Archive

Posts Tagged ‘ISO’

PwC confuses boards on risk oversight

May 27, 2017 18 comments

I want to start with two admissions:

  • I worked for 10 years at PwC and still have friends and respect for many of the professionals there.
  • I am hopeful that the pending update to the COSO ERM Framework, written by PwC, will be a leap forward in the practice. In fact I am more optimistic about the COSO initiative than I am that the ISO 31000:2009 update will reflect current leading (that risk management is about disciplined risk-taking through informed and intelligent decisions).

Then I read the latest advice for boards from PwC on risk oversight.

Why your board should take a fresh look at risk oversight: a practical guide for getting started is hugely disappointing.

While the PwC team on the COSO project recognize explicitly that risk management is far more than a periodic review of a list of risks, the authors of the board governance report are on a totally different page.

For example, the report says:

“It’s helpful for the board and committee chairs to work together to ensure all key risks are subject to board-level oversight. Some boards find it helpful to use a risk allocation matrix, which extends the key risk summary that many boards currently receive. Some companies even show overall risk allocation graphically in their proxy statements.”

They are talking about a list of risks, not about the achievement of objectives.

The report has a useful discussion about whether the organization’s disclosures about risk are complete and sufficient to satisfy investors.

It also asks interesting questions about the competence of the board members in risk management.

But, the role of the board is not to second-guess management and perform their own identification and assessment of risk.

The role of the board is to ensure management has the capability to do this and is in fact doing it well.

Frankly, the PwC report advises boards in a way that will lead them all astray!

It suggests the wrong questions.

I have written about this before, but here are the questions I would ask the executive management team if I were on or advising a board:

  1. What does risk management mean to you? Is it something you have to do (for compliance purposes) or does it actually and significantly help you determine and execute on strategy? If the latter, please explain.
  2. How effective do you believe, Mr. or Ms. CEO, is the management of risk is? Does it give you a strategic advantage?
  3. How effective does your CRO believe it is (if you have one. If not what does the responsible executive think?)
  4. How effective does your internal audit team think it is? How did they assess it? If they didn’t, why not?
  5. How do you factor in the consideration of risk (“what might happen”) into the selection of strategies and objectives?
  6. How do you factor in the consideration of risk into the selection, planning, and execution of major initiatives? Where can I find it in the proposals you submit to the board for approval?
  7. How do you and your management team make decisions in the face of uncertainty?
  8. What is the likelihood of achieving each of our strategic and major operational objectives? How do you assess not only performance to date but anticipate what might lie ahead? What are you doing about the latter?
  9. How do you know all decision-makers are taking the desired amount of the right risks? Do you help them at the point of decision-making or only after the fact through risk reporting against risk appetite? Does what you are doing work?
  10. What are you doing to improve the ability to address and respond to likely future events and situations?

The conversation about risk management expertise is, in my opinion, misplaced.

Members of the board should, for the most part, be able as former executives themselves to assess the competence of the executive management team in addressing what might happen.

That doesn’t require skills and knowledge in risk assessment techniques.

It requires the ability to listen, challenge, and think about how the CEO and his/her team are managing the organization with an eye on the future that is realistic about what might happen and what to do about it.

I welcome your comments.

Important new IFAC paper on risk management

May 9, 2015 21 comments

With help from Grant Purdy, IFAC has published an excellent Thought Paper on risk management. From Bolt-on to Built-in: Managing Risk as an Integral Part of Managing an Organization.

This is one of the most important papers on risk management in recent years – not because it says something new, but because it (a) comes from this well-respected, global organization, (b) is contrary not only to many current practices but also to how guidance from several regulators is being interpreted, and (c) is expressed forcefully and eloquently.

The IFAC paper has a wealth of good advice. I can only excerpt portions because if I quoted everything of note, I would end up copying most of the document!

I encourage everybody to download and read the paper for themselves.

The theme is captured in this:

In some organizations the approach to management of risk and internal control has deviated from its original purpose: to support decision making and reduce uncertainty associated with achieving objectives. Instead, risk management in these organizations has become an objective in itself, for example, through the institution of a nonintegrated, stand-alone risk management function. This typically removes responsibility for the management of risk from where it primarily belongs: incorporated into line management. A separate risk management function, even though established with the best intentions, may hamper rather than facilitate good decision making and subsequent execution. Managing risk in an organization is everyone’s responsibility.

The paragraph makes some essential points:

  • Risk management (and the part of risk management that is internal control, as controls only exist to provide reasonable assurance that risk is at acceptable levels) is all about enabling informed, intelligent decisions
  • The overall purpose is to set and then achieve the right objectives
  • A separate risk management function often separates the consideration of risk from the running of the business – degrading rather than enhancing decision-making and organizational performance

IFAC continues the theme:

This Paper contends it is time to recognize that managing risk and establishing effective control form natural parts of an organization’s system of management that is primarily concerned with setting and achieving its objectives. Effective risk management and internal control, if properly implemented as an integral part of managing an organization, is cost effective and requires less effort than dealing with the consequences of a detrimental event. It also generates value from the benefits gained through identified and realized opportunities.

Risk management should not be separate from management processes. It is more than embedding the consideration of risk into management processes. It is an integral part of decision-making and running the enterprise.

This is stressed:

Risk management should never be implemented in isolation; it should always be fully integrated into the organization’s overall system of management. This system should include the organization’s processes for good governance, including those for strategy and planning, making decisions in operations, monitoring, reporting, and establishing accountability.

Note that risk management helps organizations select objectives and related strategies as well as enable optimal performance and achievement of the objectives. Risk management does not start after objectives are established, but before. “Setting objectives itself can be one of the greatest sources of risk.” IFAC explains that:

Risk management assists organizations in making informed decisions about:

  • objectives they want to achieve;
  • the level, nature, and amount of risk that they want to assume in pursuit of those objectives; and
  • the controls required to support achieving their objectives.

IFAC emphasizes that the management of risk is not for its own sake. It is to enable the achievement of the right objectives.

The main objective of an organization is not to have effective controls, nor to effectively manage risk, but to properly set and achieve its goals; to be in compliance and capable of managing surprises and disruptions along the way; and to create sustainable value. The management of risk in pursuit of these objectives should be an inseparable and integral part of all these activities.

In IFAC’s discussion of maturity, they say something that sounds very similar indeed to OCEG’s definition of GRC: “Effective risk management supports management’s attempts to make all parts of an organization more cohesive, integrated, and aligned with its objectives, while operating more effectively, efficiently, ethically, and legally.” (They continue with a very high-level example of a four-stage maturity model.)

I like how they say that the owner of the enterprise objective (responsible for performance against it) should also be the owner of related risks, not any risk officer:

As an organization’s risk is inextricably connected to its objectives, the responsibility for managing risk cannot lie with anyone other than the person who is responsible for setting and achieving those objectives.

Line management needs to accept its responsibility and not delegate risk management and internal control to specialized staff departments. Placing responsibility within the line also implies that staff or support functions should not, or no longer, be the “owner” of risk management in organizations. However, these support functions nevertheless play a crucial role in supporting line management in the effective management of risk.

There is a critical discussion of risk management flaws, with not only a list of the most serious but a table that compares good and bad practices. Some of the flaws they identify as serious are:

  • “Having a compliance-only mentality ….. ignoring the need to address both the compliance and performance aspects of risk management.”
  • “Treating risk as only negative and overlooking the idea that organizations need to take risks in pursuit of their objectives. Effective risk management enables an organization to exploit opportunities and take on additional risk while staying in control and, thereby, creating and preserving value.”

Some of you know that I am writing a book about world-class risk management. When it comes to risk reporting, I found the topic tough to write about because so many risk reports (and risk registers) are just a list of risks and their risk ‘levels’. They are not focused on how each of the enterprise’s objectives is affected. I will include this section as a quote because it gets it right and says it well:

As risk is the effect of uncertainty on achieving objectives, it would be inadvisable to manage risk without taking into account the effect on objectives. Unfortunately, in some organizations the linkage between the risks periodically reported to the board and the strategic objectives that are most critical to the long-term success of the company is at best opaque and at worst, missing completely. As a consequence, risk is insufficiently understood or controlled, even though the organization devotes some attention and resources to the management of risk. Risk management without taking into account the effects on objectives is thus ineffective.

Let me close this post with a quote from Unilever that is included in the IFAC document:

“At Unilever, we believe that effective risk management is fundamental to good business management and that our success as an organization depends on our ability to identify and then exploit the key risks and opportunities for the business. Successful businesses take/manage risks and opportunities in a considered, structured, controlled, and effective way. Our risk management approach is embedded in the normal course of business. It is ‘paper light—responsibility high.’ Risk management is now part of everyone’s job, every day! It is no longer managed as a separate standalone activity that is ‘delegated to others.”

What do you think? I welcome your comments.

By the way, I hope those involved in the COSO ERM update, as well as those working on an update of the ISO 31000:2009 global risk management standard, pay attention. IFAC has proved that accountants can publish excellent guidance on risk management!

A Rant about the GRC Pundit’s Rant

April 18, 2014 24 comments

Michael Rasmussen, a.k.a. the GRC Pundit, is a friend whose intellect, integrity, and insights I respect. He and I, together with another friend, Brian Barnier, were the first three to be honored as OCEG Fellows for our thought leadership around GRC.

Michael and I have had many a debate on the topic of GRC. Michael brings the perspective of an analyst that works with many companies, helping them select and implement software solutions. That is his business: he refers to himself (GRC 20/20 Research, LLC) as a “buyer advocate; solution strategist; and market evangelist”. His latest blog, GRC Analyst Rant: Throwing Down the GRC Analyst Gauntlet, inspired me to write this one.

My background is very different, having been a practitioner and executive responsible for many of the business activities he supports – in other words, I might have been one of his customers. My focus is on helping business run better – and that frequently but not always involves the judicious use of technology.

