Posts Tagged ‘SOX’

Reflections on Strategic Risk

November 24, 2013 31 comments

Surveys say people are paying more attention to so-called “strategic risk”. The latest from Deloitte, called Risk Angles, says:

“Strategic risk is not new; however, in a world where risks are hastened along by business trends and technological innovations, strategic risk management has taken on new urgency. In fact, according to a recently published global survey of more than 300 companies, conducted by Forbes Insights on behalf of Deloitte, 94% say they aren’t just increasing their focus on managing strategic risks; they are changing how they do it – most often by incorporating strategic risk management into their business strategy and planning processes.”

There’s a Strategic Risk Management magazine, my friends at RIMS (the risk management society) have a paper and web page on strategic risk management, and according to a report from IIA, internal auditors in the USA need to pay more attention to strategic risks. In fact, earlier this year the IIA released a Practice Advisory (which is considered “strongly recommended guidance”) on “Internal Audit Coverage of Risks to Achieving Strategic Objectives”.

This sounds right, but it is worth exploring further.

For a start, just what is “strategic risk”?

RIMS says that “Strategic Risk Management (SRM) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution”.

A 2011 article by Mark Frigo and Richard Anderson (originator of Deloitte’s excellent Risk Intelligence series), “What is Strategic Risk Management”, defines SRM as “a process for identifying, assessing and managing risks and uncertainties, affected by internal and external events or scenarios, that could inhibit an organization’s ability to achieve its strategy and strategic objectives with the ultimate goal of creating and protecting shareholder value. It is a primary component and necessary foundation of Enterprise Risk Management”.

The IIA doesn’t really define strategic risk, but says “Executive management is responsible for identifying and managing risk in pursuit of the organization’s strategic objectives. It is the board’s responsibility to ensure that all strategic risks are identified, understood, and managed to an acceptable level within risk tolerance ranges. Internal audit should have an understanding of the organization’s strategy, how it is executed, the associated risks, and how these risks are being managed.”

In Risk Angles, Deloitte defines strategic risks as “risks that have a major effect on a company’s business strategy decisions, or are created by those decisions. So they tend to have a larger and more widespread impact than the other types of risk that businesses have traditionally focused on, in areas such as operations, finance and compliance.”

Leaving aside the error, in some of these definitions, of treating risk management as only about the downside and not the seizing of opportunities, there is a larger question:

If risk is the effect of uncertainty on objectives (the ISO definition, but if you read COSO ERM carefully, you will see they essentially say the same thing), then how is “strategic” risk different?

In fact, if a risk doesn’t have a significant potential effect on the organization’s strategies and goals, why should we worry about it?

Aren’t all risks that matter therefore “strategic risks”?

A compliance risk can significantly affect an organization’s ability to achieve its strategic goals. Just ask JP Morgan Chase as they consider their multi-billion dollar fines.

An operational risk, such as the floods in Thailand that shut down hard drive manufacturers, can cripple an organization.

We could stop there and conclude that the concept of a separate and distinct “strategic risk” is nonsense. But I have a proposition for you to consider.

In the Introduction to the ISO 31000:2009 global risk management standard, there is this paragraph:

“Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and activities.”

You can (and should, in my opinion) take all your organization’s defined business strategies and goals and take a top-down approach to understanding and assessing the uncertainties surrounding achievement of each of those strategies. That should include the assumptions that have been made, the things that need to go right, the things that could go wrong, and the events and circumstances that could lead to surpassing your objectives. All of those uncertainties should be understood, an assessment made as to whether the risks are at acceptable levels, and actions taken as necessary to optimize outcomes.

I would call this top-down approach strategic risk management. It doesn’t preclude the individual risks being financial, compliance, green, blue, or whatever you want to name them.

At the same time, there is nothing fundamentally wrong with understanding and assessing risks at lower levels of the organization, such as those surrounding the use of technology. The key is to prioritize resources on the risks that matter to the organization as a whole over those that only matter to one department, business unit, or location.

