experience and ability demand.
  7. Why…..?

And on it goes until the true root cause, which in this case is in a different department than the symptom, is identified.

The other three methods (Pareto chart, Fishbone diagram, and Scatter plot diagram) may not be sufficient. For example, you may identify a common point of failure for multiple control issues. But then you have to ask “why” several times to get to why that cause existed.

Where the article goes astray is in its attempt to list ‘common root causes’ for deficiencies in particular areas. If you have been able to access and read the article, you will see what I mean. We can set aside the rest of that article.

So are there common root causes?

I would start with the principle that holds true in 99.99% of cases: the root cause is people related. It may be:

  • Controls are performed by people with insufficient training, experience, or competency (addressed by a COSO principle). The author has identified competency weaknesses and lack of training as common root causes, but they are not root causes. The auditor needs to ask why these conditions exist. Why didn’t competent people get hired? Why wasn’t adequate training provided? Several more whys may be needed before the true root cause is identified.
  • Controls are performed by people who have not received the information they need to do their job well (another COSO principle). Again, the article just says the common root cause is insufficient internal communication. But why did that happen? And why, and why, and why.
  • Management is lacking in some way, whether it is in how people are directed, how they are motivated, or some other issue.

Take one example from Auditing that Matters. Loretta Forti is our heroine, conducting an audit that focused on the timeliness of approval for capital expenditures (Authorizations for Expenditures, or AFEs).

I had asked her to perform an audit of the AFE process after I discovered that expenditures with a very high ROI were taking so long to be approved that the opportunity passed!

It was relatively easy to find out how the process worked. Once a month, the division CFO gathered all the Vice Presidents and they collectively reviewed all the AFEs and the analysis prepared by Mike Passaretti and his team [the Capital Expenditure department]. They would take about half a day to discuss them and decide which they would propose should move forward and what the priority was for each.

The next meeting, typically the following day, was with the division CEO, Bob. The CFO and all the Vice Presidents would review with Bob the AFEs they believed should go forward. When he felt that the total was too high or disagreed with the VPs’ recommendations, the executives had to debate which would be approved, which might be deferred, and which would be declined. This meeting also took a half-day on average.

Because of the intense review and approval process, each executive was careful to ensure all the AFEs they proposed had complete and accurate analyses included in the package. Mike and his team were equally careful with their review and analysis. This all took time.

It was clear to Loretta, as it was to all the Vice Presidents and the CFO, that the process was too long, consumed far too much executive time, and often cost more than the spending itself (if you count the cost of the VPs’ time)!

The question was why the process was this way.

The CFO and VPs all agreed, usually with language they wouldn’t use with children around, that they hated both the all-VP meeting and the meeting with Bob. They said they didn’t have the time to spare and asked for our help to get the process – both time and cost – under control.

Loretta and I met to talk about what we were to do. Rather than share my opinion, for once I did the smart thing and asked Loretta for her opinion.

At first, she didn’t know what to say. But as she realized she could say what was on her mind, and with some gentle guidance from me, she said it: the CEO was the problem. He was the only one who wanted these long and expensive meetings. Only when he was persuaded to change his mind could it be changed.

I knew Bob quite well, having worked with him before he moved into his current position with the company. He was one of the executives with whom I met frequently to discuss the business and he had shared a number of confidences with me.

I was sure that he would listen to Loretta and had a suspicion he would find it easier to understand himself if he met one-on-one with her. Both a formal meeting with the CFO present and a larger meeting with the three of us (Bob, Loretta, and I) might make it harder for him to look in the mirror.

And so it was. I persuaded him to meet with Loretta and she, in turn, trusted me when I told her she would not only be safe but would enjoy herself.

I admit that I was a little nervous as I waited in my office for Loretta. Then she appeared in the doorway, all smiles!

She told me that the meeting went brilliantly. Bob was charming, as usual, and showed great respect for her – even though she was ‘only’ a manager. He let her explain what she had found and that the long process was preventing timely investment to seize market opportunities. In addition, not only was it consuming a lot of expensive executive time, but it was taking them away from running the business.

This was critical, explaining the issue in terms of how it affected the business and its success. Auditors who talk in their language (what I call “technobabble”), rather than the language of the executives they are attempting to inform or persuade (which is the objective of an audit report) are unlikely to succeed.

Loretta said that Bob responded with silence, clearly thinking about what she had said.

Then he shocked her by telling her that he was the problem. He recognized that his insistence on discussing and approving every AFE could not continue. Bob told Loretta she had done an excellent job and that he would like to talk to me.

When I met Bob later that week, he repeated his praise for Loretta. Then he asked for my opinion. Again I was smart and didn’t give him my opinion straight away. Instead, I asked him why he wanted to approve every AFE.

After a short hesitation, he said that perhaps he should only approve major capital expenditures instead of every one. I concurred, saying that was what I was used to and would advise.

But I kept at it. Why had he insisted on approving every AFE? This was not what he had done in his previous positions with the company, nor was it what he had been used to when working directly for Tom O’Malley – a consistent and effective delegator.

Then he looked again in the mirror and saw his true self.

“Norman, I can see now that I didn’t trust my direct reports enough to make these decisions!”

We talked about this for a while. Either he had the wrong people in these key positions, in which case he needed to replace them, or he needed to trust the people he had and delegate more effectively. He didn’t hesitate before saying he had excellent people; he just had to let go, take a little more risk, and trust and delegate.

For the next couple of weeks, Loretta and I had a trail of VPs visiting us to express their thanks for Loretta’s great work. Bob had changed the entire process, with new delegations of authority such that the VPs could approve most AFEs, the CFO would have to approve all over a certain value, and Bob was only involved in truly major capital expenditures.

Going back to my earlier statement that PEOPLE are almost always the root cause, in one way or another: root cause analysis may surface some ugly truths.

It can take a lot of interpersonal and even political skills for the auditor (with the CAE’s active assistance) to discuss the issue and root cause with management, obtain their agreement on the facts, and work with them on the appropriate corrective action.

They are often unable or unwilling to face those facts.

Consider situations where:

  • A manager is a poor leader, failing to delegate, motivate, inspire, etc.
  • The employee charged with performing the control has too much work and management is unwilling to hire additional staff.
  • A manager is unable (might be incapable) to persuade more senior management that there is a need to address a risk, to hire more people, to change direction, etc.
  • People are talking in different languages, such as senior management and the cybersecurity staff.
  • The company’s systems are old and need to be replaced at a cost of tens of millions, which is not in the budget.
  • The CEO is a bully and gets his direct reports to compete instead of working together.
  • The Marketing team distrusts the people in the front lines, and therefore loses touch with the needs and wants of the customer base.
  • The manager is biased against individuals who don’t look like him or her, creating a hostile environment and failing to get the best out of employees.
  • The culture established and reinforced by management’s actions discourages creativity and risk-taking, and stifles performance.
  • Management is not trusted or respected.
  • People are motivated to achieve their personal performance goals rather than what is best for the organization.

A root cause analysis that is not afraid of identifying and reporting people failures is essential.

The COSO principles are useful, but they are insufficient. Only some of the bulleted situations above are covered by them.

I am reminded that the former CEO of GE, Jack Welch, was once asked what problems he faced every day. His answer was:

  1. People
  2. People
  3. People

They are the root of (almost every) control failure.

We need to be brave to see and help others see the true situation.

I welcome your thoughts.

The agile risk appetite

July 18, 2022 4 comments

If you have been reading this blog or my books, you know I have significant reservations about the concept of “an amount of risk” that would be acceptable in pursuit of objectives.

However, I recognize the need for limits and policies when it comes to risk-taking. They help guide decision-makers on what risks and outcomes are desirable to leaders of the organization. We could call them ‘risk criteria’ (ISO), while some refer to them as ‘risk appetites’ or ‘risk tolerances’ (COSO). I prefer to avoid those terms as they focus on ‘risk’ with the inevitable negative connotation (i.e., we must manage or mitigate risk) instead of guiding people to take the right level of the right risks in the circumstances (such as the potential for reward). Let’s use ordinary business language instead of risk technobabble.

For example, these are useful:

  • Spending approval authorities
  • Credit limits
  • Policies on the level of credit that can be given to customers, with escalation to more senior individuals or even the board as needed
  • Approval levels for capital expenditures, including reserving certain expenditures to the CEO or the board
  • Policies of who can approve journal entries, purchase orders, inventory write-offs, etc.
  • Policies with limits on the use of derivative instruments
  • Policies on commodity or currency hedging
  • …and so on

My point today is that all of these, whatever you call them, need to be “agile”.

The environment within which organizations function is volatile – as or more volatile than any prior period.

There is uncertainty about:

  • Local and global economies
  • The supply of raw materials and components
  • The speed of the supply chain
  • The availability of personnel, both in specialist positions and minimum wage jobs
  • Disruption caused by sanctions
  • Consumer confidence
  • …and more

In these times, organizations need to be agile. They need to be able to adapt intelligently and at speed, without sacrificing the long term at the altar of the short.

If policies and limits, etc. don’t change as business needs change, you are highly unlikely to be taking the right level of the right risks.

I am reminded of a real-life situation that I wrote about in World-Class Internal Auditing.

The Treasurer at Tosco was a senior member of the Finance team, highly respected by company leadership. He had been a key member of the management team during the lean years at Tosco; shortly before I joined, when the company was “leaking cash”, he had led twice-daily meetings of the financial team to ensure there was sufficient cash to make it to the next day!

So it was important that we make a good impression when we performed our first audit of his area.

At the same time, he was a gruff curmudgeon (he reminded me of the late, great Alastair Sim as Scrooge in “A Christmas Carol”) who scowled every time I saw him – and other executives told me that he shared that disposition with everybody except the CFO.

So, I set the auditor, Laura Morton (now Nathlich), two tasks: the first was to perform an audit and provide an objective assessment of whether the Treasury function was meeting the needs of the corporation; the second was to get the Treasurer (Craig Deasy) to smile!

Laura exceeded my expectations (something she went on to do regularly).

As I had expected, Craig’s area was in very good shape. It reflected his personality as a disciplined, careful individual who had a deep understanding of the business and its needs.

But, Laura identified one issue that only deepened Craig’s frown.

She pointed out that the company’s investment policy limited overnight investment of cash to the safest of all investments, which had the lowest of all rates of return. While this was the policy that had been approved by the board, the level of risk being taken (clearly a very conservative one) was inconsistent with the general attitude of the company to taking risk!

The company was a significant “player” in the commodity derivatives market, not only to hedge the price it would pay for its raw materials (crude oil) and the price it would obtain for its refined products (gasoline, diesel, jet fuel, and so on), but it also had a truly speculative position. (The manager in charge of our derivatives trading desk was permitted to make speculative trades of several million dollars, subject to supervision by Pete Sutton, a Vice President. Over the years, he was consistently profitable.)

So it was taking millions of dollars of risk in the commodities market but unwilling to take any risk in its overnight investments?

Laura recommended that the investment policy be reconsidered. That was a wise move. Only management can decide how much risk it is willing to take, but we (as the independent and objective internal audit team) can challenge them when appropriate.

Craig reluctantly agreed that Laura had a point – not on technical controls philosophy but on business grounds. He discussed it with the CFO and they agreed to change the policy.

I met with Craig and Laura to review the final report before it went to the audit committee. He gave Laura a reluctant smile and acknowledged that it was a professional audit.

Since then, when I talk to groups of internal auditors about ‘world-class internal auditing’ and ‘how internal audit can add value’, I ask “Do your audit customers smile?”

But the other lesson for me was that internal auditors should not try to eliminate every risk they see.

In my early years, we would identify “findings” and assess the level of risk they presented. The level of risk (high, medium, or low was the typical scale) would drive the sense of urgency when we reported the issues and recommended corrective action by management.

This audit was one of the first where I applied the lessons I had learned in line management, that it is not about eliminating risk – it is about taking the right risk, based on understanding the potential downside, the potential upside, and the cost of any actions.

When the policy was developed, it was the right policy for those times. But times had changed, without the policy being updated.

Some will tell you that policies and other guidance should be reviewed on a regular basis. They will suggest an annual review.

That’s fine, but is it fast enough in these turbulent times?

Are we being agile if we only update policies and practices annually (if that)?

Let’s recognize that agility requires flexibility in our risk criteria and other guidance, with appropriate reviews and approvals.

Let’s encourage everybody to challenge existing policies and procedures, drawing the attention of management to guidance that used to be but is no longer best for our business.

Don’t accept “we can’t do that because of our firm’s policy” if that is holding us back from success.

I welcome your thoughts.
The Woeful State of Enterprise Risk Management

July 14, 2022 15 comments

My thanks go to Professors Mark Beasley and Bruce Branson of North Carolina State University’s Poole College of Management (the Enterprise Risk Management Initiative).

They recently published 2022 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices – 13th Edition.

I believe this is their best edition and thank them for the detail it includes.

The information has value, but it is very important to understand that the survey on which the report is based was sent only to current members of the AICPA (in other words, CPAs). What they have to say is likely to be very different from what a CEO, COO, or other business executive would say. It is also likely to be different from what a board member would say.

Data was collected during the first few months of 2022 through an online survey instrument sent to members of the AICPA’s Business and Industry group who serve in chief financial officer or equivalent senior executive positions. In total, we received 560 fully completed surveys.

A variety of executives participated in our survey, with 21% of respondents having the title of chief financial officer (CFO), 18% serving as chief risk officer (CRO), 6% as controller, and 8% leading internal audit, with the remainder representing numerous other executive positions.

The respondents represent a broad range of industries. Consistent with our prior year survey, the four most common industries responding to this year’s survey were finance, insurance, and real estate (27%), followed by not-for-profit (28%), services (21%), and manufacturing (10%). The mix of industries is generally consistent with the mix in our previous reports.

The respondents represent a variety of sizes of organizations. As shown in the table on the next page, 47% of organizations have revenues $100 million or lower while 30% have revenues over $1 billion. So, there is nice variation in organization size in our sample. Almost all (89%) of the organizations are based in the United States.

My intuition says that they are more likely to be positive about ERM at their organization, as well as being more risk averse than other executives in operating management positions.

Their introductory statements are solid, and I am pleased to see them recognize the need to take risks and exploit opportunities. (The emphasis below is mine.)

Many business leaders and other key stakeholders are realizing the benefits of increased investment in how they proactively manage potentially emerging risks. This is done by strengthening their organizations’ processes surrounding the identification, assessment, management, and monitoring of those risks most likely to impact – both positively and negatively – the entity’s strategic success. They are recognizing the increasing complexities and real-time challenges of navigating emerging risks as they seek to achieve key strategic goals and objectives.

Many organizations are recognizing the need to enhance the formalization and robustness of their risk governance processes. Boards and C-suite executives of these organizations have embraced the concept of enterprise risk management (ERM), which is designed to provide an organization’s leadership a top-down, strategic perspective of risks on the horizon so that those risks can be managed proactively to increase the likelihood the organization will achieve its core objectives.

However, even these CPAs are saying that current risk management practices are failing to deliver.

The professors ask: “To what extent do you believe the organization’s risk management process is a proprietary strategic tool that provides unique competitive advantage?”

  • Not at all – 37%
  • Minimally – 26%
  • Somewhat – 25%
  • Mostly – 9%
  • Extensively – 3%

That’s pretty awful!

This is what they say about the “Strategic Value of Risk Management” (with my highlights):

  • Less than 20% of organizations believe their risk management processes provide strategic advantage. This is surprising given most leaders understand that risk and return are inseparable [Marks: it’s not much more than 3% and not close to 20% according to their own numbers.]
  • Organizations continue to struggle to integrate their risk management and strategic planning
  • Except for financial services organizations, most organizations are not emphasizing the consideration of risk exposures when management evaluates different possible strategic initiatives or when making capital allocations.
  • Most organizations do not formally articulate tolerances for risk taking as part of their strategic planning activities.
  • There is noticeable room for improving ERM processes to help manage risks impacting reputation and brand.
  • There are opportunities to reposition an entity’s risk management process to ensure risk insights generated are focused on the most important strategic issues.

They say this about the “Overall State of Risk Management Maturity”:

  • While progress has been made in implementing complete ERM processes, more than two-thirds of organizations surveyed still cannot claim they have “complete ERM in place.” [Marks: and those that do are not saying that their ‘complete ERM’ is effective!]
  • Large organizations and public companies are more likely than other organizations to report a complete ERM process.
  • The level of robustness and maturity of risk management oversight remained relatively steady with the prior year; however, fewer than half of respondents describe their organizations’ approach to risk management as “mature” or “robust.”
  • Just over one-half of the public companies surveyed do not describe their risk management processes as robust or mature. Non-profit organizations are less likely to have structured risk management processes relative to other organizations.

They also point out that “Many organizations are concluding that their approaches to business continuity planning and crisis management are not at the level of preparedness desired, with almost three-fourths indicating significant changes in those processes will occur”.

The report has a number of important tables. I have highlighted a few points.

| Description of the State of ERM Currently in Place | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| No enterprise-wide management process in place | 15% | 2% | 2% | 6% | 14% |
| Currently investigating concept of enterprise-wide risk management, but have made no decisions yet | 10% | 3% | 2% | 6% | 10% |
| No formal enterprise-wide risk management process in place, but have plans to implement one | 8% | 3% | 4% | 4% | 10% |
| Partial enterprise-wide risk management process in place (i.e., some, but not all, risk areas addressed) | 34% | 36% | 35% | 36% | 38% |
| Complete formal enterprise-wide risk management process in place | 33% | 56% | 57% | 48% | 28% |

Many are reporting that they have a “complete and formal” ERM process in place, but at the same time they are not saying that it is delivering the value it should. They are also saying it is not robust (see the next table).

I believe that these people don’t understand the need for ERM to inform both strategic and tactical decision-making. They are satisfied with what they have (a list of risks, which is often quite short and only occasionally updated according to the survey), even if it fails to help the organization achieve its objectives.

| What is the level of maturity of your organization’s risk management oversight? | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Very Immature | 13% | 3% | 5% | 5% | 15% |
| Developing | 22% | 14% | 11% | 17% | 29% |
| Evolving | 35% | 39% | 39% | 43% | 33% |
| Mature | 25% | 36% | 37% | 29% | 20% |
| Robust | 5% | 8% | 8% | 6% | 3% |

If only a handful of the CPAs in a firm see ERM as “robust”, and 18% of them are CROs, what would the heads of manufacturing, sales, and marketing have to say?

| Description of the Current Stage of ERM Implementation | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Our process is systematic, robust, and repeatable with regular reporting of top risk exposures to the board. | 39% | 70% | 70% | 52% | 35% |
| Our process is mostly informal and unstructured, with ad hoc reporting of aggregate risk exposures to the board. | 28% | 16% | 11% | 28% | 31% |
| We mostly track risks by individual silos of risks, with minimal reporting of top risk exposures to the board. | 18% | 13% | 17% | 12% | 17% |
| There is no structured process for identifying and reporting top risk exposures to the board. | 15% | 1% | 2% | 8% | 17% |

So 70% of large organizations and public companies report at the highest level in the table above, but they don’t say the same in the next table.

| Extent to which the organization’s ERM process formally identifies, assesses and responds to emerging strategic, market, or industry risks | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Extensively | 14% | 22% | 26% | 19% | 9% |
| Mostly | 31% | 41% | 42% | 37% | 27% |
| Somewhat | 27% | 28% | 23% | 21% | 33% |
| Minimally | 14% | 7% | 7% | 17% | 11% |
| Not at all | 14% | 2% | 2% | 6% | 20% |

The next two tables demonstrate what I have believed for a while. Top executives don’t see the value of ERM as it is practiced at their organization (or believe it will be practiced if additional resources are provided).

| Percentage of respondents indicating that each of the following “Mostly” to “Extensively” is impeding risk management progress | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Risks are monitored in other ways besides ERM | 29% | 28% | 18% | 30% | 24% |
| Too many pressing needs | 16% | 27% | 26% | 19% | 19% |
| No requests to change our risk management approach | 19% | 17% | 23% | 12% | 21% |
| Do not see benefits exceeding costs | 13% | 17% | 12% | 15% | 12% |
| No one to lead effort | 12% | 9% | 12% | 7% | 16% |
| Would overcomplicate what can be best done ad hoc | 11% | 8% | 9% | 17% | 8% |

| Percentage of respondents who describe each of the following as being a “barrier” or “significant barrier” to effective ERM | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Competing priorities | 44% | 35% | 36% | 47% | 50% |
| Insufficient resources | 43% | 41% | 40% | 43% | 52% |
| Lack of perceived value | 28% | 31% | 27% | 25% | 29% |
| Perception ERM adds bureaucracy | 24% | 25% | 23% | 21% | 26% |
| Lack of board or senior executive ERM leadership | 21% | 18% | 19% | 16% | 22% |
| Legal or regulatory barriers | 6% | 3% | 4% | 6% | 6% |

As the authors say:

Some of the overall reluctance to embrace ERM across an organization may be due to a lack of understanding and knowledge of what an enterprise-wide risk management process actually entails relative to traditional approaches organizations use to manage risks. ERM is a relatively new business paradigm that business leaders are hearing about but may lack an understanding of how it might help them achieve their strategic objectives.

On the other hand, at least more people than I would have thought realize risk is not just downside.

| The definition of “risk” focuses | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Both on “upside” risks (risk opportunities) and “downside” risks (threats to the organization) | 60% | 58% | 54% | 63% | 68% |
| Only on “downside” of risks (threats to the organization) | 39% | 41% | 44% | 36% | 31% |
| Neither | 1% | 1% | 2% | 1% | 1% |

The table below shows that the speed and volatility of risk are certainly not being addressed.

| Frequency of Going Through Process to Update Key Risk Inventories | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Annually | 41% | 57% | 55% | 43% | 41% |
| Semi-Annually | 10% | 12% | 13% | 9% | 11% |
| Quarterly | 16% | 14% | 20% | 21% | 15% |
| Monthly, Weekly, or Daily | 7% | 9% | 7% | 11% | 5% |
| Not at all | 26% | 8% | 5% | 16% | 28% |

As I said in the title, the report indicates that the current practices around risk management are woeful.

We need to change everything, including the guidance from the various consultants, risk institutes, COSO and ISO (sorry, advocates), to help lead practices away from management of risk (doom management) and towards the informed and intelligent risk-taking through quality decisions that will enable the achievement of objectives (success management or, more simply, effective management).

Unfortunately, the professors failed to ask what might be the most important question:

Does risk management at your organization help you and others understand what might happen so you can make the informed and intelligent decisions necessary for success, taking the right level of the right risks and exploiting appropriate opportunities?

Maybe this will be in the 2023 edition! One can only hope.

What do you think?

How do you audit enterprise risk management?

July 11, 2022 16 comments

The IIA published a Practice Guide, Assessing the Risk Management Process, in 2019. It is recommended guidance and not mandatory. What is mandatory in the IIA Standards is performing an assessment, and this Practice Guide (PG) is intended as helpful advice on how to do it. (While the Standards say that you must perform an assessment, I am assured that you don’t need to do so every year (regardless of the actual words used) when the risk is low – for example, if it was assessed and found effective the prior year.)

The PG starts well:

Around the world, risk management activities and initiatives are required and expected by regulators, rating agencies, and a host of other stakeholders in major industries including financial services, government, manufacturing, energy, health services, and more. However, risk management is driven by more than regulations and external forces. Implementing efficient and effective risk management benefits organizations of any type and size by helping them to achieve operational and strategic objectives and to increase value and sustainability, ultimately better safeguarding their stakeholders.

Internal auditors must evaluate the effectiveness and contribute to the improvement of risk management process (Standard 2120 – Risk Management). Benchmarking the current state of the organization’s risk management against a risk management maturity model is a good place to start this type of assessment. Benchmarking may help the internal audit activity communicate with senior management and the board about the organization’s level of risk management maturity and about aspiring to improve the process and advance in maturity. This information also enables internal auditors to appropriately tailor each engagement, taking into account the maturity of the area or process under review.

I like the fact that the PG promotes the use of a maturity model. I recently shared one that Michael Rasmussen developed and have a more extensive one in Risk Management for Success.

While the PG appears to understand that there is a “positive side to risk” (i.e., good things can happen, usually referred to as opportunities, as well as negative, generally referred to as risks), it falls into the same trap as almost everybody else by focusing on the negative side. For example, it talks about risk registers (lists of risks, also known as risk profiles), heat maps, and risk appetite. It fails to recognize the need to take risk, even taking more risk when the business opportunities and needs require.

While the PG contains material that is worth considering (especially if you are only interested in auditing compliance with risk policies and procedures), I think there is a better way.

It starts with the recognition that if risk management is effective, leaders and other decision-makers will say so.

They will acknowledge that risk management is helping them make better informed and intelligent decisions that are contributing to the success of the organization, the achievement of objectives.

By ‘risk management’, I am not talking only about any risk function; I am talking about how the organization as a whole understands the more significant things that might happen, and uses that information in setting objectives, goals, and strategies, and then executing on them through every-day decisions.

So the audit starts by asking leaders and decision-makers, not only at the top but in other positions:

  • Does risk management (broadly defined) help you set your goals and objectives and then execute on them for success? If so, to what extent? Is it sufficient?
  • Is it helping you make informed and intelligent decisions? If so, to what extent? Is it sufficient?
  • Do you have confidence that others are making the best informed and intelligent decisions?
  • What is working well?
  • What needs improvement?
  • Are risk practitioners (if there are any such specialists) effective? Are they proficient? Are they helping you succeed?
  • What should be changed?

While this can be asked in a survey, I strongly encourage the auditor to sit down with each individual and listen carefully. Start here and see what answers you get.

If there are issues, understand the root causes and go from there.

You may find that everybody is complying with stated policies, risk limits, and even risk appetite statements – but this is not helping the organization succeed!

Seek to assess effectiveness rather than compliance. Help the organization succeed rather than avoid failure.

I welcome your thoughts.

An Excellent Article on Risk Management

July 5, 2022 11 comments

I commend Marco Nutini for his recent LinkedIn post, Risk and decision: egg or chicken?

He asks:

In your opinion, which of the two alternatives best represents the Enterprise Risk Management process?

1) From an Objective >> Identify a Risk >> Analyze and prioritize >> Decide how to treat it; or

2) From the need to make a Decision >> Analyze the existing Options, weighing Risks and Gains >> Select an Option >> Monitor the risks taken to review the decision.

Marco suggests:

If you answered 1, you are being consistent with the main standards (ISO 31000 and COSO) on Risk Management and you are concerned about structuring of the system.

If you answered 2, you are thinking strategically and considering risk management (in lower case) as something natural that does not need to be very structured.

If you answered that 1 and 2 are important and simultaneous, your opinion agrees with mine, that is, people might drive you to a shrink.

ISO 31000 and COSO present the Risk Management process as a linear sequence, with no feedback loops, whose mission is to mitigate risk, one-on-one. Lenders, regulators and customers are demanding Risk Management in capitals, in compliance with these standards, as a basic matter of improving trust in companies.

While his questions are challenging, I prefer option 3:

3a) When setting objectives, goals, and strategies, consider the things that might happen (both positive, opportunities, and negative, risks) and set achievable (if a bit of a stretch) objectives that will achieve the purpose of the organization over time.

3b) For each objective, identify what might happen that could have a significant effect on achieving it, both risks and opportunities >> Assess the likelihood of achieving each objective >> If that is not acceptable, consider the options, which can include modifying one or more risks (changing their range(s) of effects and likelihoods, taking more, or taking less), modifying opportunities, or both >> Select an option >> Execute >> Monitor performance and changes to either risks or opportunities, and continuously assess the likelihood of achieving objectives >> Adjust as needed, including changing objectives where appropriate!

3c) Identify the need for a decision, which can be a problem or an opportunity, or something different >> Understand the current situation and whether action is needed >> Understand the things that might happen (good and bad) >> Understand and assess the Options >> Make the right Business Decision to achieve objectives >> Execute >> Monitor >> Adjust as necessary.

3d) For those sources of risk that are of special concern (for any reason, such as those that can have a major impact on multiple objectives or those that are getting board or regulator attention), continuously monitor and assess, taking action as needed. These are risks that are of such individual significance that they merit special attention by top management and perhaps the board. (It is not a top-ten list!)

IMHO, all four are needed! (Alexei, is this RM2+ or 3?)

By the way, I disagree with Marco on a few of his statements:

  • The ISO 31000 standard may read as if it addresses one risk at a time, out of context with potential gains (opportunities), but that is not its intent. It also has a requirement for monitoring, which requires a feedback loop.
  • Decisions are not the same as controls. Controls exist to provide reasonable assurance that people and systems will perform as desired – which can be to achieve gains as well as limit losses.
  • Decisions can be made to limit or reduce losses, not just realize gains.

But these are quibbles that should not diminish the work Marco has done.

Where do you stand?

A Wake-Up Call for Risk Managers

July 1, 2022 5 comments

Nick Sanna, the CEO of RiskLens, a software company specializing in cyber risk management, recently issued a wake-up call for risk managers in a presentation at a Professional Risk Managers’ International Association (PRMIA) conference. It was covered in an article by Jeff Copeland: How to Integrate Cyber Risk Management with ERM.

He “encouraged risk managers to rise up against the status quo of cyber risk management”.

“Let’s be honest and talk about the state of most risk management programs,” Nick said. “The state is not great.” Among the problems:

    • Reliance on qualitative, red/yellow/green risk ratings based on no formal risk measurement model.
    • Risk registers that are a “dumping ground” of issues and concerns, with “most of the entries not really risks.”
    • Inability to communicate to the rest of the organization in terms the business understands – not just “trust me.”

I agree. (NIST advocates should note his point about risk registers, which are where NIST suggests cyber risks should be listed.)

But I don’t agree with his next comment:

“Risk models matter,” Nick said. They should generate analysis in a consistent, quantifiable format that enables business decision-makers to prioritize among risks based on loss exposure and justify investments in mitigations to reduce risk.

I keep saying: it’s not about mitigating or managing risk. It’s about knowing which risks to take, and that can include taking more risk.

Every dollar spent on mitigating a source of risk is a dollar that can’t be spent on upgrading your product or service, bringing it to market, delivering it to customers, upgrading systems to cut costs, and so on.

Risk management should be about helping decision-makers run the business for success, informing decisions and optimizing performance.

Michael Rasmussen ‘gets it’. I congratulate him on the risk maturity model he has shared on his web site, Five Stages of Risk and Resilience Maturity.

In his description of the highest level of maturity in his model, Agile, he says:

  • At the Agile Maturity stage, the organization has completely moved to an integrated approach to risk and resilience management across the business that includes an understanding of risk and compliance in context of performance and objectives.
  • Agility is the ability of an organization to move quickly and easily; the ability to think and understand quickly. Good risk and resilience management is going to clearly understand the objectives of the organization, its performance goals, and strategy, and continuously monitor the environment for 360° situational awareness to be agile. To see both opportunities as well as threats so the organization can think and understand quickly and be prepared to move to navigate to seize opportunities while avoiding threats/exposures to the organization and its objectives.
  • But that is not enough. We need agile organizations to avoid and prevent events, but we also need agility to seize on opportunities and reliably achieve (or exceed) objectives. Agility is not just avoidance of hazards, threats, harms. Agility is also the ability to understand the environment and engage to advance the organization and its goals. Organizations need to be agile and resilient. Risk and resilience management needs to be an integrated part of performance, objective, and strategy management to achieve this capability to enable situational awareness for this organization so it can seize on opportunity as well as avoid exposures and threats.

In Risk Management for Success (my most recent book on risk management), I included a more complete maturity model that includes, for example, how risk is integrated into the setting of objectives and strategies. But Michael’s model is first class and I recommend it to you.

However, I join Nick in a wake-up call for risk managers.


  • Focus on helping people at all levels make the informed and intelligent decisions necessary for success, taking the right level of the right risks.
  • Recognize that risk registers (or profiles) and heat maps do not consider the effect of risk on objectives. They lead to managing the list of risks instead of the business.
  • Recognize that there is always a range of potential effects (not a single point), each with its own likelihood.
  • Get everybody to assess risk the same way! While sometimes expressing the risk in financial terms may suffice, remember we are talking about the effect on objectives (see both ISO and COSO definitions). I prefer talking about how all the risks and opportunities combine to affect the likelihood of achieving objectives.
  • Make sure opportunities are assessed the same way as risks!
  • Help the business succeed instead of being the department of “No, we can’t do that because of the risk”.

I welcome your thoughts.

NIST discovers that impact on the business matters

June 28, 2022 4 comments

Congratulations to NIST for recognizing that what matters is not risk to information assets, but risk to enterprise objectives. Or so it might seem at first glance when you read their draft Using Business Impact Analysis to Inform Risk Prioritization and Response.

But first, I want to thank and congratulate Matt Kelly, editor of Radical Compliance, for his summary of the NIST draft. (I recommend subscribing to his newsletter.)

A well-run business impact analysis (BIA) that involves multiple parties from the business as well as IT is absolutely essential.

In fact, a BIA should be mandatory and not just recommended. It helps management understand how a cyber event or other disaster might affect the business.

My only quibble with Matt’s analysis is that it is management’s responsibility to perform a BIA and then maintain it, and internal audit’s responsibility to ensure management has done so.

However, I have many quibbles, in some cases severe criticisms, of NIST.

But first, I want to share my experience with BIAs.

As a vice president in IT for a couple of financial institutions (and occasional acting CIO), my team was responsible not only for information security but also for both IT contingency planning and business resumption planning.

Data services can be lost or degraded as the result of multiple events, including:

  • Fire
  • Earthquake
  • Floods
  • Storms
  • Power outages
  • Network disruption
  • Sabotage
  • Military actions
  • Cyber breaches (internal or external)
  • System failures
  • A plane crash (we were on the flight path into Burbank airport)
  • …and more

We did what we could to be resilient in the face of all such threats. In many ways, it didn’t matter what caused the loss or disruption of services. What mattered was our ability to maintain, or at least recover affected services in an acceptable time.

Once we understood the risk, which was expressed in terms of the impact on the business and what it was trying to achieve (enterprise objectives), we could prioritize our efforts: people, tools, and so on.

We established a communications plan so we could bring the necessary parties together to respond, in addition to ensuring we had appropriate measures in place to limit the likelihood and the potential impact of an event.

The risk from a cyber breach is only one of the sources of risk that management needs to consider in running the business, including making both strategic and tactical decisions. (I discuss this extensively in Making Business Sense of Technology Risk.)

In addition, much of what the organization does to be resilient in the face of a cyber breach will also help them recover from potential fires or earthquakes, and vice versa.

Management’s approach to resilience should not be determined one threat at a time, but should consider all the likely threats and outcomes.

Do you want one team established to respond to a cyber breach and a totally separate one to respond to a power outage or a fire? That doesn’t sound very efficient to me, especially if they use different processes and tools.

But the more significant issue is how risk should inform decision-making.

Imagine that our company is considering opening a new business in Moldova. Executive management needs to consider:

  • The forecast revenues for each of the first few years: the range of estimated levels of revenue and their likelihood.
  • The forecast profits (also a range) for each of those years.
  • The potential for the conflict in neighboring Ukraine to impact operations in Moldova.
  • The potential effect of Moldova being granted candidate status for admission into the EU, with full membership following.
  • The risk of non-compliance with local laws and regulations.
  • The added cybersecurity risk to the company of an extension of the corporate network into Moldova.
  • …and many other sources of risk, such as the ability to hire necessary management and staff.

The point is that cyber is just another source of risk to the business.

It should not be treated as if it is the only risk that matters. It needs to be put in context!

Yet NIST wants to put cybersecurity risk in a risk register!

The NIST Interagency or Internal Report (NISTIR) 8286 series has coalesced around the risk register as a construct for storing and a process for communicating risk data [NISTIR8286]. Another critical artifact of risk management that serves as both a construct and a means of communication with the risk register is the Business Impact Analysis (BIA) Register. The BIA examines the potential impact associated with the loss or degradation of an enterprise’s technology-related assets based on a qualitative or quantitative assessment of the criticality and sensitivity of those assets and stores the results in the BIA Register.

What does this mean? In my humble opinion, NIST may have seen the value of a BIA but then destroys that value by continuing to talk about risk registers (that the rest of the world recognizes are a failed idea) and the value of information assets. They are addressing cyber in a silo, even separate from other IT disasters such as the loss of power or the network.

My message to NIST: focus on the ability of the organization to achieve its objectives, which requires management to consider together all the more significant risks (positive and negative) that may affect them.

That requires assessing cyber-related risks in a way that enables aggregation with other sources of risk, such as compliance, safety, economic, supply-chain, etc., etc.

Assessing and prioritizing information assets is managing cyber in a silo.

I welcome your thoughts.

The risk of losing employees

June 24, 2022 4 comments

One of the reasons for spiraling costs and (in some cases) degraded service is insufficient staffing.

For example, economies have been hurt by a shortage of truck drivers, people to stack the shelves in the market, and more.

This week, I flew home from London’s Heathrow airport. United had warned us of long lines at security, advising us to arrive at the airport four or five hours before our flight. Some took it further, getting in line to check in six hours early.

The lines were very long but we had listened and were patient.

United employees told us that it was because of staff shortages – and that the lines were even longer the day before!

We should be concerned for our own organizations – not only because we are being constrained now, but because there’s a continuing risk of losing more employees.

Executives are not exempt from this situation.

A recent study by Deloitte and Workplace Intelligence, The C-Suite’s role in well-being shared some sobering findings:

There’s no question that well-being is at the top of the C-suite agenda right now. While the pandemic brought worker safety into the spotlight, there’s also been an increased focus on the overall poor state of workforce well-being and the role that organizations play in determining quality of life for employees and their families.

In fact, most companies now recognize the need to invest more in the holistic health of their employees, because it’s clear that workers are fed up—with outdated norms like the nine-to-five schedule, the expectation that they should be “always on,” substandard wages and benefits, and the idea that they should be willing to sacrifice their health and their personal lives for their job.

C-suite executives themselves are not immune. Although far less attention has been paid to well-being among the C-suite—how they’re faring, the increased demands placed upon them, and whether these factors are influencing their desire to stay in their leadership roles—some recent research points to increasing quit rates among executives.

And as we’ve seen with the Great Resignation, many people are no longer willing to tolerate jobs that leave them unhappy and in a constant state of stress and fatigue. Indeed, there’s been a notable power shift over the past few years, with workers demanding more from their employers than ever before and companies scrambling to adapt their employee value proposition to avoid a looming talent shortage.

…despite struggling with well-being themselves, it’s clear that the C-suite doesn’t appreciate the extent to which their employees feel the same way. In contrast with what employees reported, more than eight out of 10 global executives believe their people are thriving in all aspects of their well-being.

Many employees don’t feel that their executives have been supportive during the pandemic—but the C-suite sees things much differently. For example, only 47% of workers believe their executives understand how difficult the pandemic has been for them, yet 90% of the C-suite say they do recognize how challenging it’s been. Similarly, while only 53% of employees feel that their company’s executives have been making the best decisions for their well-being during the pandemic, 88% of the C-suite believe their decision-making has been exemplary.

Perhaps most alarmingly, we discovered that only 56% of employees think that their company’s executives care about their well-being. However, the C-suite sees things in a much different light: Ninety-one percent believe that employees feel their leaders care about them. It’s a notable gap, one that the C-suite must work to address.

The authors say:

While 57% of employees are seriously considering quitting for a more supportive job, nearly seven out of 10 executives are thinking about taking this leap.

Can we afford to lose more employees, including leaders of the organization?

The paper has advice that should be considered, but there is more.

For example, I recently read a report that said that employees are considering leaving because they don’t have the tools (read “toys”) they think they need.

There is more that practitioners can do to help their organization.

We can help answer three questions:

  • What is our current state? How has our ability to move the organization forward been affected, including our ability to perform the necessary internal controls, manage risk, and seize opportunities?
  • How are our people doing? How many are considering leaving? How serious is the risk?
  • Is management doing enough?

Practitioners can structure projects (perhaps in coordination with Human Resources) to address these questions. I suggest building something more continuous rather than one-off. I would also avoid surveys as you never know how open people are in responding. Face-to-face discussions are best.

But we can open our eyes and ears every day.

When we talk to people, ask:

  • What’s it like working in your department?
  • Is it a good place to work? Would you recommend a friend apply?
  • How are you affected by staffing shortages? I know many are working longer hours.
  • Have you lost key employees recently? How is everybody coping?
  • Have staffing shortages affected customer relationships?
  • What should management do?
  • And more

Are there more significant sources of risk today? Maybe not.

Practitioners should seriously think about how they can help.

I welcome your thoughts.

(See also The Great Resignation Risk.)

Seize the opportunity through strategic risk management capabilities

June 20, 2022 5 comments

PwC has shared with us the results of their 2022 Global Risk Survey.

It has some interesting stuff, although (as usual) it doesn’t go far enough for me. Their good stuff includes:

  • In this turbulent business environment, many executives find the need to revise and adapt their strategies and operating models at a rapid pace. They know that capturing opportunity and avoiding disruption requires speed.
  • Organisations’ risk management and broader resilience capabilities need to quickly adapt to support business agility and to contribute proactive, robust and timely risk insights for decision-making. In an environment where change is constant, strong risk and resilience capabilities can provide an edge. Business leaders can make confident decisions in pursuit of their strategy that are informed by a panoramic view of risk.
  • The organisations that have stood out from the pack in the past two years have not just managed risks. They’ve taken on risks, with confidence. These organisations have an agility advantage. They have the right resources engaged in making risk-informed decisions at the right time.

These are all excellent observations (in the midst of a discussion about the turbulent risk landscape).

Although an argument may be made that things are changing faster than ever before, the fact remains that if an organization is to be successful it has to do more than avoid disaster.

I congratulate PwC for recognizing this truth. I especially like the last excerpt above.

They sound a note of warning, reporting that only “39% of business executive respondents say they are making better decisions and achieving sustained outcomes by consulting with risk professionals”.

However, that is the highest percentage by far I have ever seen respond positively on this issue. Other surveys tell us that about 80% of executives see risk management as a “compliance activity”. So I am taking the good news of 39% with a dose of salt.

Unfortunately, the greater part of their report still focuses on avoiding failures. For example, they talk about risk profiles (COSO-speak for risk registers), KRIs instead of KPIs, risk appetite (they would have done better by including a discussion of risk capacity), risk culture (instead of organizational culture), a common risk language (when we should be talking about performance), and a GRC platform (without saying it has to be objective and performance driven).

My advice:

Instead of talking about risk and trying to embed it into decision-making, make sure your decision-making processes consider all the events and situations that might happen. Then make the right business decision.

In the meantime, ask your executives whether “they are making better decisions and achieving sustained outcomes by consulting with risk professionals”.

I welcome your thoughts.

Risk Appetite that Makes Sense

June 16, 2022 12 comments

The traditional definition of risk appetite is:

The amount of risk an organization is willing to take in pursuit of objectives.

This is a mouthful that makes little sense, especially when you try to come up with “an amount of risk”.

Is that a bushel, a pound, a gallon, a million dollars, or what?

Some would argue with me (without success) that it makes sense to add up the level of risk (given that there is a range of effects from each source of risk, each with its own likelihood) from disparate and unconnected sources such as:

  • Cybersecurity
  • Exchange rates
  • Commodity prices
  • Supply chain
  • Competitors
  • Loss of key personnel
  • Regulation
  • Safety
  • Compliance
  • etc., etc.

I can’t see where that makes sense for anybody. (See ** below.)


Let’s rethink what we are trying to achieve.

I think there’s a better way to frame any discussion.

Let’s replace the traditional, useless definition with a question:

What risks should we take to achieve success (achievement of objectives)?

I believe a discussion around this question will be productive and should lead to more informed and intelligent decisions – and they, in turn, should increase the likelihood of success.

In my books, I have suggested another replacement, which I still like and advocate. Instead of focusing on a level of risk, let’s talk about whether there is an acceptable likelihood of achieving each of our objectives.

I continue to believe this is a great way to run any organization. It requires an understanding of where we are today (too often overlooked), what might happen (both risks and opportunities), and what that all means. Are we 50% likely, 70% likely, or 90% likely? Is that OK? Can and should we do better, and how?
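As an added illustration (not part of the original post, and not code from ISO 31000, COSO, or any author quoted above), here is a small Monte Carlo model of exactly this idea: each source of risk or opportunity has its own likelihood and its own range of effects on the measure behind an objective, and what comes out is the likelihood of achieving the objective, not an “amount of risk” added up across cyber, exchange rates, key personnel and regulation. It also shows what the earlier point 3b and the bullet about ranges rather than single points look like in practice. The scenario figures, the uniform effect distributions, and the $M revenue measure are all constructed assumptions.

```python
"""Likelihood of achieving an objective from many sources of risk and opportunity.

Added example for this page (not from any standard or author cited): a toy
Monte Carlo model. Every figure below is constructed for illustration.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Source:
    """One thing that might happen and its effect on the objective's measure.

    A negative range is a risk, a positive range an opportunity, and a range
    straddling zero is both. When the event occurs, its effect is drawn
    uniformly from [low, high] (an assumption; a real model would choose a
    distribution per source).
    """
    name: str
    probability: float  # likelihood the event occurs in the period, 0..1
    low: float          # effect on the measure, here revenue in $M
    high: float


def simulate_outcome(baseline: float, sources: Sequence[Source],
                     rng: random.Random) -> float:
    """One trial: start from the forecast and apply each source that occurs."""
    outcome = baseline
    for s in sources:
        if rng.random() < s.probability:
            outcome += rng.uniform(s.low, s.high)
    return outcome


def likelihood_of_achieving(objective: float, baseline: float,
                            sources: Sequence[Source],
                            trials: int = 20000, seed: int = 1) -> float:
    """Fraction of trials in which the measure meets or exceeds the objective."""
    rng = random.Random(seed)  # fixed seed so the estimate is repeatable
    hits = sum(1 for _ in range(trials)
               if simulate_outcome(baseline, sources, rng) >= objective)
    return hits / trials


def change_if_removed(objective: float, baseline: float,
                      sources: Sequence[Source], trials: int = 20000,
                      seed: int = 1) -> Dict[str, float]:
    """How far the likelihood would move if each source were taken away.

    Positive: the source is dragging the objective down (a risk to treat or
    consciously accept). Negative: an opportunity the plan depends on.
    """
    base = likelihood_of_achieving(objective, baseline, sources, trials, seed)
    result: Dict[str, float] = {}
    for s in sources:
        others = [o for o in sources if o is not s]
        without = likelihood_of_achieving(objective, baseline, others, trials, seed)
        result[s.name] = without - base
    return result


def outcome_percentiles(baseline: float, sources: Sequence[Source],
                        pcts: Sequence[int] = (10, 50, 90),
                        trials: int = 20000, seed: int = 1) -> Dict[int, float]:
    """The range of outcomes (P10/P50/P90) instead of a single-point forecast."""
    rng = random.Random(seed)
    outcomes = sorted(simulate_outcome(baseline, sources, rng) for _ in range(trials))
    return {p: outcomes[min(trials - 1, int(p / 100 * trials))] for p in pcts}


# Constructed scenario: a $90M revenue objective against a $100M forecast, with
# disparate sources that cannot sensibly be "added up" as amounts of risk.
OBJECTIVE = 90.0
BASELINE = 100.0
SCENARIO: List[Source] = [
    Source("cyber breach disrupts order system", 0.15, -25.0, -5.0),
    Source("key sales leader leaves", 0.30, -12.0, -3.0),
    Source("exchange-rate swing", 0.50, -8.0, 8.0),
    Source("competitor exits the market", 0.20, 5.0, 20.0),
    Source("new regulation delays launch", 0.25, -15.0, -2.0),
]


def report(objective: float = OBJECTIVE, baseline: float = BASELINE,
           sources: Sequence[Source] = SCENARIO) -> Dict[str, object]:
    """Summarise what the model says about the likelihood of success."""
    return {
        "likelihood": likelihood_of_achieving(objective, baseline, sources),
        "percentiles": outcome_percentiles(baseline, sources),
        "change_if_removed": change_if_removed(objective, baseline, sources),
    }


if __name__ == "__main__":
    summary = report()
    print(f"Likelihood of meeting the ${OBJECTIVE:.0f}M objective: "
          f"{summary['likelihood']:.0%}")
    for p, v in summary["percentiles"].items():
        print(f"  P{p}: ${v:.1f}M")
    for name, delta in summary["change_if_removed"].items():
        print(f"  without '{name}': {delta:+.1%}")
```

The output answers the questions in the paragraph above directly: are we 50%, 70% or 90% likely, and which source, if treated or accepted, moves that number the most. The `change_if_removed` figures are the basis for a discussion of which risks to take rather than a ranked list of risks to mitigate.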

**There may be situations where only one or two individual sources of risk are being considered. In those situations, a defined level of risk (if properly calculated and balanced against the opportunity) can make sense. Some refer to this as risk appetite, but that doesn’t seem consistent with the COSO definition. I prefer to think of these as risk limits that may be specified in policies, etc.

I am suggesting that we stop talking about something that has next to no value in running the business and leading it to success. (Avoiding harm is not the path to success.)

So let’s have a discussion about what it will take to be successful – and what risks we should take.

I welcome your thoughts.

Wasting time with audit reports

June 7, 2022 9 comments

Richard Chambers has returned to the topic of audit reports in 5 Strategies For More Timely Internal Audit Reports.

I agree with much of what he has to say, especially this:

…it can sometimes take as long to issue a report as it took to perform the audit!

This is a major problem, a total waste of scarce and valuable time.

There is never enough time to complete audits of all the issues and areas where there is a risk to the enterprise. The idea that we are wasting time writing and re-writing audit reports should turn everybody’s stomach.

Richard has some good ideas. His five strategies are:

  1. Share internal audit results with client “as you go”.
  2. Eliminate or reduce levels of review.
  3. Use team editing or report conferencing.
  4. Use automated working papers’ report-writing features.
  5. Streamline the report format.

That last strategy is, in many ways, the most telling. To quote Richard again:

Internal audit departments that have successfully reduced their reports’ cycle time generally produce leaner audit reports, which makes them not only easy to edit but easy to read. The shorter a report is, the less time it typically takes to write and edit. Complexity can also slow the review process, so generally speaking, simpler is better, too. And reaching consensus with clients can become onerous with longer reports, so streamlining formats pays dividends throughout the process. I have on occasion seen internal audit reports that exceeded 100 pages. I am convinced reports that long are not read in their entirety by all of those who were likely to benefit from the information. It’s always tempting to include more detail in an internal audit report than the minimum needed to make your point, but my advice to new auditors is to tell your story clearly and succinctly. There’s nothing worse than working hard and coming up with a good report that people then ignore. Think of it this way—the longer your report, the less likely it will be read by those in a position to take action on your recommendations.

I have also seen audit reports that are so long that they needed a table of contents to tell readers that the executive summary is on page 8.


How can you expect anybody to take time from running the business to read anything more than a page or two?

Yes, you can say that it is their job, and they need to. But do they really need to read an audit report?

That is the real question.

Why should anybody read an audit report?

Put a more meaningful way:

What will a leader learn from an audit report that will help them run the business?

Too often, auditors write for themselves, for history, rather than for their customers in top management and on the board.

As a reminder, I have written about audit reports twice recently:

If audit reports were banned

The inherent problem with (some) audit reports

We need to put ourselves in the shoes of our customers and consider the issue from their point of view.

1. Members of the audit committee of the board (or owners)

Our primary customers, the people to whom we report, need answers to these questions:

  • Is there a problem I need to know about, because it might affect the performance of the organization as a whole?
  • If so, what is it, how would it affect the organization, what is being done, do I need to worry?
  • Can I rely on management to make informed and intelligent decisions, including taking the right risks and seizing the right opportunities?

If there is nothing for them to be concerned with, why aren’t we telling them that in half a page or less?


2. Members of top management

Their needs are very similar to those of the audit committee members. The only difference is that they may (emphasis on ‘may’) be concerned with matters of less significance.

The questions they need answers to would be:

  • Is there a problem I need to know about, because it might affect the performance of my team or the organization as a whole?
  • If so, what is it, how would it affect my area or the organization, what is being done, do I need to worry?
  • Can I rely on my team or other members of management to make informed and intelligent decisions, including taking the right risks and seizing the right opportunities?

3. Members of operating management

The first inclination might be to assume they need to know everything. But do they?

The audit team should have been not only sharing their observations as they go (as Richard points out in his first strategy) but discussing them with management and agreeing on the facts, whether they represent a risk to the organization, whether the risk should be taken, and what action (if any) should be taken.

If that is the case, then where is the value in documenting what has already been agreed?

The problem may lie in the fact that many auditors will tell management what they have found, but don’t stay longer and engage in sharing with them to agree on actions.

I recommend communicating (and that is two-way) as you go and confirming the results in an email each time.

Now ask where the value is in a long report.

It may lie in confirming all the details discussed earlier (one line per issue) and then talking about what it all means when taken together.

What is the overall opinion, and what does it mean in terms of the ability of the area to achieve its objectives?

It may well be that even operating management only needs a page or two in a formal report at the end of the audit.



Let’s not do anything, especially anything that consumes a lot of our scarce and valuable resources, on work that has little or no value to our customers.

Speed is not the issue that it may seem: why tell them what they don’t need to know faster?

The IIA’s Standards do not require a formal audit report. Instead, they require that the auditor communicate the results of the engagement.

I would change the Standards to instruct the auditors to:

Communicate to those who need to know, what they need to know, when they need to know about the results of the engagement and what they mean to them, to the organization, and to its success.

Why do we do more?

I welcome your comments.

Assessing or Auditing Cybersecurity Risk

June 2, 2022 5 comments

One of the challenges when it comes to so-called “cybersecurity risk” is in accepting and then applying the idea that cyber is not an “IT risk”. No. It’s a business risk.

That is easy to say, and it makes all the sense in the world.

However, people tend to apply it only when talking about the fact that the whole organization, the entire business, has to be involved in preventing and then responding to a breach.

The truth is that cybersecurity MUST be seen within the context of the whole business, not in a silo.

What is the potential effect of a breach on the achievement of the enterprise’s objectives?

If we are to assess cyber-related business risk, we have to have the answer to that question.

That requires the involvement in the assessment process of both business and technical personnel.

Trying to assess cyber-related risk with only technical personnel is highly unlikely to come up with the right answer.

Yet, the most widely accepted cyber risk standards are written by information security personnel, for (in my opinion) other information security practitioners.


If internal auditors want to assess the management of cybersecurity risk, they should take a more holistic approach, starting with the answers to that question: “What is the potential effect of a breach on the achievement of the enterprise’s objectives?”

An audit should probably include the participation of financial and operational auditors, not be limited to the infosec experts.


In fact, the first step in any audit should be to determine whether management knows the answer! Then see whether they continue to know the answer as the business, technology, and the environment (including the hackers’ tools, techniques, and favorite targets) change.

If management has not completed and then maintained a business risk-oriented risk assessment that is integrated with enterprise risk management and decision-making, the audit team should consider calling the audit to a halt.

If management doesn’t know where the risks are, what assurance does it have and what assurance can internal audit provide, that the right controls and security are in place?


The next step, the one I favor, is to determine whether the information security team has the necessary capabilities, position, and authority to address those risks.


Only then would I consider assessing whether the measures in place are sufficient and effective.


The IIA had different ideas when it published one of their newer pieces of ‘supplemental guidance[1]’ in their 2020 Global Technology Audit Guide (GTAG): Assessing Cybersecurity Risk.

The GTAG has some good and some not-so-good advice for auditors wishing to provide assurance, advice, and insight on cyber-related business risks.

This GTAG seems to fall into the trap of assessing risks to information assets rather than risks to the business: IT risks (whatever they are, absent the context of what the business is trying to achieve) vs. risks to the success of the business.

Let’s look and comment first at some excerpts.

  • Global connectivity and accessibility to information by users outside the organization increase risk beyond what has been historically addressed by IT general and application controls. Organizations’ reliance on information systems and the development of new technologies render traditional evaluations of IT general and application controls insufficient to provide assurance over cybersecurity.


Internal auditors need an updated approach for providing assurance over cybersecurity risks. Although IT general control evaluations are useful, they are insufficient for providing cybersecurity assurance because they are neither timely nor complete,

(Later still)

The complexity of cybersecurity requires added layers of controls, such as monitoring for risk, detecting exploits as they happen, and prompting corrective action.

Comment: I couldn’t disagree more on the first two of these excerpts. ITGC includes information security, which includes cybersecurity. Cyber is no different from what I was responsible for when Information Security reported to me at two financial institutions; what I evaluated as an IT auditor; or what my various Internal Audit teams assessed after I became a CAE.

The third quote is fine, although every source of significant risk needs to be monitored and the assessment updated at the speed of risk.

  • Cybersecurity refers to the technologies, processes, and practices designed to protect an organization’s information assets — computers, networks, programs, and data — from unauthorized access.

Comment: In other words, IT Information Security.

  • Cybersecurity risks are notably more dynamic than most traditional risks and necessitate a timely response.

Comment:

    1. More dynamic (volatile) than currency or commodity prices? I doubt it.
    2. All risks require more than just a timely response; they require timely identification and assessment.

  • Cybersecurity is relevant to the systems that support an organization’s objectives related to the effectiveness and efficiency of operations, reliability of internal and external reporting, and compliance with applicable laws and regulations. An organization typically designs and implements cybersecurity controls across the organization to protect the integrity, confidentiality, and availability of information.

Comment: The GTAG has correctly listed all the categories of objectives identified in the COSO Internal Control Framework. Nothing new here. But the controls need to be designed to address risks to the achievement of those objectives, a different dimension to “the integrity, confidentiality, and availability of information”.

  • Because assurance based on traditional, separate evaluations is not sufficient to keep up with the pace of cybersecurity risk, an innovative assurance strategy is required. Increasingly, continuous auditing techniques are needed to evaluate changes to security configurations, emerging risk outliers and trends, response times, and remediation activities.

Comment: 100% disagree, and this is one of my primary problems with the GTAG. I will explain shortly.

  • The internal audit activity plays a crucial role in assessing an organization’s cybersecurity risks by considering:
    1. Who has access to the organization’s most valuable information?
    2. Which assets are the likeliest targets for cyberattacks?
    3. Which systems would cause the most significant disruption if compromised?
    4. Which data, if obtained by unauthorized parties, would cause financial or competitive loss, legal ramifications, or reputational damage to the organization?
    5. Is management prepared to react quickly if a cybersecurity incident occurred?

To understand the cyber threats relevant to an organization, it is important to determine what information would be valuable to outsiders or cause significant disruption if unavailable or corrupted. Also, it is important to identify what information may cause financial or competitive loss or reputational damage to the organization if it were acquired by others or made public.

Comment: While the GTAG focuses on the protection of information assets, that is IT-centric and siloed and not a business-centric view. I will come back to that as well.

  • Management should consider performing a business impact analysis (BIA).

Comment: If management hasn’t done a BIA that identifies how a cyber incident could affect the achievement of its objectives, Internal Audit should immediately bring that to the attention of senior management and the board as a serious issue. Without it, any risk assessment is likely to be wrong. If they have done one that only helps them prioritize information assets and does not enable multiple sources of risk (i.e., not only cyber but also compliance, human resources, etc.) to be considered together when making a decision, the issue remains serious – but is easier to remedy. See discussion later.

The GTAG includes eight questions for a CAE to consider.

It also has a Cybersecurity Risk Assessment Framework that has six components.

  1. Cybersecurity Governance
  2. Inventory of Information Assets
  3. Standard Security Configurations
  4. Information Access Management
  5. Prompt Response and Remediation
  6. Ongoing Monitoring

I will let you read and think about them. Instead, I want to be constructive. I will explain my two major issues and then suggest a far better approach (IMHO[2]).


It’s not about information assets.

One of the problems I have with the NIST, ISO, and FAIR standards and guidance is that they focus on ‘information assets’ and not on the business.

While the business cannot be considered absent IT-related risks and opportunities, those IT-related risks and opportunities cannot be considered absent the context of running the business and achieving objectives.

Cyber (and other IT-related risks) should not be considered in a silo.

Cyber (and other IT-related risks) is just one source of risk that needs to be considered in decision-making.[3]

In fact, a cyber incident can create a supply-chain, compliance, operational, financial, or other risk – because risk is inter-related.

Similarly, a change in the supply chain such as the use of a new logistics company, or a change in operations or financial advisor, can change cybersecurity-related risks.

Cybersecurity risk assessment and treatment should be an integral part of the organization’s enterprise risk management program (ERM) and decision-making, not a siloed operation.

If cybersecurity is not fully integrated, then Internal Audit should be reporting that to the board.

We need to be concerned with risk to the ability of the organization to achieve its objectives, its purpose over time.

That is what a BIA should do, and it’s why the absence of one that is continually updated is a major issue that needs to be reported to the board and fixed.

Internal Audit needs to rise above the silo and use its ability to see the whole, not just individual parts.

Audit what might affect the organization, and that is likely to result in assessing cyber differently.


It’s not about doing it ourselves

There’s too much focus on assessing what defenses are in place, and not nearly enough about whether management knows they have the right level of cybersecurity in place all the time.

Note the ‘all the time’ qualifier in that sentence.

We shouldn’t be looking at continuously auditing cybersecurity (as suggested by the GTAG). Instead, we should be seeing if management not only has the right defenses at the time of our review, but will adapt them properly as risks change in the future.

Not only should we review their processes for cyber risk assessment (as an integral part of ERM), but we should also review whether that assessment is continuously updated.


Provide forward-looking assurance, advice, and insight

Any audit should provide our professional opinion on whether management’s processes and controls provide reasonable assurance that there is a low (i.e., acceptable) likelihood of a breach with an unacceptable effect on the organization and the achievement of its objectives.

Auditing what is in place today and whether it is sufficient to address today’s known risks is of limited value.

Audit whether management has the right capabilities in place today and is reasonably likely to have in the future.


I welcome your thoughts.

[1] The IIA says “Supplemental Guidance provides additional information, advice, and best practices for providing internal audit services. It supports the Standards by addressing topical areas and sector-specific issues in more detail than Implementation Guidance and is endorsed by The IIA through formal review and approval processes”.

[2] Maybe not so humble.

[3] This is the focus of my book, Making Business Sense of Technology Risk.

Trends in SOX Material Weaknesses

May 30, 2022 1 comment

Last week, I shared a post about the firm of Audit Analytics’ report on 2021 financial restatements.

Today, I am going to cover their report, SOX 404 Disclosures: A Seventeen-Year Review. Admittedly, it analyzes 2020 filings, but I would expect that the results would be similar now.

Their report has some interesting news, notably that the number of adverse assessments of internal control over financial reporting (ICFR) decreased in 2020 despite the pandemic.

The percentage of adverse ICFR management reports and auditor attestations decreased in 2020, despite the impact of the COVID-19 pandemic throughout 2020 that necessitated changes to internal controls. The COVID-19 pandemic occurring throughout 2020 had particular effects on public companies and their internal control structure and environment.

Some companies with existing control deficiencies disclosed difficulty remediating those weaknesses due to pandemic circumstances. Furthermore, rapid changes to the control environment were required in order for many companies to continue operating, including the need to reduce personnel to comply with pandemic restrictions or conserve cash. A reduced workforce can result in issues in the control environment related to segregation of duties and maintaining appropriate accounting personnel. Additionally, many companies increased reliance on information technology to accommodate a remote workforce, an area of controls ripe for deficiencies.

They also said that there was no significant change in the areas where material weaknesses were found.

Despite the unprecedented nature of the pandemic, little effect was noted in terms of the most common issues disclosed in adverse SOX 404 assessments. For example, the top two internal control issues cited in adverse ICFR management reports in 2020 – issues related to accounting personnel and segregation of duties – have been the top two issues for the previous five years. This illustrates that issues related to personnel are always common for smaller companies, regardless of circumstances arising from an event, such as the pandemic, that could significantly exacerbate existing deficiencies.

One ‘finding’ in the report astonished me.

The report says that the external auditors cited different material weaknesses than management.

  • In adverse ICFR auditor attestations for the fiscal year 2020, the most common internal control issue that led to the conclusion that ICFR was ineffective was the need to make year-end adjustments (51%). The second most common reason expressed by auditors was a need for more highly trained accounting personnel (42%). These internal control issues are common, appearing as the top two issues in each of the last five years.
  • In adverse ICFR management reports for the fiscal year 2020, the most common internal control issue that led to the conclusion that ICFR was ineffective was a need for more highly trained accounting personnel (75%). The second most common reason was related to segregation of duty issues associated with the design and use of personnel within an organization (63%). These internal control issues are commonly cited in management reports, appearing as the top two issues in each of the last five years.

This makes no sense to me for several reasons.

First and foremost, I find it hard to believe that they couldn’t agree on material weaknesses. If the audit firm said something was a material weakness, it would be next to impossible for management (and the audit committee) to refuse to identify it as such in their report. Similarly, I can’t see the audit firm passing up the opportunity to report something management said was a material weakness.

I am also surprised that the auditors thought that having a lot of year-end adjustments reflected an ineffective system of ICFR. The only explanation I have is that they related to errors during the year that were material to one or more quarters and corrected at year-end – and that should have been the disclosure. The problem with that is that the system of ICFR at the end of the year would probably have been effective! (Management also identified this area in 21% of their adverse assessments.)

The report lists other areas where material weaknesses were identified, either by the audit firm or by management.

  • The audit firms identified issues related to IT in 36% of their adverse opinions.
  • Both the audit firms and management identified inadequate disclosure controls (21% of the adverse audit attestations, and 25% of management’s). But disclosure controls (the subject of s302 of the Act) are not subject to s404 opinions. This makes no sense to me.
  • Management identified an insufficient audit committee as a material weakness in 21% of their reports. It is hard to see how this can be correct. While it is one of the Principles in the COSO Internal Control Framework, defects in the audit committee are highly unlikely to result in a material error or omission in the financial statements.

The report has some more useful information. Again, they contrasted the reports of the audit firms to those of management.

  • In adverse ICFR auditor attestations for the fiscal year 2020, the most common accounting issue that led to the conclusion that ICFR was not effective concerned revenue recognition. The second most common reason expressed by auditors was related to taxes. Taxes were the number one issue in 2016 but were less common between 2017-2019. Accounting issues related to PPE, intangible or fixed assets jumped in rank from eighth in 2019 to 2020. In a bigger jump, accounting issues related to the recording of debt and warrants identified in adverse ICFR auditor attestations went from being far outside the top five issues in the last five years to being the sixth most common issue in 2020.
  • In adverse ICFR management reports for the fiscal year 2020, the most common accounting issue that led to the conclusion that ICFR was ineffective concerned the recording of debt/warrants/securities. This issue ranked fourth in 2015, but historically, the recording of debt and warrants was not a prevalent accounting issue cited in management reports with adverse ICFR.

I am drawn to conclude that people are having difficulties in this area. I strongly suspect that some auditors and some management teams are not testing their identification of material weaknesses against the definition of “a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.”

I also suspect that the audit committees of these companies are not challenging management and the audit firms to report the same and not different material weaknesses.

Finally, too many seem to be failing to assess and report on the state of ICFR at the end of the year, which is the requirement.

Reports like these are useful information to all involved in SOX. We should pay attention and make sure we have the right top-down and risk-based scope, and test any deficiencies against the definition of a material weakness.

I welcome your thoughts.

Where do material errors occur in the financial statements?

May 27, 2022 1 comment

Every so often, the firm of Audit Analytics shares a report with information of interest.

Their latest is 2021 Financial Restatements: A Twenty-One-Year Review. They introduce it:

In this report, we cover twenty-one years of trends in financial restatements – including a closer look at the effect of SPACs on recent trends in financial restatements. We also cover materiality, impacts, severity measures, size and location, and the top accounting issues.

If you are involved in preparing or auditing financial statements or the system of internal control over financial reporting (e.g., for SOX compliance), or on the audit committee of the board, you should read the report.

The big news is that the great majority of restatements were due to issues around the use and accounting for special purpose acquisition companies (SPACs). As the report says:

On April 12, 2021, the SEC’s Acting Director of the Division of Corporation Finance John Coates and Acting Chief Accountant Paul Munter issued a joint statement urging companies with warrants issued by Special Purpose Acquisition Companies (SPACs) to reconsider the accounting treatment of those warrants. In November, hundreds of SPACs reclassified redeemable shares from permanent equity to temporary equity.

The SEC’s guidance on accounting for redeemable shares and warrant liabilities resulted in significant increases observed in both the number of restatements filed and the number of companies that disclosed a restatement during 2021. Additionally, the composition of restating companies was altered from previous years, as these two accounting issues had a broad impact on a narrow population: SPACs and companies acquired by SPACs.

As a direct result, the positive trend in the number of restatements was interrupted in 2021. If you exclude SPAC-related restatements, the numbers continued to decline.

If you exclude SPAC-related restatements, the more significant accounting issues were:

  • Debt and equity securities – 19.1%
  • Revenue recognition – 12%
  • Liabilities and accruals – 11.7%
  • Expenses – 10.9%
  • Taxes – 8.8%
  • Cash flows – 7.3%
  • Share-based compensation – 7%
  • Acquisitions and divestitures – 7%
  • Inventories – 6.7%
  • Asset valuations – 6.5%

I find it interesting that a hot button in previous years, Revenue Recognition, has dropped from being the reason behind more than 20% of restatements in 2004, around 16% in 2018, to 12% last year.

What does all of this mean for those of us involved in preparing or auditing financial statements and related controls?

I believe this should be factored into your risk assessment activities.

The audit committee might include a discussion of this report with their external auditors.

I welcome your thoughts.

Risk and Strategic Intelligence

May 23, 2022 5 comments

One of the issues that has concerned me over the years is who is not only responsible for understanding what might happen (both risks and opportunities) but also has the capability to do so.

The easy answer is that operating management is responsible for understanding, evaluating, and addressing what might happen that could affect their business and its ability to achieve enterprise objectives.

That’s the easy answer, because I see the risk function as helping management do that. The risk function shouldn’t own the risk or be responsible for identifying and assessing it.

But do either have the capability to do it well?

A Wall Street Journal article, Building a Corporate Strategic Intelligence Program, got me thinking.

Should an organization establish a function whose job it is to survey and monitor the external environment? If so, should it be on targeted areas rather than the whole potential landscape? (The discussion in the article does not include threats or opportunities from internal sources.)

In the article (which has content by Deloitte but is written by an executive from Invesco, the company it profiles), the Strategic Intelligence function is not part of the risk function.

Effective strategic intelligence functions are often well connected across organizations, especially with risk management teams, and well positioned in the organization’s strategy-setting process. They also often report to a C-suite leader to enable intelligence to be elevated to the highest levels of leadership in the organization.

I think this is an idea that is worth exploring.

It would be a team with expertise in analytics and other tools, and access to other sources of research.

What do you think?