Michael and I agree on a number of points, disagree on others. For example, I believe he and I agree that:

  • The term ‘GRC’ is one that is interpreted in many ways.
    • When I ask practitioners within a company what they mean when they use the term, most say it stands for ‘governance, risk, and compliance’ but cannot explain why anybody would use that term to describe the totality implied by the expression; they may wave their hands in the air and say “what does GRC mean? You know…. it means GRC”. They cannot explain why they don’t refer to governance, or governance and risk management, or risk management and compliance. Sometimes they talk as if GRC is something in the air, something related to the culture of the organization as much as anything else.
    • When I ask people at the IIA, they say it stands for ‘governance, risk, and controls’; in other words, the totality of what internal auditors work on. I don’t personally see anything new in this, nor any value in using the term. In fact, using it with ‘controls’ instead of the more usage of ‘compliance’ is only going to confuse.
    • When I talk to software vendors, they either describe their software solutions (as if GRC is technology) or describe the business solutions that their technology supports.
    • When I read papers from consultants, I find that if I substitute the phrase ‘risk management’ every time they say ‘GRC’, the piece makes more sense. In other words, they are usually talking about risk management but for some reason (some would say to hype the discussion) they use the term GRC instead.
    • When I talk to the people at OCEG and those who follow OCEG and its definition of GRC, they use a definition that makes more sense. That definition adds value by emphasizing the needs for all parts of the organization to work together.
  • GRC is not about technology. It is about (as I said last year) “how we can optimize outcomes and performance, addressing uncertainty (risk management) and acting with integrity (regulatory compliance and organizational values)”.
  • The key to optimizing outcomes is to for management (with board approval) to set the appropriate strategies, objectives, and goals, and then everything flows from there: managing risks to strategies, managing performance against strategies, and acting with integrity (which includes compliance with applicable laws and regulations) at all times.
  • No technology vendor (not even SAP and Oracle, who have the greatest breadth and depth of solutions IMHO) has a complete solution that addresses all GRC needs. The last time I said that, in a September post, several vendors wrote to tell me they had everything. But, they simply didn’t. They have everything that they chose to call GRC, but none included strategy management, support for governance activities like board packages and whistleblower lines, risk management including automated and integrated key risk indicators, compliance training and monitoring, performance management, legal case management, and so on.
  • The analysts like Gartner and Forrester have a business model where they need to define technology using buckets. But those buckets do not reflect what individual companies actually need, so their analyses and ratings may be interesting but may well steer organizations to acquire solutions (such as a so-called ‘EGRC platform’) that are not the best use of scarce resources. I would not advise any organization to base their purchase decision on an analyst rating of ‘GRC’, ‘EGRC’ or other made-up bucket of fish.

Where I believe we differ is that I do not advocate the use of the term ‘GRC’.

As I inferred, if not explicitly stated in my post last November, I believe that if the term ‘GRC’ is not dead (and apparently it lingers on), then it should be put to death.

I do not see the value in business people talking about GRC. I have said before and will say again, managers should look to fixing the processes they know need work.

For example, few organizations have effective processes for developing strategies and objectives at the corporate level, cascading them down throughout the organization so every individual knows what they need to do if the organization is to succeed, and minimizing individual objectives that are not clearly necessary to corporate achievement –then rewarding individuals, at least in part, for performance against those cascaded objectives. I have worked at several organizations where we were told what the corporate objectives were and asked to link our personal objectives to them. That is not the same thing. That is tying our personal objectives onto a branch of the corporate objectives, rather than making sure that all the roots of that corporate objective tree are healthy – even when we should be responsible for the health of a root or two.

Another example is the effectiveness of risk management. Most organizations practice enterprise list management at best (i.e., they manage a limited number of risks on a periodic basis), when mature risk management that is dynamic, iterative, and responsive to change, integrated into decision-making at all levels of the organization and into every aspect of daily operations, is essential to success.

Does using the term ‘GRC’ mean anything useful for internal auditors? No. They should continue to “up their game” from a focus on controls and risks that matter to operating management, to providing assurance and insight on organizational governance and risk management.

Effective GRC for OCEG means the integration, among other things, of strategy and risk management. But how many organizations do that well? How many executives receive and manage their area using an integrated report or dashboard that shows for each of their strategies both the current level of performance and the current state of related risks? How many executives see that not only have they accelerated up to the desired level of 100kph but are less than 100m from hitting a brick wall?

So here’s my recommendation to all: stop talking about GRC and start talking the language of the business. Let’s talk about how we can increase value to stakeholders, address potential obstacles and seize opportunities to excel, act with integrity and remain in compliance with current and anticipated regulations, and manage the organization to success.

Don’t try to fix GRC. Fix those parts of the business, those business processes, that are broken.

Good Riddance grC.

I welcome your comments.

What is effective risk management?

April 12, 2014 15 comments

Some say that risk management is effective when it has all the components described in their favorite standard (ISO 31000:2009) or framework (COSO ERM). (COSO ERM specifically states this as the requirement).

Some say that risk management is effective when all the principles in their favorite guidance are present and functioning. (ISO talks about its “set of principles that organisations must follow to achieve effective risk management.”) The principles are (from a consultant’s site that provides a high-level view of the standard):

  • Creates and protects value;
  • Is an integral part of all of the organisation’s processes;
  • Forms part of decision making;
  • Explicitly expresses uncertainty;
  • Is systematic, structured and timely;
  • Is based on the best available information;
  • Is tailored to the organisation;
  • Takes human and cultural factors into account;
  • Is transparent and inclusive;
  • Is dynamic, iterative and responsive to change; and
  • Facilitates continual improvement of the organisation.

Some say that risk management is effective when activities are compliant with the organization’s related policies and standards. But are those policies and standards adequate?

Some will say that risk management is effective when the board, operating and executive management believe it adds value and are satisfied that it provides the information they require. I believe that has merit but they may be satisfied with less than mature risk management (that seems to be the case with many current organizations who are satisfied with enterprise list management, until they are caught short).

Some will say that risk management is effective when an independent assessment/audit/examination is performed and the report says so. The trouble is that the people who do such audits generally rely on one of the above criteria (components present, principles in operation, etc.)

I would like to suggest a different approach.

Let’s start by considering why organizations should have risk management. It’s NOT because laws and regulations mandate it in many cases. It’s NOT because people say you need it. It’s because effective risk management provides a level of assurance that an organization will not only achieve its objectives (or exceed them) but will set the best objectives.

Quoting from COSO ERM:

“Enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.”

COSO explains that effective risk management enables:

  • “A greater likelihood of achieving business objectives”
  • “More informed risk-taking and decision-making”

Irish guidance on the ISO 31000:2009 risk management standard says:

“The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.”

The Australian mining company, BHP Billiton, has a risk management policy signed by its CEO. It includes:

“Risk is inherent in our business. The identification and management of risk is central to delivering on the Corporate Objective.

  • By understanding and managing risk we provide greater certainty and confidence for our shareholders, employees, customers and suppliers, and for the communities in which we operate.
  • Successful risk management can be a source of competitive advantage.
  • Risk Management will be embedded into our critical business activities, functions and processes. Risk understanding and our tolerance for risk will be key considerations in our decision making.

“The effective management of risk is vital to the continued growth and success of our Group.”

I like what E&Y has to say:

“An effective [ERM] capability provides value by giving organizations the confidence to take on risk, rather than avoid it.

“By effectively managing the right risks, management has more timely, comprehensive and a deeper understanding of risk which, in turn, facilitates better decision-making and confidence to take on new ventures or even to accept higher levels of risk.”

So we can see that, as the BHP CEO said, effective risk management is not only essential to the success of an organization but “can be a source of competitive advantage”.

For the last year or two, I have been saying that you assess the effectiveness of risk management by asking decision-makers at all levels whether the risk information is enabling them to make better decisions and be more successful.

In other words, assess risk management not by its structure but by its effect.

I still think that is a key test, but I am going to add a new dimension to my thinking.

Let’s consider a company that has significant foreign currency exposure. It does business globally so it has bank accounts in a number of countries and has both payables and receivables in different currencies.

There are a number of strategies for reducing foreign exchange risk, but to manage the risk effectively you need to know what is happening with rates as well as how your bank account balances, payables, and receivables are changing.

If this company only has the ability to understand its foreign exchange risk once a month, in other words its monitoring of this risk is only monthly because that is the only time it is able to obtain all the necessary information and calculate its exposure, the risk is much higher than if it has the processes, people, and systems to monitor its exposure daily or better.

However, the investment necessary to upgrade the risk monitoring from monthly to daily may be significant. The company has to decide whether the reduction in exchange risk that can be improved by upgrading risk monitoring justifies the additional expense.

Until it upgrades risk monitoring, there is a risk that the information provided by risk management is insufficient. Management needs to decide whether that is an acceptable level of risk.

If management decides that the level of risk is too high, then I would say that the risk management program is less than effective. It is not providing the information necessary for management to take the right risks. But if management decides that the level of risk is acceptable, then that would not prevent me from assessing risk management as effective.

Let’s take another situation. An organization is concerned about its reputation risk. It has engaged a company to monitor reputation risk indicators (using social media analytics) and report once each quarter. However, it is in an industry where customer satisfaction can move quickly and significantly.

Quarterly risk monitoring creates a risk that the risk management program is not providing the information necessary to manage risks to the enterprise objectives. As in the prior example, management will need to decide whether an investment in more frequent reputation risk monitoring is justified by the potential reduction in reputation risk (because it would increase the ability to respond to customer complaints, etc.)

If management decides that quarterly risk monitoring represents a risk outside acceptable ranges, I would say that the risk management program is less than effective. It is not providing the information necessary for management to take the right risks, and management has determined that this is a risk (the risk of a bad decision) is unacceptable.