In other words, if you are assessing risks within an area such as IT, Finance, or Human Resources, consider whether they will have an effect of any significance on the success of the organization as a whole in achieving its strategies and strategic goals in the pursuit of value.

If they would, then you can choose to call them strategic, red, blue, or whatever. If not, perhaps they relate to activities that are not relevant to the organization’s objectives and which can be cut back.

Personally, I prefer to focus on the risks that matter to the organization’s success. I just call them risks.

What do you think?

The Optimal Role for the CIO

November 16, 2013 2 comments

Deloitte has given us food for thought in an article “The Four Faces of the CIO”.

Fortunately, they are not talking about a devious executive. Instead, they are talking about four different key roles that every CIO has to play.

The roles are:

  • Catalyst: “As a catalyst, the CIO acts as a credible, enterprisewide change agent, instigating innovations that lead to new products or services; delivering IT capabilities in radically new ways; or significantly improving operations in IT and beyond. Catalysts have significant political capital and are able to enlist and align executive stakeholders. Their relentless focus on disruptive innovation and cross-functional teaming allows them to lead transformational change in IT and the business at large.”
  • Strategist: “The CIO’s primary objective as strategist is to maximize the value delivered across all IT investments. The strategist has deep business knowledge and can engage as a credible partner, advising the business on how technology can enhance existing business capabilities or provide new ones. The strategist also keeps the business apprised [sic] of distinctive IT capabilities that can drive revenue, create new opportunities, or mitigate and navigate risks and adverse events.”
  • Technologist: “As a technologist, the CIO is responsible for providing a technical architecture that increases business agility by managing complexity, supports highly efficient operations (to keep costs low), and is flexible and extendable enough to meet future business needs. Technologists also continually scan the horizon for new technologies, rigorously analyze and test those with promise, and then select the ones most apt to achieve enterprise architecture objectives (efficiency, agility, simplification, and innovation).”
  • Operator: “As an operator, the CIO oversees the reliable day-to-day delivery of IT services, applications, and data. Operators manage the department, and hire, develop, and lead IT staff. They institute service level agreements with IT customers and ensure performance targets for IT services are achieved. They maintain transparent IT cost models and charge the business appropriately for IT services. Operators also source technology, services, and staff, and govern those third-party relationships. Among the biggest challenges for operators are protecting the organization against cyber attacks and ensuring regulatory compliance.”

In this world of dynamic and business model-shattering technological change, it is essential that the CIO take her rightful place as a business leader. The Strategist and Catalyst roles are of massive importance if an organization is to succeed.

This is recognized in a survey by Deloitte of where CIOs actually spend their time vs. where they want to spend their time:

  • 36% as an operator, compared to a desired level of 14%
  • 43% as either strategist or catalyst, compared to a desired level of 71%

I believe that boards should be asking the CIO, and whoever she reports to, where she spends her time. If the dominant portion is not as Strategist and Catalyst, they should ask why not.

Risk officers should consider whether there is a risk to the business if the CIO is predominantly a passive Operator, and the CAE (chief audit executive) should consider how the situation can be improved.

I welcome your views.

If I were Chair of the Audit Committee

November 11, 2013 8 comments

If I were asked to join a board and serve as the chair of the audit committee (which I am qualified to do), I would apply the lessons from what seems like a lifetime of working with audit committees. In most cases, the chair was excellent and I would hope to be as effective as they were.

