Posts Tagged ‘GRC’

Most read posts of 2020 and all-time

December 28, 2020 6 comments

It is interesting to me that the blog post that has attracted the most views in 2020 is also the most read post all-time.

It seems people continue to be very interested in risk appetite – signaling that I need to share more thoughts on why this is a concept with serious flaws, which I shall in January.

In any event, the top 12 are shown below. A further 17 had more than 1,000 views.


When it comes to all-time views, these are the posts that have garnered more than 10,000 views.


Please share which posts you enjoyed the most – and why.

Do you hire people who can think?

December 15, 2020 3 comments

In Auditing that matters (which I strongly recommend for every internal audit practitioner or consultant), I have a chapter on making sure you have the audit team you need.

Here is an excerpt from the start of that chapter. It talks about probably the most important skill I needed from every member of my team.

The need to think

I ask a great deal from my team.

I need them to THINK.

Thinking is not, sad to say, something that every internal auditor does.

In fact, most auditors are trained NOT to think! They are told to ‘follow the audit program’ and do what they are told. Sometimes, they are even told to do the same work as the last time the area was audited.

As we know today, the risks of today are very often not the risks of yesterday. Doing the same audit means we are auditing what used to be the risks, not necessarily what they are today.

While I would always prefer to hire people who have never been trained to “do what I tell you and follow the audit program”, that is not always possible. Very often, I can see in the interview process who has the capability of thinking for themselves. If they have high potential, I will hire them and unlock their chains by insisting that they always use their intelligence. If they drift towards following the same program as last year, I ask them why – and persist until I get their answer, not an answer provided by somebody else.

If we are to gain insights and provide management with meaningful, valued assurance and advice, I need auditors who can:

  • Think
  • Imagine what might be
  • Suggest options for improvement that management has not considered

People can be trained in technical matters such as auditing skills. They can learn the business. But, it is much harder to learn to be imaginative or to think logically.

As long as individuals have intelligence and their curiosity, imagination, and creativity can be unlocked, they have the potential I am looking for.

It takes an unusual recruiting and interviewing process to identify individuals with high potential. It takes a manager who acts more like a mentor and teacher than a supervisor to help those individuals further develop and realize that potential.

I am proud that I have been able to staff my teams with individuals who can think, are willing to challenge traditional thinking (whether by the business, internal audit, or me), and suggest creative solutions to today’s and tomorrow’s challenges.

They have told me, even people who have worked for me for years (or decades, in one case), that I have always challenged them.

One key is to never answer a question – if at all possible. Instead, help the questioner find the answer themselves.

Ivy Yeo worked for me at Maxtor and this is what she had to say on this topic:

“You are the best teacher in my life! You just know when is the time to give me a straight answer to my question (for questions which are beyond my ability to solve). You know just when is the time to answer my question with another question to stretch my ability to think further and discover the answers on my own.”

As a child, I learned the value of a short word: “why?”

In my 2nd grade math class, Professor Taylor asked the class a very simple question: “what is the square root of 4?” I put my hand up, but when I said the answer was 2, the learned professor asked me “why?” He made me think. Answering that this is what I had been told, or that 2 X 2 = 4 was not sufficient. He made me think through and come up with an explanation that demonstrated my understanding of the mathematics involved.

As a manager of people, I also use this simple question. It doesn’t matter whether the individual has the right answer or not. I want him or her to explain to me why it’s the correct answer.


This skill, the ability to think, is not only critical but in this dynamic and turbulent environment absolutely essential for success.

When the world is changing, blindly following the practices and principles of the past should not be acceptable.

Use that question, why, as often as you can:

  • Why should we do this?
  • Why does it matter?
  • Why should we do it the same way as last time?

Then follow up with related questions, such as:

  • What are we (the organization) trying to achieve?
  • What is the best way to achieve that?
  • Is there a better way?
  • What would happen if we stopped doing this?

…and so on.


What do you THINK?

Do you emphasize independent thinking?

Do you encourage imagination and creativity?

Are you willing to listen to crazy thoughts?

Delivering value from IT audit

December 8, 2020 2 comments

Some of you may not know this, but earlier in my career I was an IT auditor (starting with Coopers & Lybrand). In fact, I was a bit of a techie and trailblazer when it came to understanding how the operating and related systems could affect the operation of applications and, thereby, business operations.

I had some fun with this when the IT audit leaders in France contradicted me. I wrote a simple RPG II program, then compiled and ran it twice. I changed a couple of lines in the Linkage Editor so that the results were different.

Anyway, IT audit has been a passion of mine for many years.

So, when I saw that Deloitte has published a piece, The Future of IT Audit[1], I was interested.

Here are some excerpts with my comments:

  • In a world where everything from automotive to banking relies upon technology, IT audit methodology needs to change. The future of IT audit should align itself with IT’s new strategic role and to act as an adviser, not solely an auditor.

Comment: being an auditor is being an adviser. That should not be a change.

Comment: what may need to change is that a larger percentage of the audit plan and staffing should be on technology-related risks and opportunities.

  • As boards are recognizing a paradigm shift wherein IA takes on a strategic role, they expect IT not just to keep pace, but also to think critically about IT audit risks.

Comment: again, this should not be a change. Internal audit should already have a strategic focus. There’s little value in auditing the past when the future is what matters.

Comment: IT audit should be concerned with the success of the organization as a whole and the risks to that business as well as the opportunities to take advantage of change – with a focus on those that relate to technology. See Making Business Sense of Technology Risk. It’s not about IT risk, it’s about business risk.

Comment: the greatest risk may be taking too little risk.

  • Increasingly, boards are shifting their focus to understand how technology can also be leveraged offensively to create new opportunities, business models, and revenue.

Comment: nothing new here.

  • Directly engage with IT leadership in evaluating the risks, skills, and capabilities required to assist the organization in mitigating IT execution risk, which today can represent an existential threat to the business.

Comment: this sounds good but is misdirected. Focus on the business, not technology out of context.

  • Become highly conversant on the strategic plan and consider IA’s role in evaluating management’s monitoring of IT execution risk.

Comment: there is so much more, as I will explain.

  • Today, internal audit professionals need to be technically savvy in the context of the IT-driven enterprise and the IT-driven business strategy.

Comment: this sounds good, but what does it mean?

So what is my advice for IT auditors? What is the future of IT audit?

  1. The goal should be to perform auditing that matters. Address the issues (risks and opportunities) that are important to the success of the organization as a whole. Work, even in specialist teams such as IT audit, should be designed to address the business risks and opportunities that matter to the success of the organization.
  2. Don’t have a separate IT risk assessment and plan. Remember to focus where reliance is placed on technology – and a failure would be serious from a business, not just an IT perspective.
  3. Audit any IT risk assessment (see the guidance in Making Business Sense of Technology Risk). It should help leaders understand how the achievement of enterprise objectives may be affected by technology failures or successes; a risk-prioritized list of information assets simply doesn’t cut it.
  4. Don’t underestimate the need to participate and advise on development and major maintenance projects.
  5. Don’t do work where the results wouldn’t matter to leadership.
  6. Recognize the need to take the right level of risk. Being late to rollout a new technology because of concerns about risk can be more damaging than accepting a higher level of risk so you can be first to market.
  7. Provide the insight, advice, and assurance that leaders need if they are to manage the organization for success.
  8. Don’t be afraid to call out IT management when they fail to be sufficiently visionary.
  9. Don’t ‘audit what you can’ – audit what you should because it matters. Get extra resources if there’s a gap.
  10. The future for internal audit and IT audit is bright, but only if we put our significant talents to work providing leaders with the assurance, advice, and insight that matter to them: information that helps them to achieve their objectives.

What do you think?

[1] Deloitte has done something crazy, at least in a Windows environment. If you cannot see the article because of their advertising, move your mouse over to the left and it should disappear.

Internal Audit in Crisis Times

November 16, 2020 4 comments

My friend, Hal Garyn, has shared his views on Internal Audit in these difficult times: It’s Crisis Time: Does Internal Audit Have a Say?

He makes several first class points and I strongly recommend this article to you. For example, he says:

  • Just because internal auditors want a seat at the table, doesn’t mean senior executives will automatically pull back the chair and gesture for audit leaders to sit. It must be earned. Once it’s earned, it must be retained. Auditors earn and keep a seat at the table by continuously providing valuable insights, making commitments, and delivering on promises.
  • Just because we think we have something important to say, does that information matter to our colleagues? Is it the right information, at the right time, delivered to the right people, and is it insightful?
  • Internal audit, even with its reliance on technology, data analytics, and electronic communication, will still be most successful because of the interpersonal relationships it has now and will develop over time.
  • Look at internal audit from the outside in, not the inside out: Focus on what the organization really wants from internal audit, not just what we believe we should provide.
  • Consider and prioritize the work that is absolutely necessary, even if it is outside the typical internal audit work, and leave the work that doesn’t address the immediate problems for another time.
  • Volunteer to help: Determine how you can help and figure out how to do it. Don’t wait to be asked. The four words every internal audit leader should be asking senior executives are: “How can I help?”
  • Be more flexible with risks to objectivity: While objectivity is fundamental to internal audit, in times of crisis, what the organization needs should potentially take precedence over preserving objectivity.
  • Move to a near-continuous risk assessment: Risk is dynamic, not static. Right now, risks are quickly evolving in terms of impact, likelihood, severity, duration, and velocity. If you are conducting risk assessments on a quarterly or, dare I say, annual basis, your assessments are yesterday’s news.

I usually end my posts with, if not criticisms, additional perspectives and suggestions.

I don’t want to dilute Hal’s article and leave you to read it in its entirety.

I welcome your thoughts

Talking sense about the Audit Committee

November 9, 2020 5 comments

I am tired of seeing nonsense written about the responsibilities of the audit committee when it comes to their oversight of risk, especially cyber risk. The latest (members-only, which may be a relief) is from Compliance Week; it says the audit committee must have an in-depth understanding of cyber risk – and pays no attention to whether a breach might affect either the integrity of the financial statements or the achievement of enterprise objectives. It also confuses the roles of management and the board.

McKinsey has a far better article, but still misses the mark.

It’s time to go back to basics!

What are the responsibilities of the audit committee of the board?

In 2018, Deloitte published a sample audit committee charter designed for US public companies. It said that:

The audit committee is established by and among the board of directors for the primary purpose of assisting the board in:

  • Overseeing the integrity of the company’s financial statements [NYSE Corporate Governance Rule 303A.07(b)(i)(A)] and the company’s accounting and financial reporting processes and financial statement audits [NASDAQ Corporate Governance Rule 5605(c)(1)(C)]
  • Overseeing the company’s compliance with legal and regulatory requirements [NYSE Corporate Governance Rule 303A.07(b)(i)(A)]
  • Overseeing the registered public accounting firm’s (independent auditor’s) qualifications and independence [NYSE Corporate Governance Rule 303A.07(b)(i)(A) and NASDAQ Corporate Governance Rule 5605(c)(1)(B)]
  • Overseeing the performance of the company’s independent auditor and internal audit function [NYSE Corporate Governance Rule 303A.07(b)(i)(A)]
  • Overseeing the company’s systems of disclosure controls and procedures
  • Overseeing the company’s internal controls over financial reporting
  • Overseeing the company’s compliance with ethical standards adopted by the company

Note that there is no legal requirement (yet) in the US for the audit committee to oversee the management of risk, but we can certainly add that to the list above.

Let’s add to the above with the important section from COSO’s Internal Control Framework (2013) on effective internal control:

An effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives.

I will return to that definition at a later date.

Let me keep my advice for audit committee members and their advisors simple.

I will start with what we all know:

  1. The role of the board is not to run the organization. The role is to ensure it has the right management team and they are running the organization effectively. They have a governance and not a management role.
  2. The board and its committee should be focused on obtaining assurance that management prepares accurate financial statements and makes other required disclosures not only to the regulators (SEC, etc.) but also to other stakeholders (banks, etc.).
  3. In addition, it needs assurance that management has an effective system of internal control in place, not only for financial reporting and other disclosures, but also for the achievement of the objectives approved by the board for the organization.
  4. It also needs assurance that management is properly addressing the risks and opportunities (as called out in the King IV and other corporate governance codes) that might affect the achievement of enterprise objectives.
  5. Finally, the board needs assurance of the effectiveness of both the internal and external auditors.

Now here are my specific recommendations. They recognize the true role of the board as a governance body and not a management body, and the specific duties of the audit committee as described above.

When it comes to specific sources of risk of whatever color ask:

  1. Will this significantly affect the reliability and integrity of the financial statements?
  2. Will this significantly affect our compliance with required disclosures, including the effectiveness of disclosure controls?
  3. Will it significantly affect the effectiveness of internal control over financial reporting?
  4. Will it significantly affect the effectiveness of the system of internal control for other enterprise objectives?
  5. Will it significantly affect the likelihood of achieving our objectives?
  6. Is there a significant problem with relying on our systems and processes for managing risk to objectives?
  7. Will this have a significant adverse effect on our reputation?
  8. If this source of risk is not significant, given the answers to questions 1-7, why is it being brought to us for discussion? Why can we not rely on management to handle it?

I welcome your thoughts.




Apparently, there are legal minds who disagree with my statement that “The role of the board is not to run the organization.” They point to the obligation of the board under Delaware law: “The business and affairs of every corporation organized … shall be managed by or under the direction of a board of directors.”

There is a difference, as every lawyer would tell you, between the words “run” and “manage”.

Clearly, members of the board can be held liable (although I am not an attorney, so this is not a legal opinion) if the organization fails in some way.

But I am not talking about that. I am talking about running the company, and that is something the management team does with oversight by the board.

The board only has periodic involvement (at least the independent members) and it is totally unreasonable (in my lay experience and opinion) to expect them to run the company.

Instead, they appoint a management team and are entitled (given reasonable processes for hiring, reviewing, and terminating them) to rely on them to run the organization. However, they need (not a legal requirement in the US but a practical one everywhere) to have assurance on things like internal control and risk management.


IT audit and IT risk

November 5, 2020 3 comments

I have to admit, I was a halfway decent senior financial auditor with (what is now) PwC. I was no star. But my life as a recently qualified chartered accountant changed when I was given a couple of career choices.

The first was to follow my heart and relocate to the Paris office. I loved France (and French women, let alone the food), having spent multiple summers there with French families or working in a warehouse in the East of Paris.

The second was to follow my head.

I had been a guinea pig in an experiment involving flowcharting and evaluating the controls over a client’s computer systems. It was weird: I had done my best with the new purple Internal Control Questionnaires (ICQs), but both they and the flowcharts could hardly be seen under the barrage of critical review comments and corrections by the Computer Audit Group (CAG). When I met with the CAG Supervisor to hear in person what he had to say about my pitiful attempt, I have to admit being more than a little upset by his harsh words. He asked if I had listened to a word of the training – and I replied that I had not received any training at all! He went from my greatest critic to an admirer, saying that while I had messed everything up it was a great job for somebody with zero experience or training.

Shortly after that strange episode, I met with my manager and he told me that in addition to the opportunity to move to France, I also had an offer to join CAG as a senior computer auditor.

It was a tough decision but CAG was a life-changing experience.

The trainers at the introductory training (CAG College) saw something in me. Even though I had no programming background and was learning COBOL for the first time, they asked me to become the technical expert. In addition to helping others with their COBOL programs, I was to research new developments in technology and interpret how they might affect our clients and our audits.

I fell in love with technology and it changed my life. I was promoted to manager and then senior manager very quickly (I believe I was the youngest manager in the firm at that time).

After I left PwC, it didn’t take long before I was able to move from IT audit to a VP position in IT with responsibility for multiple areas including information security. I hoped to become a CIO. But life intervened and the company I was with outsourced IT and I moved to a new company as CAE.

As CAE, as much as 25% of my team were IT auditors!

I am sharing this to explain why technology, its management and audit, has always been dear to my heart. I am no longer the techie that I was; I now have more of a business executive perspective.

So when I see interesting articles on IT risk and IT audit, my passion resurfaces.

I have known Matt Kelly for many years from when he ran Compliance Week. He is now the Editor and CEO of Radical Compliance, a newsletter I enjoy.

He has penned a piece for Galvanize, a “GRC” software vendor. The article is A better approach to managing IT risk.

Unfortunately, I cannot recommend the article. It has far too much of a compliance focus for me (understandable, since that is Matt’s professional focus and background).

I will just pick out a few statements for comment.

The article starts with this assumption and following statement:

IT security is fundamental to achieving business objectives—which means that understanding and managing IT risk is also fundamental to achieving business objectives.

This is because IT risk evolves across two fronts:

    1. The constantly growing number of regulations that govern issues like privacy or system integrity
    2. The always-shifting design of IT systems themselves.

What is wrong with that?

  • IT security’s potential effect on business objectives varies from organization to organization. Unfortunately, most do not assess how a breach could affect those business objectives (which is why I wrote a book about it). For some, it is huge; for others, not so much.
  • IT risk is far broader than IT security. It includes any failure in the use (or misuse) of technology, including such issues as:
    • The availability of the systems and so on relied on to support business operations
    • The availability of the systems relied on for delivery of services to customers
    • The quality of both, including providing the functionality needed by the business
    • The reliability of those systems to deliver what is needed when it is needed, etc.
    • The ability to support an agile organization
  • Few perform the quality assessment of technology-related risk and opportunity sufficient to make informed and intelligent business decisions. They assess risk to information assets instead of risk to business objectives.
  • There is no such thing as “IT risk”, only business risk (to quote Jay Taylor, former head of IT audit and then CRO at GM).
  • Sometimes, taking more IT-related risk (because of the opportunities) is the right business decision.
  • There are many other factors that can change IT-related business risk, such as a change in the business or an acquisition, a desire for new software by the business, an increase in software purchased or subscribed to directly by the user, an increase in the volume of network traffic that threatens reliability, the loss of maintenance support by a vendor, rapid testing of application changes, operating system changes, the delay of a major systems project, and so on.

Matt doubles down with (emphasis added):

One way a company ends up with too much IT risk is to let those IT systems fall out of compliance with regulatory obligations. Even worse: as we look at the business landscape today, it’s also painfully clear that this is becoming the primary way a company ends up with too much IT risk, too.

Compliance is probably the least concern for CIOs outside financial institutions.

If you want to understand “IT risk” it starts with understanding the reliance placed on technology by the business. Ask:

  • What needs to go right (when it comes to the use of technology) if we are to achieve our objectives?
  • What could go wrong in such a way that it imperils the achievement of objectives?

But management should be the one understanding and assessing risk, including risk related to technology.

While internal audit needs to understand technology-related risk (a far better term than IT risk, since technology is not managed only by the IT function), that is for audit planning purposes. It shouldn’t be for reliance by operating management – even though that is what Matt is saying in his article.

In fact, internal audit should be assessing how well management understands and addresses business risk, including but not limited to technology-related risks and opportunities.

IT audit and the understanding and management of technology-related risks and opportunities are very important (and dear to my heart).

But please, start with understanding the business and how it relies on technology.

Then ask those two questions:

  • What needs to go right (when it comes to the use of technology) if we are to achieve our objectives?
  • What could go wrong in such a way that it imperils the achievement of objectives?

Obtain answers that are ‘valued’ based on how they might affect the achievement of business objectives.

IT auditors: the best ones are those who not only have technology skills but have a deep understanding of the business.

Above all, there is far more to technology-related risk than information security.

I welcome your thoughts.

A simple risk-driven decision technique

October 29, 2020 5 comments

Even as a youth, I was told to consider my options when I was making an important decision.

My parents taught me to take a piece of paper, draw a line down the middle, and write down the “pros” on one side and the “cons” on the other.

Pros and Cons

This simple tool can be very effective.

Imagine we are considering opening an office for our business in Poland.

There are both risks (bad things that might happen and their effects) and opportunities (good things and their effects).

We fill in the table:

  • The Pros might include additional revenue over the first year, with a springboard built for continued growth in Eastern Europe over the following years. We might also include the possibility of hiring additional talent in cybersecurity that could help us with some global challenges.
  • The Cons could include risks related to cyber, trade compliance, ethics, reputation, and more.

But before we make a decision, we need to have more than a description of each of the Pros and Cons. We need some form of measurement.

We also need clarity on our overall objective: what we are trying to achieve. Let’s say that the overall objective is to increase enterprise revenue by 5% and that opening a new office in Poland is one option, one strategy we are considering.

We could add traditional measures of forecast revenue dollars for the first year and subsequent years to the Pros, and put some value on the possibility of hiring cyber talent.

We could add traffic light (high – medium – low) ratings to the risks in the Cons column.

But those measures are not really helping us with our decision.

So we add a likelihood estimate to the revenue forecast numbers. If we are sophisticated, we change the single point revenue numbers to revenue ranges with associated likelihoods.

We also change the risk ratings to some valuation of the potential effect and indicate the likelihood – again, upgrading from single point effects to ranges if we are sophisticated.

We are now getting close, but how do we weigh the Pros and Cons?

Weigh pros and cons

Maybe everything is now quantified so you can determine whether there is a net positive (Pro) or negative (Con) to opening the office.

The next question is whether that net is sufficient for you to achieve the overall enterprise objective.

Maybe there is a positive return, but is it sufficient? How does any ROI compare with other uses of the necessary funds?

Are there better options?

What would happen if you accelerated the opening, perhaps increasing some Cons but also increasing the Pros?

…and so on.

I suggest that this simple technique is one we should always consider when making important decisions.

A risk register or heat map simply doesn’t come close to adding the same value to a decision-making process.

The risk practitioner can help with the Pros and Cons in many ways, from facilitating the identification of the Pros and Cons, to assessing each of them in a way that enables them to be aggregated and compared, and then with tools and techniques to weigh everything together and determine whether they are likely to satisfy enterprise objectives.

In fact, the sophisticated practitioner can take a simple Pros and Cons list and transform it using models and tools like Monte Carlo.
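A worked version of the quantified Pros-and-Cons list above, as an added example that is not from the post or its author: each Pro and Con carries a likelihood and an effect range, a fixed-seed Monte Carlo aggregates them, and the result answers the two questions the post asks, whether the net is positive and whether it is enough to satisfy the 5% revenue objective. The baseline revenue, setup cost and every Pro/Con figure are constructed assumptions, not figures from the post.

```python
"""Monte Carlo weighing of a Pros-and-Cons list (added example, not from the post).

Each Pro or Con is a (name, likelihood, (low, high)) tuple: the probability the
item materialises and a range for its monetary effect if it does. This is the
"ranges with associated likelihoods" upgrade the post describes. All figures are
constructed for illustration.
"""
import random
from statistics import mean

Item = tuple[str, float, tuple[float, float]]

# Constructed enterprise context. The post's objective is +5% enterprise revenue;
# the baseline revenue is an assumption so that the objective has a dollar value.
BASELINE_REVENUE = 40_000_000.0
TARGET_GROWTH = 0.05
REQUIRED_NET = BASELINE_REVENUE * TARGET_GROWTH   # 2,000,000 needed from this option

# Constructed Pros and Cons for opening the Polish office (assumed values).
PROS: list[Item] = [
    ("first-year revenue", 0.90, (1_200_000, 2_600_000)),
    ("value of cyber talent hired", 0.50, (100_000, 400_000)),
]
CONS: list[Item] = [
    ("cyber incident", 0.15, (200_000, 1_500_000)),
    ("trade-compliance penalty", 0.10, (50_000, 600_000)),
    ("reputational damage", 0.05, (300_000, 2_000_000)),
]
SETUP_COST = 900_000.0   # certain outflow, constructed


def expected_value(items) -> float:
    """Analytic expectation of a list: likelihood times midpoint of the uniform range."""
    return sum(p * (lo + hi) / 2 for _, p, (lo, hi) in items)


def sample_net(pros, cons, fixed_cost, rng) -> float:
    """One trial: every item occurs with its likelihood and draws an effect from its range."""
    net = -fixed_cost
    for _, p, (lo, hi) in pros:
        if rng.random() < p:
            net += rng.uniform(lo, hi)
    for _, p, (lo, hi) in cons:
        if rng.random() < p:
            net -= rng.uniform(lo, hi)
    return net


def simulate(pros, cons, fixed_cost, required_net, trials=20_000, seed=1) -> dict:
    """Run the trials and report: typical net, spread, chance the net is positive,
    and chance the net is large enough to meet the enterprise objective."""
    rng = random.Random(seed)   # fixed seed so a rerun gives the same answer
    nets = sorted(sample_net(pros, cons, fixed_cost, rng) for _ in range(trials))
    return {
        "mean_net": mean(nets),
        "p10": nets[int(0.10 * trials)],
        "p90": nets[int(0.90 * trials)],
        "p_net_positive": sum(n > 0 for n in nets) / trials,
        "p_meets_objective": sum(n >= required_net for n in nets) / trials,
    }


if __name__ == "__main__":
    analytic = expected_value(PROS) - expected_value(CONS) - SETUP_COST
    print(f"analytic expected net: {analytic:,.0f}")
    for key, value in simulate(PROS, CONS, SETUP_COST, REQUIRED_NET).items():
        print(f"{key:>18}: {value:,.2f}")
```

Swapping in a second option's Pros and Cons and comparing `p_meets_objective` is how the "are there better options?" question gets a numeric answer rather than a traffic-light one.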

What do you think?

Agile Risk Management

October 25, 2020 7 comments

Peadar Duffy of Solux[1] has shared a marketing piece that contains some valuable content, although it is (IMHO) incomplete.

He explains the need for risk management to be agile – with which I totally agree. By the way, I recommend reading pieces by McKinsey on Agile Organizations. To quote their headline,

“New ways of working are needed to survive and thrive in a fast-moving, technology-driven world.”

These excerpts from the Solux piece, Agile Risk Management (ARM): Continuous & Dynamic Decision Support, help us understand the need:

  • …an environment where the speed of disruption across multiple fronts is on the increase demands of organisations that they similarly need a comparable speed in decision making.
  • 21st century levels of uncertainty mean that there is zero chance that decision makers can reasonably expect to consistently plan perfectly and predict the future accurately. For this reason, organisations need to be prepared to fail fast and learn quickly such that scarce resources can be preserved and re-directed to where lessons learned, and continuous improvements increase the chances of success as soon as possible.
  • Organisations clearly need to be more agile than resilient. Put simply resilient football teams don’t win championships as preparing and responding to opposing team tactics is a defensive play. It is akin to asking players to run onto the pitch with a given number of set-pieces in mind. Alternatively, anticipating opposing team tactics, being agile and bouncing forward ahead of less responsive players is what wins games. Agile players run onto the pitch with a game plan in their minds, thinking of winning with set pieces and rules of the game so embedded in their state of being that it is instinctive.

Let me put this in my words:

  1. The world in which we live and work is not only massively disruptive but the speed and volatility of change are increasing.
  2. Decisions need to be made at speed if organizations (and people) are to both seize opportunities and navigate risks.
  3. Those decisions are dependent on reliable, timely, and current actionable information about what might happen.
  4. That information is derived, at least in part, from risk management activities.
  5. Those activities, risk management, need to function at the speed of change – the speed of risk and the speed of the business.
  6. Risk management also needs to adapt and change to meet the needs of a changing business and environment.

Hence, there is a need for agile risk management.

Peadar explains the relationships between the Purpose or Mission statement, objectives, and the taking of risk. After all, it is supposed to be ‘risk to objectives’, not risk for its own sake.

  • Purpose is determined by stakeholders. Founders, shareholders, boards and their management teams determine core purpose given the needs of customers, society and employees as well as the partners, suppliers and most significantly those statutes and regulations which organisations need to observe. Thereafter corporate objectives, business and operating models required to deliver corporate purpose are selected as appropriate.
  • Purpose to risk management is what true north is to navigation. Why? A risk is simply a thing which can stop you or slow you down on your journey to a given objective. For a given business objective some risks are worth taking, and some are not. The process of deciding what to do is called managing risk and this is what business managers do every day. On the journey from point A to point B you just need to know when to speed up, when to slow down, or when you should stop and plan another route altogether.
  • Clearly when decision makers know why their organisation exists/what it is there to achieve, they are better equipped to do the right thing (making a decision) in the right way (process) as the organisation moves forward.

This is all excellent.

The next step, not addressed in his article, is weighing the pros and cons (the positive and negative effects) to see whether it is right to take a risk or not.

To repeat a quote:

For a given business objective some risks are worth taking, and some are not. The process of deciding what to do is called managing risk and this is what business managers do every day. On the journey from point A to point B you just need to know when to speed up, when to slow down, or when you should stop and plan another route altogether.

How do you know whether to speed up (take the risk), slow down (minimize a risk), or even stop if you don’t understand all the things that might happen? You have to be able to assess and evaluate both the good and the bad so what you put on each side of the scale is in fact comparable.

I will continue to share and write about this (especially when I announce my new book).

I welcome your thoughts.

[1] It has not affected my writing, but I have an emerging business relationship with Peadar. He is one of the reviewers of my upcoming book.

Auditing in a turbulent and dynamic environment

October 5, 2020 4 comments

There’s little doubt that this year has brought many challenges to organizations and their internal audit teams in every corner of the world.

It has been both a challenge and an opportunity: an opportunity to sit back and consider whether there is a better way for internal audit to work.

For example:

  • How often should we update our understanding of the risks and opportunities facing the organization?
  • How often should we update the audit plan?
  • How do we make sure we know about new or changed risks so we are in a position to update the plan?
  • If we update the plan at the speed of risk, how do we communicate that to management and the audit committee? Do we continue to measure ourselves based on completion of the annual audit plan?
  • Do we have the right people and resources to address all the issues that matter to the success of the organization?
  • Are we auditing issues that are not worth our time? Do our audits include in their scope issues that, should we find deficiencies, would not be significant to top management and the board?
  • How do we change from full-scope audits to those that only focus on things that matter?
  • Are we lean in our approach? Do we include activities, such as careful and extensive documentation, that we could and should cut back?
  • Can we audit faster, using fewer resources?
  • Do we have the people capable of doing sufficient work to reach an opinion at speed?
  • Do we know how to stop when we have done enough and accelerate when we have not?
  • Are we timely in sharing our assessments and insights?
  • Are we agile?

Every CAE and audit management team should be asking these and similar questions – and being prepared to change.

Nobody likes change, especially if you might be giving up something that has served you well in the past.

But now may be the time to embrace it.

Richard Chambers has a short video that I recommend on having an agile mindset.

But while an agile mind is very important, the body has to be able to respond with agility.

If you take a month or more to complete an audit, are you agile?

If it takes you a couple of weeks before you issue the audit report, are you agile?

If your process requires two weeks of planning and such before you even start, are you agile?

If you are leaving many important risks untouched every year, are you sufficiently agile? I am not referring to the size of your budget but your ability to make the best and most efficient use of limited resources.

To quote Richard, are you smart and fast enough in your auditing?

For more on this, read (or re-read):

I welcome your thoughts.

Are you hungry for a better approach to risk appetite?

October 1, 2020 24 comments

Recently, Chris Burt of Halex Consulting sent me a copy of a paper he had written, Feeling hungry? A simpler, more intelligent approach to risk appetite.

There’s a great deal to like in his approach:

  • Your organisation is clear on its purpose and values, has a clearly-defined corporate strategy and has even set SMART strategic objectives for the executive. But how much risk should the organisation take in trying to achieve its objectives and deliver its strategy?
  • Unfortunately, the generally accepted approach is to develop a board-level risk appetite statement. Such statements tend to be theoretical, static documents that jump through the hoops of addressing how much – or how little – of key types of risk the organisation is willing to accept or avoid.
  • What about Board decision-making? Ideally, it should be informed by risk appetite. But how many boards consult their own risk appetite statement when considering major decisions, including changes to strategy? The answer is, unsurprisingly, very few. And the reason: board-level risk appetite statements tend to be difficult to understand and impractical to use in real-world decision-making situations.
  • The key weakness of the current approach to risk appetite (including risk appetite frameworks derived from the Board’s risk appetite statement) is that it places undue emphasis on risks, rather than focusing on outcomes in decision-making.
  • What this approach fails to recognise is that successfully achieving an objective relies not just on preventing bad things from happening (mitigating risks), but also on making good things happen. That is, taking active steps to deliver the objective. Current approaches to risk management tend to gloss over the importance of this activity, paying lip-service to exploiting ‘opportunities’ while focusing on lists of risks.
  • The Board should clearly prioritise and set targets for certainty of achievement for each primary objective across a range of categories – such as strategic, operational, financial, compliance, CSR/ESG and viability. Those objectives most critical to the organisation – and thus requiring a very high certainty of achievement – should receive more Board attention and management resources than less important objectives.
  • Current risk management thinking requiring definition of a risk appetite is flawed and unhelpful. A better approach is to focus on the certainty of achievement of objectives.

All of the above is, IMHO, 100% correct. It is very much in line with a new book I am finalizing that will be published (hopefully) before the end of the year. The working title is Risk Management for Success and talks about how organizations can change from using risk management to understand potential harms to using it to increase the likelihood of achieving objectives, i.e., success.

Unfortunately, I think Chris has not taken the argument to the next logical step. He stumbles instead.

He suggests that:

The organisation’s aim should be to increase the certainty of achieving its objectives through minimising residual risks to the point of residual risk/cost of control equilibrium and taking active steps to deliver the objective – i.e. ‘making good things happen’

While the cost of control is certainly something to consider, there are times (many, many times) when more risk should be taken because of the potential for increased reward. For example, organizations will introduce a new product to the market to drive new revenue even though they know that it is not 100% perfect. Waiting until it is perfect (which may never be achieved with certainty) may mean losing the opportunity. It is worth taking the risk.

Yes, organizations should seek to have an acceptable likelihood of achieving their objectives. That requires making informed and intelligent decisions and taking the right risks.

A better approach to risk appetite? Do what you need to comply with regulations and then run the organization for success.

I welcome your thoughts.

When a technologist is a business leader

September 28, 2020 1 comment

I have had the privilege of working with and for a number of superb technologists, many of whom were Chief Information Officers (CIO) or equivalent.

I am going to pick just one: Ron Reed.

I first met Ron when I was a vice president, internal audit, for a large financial services company. He was the senior vice president for IT (i.e., CIO) for the insurance subsidiary.

Although it was polite and professional, our first contact (a data center audit of that organization) had friction. He didn’t believe the facts behind our finding, but we worked together to understand and then appreciate the reality, and he then moved quickly to implement appropriate corrective actions.

A year or so later, he moved to the primary business unit as senior vice president responsible for all IT functions apart from application development and maintenance, where I got to work with him closely. (I ended up working for him.)

Now Ron’s background is deep in technology. He probably knew more about the operating system and related products than our systems programmers. But he was able to rise to leadership within the company because he also made sure he had a deep understanding of the business.

Ron spent time with the business leaders, getting to know them, the operation, and how it was run.

By understanding the business and knowing what it needed to be successful, he ensured the leaders of the business had the right IT services and functionalities.

He didn’t try to sell them what they didn’t need.

A friend of mine told me that I should buy a Tesla. (He owns one and loves it.) He gave me several reasons, including:

  • It’s fast – he can beat any car from a standing start at a traffic light
  • It’s fast – he can safely pass other cars
  • It’s economical because you don’t have the expense of gasoline
  • It’s green
  • It’s fun
  • You can afford it, Norman

I continue to drive my Acura TSX.

I don’t need a Tesla and cannot justify buying one when I don’t drive a lot now that I am (mostly) retired.

Having set the table, let’s place a dish on it.

The Harvard Business Review is an excellent source of challenging and insightful thought leadership. In November, they published Companies need to rethink what Cybersecurity leadership is.

The author (a senior manager with Boston Consulting Group) is clearly a smart guy. As far as I can tell, he has lived within the technology field and has not led an IT or business operation (other than consulting).

The article gets a number of things right, such as:

  • Yet for all the investments they’ve made to secure their systems and protect customers, companies are still struggling to make cybersecurity a vibrant, proactive part of strategy, operations, and culture.
  • Cyber leaders have the monstrous and all-important goal of securing a business, but when companies make big, strategic decisions — about business models, digital strategy, product mix, M&A — cybersecurity is an afterthought.
  • Business leaders must thoroughly analyze their “why” for cybersecurity and be very clear regarding their choice.
  • …your best cyber leader might be a proven non-cyber executive who knows the business, has key relationships throughout the company, and has a general appreciation for technology.

But, I have a serious problem with his solution.

  • Today’s cyber leaders must be able to embed security throughout the company’s operations, rapidly respond to threats, and influence fellow senior leaders. In short, they must be able to lead.
  • Giving the cyber leader and program proper authority is … vital; they must have political sway and a top-level mandate to orchestrate change across the business.
  • …business leaders need to incentivize the right stakeholders to work closely with the function.

The solution reminds me of the Tesla salesperson.

A better approach is for the CISO (or the CIO, to whom I believe the technologist CISO should report) to have a deep understanding of the business and help them with the information security they need. Give them what is justified on business terms, not what is fast, green, and sexy.

Help them understand, from their business point of view, how much security they need, why, and what it is worth spending on it.

Forcing people to buy stuff they don’t need, or that costs more than it is worth, will not get you accepted by them as a business partner.

Boards and executives have some tough choices to make, including how much money and resource to allocate to cyber.

Is $100 million too much? How about $75 million, $50 million, $20 million, or even just $5 million?

Does it make sense to invest $50 million when there is only a 5% (hypothetically) chance of a breach that causes losses of that amount or more?

It’s a business decision that business leaders should make, not the CISO. (Even better, it’s a decision made together – recognizing that the business leader has the casting vote.)

If the CISO, perhaps in partnership with the CIO, can work with the business leaders to give them the security they need (an Acura instead of a Tesla), they will be given a place at the executive table.

People only get invited to participate in strategy and other discussions when they make a positive contribution to the decision-making process. That requires understanding what they really need, not trying to sell them what they don’t believe they need and are unwilling to invest in.

Companies are not giving the CISOs the support and resources they want because the leaders are not convinced it’s a good way to spend their limited resources.

Talk to them about the business, not about breaches and vulnerabilities.

Sometimes, leading requires understanding and listening more than anything else – but that is not what the author suggests.

For him, leading starts with authority and incentives for others to listen.

I welcome your thoughts.

Risk in two rooms

September 24, 2020 10 comments

The twins, J and K, want a hot tub. They decide to approach their parents, A and Z, but separately rather than together.

J finds A washing the car in the driveway. A is interested in the idea and they share dreams of soaking in the hot tub after a long day at work and school (after homework, of course). They think about the possibilities of inviting friends and family over for a party with the hot tub at the center. Ahhh!!!

Meanwhile, K is chatting with Z in the garden. Z immediately thinks about the cost. They will have to cancel the planned purchase of new laptops for the twins. Then the hot tub will have to be cleaned, and that will fall to J and K. As they talk about how disruptive it would be to have new water and power lines installed for the hot tub, they hear a car – their car – driving away.

A and J are on their way to the store, excited at the opportunity to buy a hot tub with installation included. After all, there’s a sale on that ends today!

Did anybody make an informed and intelligent decision?


Each pair only considered one side, either the risks or the opportunity. Nobody considered both or found a way to see whether one side weighed heavier than the other.

This is what happens with traditional risk management. It provides a list of risks. It doesn’t help you figure out which risks to take.

This is what happens with the traditional board. The risk or audit committee talk about risks while another group talk about strategy and performance.

I am working on a new book that will talk about moving from managing risks to managing for success.

Is this something you do? Is it something you want to do?

I welcome your thoughts.

The latest information on cyber

September 20, 2020 1 comment

The Australian Cyber Security Centre (ACSC) has published its annual Cyber Threat Report. The ACSC is an operational arm of the Australian government. It is responsible for “strengthening the nation’s cyber resilience, and for identifying, mitigating and responding to cyber threats against Australian interests. The ACSC also manages ReportCyber on behalf of federal, state and territory law enforcement agencies, providing a single online portal for individuals and businesses to report cybercrime.”

Over the year ended June 30th 2020, they “responded to 2,266 cyber security incidents and received 59,806 cybercrime reports at an average of 164 cybercrime reports per day, or one report every 10 minutes.”

Of the cyber security incidents, 803 (35.4%) were reported by government agencies. Healthcare was the sector with the next highest level of incidents at 164.

To put those statistics into context, according to the Australian government, as of June 30, 2019 there were “2,375,753 actively trading businesses in the Australian economy”. Of those, 141,628 were in healthcare.

So, leaving aside the 803 incidents reported by government agencies, there were roughly 0.6 security incidents reported per thousand businesses, and 1.2 per thousand in healthcare.

Cybercrime is a very broad category, including not only fraud but also online bullying and the sharing of intimate images or videos. It is not clear from the report how many of these targeted individuals rather than businesses or government agencies.

It is also unclear what the impact has been of cyber breaches, ransomware attacks, etc.

The ACSC report references a Microsoft-commissioned study from 2018. That study said:

…more than half of the organisations surveyed in Australia have experienced a cybersecurity incident (55%) in the last five months while 1 in 5 companies (20%) are not sure if they have had one or not as they have not performed proper forensics or a data breach assessment.

…a large-sized organisation (over 500 employees) in Australia can incur an economic loss of AU$35.9 million if a breach occurs. The economic loss is calculated from direct costs, indirect costs (including customer churn and reputation damage) as well as induced costs (the impact of cyber breach to the broader ecosystem and economy, such as the decrease in consumer and enterprise spending).

Fear and doubt surrounding cybersecurity incidents are undermining Australian organisations’ willingness to capture opportunities associated with today’s digital economy, with 66% of respondents stating that their enterprise has put off digital transformation efforts due to the fear of cyber-risks.

Microsoft says “the potential direct economic loss of cybersecurity incidents on Australian businesses can hit a staggering AU$29 billion per year, the equivalent of almost 2% (1.9%) of Australia’s GDP. Direct costs refer to tangible losses in revenue, decreased profitability and fines, lawsuits and remediation.”

But that is simply the potential, a projection of some sort. Is that a credible number or a scare number? What is the likelihood of losses that high? You can decide for yourself, but I just don’t see 2% of a nation’s GDP being lost to cyber.

Microsoft bemoans “fear and doubt” but they are stoking it!

We need, as I have said many times, to assess for ourselves how a breach could affect our businesses and the achievement of our objectives.

There will be a range of potential effects, from trivial to major. Each point in that range has its own likelihood.

Don’t assess cyber or any other source of business risk using a single point in that range. Consider that entire range and whether it is acceptable.

If it is not acceptable, then consider what defense, detection, response, and preparedness you need to bring it down to where you are willing to take the risk. Consider whether the cost is justified based on the risk reduction – given that there are other uses for those resources.

Everybody should gauge the level of resource that should be applied to cyber based on their organization’s specific circumstances.

Don’t spend more than the risk merits – but spend enough.
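The post above (and the earlier question about whether a $50 million cyber investment makes sense when the chance of a loss that large is small) argues for assessing the whole range of effects, each with its own likelihood, and then comparing the cost of a control with the risk reduction it buys. The following is an added illustration of that calculation in Python; it is not code from the post or from the ACSC or Microsoft reports. Every scenario, probability and dollar figure in it is constructed for illustration (amounts are in millions), the scenarios are assumed to be independent, and the "control" is modelled simply as a scaling of one scenario's likelihood or impact.

```python
"""
Loss-distribution view of cyber risk (added example, not from the post).

Each scenario is something that might happen in a year. It has an annual
likelihood of occurring and, if it occurs, a *range* of impacts, each with
its own conditional probability. Scenarios are assumed independent.
All figures are constructed for illustration, in USD millions.
"""
from collections import defaultdict
from itertools import product

# Constructed scenarios: (name, annual probability of occurrence,
#                         [(conditional probability, loss if it occurs), ...])
SCENARIOS = [
    ("ransomware on core systems",  0.10, [(0.6, 2.0), (0.3, 10.0), (0.1, 60.0)]),
    ("customer data breach",        0.20, [(0.7, 1.0), (0.25, 5.0), (0.05, 40.0)]),
    ("cloud misconfiguration leak", 0.30, [(0.8, 0.2), (0.2, 3.0)]),
]


def outcome_points(scenario):
    """Unconditional (probability, loss) points for one scenario, including
    the 'nothing happens' outcome so the probabilities sum to 1."""
    _, p_occur, impacts = scenario
    points = [(1.0 - p_occur, 0.0)]
    points += [(p_occur * p_cond, loss) for p_cond, loss in impacts]
    return points


def annual_loss_distribution(scenarios):
    """Convolve independent scenarios into a {total_loss: probability} map
    by enumerating every combination of per-scenario outcomes."""
    dist = defaultdict(float)
    for combo in product(*(outcome_points(s) for s in scenarios)):
        prob, total = 1.0, 0.0
        for p, loss in combo:
            prob *= p
            total += loss
        dist[round(total, 6)] += prob
    return dict(dist)


def expected_loss(dist):
    """Probability-weighted annual loss (the single number a heat map hides)."""
    return sum(loss * p for loss, p in dist.items())


def exceedance_probability(dist, threshold):
    """P(annual loss >= threshold): one point on the loss exceedance curve."""
    return sum(p for loss, p in dist.items() if loss >= threshold)


def apply_control(scenarios, name, likelihood_factor=1.0, impact_factor=1.0):
    """Return a copy of the scenarios with one scenario's likelihood and/or
    impacts scaled. Hypothetical modelling choice: a recovery capability
    mostly cuts impact, a patching programme mostly cuts likelihood."""
    out = []
    for n, p, impacts in scenarios:
        if n == name:
            p = p * likelihood_factor
            impacts = [(pc, loss * impact_factor) for pc, loss in impacts]
        out.append((n, p, impacts))
    return out


def evaluate_control(scenarios, name, annual_cost, **factors):
    """Compare a control's annual cost with the expected-loss reduction it
    buys. Returns (reduction, justified_on_expected_loss). Tail risk should be
    looked at separately with exceedance_probability()."""
    before = expected_loss(annual_loss_distribution(scenarios))
    after = expected_loss(
        annual_loss_distribution(apply_control(scenarios, name, **factors)))
    reduction = before - after
    return reduction, reduction >= annual_cost


if __name__ == "__main__":
    dist = annual_loss_distribution(SCENARIOS)
    print(f"expected annual loss: {expected_loss(dist):.3f}M")
    for t in (1.0, 10.0, 50.0):
        print(f"P(loss >= {t:>4}M) = {exceedance_probability(dist, t):.4%}")
    # A 0.3M/yr recovery capability that halves ransomware impact
    print(evaluate_control(SCENARIOS, "ransomware on core systems", 0.3,
                           impact_factor=0.5))
    # A 5M/yr programme that halves ransomware likelihood
    print(evaluate_control(SCENARIOS, "ransomware on core systems", 5.0,
                           likelihood_factor=0.5))
```

With these constructed inputs the expected annual loss is about 2.04M and the chance of a year costing 50M or more is about 1%, so a 50M control could not be justified on expected-loss terms; a cheap control that halves ransomware impact pays for itself, while a 5M programme that only halves ransomware likelihood does not. Real inputs would come from the organization's own scenario analysis, and the justification should weigh both the expected-loss reduction and the change in the tail (the exceedance probabilities), since the two controls above move the tail very differently.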

What do you think?

When risk management began

September 15, 2020 4 comments

Recently, I read an article that said risk management had been traced back to around 2,000 BC when there had been some commodity trading in India.

I think it dates back to at least the dawn of the human era, and was probably practiced in some fashion before. (I am not getting into the question of whether God thought about what might happen when he created the heavens and the earth.)

Consider the first people to discover fire. They soon realized not only the opportunities it presented for heat and safety but also for cooking. They also learned what happens if you are not careful and get burned by it. They acted accordingly.


The fire discoverers had objectives: safety, food, heat, etc. They considered the current situation and what might happen, then decided whether or not to take the risk.

That was risk management.

Arguably, it was more effective than some practices today as the potential for harm was weighed against the potential for gain, and a calculated decision made.

They were not listing all the things that can go wrong with fire, holding a meeting to discuss them, and comparing each harm to a risk appetite.

Instead, they decided that if they were careful the benefits outweighed the risks.

How can we move risk management practices forward, away from enterprise list management to enterprise success management?

I welcome your thoughts.

What do you think of heat maps?

September 8, 2020 12 comments

Heat maps are one of the most popular ways of comparing individual sources of risk.

A heat map is suggested as a way of reporting in the COSO ERM Framework.

But I dislike them, as do many practitioners. My reasons include:

  • There is a range of possible effects from a possible event or situation, not a single point, and each point in the range has its own likelihood.
  • It doesn’t help you to determine whether to take a risk, because it is without any context of potential reward.
  • Decisions should be based on the big picture. An objective may be affected by multiple sources of risk and opportunity (things that can happen with positive and/or negative effects). Making decisions one source of risk at a time is clearly sub-optimal.
  • It focuses on risks while I want to focus on achieving objectives, what I call success management.
  • There are better methods, which I have described in this blog and in my books.

Grant Purdy shared an article with me (he dared me to write about it) that takes a more satirical view.

An exciting new lexicon for the professional risk manager has a different way of describing heat maps.

What do you think?

Let’s talk about assumptions and risk

September 4, 2020 13 comments

When we make a decision, we normally make a number of assumptions about what we expect to happen.

My view of risk management, or should I say risk management that adds value and helps an organization succeed rather than just avoid failure, is all about what might happen.

Anticipating what might happen, evaluating and assessing it, then taking appropriate actions through informed and intelligent decisions, leads organizations to success.

It helps them take the right risks, considering both upsides and downsides, to achieve enterprise objectives.

An assumption is made when you state that you think this or that will or will not happen. If you are smart, you define what event or situation that is, how it could affect your objective, and your assessment of its likelihood.

In other words, you are assessing a risk (if adverse) or opportunity (if favorable).

A forecast is also an assumption, or at least based on a set of assumptions about what will happen.

What we should do with assumptions is monitor them.

But, as Estall and Grant say in Deciding, not all assumptions are equal.

There are some that are incidental and some that are critical.

Critical assumptions are those that, should they not bear out, mean that your objective will probably not be achieved.

Other things are often documented as assumptions, but the desired outcome is not dependent on them.

Monitor the critical assumptions and be prepared to respond at the first indication that they will not hold up. If you want, you can refer to this as the monitoring of key risk indicators (KRIs). But KRIs normally refer to things that might happen to hurt you, and you should also be monitoring for things that might help you.

If the assumption is that a new product will be ready for market on June 1st, you need to be prepared to take action not only if readiness is delayed but also if it is early!

Understanding assumptions that have been identified as critical to achieving an objective is essential to effectively managing for success.

Do you agree?

Is this what your organization does?

The State of Decision-Making

August 20, 2020 5 comments

A UK software company, Board, has shared a perceptive report on the woeful quality of decision-making in the banking and finance sector, at least in the UK.

The State of Decision-Making is summarized in an article in Global Finance and Banking that says decision-making is making progress.

Some excerpts with my highlights:

  • Organisations need to be able to plan, adapt, and react with speed. The importance of breaking down data silos to gain a complete view of performance, connecting financial and operational planning and enabling the accurate simulation and testing of scenarios has never been greater.
  • Leaders need to think beyond survival and concentrate on how they can thrive in the “next normal”, and have the tools in place to enable better decision-making for a better, more profitable tomorrow.
  • However, across the world, business decisions are still being made across multiple functions of a business, and all too often the process is disconnected, modular or fragmented. Business critical information sits in silos, processes are disjointed and compounded by over-reliance on error prone, outdated tools such as spreadsheets – causing a disconnect between departments, a misalignment of people and resources and a lack of a single version of the truth.
  • No business can afford to waste time and talent on bets that may or may not come off. Effective decision-making requires integrated, real-time reporting, planning, forecasting, scenario-modelling and predictive analytics.
  • Despite many organisations making decisions that are implemented globally, the decision-making process is not joined up across the business, with 33 percent of businesses making decisions in departmental silos – potentially leading to a lack of cohesion between units and wasting of resources.
  • Just over half (54 percent) of respondents said they were making business decisions based on data and insights, while ‘gut feeling’ decisions are still made by up to 45 percent of companies – a concern in an unpredictable market.
  • When it comes to the tools businesses are using to inform their decision-making, 57 percent of companies rely on spreadsheets and 72 percent predominantly refer to internal company reports. Interestingly, the favoured tools differ depending on the level of decision being made. Those responsible for operational decisions are more likely to rely on spreadsheets (69 percent) than those making strategic (60 percent) or tactical (59 percent) decisions.
  • Research shows that up to 90% of spreadsheets could contain a critical error.

This should be a concern for all of us.

Perhaps it is an issue that should be evaluated at your organization, its condition assessed, and actions taken as appropriate?

Are you aware of it as a problem?

Are you doing something about it?

I welcome your thoughts.

Internal Audit and Fraud Risk Management

August 10, 2020 10 comments

Described as a “joint research report by the Internal Audit Foundation and Kroll” (Kroll is a major investigation firm), Internal Audit’s Role in Fraud Risk Management has some truly excellent content.

It lays out extremely well the IIA’s position and guidance on this important topic. However, Kroll pretty much ignores that and continues with a report that pushes what I assume is its own opinion.

Here are some key points with my comments, but I strongly recommend a careful read with special attention to the IIA’s position laid out in the first three bullets below:

  • While the role of internal audit teams varies significantly across different industries, jurisdictions, and organizations, the predominant role of internal audit is, according to The Institute of Internal Auditors (IIA), “to provide independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” This includes assessing the design and effectiveness of controls in an organization, including controls involving fraud risk management, and providing assurance to management and the board that controls are designed appropriately and function effectively.
  • The IIA set out the following key points in relation to the role of internal audit in fraud risk management:
    • Organizations should have robust internal control procedures to limit the risk of fraud, and internal audit’s role is to assess these controls;
    • The organization should have a suitable fraud prevention and response plan in place allowing effective limitation and swift response to the identification of fraud and management of the situations. This should include digital data;
    • The chief audit executive should consider how the risk of fraud is managed across the organization and assess the fraud risk exposure periodically;
    • The risk of fraud should be included in the audit plan and each audit assignment to evaluate the adequacy of anti-fraud controls; [Note: The IIA needs to update this Standard. The risk of fraud should be considered in the development of the audit plan. As stated, the Standards imply that controls over fraud should be included in every audit, regardless of the level of risk.]
    • Internal auditors should not investigate fraud unless they have specific expertise and experience to do so.
  • In the UK, the Chartered Institute of Internal Auditors takes the view that “internal audit has a role to play in ensuring that management has effective systems in place to detect and prevent corrupt practices within an organization….But it is not the job of internal audit directly to detect or prevent corrupt practices. This is for executive management. Internal audit’s role includes promoting anti-fraud and anti-bribery best practice, testing and monitoring systems and advising on change where it is needed.”
  • In general, respondents were confident about the effectiveness of their fraud risk management programs, with 54% stating that they felt their organization’s fraud risk management was good, very good, or excellent.
    • Comment: 2.53% said their program was excellent and 16.54% very good. When evaluating on a 5-point scale, even “very good” indicates that there is significant room for improvement. Clearly, almost every respondent needs improvement!
  • 60% of those [where internal audit] had a leadership role [in enterprisewide fraud risk assessments said] they felt their organizations had good or better fraud risk management programs.
    • Comment: This is hardly a positive sign.
  • …the identification and management of other risks can … be enhanced by a stronger mandate for internal audit to drive risk analysis and frame how this feeds into senior management decision-making.
    • Comment: Kroll ignores the IIA guidance and makes this assertion without evidence to support it. However, as I will discuss later, I tend to support a move in this direction in some organizations, with one very significant modification in approach.
  • Of all the teams taking a lead in fraud risk management within organizations, internal audit took the lead most frequently in organizations surveyed, with 41% of respondents stating that the internal audit team was the main leader in fraud risk management. Additionally, 91% of respondents stated that they had at least some involvement in enterprisewide fraud risk assessment.
    • Comment: Kroll did not ask why Internal Audit was taking the lead, only what the barriers were to doing so – a major failing in my opinion. They clearly started with the position that Internal Audit should be the driver, rather than management. They ignored the guidance which very clearly says that the program is a management responsibility.
  • The majority of survey respondents (80%) felt that there were barriers to internal audit involvement in fraud risk management. The most common barriers noted were lack of appropriate resources, lack of mandate and potential conflict of interest, and to a lesser extent the lack of adequate skills to undertake such work.

The lack of mandate is perhaps the area most prevalent in current debate, with approximately a quarter of survey respondents considering this as the largest barrier. It is common in our experience that business leaders do not perceive that it is the primary mandate of internal audit teams to take a leadership role in fraud risk management and operational activity for prevention, detection, and response. The business objectives, structural priorities, and risk appetite of individual organizations will impact whether or not internal audit is the appropriate place for fraud risk management to sit.

  • Comment: Following the IIA Standards and guidance is a barrier, true, and it should be an effective barrier to taking on a management responsibility!

As a retired CAE and CRO, I believe every organization should consider the risk of fraud. The consideration should not only consider the financial impact but, even more so, the potential to affect the achievement of enterprise objectives.

ACFE surveys consistently report that, on average, organizations lose about 5% of revenues to fraud of one kind or another. However, that number includes a cost attributed to employees’ use of corporate assets (like doing their taxes on company laptops), theft of time, and so on. So I tend to slice that 5% down in my mind.

Nevertheless, fraud can be a significant source of risk and every organization should complete and then maintain an enterprise-wide fraud risk assessment with appropriate controls and other risk responses in place.

Management’s risk assessment and the related controls and responses should be assessed on a periodic basis by Internal Audit.

The potential for fraud (including cyber breaches) to affect the achievement of enterprise objectives should be a consideration in developing and maintaining the audit plan – in the same way as other sources of business risk.

We should not assume that controls and practices related to fraud must be included in the audit plan or in any audit engagement. That diverts resources and attention from more significant sources of business risk.

Now for the question I said I would come back to.

Should there be, as Kroll says, “a stronger mandate for internal audit to drive risk analysis and frame how this feeds into senior management decision-making?”

  • In many organizations, there is no good alternative to Internal Audit when it comes to leading a fraud risk assessment. Even in those situations (typically large companies) where there is a corporate security, investigations, or similar function, they may not have the experience and skills to lead the initiative.
  • Reporting to management and the board that an assessment is not being done, or is being done poorly, when there is no natural individual or function to do so, is pointing to a problem without offering a practical solution. The CAE should point out both the issue and a solution to that issue.
  • Somebody needs to do it, and the board and top management will generally support a CAE who is willing to take the lead.
  • Internal Audit may lead and facilitate the assessment with operating management making the assessment with IA help and guidance. They should make every effort not to be the assessor themselves. As CAE, this is the position I took. If there was nobody else to put the assessment together, I developed a draft after discussions with operating management and used that to elicit and facilitate senior management’s assessment.
  • Internal Audit should not “frame how this feeds into senior management decision-making.” No. Nyet. Nein. Non. Not on your life.

Kroll finishes their Conclusions section (except for their detailed recommendations, with which I disagree) with:

This may be a good opportunity for the internal audit profession to reassess and reconsider where it fits into the broader umbrella of fraud risk management to ensure that internal auditors support their organizations on the road to recovery in the most efficient and effective way.

It is always a good time to step back and reassess prior practice and guidance. But I don’t see it the same way as Kroll.

  1. The IIA should update the Standards to focus time and attention on enterprise risks and the achievement of enterprise objectives. The Standard that requires a second risk assessment for every audit is redundant and should be eliminated.
  2. The IIA should make sure that fraud risk is considered and given attention in the audit plan and engagements commensurate with the level of risk to the enterprise and its objectives.
  3. The IIA should engage with regulators to ensure that they do not mandate an excessive level of attention to a relatively low source of risk.
  4. Every organization should consider the level of fraud risk to its objectives and integrate that into their enterprise-wide management of risk (and success).
  5. CAEs should be willing, with board approval, to facilitate management’s fraud risk assessment.
  6. Nobody should be willing to accept an average grade.

What do you think?

Opportunities to upgrade your skills

August 7, 2020 1 comment

This pandemic has shut down, as you might expect, all the in-person conferences and seminars that I had expected to participate in this year.

However, I will be leading some small group online training starting in October. If you are interested, please follow the links below to obtain more information.

Each event will be what we call 3X3: three hours each day for three days.

Sarbanes-Oxley s404 Master Class October 20, 21, 22

GRC – A Corporate Discipline November 3, 4, 5

Risk Management that Helps the Organization Succeed November 17, 18, 19

Auditing that Matters: Building a World-Class Internal Audit Function

Board members should discuss this excellent paper on Boards and the Taking of Risk for Success

August 3, 2020 2 comments

The ACCA published an excellent product a couple of years ago. Risk and the Strategic Role of Leadership might have been written by three UK academics, but reflects the practical thinking of board members as well as risk practitioners.

Here are some notable excerpts, with some highlighted by me:

  • Boards have always been involved in the management of risk. Without appropriate risk taking, organisations cannot exploit the full range of strategic opportunities that are available to them, nor can they hope to protect themselves from less positive outcomes.
  • Effective risk assessment, reporting and control help to enhance a board’s governance and internal control activities, reducing the probability that an organisation may deviate from its stated objectives and so fail to meet the needs of its stakeholders.
  • Risk may bring with it the potential for losses, but it also offers the potential for opportunity.
  • Boards are still finding it hard to understand and address softer factors, such as culture and risk appetite. Often, this is because of a lack of clear information and difficulties in connecting them to organisational performance.
  • Regulation and compliance remain key drivers for board-level involvement in risk management. Nonetheless, some organisations are increasingly aware of the strategic benefits of risk management in helping them to exploit opportunities and so exceed their stated objectives.
  • Factors such as lengthy risk reports and insufficient time devoted to risk management at board meetings create significant challenges for board-level risk-management activities.
  • Today’s board has a key role to play here, helping its organisation identify and exploit opportunities, which is as much a part of maximising the long term sustainable performance of the organisation as well as overseeing the mitigation of threats.
  • Risk comes with the opportunity for returns, and even seemingly adverse events such as regulatory change or political uncertainty can create opportunities that may be exploited.
  • …highly strategic risks, such as the development of a new product or market, or an acquisition or merger, very clearly combine a range of positive and negative outcomes.
  • exploiting opportunities is as much part of risk management as controlling downside outcomes.
  • Viewing risk as ‘bad’ means that the potential for better-than-expected outcomes may be overlooked. It may also foster high levels of risk aversion in boards, a problem that was identified by a number of the participants in both large and SME organisations. The consequence of this approach is that innovations may be missed.
  • “In some areas there should be a willingness to proactively take risk and indeed that to take no risk is potentially the biggest risk of all because there’s a possibility that people innovate around you, you’re left standing, and as time goes by you become the dinosaur in comparison to the rest of the sector” (non-executive director).
  • In a small number of organisations strategy setting and risk were integrated to a much greater extent. The directors of these organisations indicated that their boards considered the risks associated with choosing or not choosing specific strategic options at the strategy setting phase, as well as the organisation’s risk-management competencies and capabilities.
  • …an extremely prescriptive [ndm: the paper talks about two approaches, prescriptive and principled] risk-management approach may cause board-level risk-management activities to become static and reactive, with board members getting lost in operational detail (a potential problem made worse by lengthy risk registers) and taking an overly negative view of risk.
  • …an extremely principled approach may make inconsistent decisions and may pursue upside opportunities at any cost, exposing an organisation to excessive amounts of risk.
  • “So the classic thing, zero harm – we’ve got no appetite for something – it’s a complete misunderstanding of what risk appetite is. There is a wealth of metrics and information out there that you can tap into to articulate statements in a way which will actually add practical guidance to a business, and you’d be able to measure whether you’re operating within those parameters. But a lot of companies are just nowhere… they’re still doing the sort of high, medium and low, hungry-averse-type scales, which are just worthless” (Focus group).
  • …adopting a ‘compliance mind-set’ … may foster excessive risk aversion: ‘it’s the mind-set of actually, rather than helping us take risks better it’s about not taking risks at all’ (executive director).
  • Non-executives need to be assured that executives have ensured there is an appropriate risk-management framework that is operating effectively.
  • What was stressed by a number of participants was the need for discussion of risk at a strategic level – not at a level of governance and oversight that dwells on risk registers and frameworks – in order to be able to take advantage of opportunities.
  • The ability to move away from vast static risk registers that are essentially backward looking, towards a dynamic view of the real-world impact of risks on the activities of the organisation, was something that many have aspired to, but few have actually achieved, in their board’s approach to risk registers. All too often, and much to the disappointment of some participants, the use of risk registers was seen as a ‘tick-box’ exercise characterised as compliance, as opposed to one of many sources of information pertinent to strategic decision making.
  • The risk and/or audit committee was seen to act as a filter for the board, with a more succinct discussion taking place at board level.

The paper has a number of highly constructive suggestions. I recommend reading them all, but here are the ones I especially liked:

  • Place risk in a positive context. Consider the potential for outcomes to be better, as well as worse, than expected, making it clear when you are talking about opportunities and risks. If necessary, avoid using words such as risk if they have a negative meaning in your organisation; eg consider alternatives such as ‘volatility’ and ‘uncertainty’.
  • Integrate your strategy and risk decisions. When setting your strategy and business objectives, consider the potential for better or worse-than-expected outcomes from the outset.
  • Boards should adopt the 75:25 rule. Spend 75% of board meetings looking outwards and forwards. This will help the board to identify external and future threats and opportunities. Spend the remaining 25% of board meetings looking inwards and backwards. This will help the board to understand the organisation’s capabilities and competencies in areas such as finance and risk management.
  • All papers going to the board should have a dedicated risk section within the executive summary, highlighting their risk implications for the strategic objectives of the business. This provides visible anchor points for discussion of the strategic risk-reward equation.
  • Policymakers should revisit their risk mind-set: risk is not bad in itself and opportunities are never certain. Rather than considering risk management as a device for increasing certainty, it should be considered as a means for achieving ever more positive outcomes. Risk management should help an organisation to create value, as well as to protect it.
  • Always encourage boards to make links between strategy and risk. Potential risk exposures, along with the ability of an organisation to manage these exposures, should be considered as part of strategy setting. Risk management should not be a bolt-on activity after the strategy has been determined.

I recommend that the full board, not just the risk and/or audit committee, should receive a copy of this paper and hold a discussion with management on its key points, recommendations, and self-assessment questions.

I welcome your thoughts.