One final example. The company has an excellent risk management framework, formal policies and procedures, processes, and enabling systems. However, in the last year the level of staff turnover among the champions of risk management in the executive ranks and among the risk officers themselves means that the experience of the individuals relied upon to monitor, understand, assess, evaluate, and respond to risks has diminished.

There is an increased likelihood than in prior years that risks will not be managed as desired, the wrong risks taken, and that risk information that flows to top management and the board may not be reliable.

This is a deficiency in the operation of risk management and may represent a risk to the achievement of objectives because it results in less than reliable risk information on which decisions are based. If the risk is unacceptable, then until it is treated and brought back to within acceptable ranges I would say that the risk management program is less than effective.

So, where am I going?

If we revisit the objective of risk management, we see that we rely on it to provide management and the board with the information they need to run the business, make better decisions, and take the right risks.

But risk management is not and never will be perfect.

It is impossible to monitor every risk, including new risks, in real time and provide useful information – also in real time – to the people who need to act on it.

There will always be risk champions who are new to the company and because they don’t understand the business and their risk-related responsibilities, will fail in that respect.

There will be times when the people required to provide expert insight when assessing and evaluating risks are on vacation, sick, or otherwise unable to participate.

There will always be a risk that the risk management program fails to provide the information necessary for decision-making.

The key is whether that risk is known and is considered acceptable.

If the risk is acceptable, then I would consider the risk management program as effective.

That is not to say that all the principles described in ISO 31000 are not necessary, or that the components discussed in COSO ERM are not required. But, that is the structure of the program and that doesn’t mean it is effective and produces the results necessary for the organization to succeed.

Bottom line: CROs and executive management should assess their risk management program (auditors can help) and determine whether the level of risk that it will provide insufficient information to run the business, make informed decisions, and take the right risks is acceptable.

OK, I understand that this is a little complicated and a very different way of thinking about effective risk management. Does it make sense?

I welcome your views.

Missing the boat on IT and technology

March 29, 2014 8 comments

When you look at surveys of CEOs, such as the ones by PwC in 2014, McKinsey in 2013 and IBM in 2012, they reflect what we should all know: that the innovative use of technology is one of, if not the primary, enabler of business innovation these days. Whether it’s connecting with the customer (as referenced by IBM), obtaining market insights (through analytics including Big Data analytics – see this discussion of a McKinsey report), or simply finding new ways to deliver products and services to customers, technology is a critical driver of business success.

As PwC says:

“CEOs told us they think three big trends will transform their businesses over the next five years. Four-fifths of them identified technological advances such as the digital economy, social media, mobile devices and big data. More than half also pointed to demographical fluctuations and shifts in economic power.”

“The smartest CEOs are concentrating on breakthrough, or game-changing, innovation. They’re explicitly incorporating it in their strategies. And they’re using technology not just to develop new products and services, but also to create new business models, including forging complete solutions by combining related products and services. In fact, they don’t think in terms of products and services so much as outcomes, because they recognise that products and services are simply a means to an end.”

“Breakthrough innovation can help a company rewrite the rules and leapfrog long-established competitors.”

Organizations that fail to leverage new technology are likely to be left behind by customers and competitors. In an ISACA report on Big Data, the point was made that failing to take a risk with new technology is very often a greater risk than any risks created by the new technology.

(Please see these earlier posts on IT Risk and Audit, Deloitte says mid-market companies are  using new technology to great advantage, and Digital Transformation.)

Now we get a couple of reports and discussion documents that indicate that companies, executives, and consultants that aim to guide them are all missing the boat!

A new report from McKinsey, IT Under Pressure, says that dissatisfaction with IT’s effectiveness is growing. They start the report with:

“More and more executives are acknowledging the strategic value of IT to their businesses beyond merely cutting costs. But as they focus on and invest in the function’s ability to enable productivity, business efficiency, and product and service innovation, respondents are also homing in on the shortcomings many IT organizations suffer. Among the most substantial challenges are demonstrating effective leadership and finding, developing, and retaining IT talent.”

McKinsey points out that in their survey only 49% felt IT was effective when it came to helping the organization introduce new products and 37% said IT was effective in helping enter new markets.

Even IT executives said that they were failing when it came to driving the use of technology and innovation: just 3% were fully effective and only 10-17% very effective in related areas.

Fully 28% of IT executives and 13% of other executives came clean and said the best way to fix the problem was to fire current IT leadership!

I suggest reading the entire McKinsey piece and considering how it relates to your organization.

Deloitte’s prolific thought leadership team has weighed in with advice for the CFO, who often has IT within his organization. Evaluating IT: A CFO’s perspective starts with some good points:

“Ask finance chiefs about their frustrations with information technology (IT), and you are bound to get an earful. Excessive investments made. Multiple deadlines missed. Little return on investment (ROI) achieved. The list goes on.

“To complicate matters, many CFOs simply do not know if chief information officers (CIOs) are doing a good job. What exactly does a good IT organization look like anyway? How should IT be evaluated? And what are the trouble signs that the enterprise is not prepared for the future from a technology standpoint?”

But then they stray from the need to get IT to drive the effective use of new technology for both strategic and tactical advantage. Instead, they focus on “IT is typically the largest line item in selling, general, and administrative expense.”

This is the attitude, managing cost at the potential expense of the business, which gives CFOs a deservedly bad name!

I will let you read the rest of this paper, but when the first question it suggests for CFOs to use in assessing IT performance is “Have you tested your  disaster plan”, I am more prepared to fire the CFO who asks that as his first question than I am to fire the poor CIO who reports to him.

My first question for the CIO is “How are you enabling the organization to innovate and succeed?”

PwC asks some good questions as well:

  •          What are you doing to become a pioneer of technological innovation?
  •          Do you have a strategy for the digital age? And the skills to deliver it?
  •          How are you using ‘digital’ as a means of helping customers achieve the outcomes they desire – rather than treating it as just another channel?

Risk and internal audit professionals should consider whether the risk of missing the technology boat is at an unacceptable level in their organization.

Board members should ask how the leaders of IT are working with the business to understand and use technology for success.

CFOs should worry less about the cost of IT and worry more about the long-term viability and success of the organization if they become barriers to strategic investment.

I welcome your comments.

The continuing failure of the risk appetite debate to focus on desired levels of risk

March 22, 2014 12 comments

I have written often and with passion about the concepts of “risk appetite” and “risk tolerance”. In order of date, from earliest to latest:

I am drawn to write about this flawed concept yet again by two developments. First, a respected risk practitioner told me that he has found that in many banks (and presumably other financial services companies) the board agrees on risk limits and appetite statements with management, but those limits are not shared with everybody that has day-to-day responsibility for running the business and staying within desired levels of risk.

This is the primary area with which I have a problem when it comes to the idea of a risk appetite statement. Something that satisfies the needs of the board and top management to establish and monitor aggregate risk across the enterprise fails if it does not direct the actions of those people who are taking risk every day, not only in transactions but in decision-making.

Then, my good friend (and that is an honest statement with which that I believe he will agree) Jim DeLoach of Protiviti penned a piece on risk appetite and tolerance for Corporate Compliance Insights.

Jim shares some truths:

“Risk levels and uncertainty change significantly over time. Competitors make new and sometimes unexpected moves on the board, new regulatory mandates complicate the picture, economies fluctuate, disruptive technologies emerge and nations start new conflicts that can escalate quickly and broadly. Not to mention that, quite simply, stuff happens, meaning tsunamis, hurricanes, floods and other catastrophic events can hit at any time. Indeed, the world is a risky place in which to do business.”

“Value creation is a goal many managers seek, and rightfully so, as no one doubts that successful organizations must take risk to create enterprise value and grow. The question is, how much risk should they take? A balanced approach to value creation means the enterprise accepts only those risks that are prudent to undertake and that it can reasonably expect to manage successfully in pursuing its value creation objectives.”

But then the discussion veers towards the too-common misperception that the only limit that should be set on risk is the upper level – a constraint that stops management from taking too much risk.

In fact, as Jim points out, companies will only succeed if they take risk: “a company may choose to drive growth through extending more credit to its customers, entering certain third-world markets or investing in a completely different line of business”.

So, it is important to ensure that not only does management not take on too much risk, but they do not act timidly and fail to take on the risk that will drive performance and value creation.

I know Jim well and have total confidence that he appreciates that companies need not only ceilings but floors on the levels of risk they should take (and not limit their risk criteria to quantitative factors) to ensure they are taking the right risks.

I just wish his paper focused less on the negative (with comments like “What ceilings are placed on capital expenditures, M&A activity, R&D and other investments? In what areas are there policy restrictions (e.g., avoidance of certain markets and use of certain financial instruments)?”) and helped organizations recognize when to take more risk.

I also wish that Jim brought into his pieces a greater appreciation of the perspective on risk and uncertainty reflected in the ISO 31000:2009 global risk management standard, instead of limiting himself to the concepts (some of which, like risk appetite, I believe to be flawed) of COSO ERM.

I welcome your comments.

Please see this related story about an internal auditor that recommended that the company consider taking on more risk.

New Paper on Risk Assessment and the Audit Plan

March 15, 2014 14 comments

One of the software vendors that have been providing solutions for internal auditors for many years is Thomson Reuters. With annual revenues of nearly $13 billion, they are one of the few large software companies in this space. So when they speak, I tend to pay attention.

Thomson Reuters recently published a paper written by a former senior manager with E&Y. Entitled “Get Your Internal Audit Risk Assessment Right This Year” (registration required), the paper purports to share best practices for internal audit risk assessment.

Unfortunately, it fails to deliver on that promise.

While it includes some useful guidance for the discussions every internal audit team should have with management, it barely touches the surface of the issue.

I do agree with this statement: “the Internal Audit Risk Assessment presents an oft-missed opportunity for internal auditors to understand their organization’s evolving objectives and implement a more dynamic risk-based approach to the internal audit process.”