After what I would assume would be a thorough and detailed orientation to the organization and its challenges by such key people as the CEO, CFO and her direct reports, General Counsel, Chief Operating Officer, Chief Accounting Officer, Chief Strategy Officer, Chief Information Officer, Chief Audit Executive, Chief Risk Officer, head of Investor Relations, Chief Information Security Officer, Chief Compliance Officer, Chairman of the Board or Lead Independent Director, lead external audit partner, and outside counsel (and others, depending on the organization), I would turn my attention to the following:

  • Do I now have a fair understanding of how the organization creates value, its strategies, and the risks to those strategies?
  • Do I have a sufficient understanding of the organization’s business model, including its primary products, organization and key executives, business operations, partners, customers and suppliers, etc.?
  • How strong is the management team? Are there any individuals whose performance I need to pay attention to, perhaps asking more detailed questions when they provide information?
  • Who else is on the audit committee and do we collectively have the insight, experience, and understanding necessary to be effective? Where are the gaps and how will they be addressed?
  • What are the primary financial reporting risks and how well are they addressed? What areas, if any, merit special attention by the audit committee? Who should I look to for assurance they are being managed satisfactorily? Who owns the compliance program (if any) on controls over financial reporting, and how strong is the assessment team?
  • What are the other significant financial and other risks (for which risk management oversight has been delegated by the full board) that merit special attention? Who should I look to for assurance they are being managed satisfactorily?
  • How strong is the external audit team and how well do they work with management and the internal audit team? What are their primary concerns? Is their fee structure sufficient or excessive? Is their independence jeopardized by the services they provide beyond the financial statement audit (even if permitted by their standards)?
  • How strong is the internal audit team and does the CAE have the respect of the management team and the external auditor? Are they sufficiently resourced? Are they free from undue management influence (for example, is the CAE hoping for promotion to a position in management, does he have free access to the audit committee, and is his compensation set by management or the audit committee)? What are their primary concerns? Do they provide a formal periodic opinion on the adequacy of the organization’s processes for governance and management of risk, as well as the related controls? How do they determine what to audit?
  • Who owns and sets the agenda for the audit committee? Is there sufficient time and are there enough meetings to satisfy our oversight obligations?
  • Do the right people attend the audit committee meetings, such as the general counsel, CFO, CAE, CRO, CCO, chief accounting officer, and the external audit partner?
  • How does the approval process work for the periodic and annual filings with the regulator (e.g., the SEC)?
  • How are allegations of inappropriate conduct managed? Who owns the compliance hotline, who decides what will be investigated and how, and at what point is the audit committee involved? Is there assurance that allegations will be objectively investigated without retaliation?
  • What concerns do the other members of the audit committee have? Does the former chair of the committee have any advice?

I have probably missed a few items. What would you add?

Please share your comments and views.

Is it time to call the term “GRC” dead?

November 8, 2013 10 comments

While the ‘rest of the world’ thinks of “GRC” as governance, risk management, and compliance, the Institute of Internal Auditors (IIA) uses the term to refer to governance, risk management, and [internal] control.

This is confusing. I can imagine a conversation between two people about “GRC” that continues for 20-30 minutes before they realize they are not talking about the same thing.

Taking the IIA usage first, it has meaning and relevance. While the term GRC is not used per se, the IIA’s definition of internal auditing says that internal audit provides assurance by assessing the organization’s processes for governance, risk management, and the related internal controls. So it has meaning, although (my opinion, not shared by IIA leadership) I wish they would come up with another acronym and stop confusing the greater number who think the C in GRC stands for compliance and not control.

In my experience most internal auditors, influenced presumably by consultants, software vendors, and thought leaders from OCEG, think of the C as standing for compliance and not [internal] control.

So let’s turn to the more common usage of GRC – governance, risk management, and compliance.

Earlier this year, in April, I wrote companion pieces on GRC:

Seven months on, I am starting to think that the term is becoming even more meaningless in practice.

Maybe we can ask the person who invented the term GRC. Although there is competition from PwC and others (including the founder of OCEG), it is generally recognized that Michael Rasmussen (a friend) made it popular while he was with Forrester Research. He needed a term to describe the bucket of software functionalities he was assessing and decided to use the term GRC.

The stimulus for this post and reflection on GRC is recent writing by Michael on his web site. Referring to himself as the GRC Pundit (others call him the King of GRC and he certainly has no peers), he lambasted Gartner for their ‘Magic Quadrant’ assessment of GRC solutions (I did the same, for different reasons, in an earlier post).