The last sentence in the report starts to get to the real point: “With no sign of the pace of changes affecting your organization slowing down, internal audit’s risk assessment must be dynamic, not static, and needs to be improved from year to year, using a top down approach, beginning with management interviews and input.”

Here are the two main problems with that last sentence:

  1. The internal audit assessment of risk and updating of the internal audit plan should be far more frequent than the annual cycle implied by the report. Many departments are moving to a quarterly update, and best practice (in my opinion and which I personally followed) is a rolling quarterly plan that is updated as often as the risks change.
  2. While management interviews and input are useful, they are hardly the best place to start. The internal audit team should understand whether and how the organization as a whole has identified the more significant risks to the achievement of its objectives. While not clearly stated in this report, I will give credit to the author for understanding that internal audit should focus on risks to the organization as a whole, and not risks to a location, business unit, or process. However, the organization’s risk management program is not mentioned as a source of information that drives, at least in part, the audit plan! It is also critically essential that internal audit has a deep understanding of the business, its processes, systems, organization and systems, sufficient to challenge management’s assessment of risk – or make its own assessment when there is no ERM in place.

My recommendation: read the report for tips on how to interview management. But, go into that set of discussions with either the organization’s risk ‘register’ or another document that can drive a discussion about which are the risks to the organization that matter – and where the assurance and consulting/advisory services provided by internal audit can be of value. (I have shared a number of files on Box, including a Risk Universe slide you may find useful. Please go to this tab on my web site to download.)

Ask yourself this: do your internal audit plan and the process around it ensure that appropriate engagements are performed on the risks that matter to the organization, when that assurance or advisory service is needed?

Risk Officers on the Front Lines of the Big Data Analytics Revolution

March 8, 2014 4 comments

I was intrigued to read that when McKinsey gathered together “eight executives from companies that are leaders in data analytics …. to share perspectives on their biggest challenges”, they included not only chief information officers and marketing executives, but the chief risk officer from American Express.

The McKinsey Quarterly report that reviews the discussion doesn’t have any ground-breaking revelations. They say what has been said before, although it is still important for all of us to understand the enormous potential of Big Data Analytics.

One key point is that the existence of Big Data by itself has very limited value. It’s the ability to use emerging technology (from companies like SAP, Oracle, and IBM) to not only mine the data but deliver insights at blinding speed (using in-memory technology) that will bring amazing results.

But I was looking for more, which I explain after these quotes.

Big-data analytics are delivering an economic impact in the organization… The reality of where and how data analytics can improve performance varies dramatically by company and industry.

Companies need to operate along two horizons: capturing quick wins to build momentum while keeping sight of longer-term, ground-breaking applications. Although, as one executive noted, “We carefully measure our near-term impact and generate internal ‘buzz’ around these results,” there was also a strong belief in the room that the journey crosses several horizons. “We are just seeing the tip of the iceberg,” said one participant. Many believed that the real prize lies in reimagining existing businesses or launching entirely new ones based on the data companies possess.

New opportunities will continue to open up. For example, there was a growing awareness, among participants, of the potential of tapping swelling reservoirs of external data—sometimes known as open data—and combining them with existing proprietary data to improve models and business outcomes.

Privacy has become the third rail in the public discussion of big data, as media accounts have rightly pointed out excesses in some data-gathering methods. Little wonder that consumer wariness has risen.

Our panelists presume that in the data-collection arena, the motives of companies are good and organizations will act responsibly. But they must earn this trust continually; recovering from a single privacy breach or misjudgment could take years. Installing internal practices that reinforce good data stewardship, while also communicating the benefits of data analytics to customers, is of paramount importance. In the words of one participant: “Consumers will trust companies that are true to their value proposition. If we focus on delivering that, consumers will be delighted. If we stray, we’re in problem territory.”

To catalyze analytics efforts, nearly every company was using a center of excellence, which works with businesses to develop and deploy analytics rapidly. Most often, it includes data scientists, business specialists, and tool developers. Companies are establishing these centers in part because business leaders need the help. Centers of excellence also boost the organization-wide impact of the scarce translator talent described above. They can even help attract and retain talent: at their best, centers are hotbeds of learning and innovation as teams share ideas on how to construct robust data sets, build powerful models, and translate them into valuable business tools.

What I was disappointed in was a lack of reference to how Big Data Analytics could and should be a fantastic opportunity for risk officers and internal audit executives.

All practitioners should be familiar with the concept of Key Risk Indicators (KRI). A useful paper by COSO defines KRI:

“Key risk indicators are metrics used by organizations to provide an early signal of increasing [ndm: they should have said ‘changing’] risk exposures in various areas of the enterprise. In some instances, they may represent key ratios that management throughout the organization track as indicators of evolving risks, and potential opportunities, which signal the need for actions that need to be taken. Others may be more elaborate and involve the aggregation of several individual risk indicators into a multi-dimensional score about emerging events that may lead to new risks or opportunities.”

Some vendors (including MetricStream, IBM, and SAP) are showing us the way in which Big Data Analytics can be used to produce KRIs that are more powerful and insightful than ever before.

However, I am not convinced that practitioners are seizing the opportunity.

I fear that they are concerned about the risks as their organizations embrace Big Data Analytics to drive performance while remaining blind to the opportunity to develop KRIs so that business executives can take the right risks.

I would appreciate your views. Is it a matter of cost? Or are happy simply unaware of the potential?

McKinsey talks about a forward-looking board of directors

March 1, 2014 4 comments

The latest edition of McKinsey Quarterly is on the topic of “Building a forward-looking board”.

I like the general theme, that “directors should spend a greater share of their time shaping an agenda for the future”. This is consistent with board surveys that indicate board members would prefer to spend more time on strategy and less on routine compliance and other matters.

The author, a director emeritus of the Zurich office and member of several European company boards, makes a number of good points but leaves me less than completely satisfied.

The good quotes first:

Governance arguably suffers most, though, when boards spend too much time looking in the rear-view mirror and not enough scanning the road ahead.

Today’s board agendas, indeed, are surprisingly similar to those of a century ago, when the second Industrial Revolution was at its peak. Directors still spend the bulk of their time on quarterly reports, audit reviews, budgets, and compliance—70 percent is not atypical—instead of on matters crucial to the future prosperity and direction of the business

“Boards need to look further out than anyone else in the company,” commented the chairman of a leading energy company. “There are times when CEOs are the last ones to see changes coming.”

Many rational management groups will be tempted to adopt a short-term view; in a lot of cases, only the board can consistently take the longer-term perspective.

Distracted by the details of compliance and new regulations, however, many directors we meet simply don’t know enough about the fundamentals and long-term strategies of their companies to add value and avoid trouble.

Rather than seeing the job as supporting the CEO at all times, the directors of these companies [with prudent, farsighted, and independent-minded boards] engage in strategic discussions, form independent opinions, and work closely with the executive team to make sure long-term goals are well formulated and subsequently met.

Boards seeking to play a constructive, forward-looking role must have real knowledge of their companies’ operations, markets, and competitors.

The best boards act as effective coaches and sparring partners for the top team.

The central role of the board is to cocreate and ultimately agree on the company’s strategy. In many corporations, however, CEOs present their strategic vision once a year, the directors discuss and tweak it at a single meeting, and the plan is then adopted. The board’s input is minimal, and there’s not enough time for debate or enough in-depth information to underpin proper consideration of the alternatives.

While I agree with the forward-looking theme and some of the ideas around such issues as getting the most from the talent within the organization, I am troubled in a few areas:

  1. The detailed discussion on strategy still has a shorter horizon, one year, than I believe optimal. While it is difficult if not impossible to plan further ahead, the organization should have a shared understanding between the board and top executives about how it will create value for its stakeholders over the longer period. There should be more discussions around strategic and other developments (risks and opportunities) that should shape not only long-term but short-term actions.
  2. There is insufficient discussion of the fact that you cannot have a fruitful discussion about strategy without understanding the risks (adverse and potentially positive) in the business environment. What are they today and how will they change tomorrow? How able (agile) is the organization and able not only to withstand potentially negative effects (the focus of McKinsey in this piece) but to take advantage of market opportunities? Is it now and will it in the future be able to change or adapt strategies established in different conditions?
  3. Many companies are less than agile because they have stuck-in-the-mud executives, unable to pull themselves out due to a lack of vision, legacy systems, and poor information. The boards need to understand this and question management on how they plan to address it – with urgency!
  4. Finally, while the piece discusses the need for effective board and director evaluations, surveys show that it is hard to fire under-performing directors. How can a board succeed in that environment? I think this needs to be on the board agenda if it is to remain forward-looking.

Do you agree? I welcome your comments.

Interesting new paper on risk culture

February 22, 2014 18 comments

The topic of risk culture has been receiving a lot of attention ever since it was identified as a cause of many of the problems that led to major issues at financial services organizations a few years ago.

Risk culture drives behavior when it comes to taking the desired risks and levels of risk. As I say in my KEY POINTS section at the end of this post, traditional risk management metrics will tell you whether risk levels are unacceptable, but that is after the fact (of taking the risk) and after damage may have been done!

One learned paper (I was a minor contributor) was published by the excellent Institute of Risk Management. I wrote about the topic in a 2011 blog post, with reference to a couple of excellent articles, and included these quotes:

“The most remarkable finding of the survey is that most risk professionals – on the whole a highly analytical, data rational group – believe the banking crisis was caused not so much by technical failures as by failures in organisational culture and ethics.

Most risk professionals saw the technical factors which might cause a crisis well in advance.  The risks were reported but senior executives chose to prioritise sales. That they did so is put down to individual or collective greed, fuelled by remuneration practices that encouraged excessive risk taking. That they were allowed to do so is explained by inadequate oversight by non‐executives and regulators and organisational cultures which inhibited effective challenge to risk taking.

Internally, the most important area for improvement is the culture in which risk management takes place (including vision, values, management style and operating principles).”

And….

“Risk Culture is the ‘tone at the top’ shaped by the values, strategies, objectives, beliefs, risk tolerances and attitudes that form how everyone .. views the trade off between risk and return. The risk culture … determines how individuals and business units take risks.

While some risk-taking will be governed by rules and controls, much is governed directly by culture – where rules and controls are not effective, fail or where they do not apply.”

I like the definition above, that “Risk Culture is the ‘tone at the top’ shaped by the values, strategies, objectives, beliefs, risk tolerances and attitudes that form how everyone .. views the trade off between risk and return. The risk culture … determines how individuals and business units take risks.”

In other words, risk culture is what drives human behavior. That behavior can and hopefully is to take the risks that the organization wants taken. But too often, people react to a situation by taking the ‘wrong’ risk (including taking either too much or too little risk).

Now a new paper has been published. By three respected professors, Risk Culture in Financial Organisations tackles the topic in great depth. It doesn’t include a clear (at least to me) definition of risk culture, but I believe if they did it would be consistent with my discussion, above. They certainly talk about the trade-offs and identify many of the same factors that contribute to an organization’s risk culture.

I suspect that readers of the research paper will appreciate the discussions of such matters as whether the risk function should try to be an independent monitor or a partner to the business; whether the risk function is focused on enabling effective decisions to advance the organization, or on compliance; whether organizations know where behaviors and their drivers need to change; and the questions it suggests organizations ask to probe the issues.

I particularly enjoyed some of the quotes the authors included, such as:

“…the leaders of industry must collectively procure a visible and substantive change in the culture of our institutions, so as fundamentally to convince the world once again that they are businesses which can be relied on.”

“…development of a ‘risk culture’ throughout the firm is perhaps the most fundamental tool for effective risk management.”

“The institutional cleverness, taken with its edginess and a strong desire to win, made Barclays a difficult organisation for stakeholders to engage with. Barclays was sometimes perceived as being within the letter of the law but not within its spirit. There was an over-emphasis on shortterm financial performance, reinforced by remuneration systems that tended to reward revenue generation rather than serving the interests of customers and clients. There was also in some parts of the Group a sense that senior management did not want to hear bad news and that employees should be capable of solving problems. This contributed to a reluctance to escalate issues of concern.”

“The strategy set by the Board from the creation of the new Group sowed the seeds of its destruction. HBOS set a strategy for aggressive, asset-led growth across divisions over a sustained period. This involved accepting more risk across all divisions of the Group. Although many of the strengths of the two brands within HBOS largely persisted at branch level, the strategy created a new culture in the higher echelons of the bank. This culture was brash, underpinned by a belief that the growing market share was due to a special set of skills which HBOS possessed and which its competitors lacked.”

“In contrast to JPMorgan Chase’s reputation for best-in-class risk management, the whale trades exposed a bank culture in which risk limit breaches were routinely disregarded, risk metrics were frequently criticised or downplayed, and risk evaluation models were targeted by bank personnel seeking to produce artificially lower capital requirements.”

“Culture has played a significant part in the development of the problems to be seen in this Trust. This culture is characterised by introspection, lack of insight or sufficient self-criticism, rejection of external criticism, reliance on external praise and, above all, fear….from top to bottom of this organisation. Such a culture does not develop overnight but is a symptom of a long-standing lack of positive and effective direction at all levels. This is not something that it is possible to change overnight either, but will require determined and inspirational leadership over a sustained period of time from within the Trust.”

“Absent major crises, and given the remarkable financial returns available from deepwater reserves, the business culture succumbed to a false sense of security. The Deepwater Horizon disaster exhibits the costs of a culture of complacency… There are recurring themes of missed warning signals, failure to share information, and a general lack of appreciation for the risks involved. In the view of the Commission, these findings highlight the importance of organizational culture and a consistent commitment to safety by industry, from the highest management levels on down.”

Simons’ Risk Exposure Calculator (1999) is composed of 12 keys that reflect different sources of pressure for a company. Managers should score each key from 1 (low) to 5 (high). ‘Alarm bells’ should be ringing if the total score is higher than thirty-five. The keys are: pressures for performance, rate of expansion, staff inexperience, rewards for entrepreneurial risktaking, executive resistance to bad news, level of internal competition, transaction complexity and velocity, gaps in diagnostic performance measures, degree of decentralised decisionmaking.

“You go to a management meeting and you talk about management issues and then you go to a risk committee and you talk about risk issues. And sometimes you talk about the same issues in both but people get very confused and I don’t know … I don’t know how right it is but I really think you should be talking about risk when you talk about your management issues because it kind of feels to me again culturally that’s where we are.”

“Too many bankers, especially at the most senior levels, have operated in an environment with insufficient personal responsibility. Top bankers dodged accountability for failings on their watch by claiming ignorance or hiding behind collective decision-making. They then faced little realistic prospect of financial penalties or more serious sanctions commensurate with the severity of the failures with which they were associated. Individual incentives have not been consistent with high collective standards, often the opposite […] Remuneration has incentivised misconduct and excessive risk-taking, reinforcing a culture where poor standards were often considered normal. Many bank staff have been paid too much for doing the wrong things, with bonuses awarded and paid before the long-term consequences become apparent. The potential rewards for fleeting short-term success have sometimes been huge, but the penalties for failure, often manifest only later, have been much smaller or negligible. Despite recent reforms, many of these problems persist.”

This is clearly the work of academics and practitioners may find it hard to digest the long piece. However, the authors have tried to be practical and if you focus on the questions at the end of each section there is some good material.

KEY POINTS

In particular, focus on the underlying message. In my reading, it is essential that management and boards of organizations, including but not limited to the risk office, understand how behavior is being driven when it comes to taking desired risks – and levels of risk.

  • Are the positive influencers, like policies and related training, effective?
  • Are the potentially negative influencers, such as short-term financial incentives, understood and mitigated?

This understanding should then be used to assess whether actions need to be taken to improve the likelihood that desired risks will be taken.

Whether you call this risk culture or not, I believe it is very important. Traditional risk management metrics will tell you whether risk levels are unacceptable, but that is after the fact and after damage may have been done!

By the way, the Bibliography is excellent and the publication is worth downloading just to get it!

I welcome your views and comments.

Understanding the COSO Frameworks

February 11, 2014 6 comments

Whether you are a fan of the COSO ERM and Internal Control frameworks or not, a paper just released by COSO is worth reading and thinking about.

The intent of the two authors (my good friend Jim DeLoach of Protiviti and Jeff Thomson of the Institute of Management Accountants) is to explain how the COSO frameworks fit within and enhance the operation’s processes for directing and managing the organization. In their words:

“Our purpose in writing this paper is to relate the COSO frameworks to an overall business model and describe how the key elements of each framework contribute to an organization’s long-term success.”

My intent in this post is not to quibble with some of the concepts and language with which I disagree (such as their portrayal of risk appetite), but to highlight some of the sections I really like (with occasional comments) and encourage you to read the entire paper.

For those of you who prefer the ISO 31000:2009 global risk management standard (and I am among their number), the paper is worth reading because it stimulates thinking about the role of risk management in setting strategy and thereafter optimizing performance. It has some useful language and insight that can help people understand risk management, whatever standard you adopt. That language can be used by ISO advocates, for example when explaining risk management to executives and the board.

In addition, even if you like the ISO risk management standard, it does not provide the insight into internal control provided by the COSO framework. It is perfectly acceptable, in my opinion, to adopt ISO for risk management and COSO for internal control.

I have one quibble that I think is worth mentioning: the authors at one point say that internal control “deals primarily with risk reduction”. I disagree. It should serve to provide assurance that the right level of risk is taken. On occasion, that may mean taking more risk. For example, one objective that is too often overlooked is to be efficient. More risk in reviewing expense reports might be appropriate when the cost of intense reviews exceeds the potential for expense-related fraud or error. Another example is when a decision has to be made on the quantity of key raw materials to re-order as quantities on hand fall. Current practice may be to place an order that will bring inventory to 20% more than is expected to be consumed in the next period, as a precaution in case of quality issues or should incoming orders exceed the anticipated level. But, having excess materials can result in a different risk. Risk management thinking can help us decide how much risk to take when it comes to running out of raw materials compared to how much risk to take that the materials may degrade due to extended time sitting on the shelf.

But back to talking about the “good bits”, with the first from the Executive Summary:

“Within the context of its mission, an organization is designed to accomplish objectives. It is presumed that the organization’s leaders can articulate its objectives, develop strategies to achieve those objectives, identify the risks to achieving those objectives and then mitigate those risks in delivering the strategy. The ERM framework is based on objective setting and the identification and mitigation or acceptance of risks to the achievement of objectives. The internal control framework is designed to control risks to the achievement of objectives by reducing them to acceptable levels. Thus, each of the frameworks is inextricably tied into the operation of a business through the achievement of objectives. ERM is applied in the strategy-setting process while internal control is applied to address many of the risks identified in strategy setting.”

Comment: While COSO Internal Control Framework assumes (or presumes) that the appropriate objectives are set, as we all know controls within the objective-setting process are essential to address such matters as engaging the right people in the decisions and providing them with reliable information.

“The ERM framework asserts that well-designed and effectively operating enterprise risk management can provide reasonable assurance to management and the board of directors regarding achievement of an entity’s objectives. Likewise, the internal control framework asserts that internal control provides reasonable assurance to entities that they can achieve important objectives and sustain and improve performance. The “reasonable assurance” concept embodied in both frameworks reflects two notions. First, uncertainty and risk relate to the future, which cannot be precisely predicted. Second, risks to the achievement of objectives have been reduced to an acceptable level.”