But it is worth noting that Paul Proctor of Gartner (not the individual responsible for their ‘Magic Quadrant’) said he hates the term GRC. He said:

“GRC is the most worthless term in the vendor lexicon. Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have.”

I love and agree with this sentiment.

To add to the confusion around GRC, Gartner has its own definition. However, the most common and most widely-recognized definition is the one from OCEG:

“GRC is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].”

We could leave it there, in a confused and confusing world.

But enough is not enough.

Gartner also has definitions and an assessment for IT GRC – whatever that is – and Michael, on his web site, now refers to (and sometimes gives awards for):

  • Identity and Access GRC
  • Legal GRC
  • 3rd Party GRC
  • Enterprise GRC
  • GRC gamification

Now I am not being fair to Michael, because I know what he is really doing. GRC is so broad, extending from processes for setting strategy and monitoring performance, through risk management, to legal case management, internal audit management, information security, data governance, and more. So he has diced up the software landscape into categories and awarded different vendors for their excellence in individual categories.

Is there any point to continuing to talk about GRC (except within the IIA with respect to their usage) when there are so many reasons there really is none?

I am privileged to be a Fellow of OCEG. They champion the concept of Principled Performance, referring to GRC (under their definition) as a capability that enables Principled Performance. Principled Performance is defined as:

“The reliable achievement of objectives while addressing uncertainty and acting with integrity”

Perhaps we can stop (except for the IIA) talking about GRC and start talking about how we can optimize outcomes and performance, addressing uncertainty (risk management) and acting with integrity (regulatory compliance and organizational values).

What do you think?

Or should we step back and just talk separately about organizational governance, performance management, risk management, ethics and compliance, information security, and so on?

I welcome your views.

The Risk of Average People

November 3, 2013 10 comments

How many organizations, small or large, expect to succeed if they have a large number of “average” people – and by that I mean truly average, neither poor nor exceptional?

None. Yet, do we always do everything we can and should to hire, retain, reward, and develop exceptional people?

Does our human resources function help us find and hire exceptional people, or does it limit us to people who are paid average or, if we are lucky, just above average salary, benefits, and other compensation?

Do you really expect to hire exceptional people with just-above-average compensation?

Are we encouraged to recognize our people – all our people – as exceptional, or are we required to grade their performance on a curve?

At one of the companies where I was head of internal audit (CAE), I inherited an existing team. I would rate only two of the staff (one in US and one in Singapore) as stars; a few had the potential of being very good; a couple were struggling; and the rest were “average”. They were competent, but had little potential for growth and were tolerated rather than welcomed by our customers.

I demanded more, in part because I was changing the style of the audit department so that instead of working in large teams, people were working in pairs or individually. This required more initiative, leadership, and exercise of common sense and business judgment.

The couple that were struggling recognized they were not going to be able to meet the new standard and left of their own volition. A few others saw the opportunity to grow and seized it. But the rest of the “average” performers remained average.

I was able, over time, to find positions for a couple of these people but the rest seemed to have glue on their feet. They enjoyed the new work and challenges, but were setting nobody on fire.

Our human resources function (HR) was no help. Since their work performance was “adequate”, I had no ethical way to move their sticky feet.

I wished I could have rolled back the clock and persuaded my predecessor to hire better people, people with greater intellect, curiosity, and imagination.

I have made a habit, now, of fighting hard to create an environment that lets me hire exceptional people. For that I need pay ranges agreed with HR that let me pay attractive salaries and offer excellent benefits, bonuses, etc. I need job titles that give the people pride in their position and responsibilities. Finally, I need the ability to rate all my people where they truly deserve to be rated – as exceptional performers.

Does your HR function let you hire the best possible person – and that is not the best you can find at the permitted rate, but the best you can find for the job you need done? Or are they a drag on performance?

How many of your sales team are “average”?

How many of your engineers are “average”?

What are you doing about it?

I welcome your comments and stories.