“In general, ERM involves those elements of the governance and management process that enable management to make informed risk-based decisions. Informed risk responses, including the internal controls that accompany them, are designed to reduce the risk associated with achieving organizational objectives to be within the organization’s risk appetite. Therefore, ERM/internal control and the objective of achieving the organization’s strategic goals are mutually dependent.”

“Robust enough to be applied independently on their own, the two COSO frameworks have a common purpose — to help the enterprise achieve its objectives and to optimize the inevitable tension between the enterprise’s value creation and value protection activities. Therefore, both facilitate and support the governance process when implemented effectively.”

“ERM instills within the organization a discipline around managing risk in the context of managing the business such that discussions of opportunities and risks and how they are managed are virtually inseparable from each other. An organization’s strategic direction and its ability to execute on that direction are both fundamental to the risks it undertakes. Risks are implicit in any organization’s strategy. Accordingly, risk assessment should be an integral part of the strategy-setting process. Strategic and other risks should be supported or rationalized by management’s determination that the upside potential from assuming those risks is sufficient and/or the organization can manage the risks effectively.”

“The risk assessment process considers inherent and residual risk and applies such factors as likelihood of occurrence, severity of impact, velocity of impact, persistence of impact and response readiness to analyze and prioritize risks. Risk assessment techniques include contrarian analysis, value chain analysis, scenario analysis, at-risk frameworks (e.g., value, earnings, cash flow or capital) and other quantitative and qualitative approaches to evaluating risk. Furthermore, risk assessment considers relationships between seemingly unrelated events to develop thematic insights on potential long-term trends, strategic possibilities and operational exposures.”

Comment: Although many leading experts have moved away from the concepts of inherent and residual risk, I still like them. What I like most in this paragraph is the discussion of other important attributes of risk. Impact and likelihood are not the only factors to consider when assessing whether the level of risk is acceptable.

“…..organizations must “plan” for disruption and build and refine their radar systems to measure and be on the alert for changes in key risk indicators (leading indicators) versus rely solely on key performance indicators (which are often lagging and retrospective in nature). Looking forward will enable an organization’s culture to support an experimental and adaptable mindset. Adapting is all about positioning companies to quickly recognize a unique opportunity or risk and use that knowledge to evaluate their options and seize the initiative either before anyone else or along with other organizations that likewise recognize the significance of what’s developing in the marketplace. Early movers have the advantage of time, with more decision-making options before market shifts invalidate critical assumptions underlying the strategy. Failing to adapt can be fatal in today’s complex and dynamic business environment.”

“Organizational resiliency is the ability and discipline to act decisively on revisions to strategic and business plans in response to changing market realities. This capability begins to emerge as organizations integrate strategic plans, risk management and performance management and create improved transparency into the enterprise’s operations to measure current performance and anticipate future trends.”

I welcome your comments on this paper and my analysis.

Internal Auditors should be Brave

February 9, 2014 9 comments

It can be hard for internal auditors to tell their stakeholders, whether at board level or in top management, what is putting the organization at greatest risk.

It can be hard to say that the root cause for control failures is that there aren’t enough people, or that the company does not pay enough to attract the best people.

It can be hard to tell the CEO or the audit committee that the executive team does not share information, its members compete with each other for the CEO’s attention, and as a group it fails to meet any person’s definition of a team.

It can be hard to say that the CFO or General Counsel is not considered effective by the rest of management, who tend to ignore and exclude them.

It can be hard to say that the organization’s structure, process, people, and methods are insufficiently agile to succeed in today’s dynamic world.

But these are all truths that need to be told.

If the emperor is not told he has no clothes, he will carry on without them.

Internal auditors at every level are subject to all kinds of pressure that may inhibit them from speaking out:

  • They may believe, with justification, that their job is at risk
  • They may believe, with justification, that their compensation will be directly affected if they alienate top management
  • They may believe that their career within the organization will go no further without the support of top management, even if they receive the support of the board
  • The level of resources provided to internal audit will probably be limited, even cut
  • The CEO and other top executives have personal power that is hard to oppose
  • They are focused on “adding value” and do not want to be seen as obstacles
  • They fear they will never get anything done, will not be able to influence change, and will be shut out of meetings and denied essential information if they are seen as the enemy

Yet, if internal auditors are to be effective, they need to be able to speak out – even at great personal risk.

It would be great if internal auditors were protected from the inevitable backlash. I know of at least one CAE that has a contract that provides a measure of protection, but most are only protected by their personal ethics and moral values.

It would be great if the audit committee of the board ensured that the CAE is enabled to be brave. But few will oppose an angry CEO or CFO.

We need to be brave, but not reckless. There are ways to tell the emperor about his attire without losing your neck. They include talking and listening to allies and others who can help you. They include talking to the executives in one-on-one meetings where they are not threatened by the presence of others. Above all, it is about not surprising the emperor when he is surrounded by the rest of the imperial court.

It is about treating the communication of bad news as a journey, planning each step carefully and preparing the ground for every discussion.

It is also about being prepared to listen and if you are truly wrong being prepared to modify the message.

But, the internal auditor must be determined to tell the truth and do so in a way that clearly explains the facts and what needs to be done.

I close with a tongue-in-cheek suggestion that the song Brave by Sara Bareilles (well worth watching) become our anthem.

You can be amazing
You can turn a phrase into a weapon or a drug
You can be the outcast
Or be the backlash of somebody’s lack of love
Or you can start speaking up

Everybody’s been there,
Everybody’s been stared down by the enemy
Fallen for the fear
And done some disappearing,
Bow down to the mighty
Don’t run, just stop holding your tongue

And since your history of silence
Won’t do you any good,
Did you think it would?
Let your words be anything but empty
Why don’t you tell them the truth?

Say what you wanna say
And let the words fall out
Honestly I wanna see you be brave
With what you want to say
And let the words fall out
Honestly I wanna see you be brave

What they don’t know will probably hurt them

January 18, 2014 8 comments

It is always interesting to read the various studies that report that directors don’t have an in-depth understanding of their organization’s business, its strategies, and the related risks. In fact, the studies generally report that the level of understanding is insufficient for them to provide effective oversight of management and governance of the organization.

I want to turn this on its head.

If you are the head of risk management, internal audit, information security, or a senior executive, answer this question:

Do you believe that your directors have a sufficient understanding of the reality that is the organization: its culture and politics; the effectiveness of its people, systems and processes; its strategies; and whether risks to the achievement of its objectives and delivery of value to its stakeholders are being managed within acceptable tolerances?

If not, do you have an obligation to help educate the directors? What are you doing about it and is that sufficient?

Now let’s ask another question?

Do you believe that your top executives (including the CEO and CFO) have a sufficient understanding of the reality that is the organization: its culture and politics; the effectiveness of its people, systems and processes; and whether risks to the achievement of its objectives and delivery of value to its stakeholders are being managed within acceptable tolerances?

If not, do you have an obligation to help educate them? What are you doing about it and is that sufficient?

If the directors and/or top executives don’t understand reality the way you do, if their head is in the sand or in a more pungent place, shouldn’t your priority be to help them get their head on straight, pointed in the right direction? If they don’t understand the current state of the organization, shouldn’t the process of informing and educating them be fixed before trying to communicate new areas of concern?

I welcome your views and commentary.

Digital Transformation

December 14, 2013 10 comments

I thoroughly enjoyed listening to an MIT Sloan video, “What Digital Transformation Means for Business”. It features executives from Intel, Avis (the president of Zipcar), a researcher into the topic from MIT, and a Capgemini consultant.

It’s about 45 minutes long, so allow yourself some quiet time and have a pad and pencil (or tablet) handy so you can take notes.

I found it inspiring to hear these influential leaders talk about the need for organizations to embrace disruptive technology (they mentioned cloud computing, ultramobile, advanced big data analytics, and social media).

They also emphasized that the risk of NOT embracing the technology of tomorrow, even when they are in the process of implementing the technology of today, is too great. It is critical to continue to watch and consider how the technology that appears on the horizon may affect the ability of the organization to excel.

I loved the story told by the Intel CIO of how she assigns her staff to work within the business to learn it, and then takes them back into IT so they can work on enhancing that business.

You should also listen to how Intel uses gamification to have a better handle on earnings forecasts. It was a great example of how gamification can be used as a technique for understanding and assessing risk. I have written separately about how an organization assessed risks to the success of a major software implementation by creating a stock market game around it. Individuals on the project team from IT and user departments, the consultants they engaged, and others with a stake in its success bought and sold fictional stock in the project. The stock price varied based on demand: when there was optimism, people bought stock and the price rose; when there was pessimism, people sold and the price dropped. The risk assessment considered the stock price and tried to understand why it moved.

Intel and Avis, together with Capgemini, talked about how much time executives were spending on digital transformation. Clearly, these companies (and I join them) expect leaders from the CEO on down to be spending a good amount of time looking at and considering the technology of today and tomorrow and how it can transform their business.

What do you think?

You might also consider this discussion on the battle between IT and the business for control over technology resources.

I close with my greetings to all for a healthy, prosperous, and joyous holiday season and new year.

Two new reports show improvement in and value from risk management

December 10, 2013 2 comments

Accenture (Risk management for an era of greater uncertainty) and Aon (Risk maturity insight report) have published new and interesting reports on the practice of risk management.

The Aon report is based on a maturity model (see table below) that I think is interesting. It differs a little from the one I developed. It includes these key requirements for the top level: “process is dynamic and able to adapt to changing risk and varying business cycles; explicit consideration of risk and risk management in management decisions”. I prefer the language of the top level requirements in my model: “Risk discussion is embedded in strategic planning, capital allocation, and other processes and in daily decision-making. Early warning system to notify board and management to risks above established thresholds”.

Aon assesses maturity based on ten characteristics, broken down into 40 specific components. I think it would be useful for any organization to participate in the Aon study and assess where their risk management standards, especially compared to where they want it to be.