Use the language of your audience

October 29, 2013 5 comments

The other day, I was on a call with other members of an oversight committee. We were talking about the high level project plan for our new products and I asked to see a version that showed key deliverable dates. The chair of our small committee agreed, suggesting that the project manager add a diamond to the dates or otherwise indicate when the various deliverables would be completed.

But the project manager replied that the deliverable dates were in the detail of each “sprint” (the project was being managed using agile management techniques). We were looking at a higher level and he would be happy to show us the plans for each individual sprint.

I told him that I understood that the deliverables were in the sprint-level detail, but needed to see the deliverable dates on the higher-level project plan. Without that, I would not be able to see whether the plan was acceptable and the products would hit the market at the right time. For example, I could not see whether it made sense to work on deliverables serially or in parallel, or when oversight activities needed to occur.

His response was that he couldn’t run the project using two different project management techniques. Implying that my requirement was old-fashioned (I admit here that I have been managing or overseeing major projects since he was in grade school), he reiterated that he was using agile project management.

I tried to tell him that agile is how you run the project day-to-day, but for oversight purposes I needed to see the big picture – especially when the deliverables were to be completed.

Noting my rising tone, the chairman intervened and suggested that the project manager take the chart he was showing us and simply overlay the deliverable dates. He needed them as well.

The lesson here is that I, as an oversight and big picture person (at least in this role on this project), was talking a different language than the project manager.

I respect the project manager for his expertise and experience in running projects to successful completion. But, he was unable to put himself in my shoes, understand my needs, and then express himself in a way that communicated what I needed to know.

The same issue applies when technical experts, whether in finance, information security, risk management, internal audit, or other areas, need to communicate with people in a more senior management or board position. They tend to think and talk in technical detail, while senior management and board members think and talk in terms of the bigger picture.

My advice:

  1. Understand the questions that senior management and the board need answers to.
  2. Answer those questions directly.
  3. Only provide additional detail when necessary to answer the questions – to their satisfaction, not yours – or when asked for more detail.
  4. Get to the point quickly.
  5. Stop.

For example, when a risk, security, or audit practitioner is talking to an executive officer, recognize that they want to know (a) is there anything I need to worry about, (b) is there anything I need to do, and (c) is there a need for me to continue to monitor the situation. They don’t need to know details when there is nothing for them to spend time on.

I welcome your views. If you can share experiences and stories, that would be appreciated.

Are you considering GRC software?

September 30, 2013 20 comments

If you are, I am worried that you might be relying on so-called research by the analyst firm, Gartner. Each year, they publish a Magic Quadrant (MQ) that is presented as addressing organizations’ needs for GRC software. Their 2011 Magic Quadrant for ‘Enterprise Governance, Risk and Compliance Platforms’ (EGRC) is available from Gartner or one of the included software vendors. (I haven’t seen the 2013 MQ).

The purpose of the MQ is to present their “assessment of the main software vendors that should be considered by organizations seeking a technology solution to support the oversight and operation of enterprisewide risk management and compliance programs, with the overall objective being improvements in corporate governance and the ability to achieve business objectives”.

It is good to see my former employer, SAP, in the top quadrant. This means that Gartner considers them visionaries with a high ability to execute.

Also included are players with whose products I have some familiarity: Archer, BWise, IBM, Thomson Reuters, MetricStream, and Oracle.

But does this mean anything? Does it actually have value and relevance for organizations seeking to improve their governance, risk management, and compliance programs?