This is useful information for risk officers, senior executives, and the board. I think using a maturity model to assess and report on risk management is an excellent approach for internal auditors. It provides useful information without punishing risk officers who are still working to implement and upgrade the maturity of their program.

Maturity Level Initial/Lacking

 

Basic

 

Defined

 

Operational

 

Advanced

 

Description Component and associated activities are very limited in scope and may be implemented on an ad-hoc basis to address specific risks

 

Limited capabilities to identify, assess, manage and monitor risks

 

Sufficient capabilities to identify, measure, manage, report and monitor major risks; policies and techniques are defined and utilized (perhaps inconsistently) across the organization

 

Consistent ability to identify, measure, manage, report and monitor risks; consistent application of policies and techniques across the organization

 

Well-developed ability to identify, measure, manage and monitor risks across the organization; process is dynamic and able to adapt to changing risk and varying business cycles; explicit consideration of risk and risk management in management decisions

 

In their study of 361 publicly traded companies, Aon found that 3.3% were in Initial/Lacking, just 0.7% were in Advanced, and the majority (56%) were at or around Defined. 30.6% were above Defined and 50.6% were below.

Aon found a correlation between the maturity of risk management and the performance of their stock, based on an analysis of market data between March 2012 and March 2013. Comparing organizations with the highest (Advanced) maturity rating to those with the lowest (Initial/Lacking):

  • Share price grew 18% vs. a drop of 10%
  • Share price volatility was 38% lower
  • Return on equity was 37% compared to negative 11%

They also reported that “Our initial findings indicate a direct relationship between higher levels of Risk Maturity and the relative resilience of an organization’s stock price in response to significant risk events to the financial markets.”

This, I suggest, is useful information to share with executives and the board on the value of mature risk management.

You might reference an older report by Ernst & Young that had similar results, Managing Risk for Better Performance.

The Accenture report was based on a survey of 450 individuals, described in one place as “global risk professionals, and in another as “C-level executives involved in risk management decisions.” The breakdown shows that 25% are CROs, 20% CEOs, 25% CFOs, and 22% are Chief Compliance Officers.

Here are some excerpts:

“The vast majority (98%) of surveyed respondents report an increase in the perceived importance of risk management at their organization. One phrase that resonated with us was “Action is not optional”. That is seen as true both for the broader organization and for the risk management function.”

“At one time, risk management in many organizations could be described by some as “the department that says no”. Today we would characterize risk management more as “the department that enables execution”.”

“The proportion of surveyed organizations having a CRO, either with or without the formal title, has risen from 78% in 2011 to a near-universal 96% in 2013.”

“We see risk management as being much more integrated and connected, playing a much larger role in decision-making across the organization—particularly in budgeting, investment/disinvestment, and strategy.”

“Survey respondents see risk management as enabling growth and innovation. In order to survive—and certainly to grow—every company should strive to innovate and move its business forward. Simply pushing forward without understanding and mitigating the risks ahead could ultimately lead to disaster in some form. To enable growth and innovation, effective and integrated risk management capabilities should be implemented early and throughout the process. And these capabilities are scarce – both within the companies we talked to in this research and also in the market at large. So risk management capabilities should be prioritized and focused on the things that matter to move the needle for the organization.”

However, Accenture warns that risk management in practice is still falling short:

“There appear to be large gaps between expectations of the risk management function’s role in meeting broader goals and it’s perceived performance— for every organizational goal we surveyed.”

The authors include four recommendations and a detailed analysis to support their findings.

One interesting section is where they describe “Risk Masters” (they have a “Risk Mastery capability scale, like a maturity model) and what sets them apart.

“Risk Masters include risk considerations in the decision-making process across strategy, capital planning, and performance management. Masters also better integrate their risk organization into operations, establishing risk policies based on their organization’s appetite for risk. And they delineate processes for managing risks that are communicated across the enterprise. These activities are supported by robust analytic capabilities that reinforce efficient compliance processes and provide strategic insight.”

I encourage the reading and consideration of both reports, together with a discussion of where your risk management program falls.

Are you at the maturity level you want to be? Are you taking the steps to become more mature?

Can you achieve the benefits these studies report?

I welcome your views.

Reflections on Strategic Risk

November 24, 2013 31 comments

Surveys say people are paying more attention to so-called “strategic risk”. The latest from Deloitte, called Risk Angles, says:

“Strategic risk is not new; however, in a world where risks are hastened along by business trends and technological innovations, strategic risk management has taken on new urgency. In fact, according to a recently published global survey of more than 300 companies, conducted by Forbes Insights on behalf of Deloitte, 94% say they aren’t just increasing their focus on managing strategic risks; they are changing how they do it – most often by incorporating strategic risk management into their business strategy and planning processes.”

There’s a Strategic Risk Management magazine, my friends at RIMS (the risk management society) have a paper and web page on strategic risk management, and according to a report from IIA, internal auditors in the USA need to pay more attention to strategic risks. In fact, earlier this year the IIA released a Practice Advisory (which is considered “strongly recommended guidance”) on “Internal Audit Coverage of Risks to Achieving Strategic Objectives”.

This sounds right, but it is worth exploring further.

For a start, just what is “strategic risk”?

RIMS says that “Strategic Risk Management (SRM) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution”.

A 2011 article by (originator of Deloitte’s excellent Risk Intelligence series) Mark Frigo and Richard Anderson, “What is Strategic Risk Management”, defines SRM as “a process for identifying, assessing and managing risks and uncertainties, affected by internal and external events or scenarios, that could inhibit an organization’s ability to achieve its strategy and strategic objectives with the ultimate goal of creating and protecting shareholder value. It is a primary component and necessary foundation of Enterprise Risk Management”.

The IIA doesn’t really define strategic risk, but says “Executive management is responsible for identifying and managing risk in pursuit of the organization’s strategic objectives. It is the board’s responsibility to ensure that all strategic risks are identified, understood, and managed to an acceptable level within risk tolerance ranges. Internal audit should have an understanding of the organization’s strategy, how it is executed, the associated risks, and how these risks are being managed.”

In Risk Angles, Deloitte defines strategic risks as “risks that have a major effect on a company’s business strategy decisions, or are created by those decisions. So they tend to have a larger and more widespread impact than the other types of risk that businesses have traditionally focused on, in areas such as operations, finance and compliance.”

Leaving aside the error in some of these definitions that risk management is only about the downside and not the seizing of opportunities, there is a larger question:

If risk is the effect of uncertainty on objectives (the ISO definition, but if you read COSO ERM carefully, you will see they essentially say the same thing), then how is “strategic” risk different?

In fact, if a risk doesn’t have a significant potential effect on the organizations strategies and goals, why should we worry about it?

Aren’t all risks that matter therefore “strategic risks”?

A compliance risk can significantly affect an organization’s ability to achieve its strategic goals. Just ask JP Morgan Chase as they consider their multi-billion dollar fines.

An operational risk, such as the floods in Thailand that shut down hard drive manufacturers, can cripple an organization.

We could stop there and conclude that the concept of something separate and distinct “strategic risk” is nonsense. But, I have a proposition for you to consider.

In the Introduction to the ISO 31000:2009 global risk management standard, there is this paragraph:

“Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and activities.

You can (and should, in my opinion) take all your organization’s defined business strategies and goals and take a top-down approach to understanding and assessing the uncertainties surrounding achievement of each of those strategies. That should include assumptions that have been made, the things that need to go right, the things that could go wrong, and the events and circumstances that could lead you to surpassing your objectives. All of those uncertainties should be understood, an assessment made as to whether the risks are at acceptable levels, and actions taken as necessary to optimize outcomes.

I would call this top-down approach strategic risk management. It doesn’t preclude the individual risks being financial, compliance, green, blue, or whatever you want to name them.

At the same time, there is nothing fundamentally wrong with understanding and assessing risks at lower levels of the organization, such as those surrounding the use of technology. The key is to prioritize resources on the risks that matter to the organization as a whole over those that only matter to one department, business unit, or location.

In other words, if you are assessing risks within an area such as IT, Finance, or Human Resources, consider whether they will have an effect of any significance on the success of the organization as a whole in achieving its strategies and strategic goals in the pursuit of value.

If they would, then you can choose to call them strategic, red, blue, or whatever. If not, perhaps they relate to activities that are not relevant to the organization’s objectives and which can be cut back.

Personally, I prefer to focus on the risks that matter to the organization’s success. I just call them risks.

What do you think?

The Optimal Role for the CIO

November 16, 2013 2 comments

Deloitte has given us food for thought in an article “The Four Faces of the CIO”.

Fortunately, they are not talking about a devious executive. Instead, they are talking about four different key roles that every CIO has to play.

The roles are:

  • Catalyst: As a catalyst, the CIO acts as a credible, enterprisewide change agent, instigating innovations that lead to new products or services; delivering IT capabilities in radically new ways; or significantly improving operations in IT and beyond. Catalysts have significant political capital and are able to enlist and align executive stakeholders. Their relentless focus on disruptive innovation and cross-functional teaming allows them to lead transformational change in IT and the business at large.
  • Strategist: “The CIO’s primary objective as strategist is to maximize the value delivered across all IT investments. The strategist has deep business knowledge and can engage as a credible partner, advising the business on how technology can enhance existing business capabilities or provide new ones. “The strategist also keeps the business apprised [sic] of distinctive IT capabilities that can drive revenue, create new opportunities, or mitigate and navigate risks and adverse events.”
  • Technologist: “As a technologist, the CIO is responsible for providing a technical architecture that increases business agility by managing complexity, supports highly efficient operations (to keep costs low), and is flexible and extendable enough to meet future business needs. Technologists also continually scan the horizon for new technologies, rigorously analyze and test those with promise, and then select the ones most apt to achieve enterprise architecture objectives (efficiency, agility, simplification, and innovation).”
  • Operator: “As an operator, the CIO oversees the reliable day-to-day delivery of IT services, applications, and data. Operators manage the department, and hire, develop, and lead IT staff. They institute service level agreements with IT customers and ensure performance targets for IT services are achieved. They maintain transparent IT cost models and charge the business appropriately for IT services. Operators also source technology, services, and staff, and govern those third-party relationships. Among the biggest challenges for operators are protecting the organization against cyber attacks and ensuring regulatory compliance.”

In this world of dynamic and business model-shattering technological change, it is essential that the CIO take her rightful place as a business leader. The Strategist and Catalyst roles are of massive importance if an organization is to succeed.

This is recognized in a survey by Deloitte of where CIO’s actually spend their time vs. where they want to spend their time:

  • 36% as an operator, compared to a desired level of 14%
  • 43% as either strategist of catalyst, compared to a desired level of 71%

I believe that boards should be asking the CIO, and whoever she reports to, where she spends her time. If the dominant portion is not as Strategist and Catalyst, they should ask why not.

Risk officers should consider whether there is a risk to the business if the CIO is predominantly a passive Operator, and the CAE should consider how the situation can be improved.

I welcome your views.

If I was Chair of the Audit Committee

November 11, 2013 8 comments

If I was asked to join a board and serve as the chair of the audit committee (which I am qualified to do), I would apply the lessons from what seems like a lifetime of working with audit committees. In most cases, the chair was excellent and I would hope to be as effective as they were.

After what I would assume would be a thorough and detailed orientation to the organization and its challenges by such key people as the CEO, CFO and her direct reports, General Counsel, Chief Operating Officer, Chief Accounting Officer, Chief Strategy Officer, Chief Information Officer, Chief Audit Executive, Chief Risk Officer, head of Investor Relations, Chief Information Security Officer, Chief Compliance Officer, Chairman of the Board or Lead Independent Director, lead external audit partner, and outside counsel (and others, depending on the organization), I would turn my attention to the following:

  • Do I now have a fair understanding of how the organization creates value, its strategies, and the risks to those strategies?
  • Do I have a sufficient understanding of the organization’s business model, including its primary products, organization and key executives, business operations, partners, customers and suppliers, etc.?
  • How strong is the management team? Are there any individuals whose performance I need to pay attention to, perhaps asking more detailed questions when they provide information?
  • Who else is on the audit committee and do we collectively have the insight, experience, and understanding necessary to be effective? Where are the gaps and how will they be addressed?
  • What are the primary financial reporting risks and how well are they addressed? What areas merit, if any, special attention by the audit committee? Who should I look to for assurance they are being managed satisfactorily? Who owns the compliance program (if any) on controls over financial reporting, and how strong is the assessment team?
  • What are the other significant financial and other risks (for which risk management oversight has been delegated by the full board) that merit special attention? Who should I look to for assurance they are being managed satisfactorily?
  • How strong is the external audit team and how well do they work with management and the internal audit team? What are their primary concerns? Is their fee structure sufficient or excessive? Is their independence jeopardized by the services they provide beyond the financial statement audit (even if permitted by their standards)?
  • How strong is the internal audit team and does the CAE have the respect of the management team and the external auditor? Are they sufficiently resourced? Are they free from undue management influence (for example, is the CAE hoping for promotion to a position in management, does he have free access to the audit committee, and is his compensation set by management or the audit committee)? What are their primary concerns? Do they provide a formal periodic opinion on the adequacy of the organization’s processes for governance and management of risk, as well as the related controls? How do they determine what to audit?
  • Who owns and sets the agenda for the audit committee? Is there sufficient time and are there enough meetings to satisfy our oversight obligations?
  • Do the right people attend the audit committee meetings, such as the general counsel, CFO, CAE, CRO, CCO, chief accounting officer, and the external audit partner?
  • How does the approval process work for the periodic and annual filings with the regulator (e.g., the SEC)?
  • How are allegations of inappropriate conduct managed? Who owns the compliance hotline, who decides what will be investigated and how, and at what point is the audit committee involved? Is there assurance that allegations will be objectively investigated without retaliation?
  • What concerns do the other members of the audit committee have? Does the former chair of the committee have any advice?

I have probably missed a few items. What would you add?

Please share your comments and views.

Is it time to call the term “GRC” dead?

November 8, 2013 10 comments

While the ‘rest of the world’ thinks of “GRC” as governance, risk management, and compliance, the Institute of Internal Auditors (IIA) uses the term to refer to governance, risk management, and [internal] control.

This is confusing. I can imagine a conversation between two people about “GRC” that continues for 20-30 minutes before they realize they are not talking about the same thing.

Taking the IIA usage first, it has meaning and relevance. While the term GRC is not used per se, the IIA’s definition of internal auditing says that internal audit provides assurance by assessing the organization’s processes for governance, risk management, and the related internal controls. So it has meaning, although (my opinion, not shared by IIA leadership) I wish they would come up with another acronym and stop confusing the greater number who think the C in GRC stands for compliance and not control.

In my experience most internal auditors, influenced presumably by consultants, software vendors, and thought leaders from OCEG, think of the C as standing for compliance and not [internal] control.

So let’s turn to the more common usage of GRC – governance, risk management, and compliance.

Earlier this year, in April, I wrote companion pieces on GRC:

Seven months on, I am starting to think that the term is becoming even more meaningless in practice.

Maybe we can ask the person who invented the term GRC. Although there is competition from PwC and others (including the founder of OCEG), it is generally recognized that Michael Rasmussen (a friend) made it popular while he was with Forrester Research. He needed a term to describe the bucket of software functionalities he was assessing and decided to use the term GRC.

The stimulus for this post and reflection on GRC is recent writing by Michael on his web site. Referring to himself as the GRC Pundit (others call him the King of GRC and he certainly has no peers), he lambasted Gartner for their ‘Magic Quadrant’ assessment of GRC solutions (I did the same, for different reasons, in an earlier post).

But it is worth noting that Paul Proctor of Gartner (not the individual responsible for their ‘Magic Quadrant’) said he hates the term GRC. He said:

“GRC is the most worthless term in the vendor lexicon. Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have.”

I love and agree with this sentiment.

To add to the confusion around GRC, Gartner has its own definition. However, the most common and most widely-recognized definition is the one from OCEG:

“GRC is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].”

We could leave it there, in a confused and confusing world.

But enough is not enough.

Gartner also has definitions and an assessment for IT GRC – whatever that is – and Michael, on his web site now refers (and sometimes gives awards to):

  • Identity and Access GRC
  • Legal GRC
  • 3rd Party GRC
  • Enterprise GRC
  • GRC gamification

Now I am not being fair to Michael, because I know what he is really doing. GRC is so broad, extending from processes to setting strategy and monitoring performance, through risk management to legal case management, internal audit management, information security, data governance, and more. So, he has diced up the software landscape into categories and awarded different vendors for their excellence in individual categories.

Is there any point to continuing to talk about GRC (except within the IIA with respect to their usage) when there are so many reasons there really is none?

I am privileged to be a Fellow of OCEG. They champion the concept of Principled Performance, referring to GRC (under their definition) as a capability that enables Principled Performance. Principled Performance is defined as:

“The reliable achievement of objectives while addressing uncertainty and acting with integrity”

Perhaps we can stop (except for the IIA) talking about GRC and start talking about how we can optimize outcomes and performance, addressing uncertainty (risk management) and acting with integrity (regulatory compliance and organizational values).

What do you think?

Or should we step back and just talk separately about organizational governance, performance management, risk management, ethics and compliance, information security, and so on?

I welcome your views.

The Risk of Average People

November 3, 2013 10 comments

How many organizations, small or large, expect to succeed if they have a large number of “average” people – and by that I mean truly average, neither poor nor exceptional?

None. Yet, do we always do everything we can and should to hire, retain, reward, and develop exceptional people?

Does our human resources function help us find and hire exceptional people, or does it limit us to people who are paid average or, if we are lucky, just above average salary, benefits, and other compensation?

Do you really expect to hire exceptional people with just-above-average compensation?

Are we encouraged to recognize our people – all our people – as exceptional, or are we required to grade their performance on a curve?

At one of the companies where I was head of internal audit (CAE), I inherited an existing team. I would rate only two of the staff (one in US and one in Singapore) as stars; a few had the potential of being very good; a couple were struggling; and the rest were “average”. They were competent, but had little potential for growth and were tolerated rather than welcomed by our customers.

I demanded more, in part because I was changing the style of the audit department so that instead of working in large teams, people were working in pairs or individually. This required more initiative, leadership, and exercise of common sense and business judgment.

The couple that were struggling recognized they were not going to be able to meet the new standard and left of their own volition. A few others saw the opportunity to growth and seized it. But the rest of the “average” performers remained average.

I was able, over time, to find positions for a couple of these people but the rest seemed to have glue on their feet. They enjoyed the new work and challenges, but were setting nobody on fire.

Our human resources function (HR) was no help. Since their work performance was “adequate”, I had no ethical way to move their sticky feet.

I wished I could have rolled back the clock and persuaded my predecessor to hire better people, people with greater intellect, curiosity, and imagination.

I have made a habit, now, of fighting hard to create an environment that lets me hire exceptional people. For that I need pay ranges agreed with HR that let me pay attractive salaries and offer excellent benefits, bonuses, etc. I need job titles that give the people pride in their position and responsibilities. Finally, I need the ability to rate all my people where they truly deserve to be rated – as exceptional performers.

Does your HR function let you hire the best possible person – and that is not the best you can find at the permitted rate, but the best you can find for the job you need done? Or are they a drag on performance?

How many of your sales team are “average”?

How many of your engineers are “average”?

What are you doing about it?

I welcome your comments and stories.