I have so many criticisms, it is difficult to know where to start:

  1. Gartner assesses software solutions against a defined set of required functionality. That set of functionalities is highly unlikely to be the same as your prioritized needs and requirements! While they talk most prominently about risk management and compliance programs, and these are typically the areas with the greatest need and potential ROI, they include requirements for internal audit, policy management, and more. How many companies would give significant weight, when considering solutions for risk management, to the needs of the (typically small) internal audit function? At the same time, they exclude critical functionality (in my opinion) around the capabilities to link strategy and risk, perform risk monitoring, and support risk workshops. How can you run an effective risk management program without the ability to continuously monitor risks in this turbulent business environment? When you are assessing the effect of uncertainty on objectives (i.e., risk), how do you do that when you have no way to identify the risks to each objective?
  2. They talk about governance, but their assessment includes next to nothing that supports governance. Even their definition of governance is limited and, in my opinion, wrong. It doesn’t include board communications, for example.
  3. Gartner assumes that you need a single platform for risk management and compliance. I believe that compliance-related risks should be included in the risk management program, and that a risk-based approach to compliance is generally wise. However, I find it difficult to believe that all the requirements for a compliance program (e.g., ethics certification and training, investigation case management, legal case management, whistleblower services, anti-money laundering and FCPA compliance, and more) can be found in a single solution – let alone one that supports risk management as well.
  4. Gartner assumes value in the integration of these various functionalities. However, that integration has much less value in practice than they consider. I would prefer to see integration between strategy and risk management than risk management and internal audit!
  5. They don’t consider the need to integrate risk and performance (and strategy) reporting. If we are to integrate risk management into the fabric of the organization, you need combined reporting on both performance and risk indicators.
  6. Few organizations have a ‘GRC’ organization, one that combines (as Gartner sees it) risk management, compliance management, policy management, internal audit, and some limited aspects of governance. So why should we think about a GRC solution?

I will stop there and conclude that looking for a ‘GRC solution’ is (IMHO) short-sighted and likely to lead to selecting the wrong software for your organization.

I might use the MQ to make sure I am considering all the vendors that might have solutions to meet my needs.

But, I would define my requirements based on my needs, my requirements, my potential ROI, and not the needs of the fictional organization considered by Gartner.

I would also be concerned if a vendor presented their solution as addressing the requirements of an EGRC platform, as they may be designing a solution to get better grades from Gartner instead of satisfying their real customers.

What are your needs? If your priority is risk management, look for a risk management solution that has the functionality to meet your current and anticipated needs. If you are looking for compliance solutions, pick the solutions (probably more than one) that will work effectively as a combination.

If you need to address needs in multiple areas, where is the value from integration? Is it better to get separate solutions that are optimal for each area than one that perhaps is good in one or two but less so in others?

As I look back at my former companies where I was chief risk officer, ethics and compliance officer, and led internal audit, I would not have acquired one of these EGRC solutions. I would have acquired separate solutions for risk management, legal case management, SOX compliance, ethics management, and so on. The integration I would have prioritized would have been between risk management and strategy/performance management, and I would also have given significant weight to risk monitoring (using the sophisticated analytics tools now available from SAP, IBM, and Oracle).

I welcome your views.

What is your risk appetite?

September 23, 2013 17 comments

The regulators and others around the world are asking organizations, especially those in financial services, to establish a risk appetite. This is typically in the form of a risk appetite statement or framework.

Let’s look at a couple of definitions of risk appetite.

COSO says:

“Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value” (Understanding and Communicating Risk Appetite)

They continue:

“To fully embed ERM in an organization, decision makers must know how much risk is acceptable as they consider ways of accomplishing objectives, both for their organization and for their individual operations (division, department, etc.)”

[You may have seen my review of the COSO publication, which includes links to other thoughts on risk appetite.]

A similar view is expressed by a global financial services industry body:

“Risk appetite is the amount and type of risk that a company is able and willing to accept in pursuit of its business objectives” – Institute of International Finance

But, there are a number of people who believe that risk appetite is a flawed concept. I recommend a read of a paper by Grant Purdy, Demystifying Risk Appetite. When risk practitioners from around the world convened to develop a global risk management standard, ISO 31000:2009, they preferred to discuss risk criteria – a preference I share.

Is risk appetite a useful concept?

Let’s approach this by asking, as individuals, “What is your risk appetite?”

Perhaps you are saying that you are not a business, agency, or enterprise. But you still have objectives you want to achieve and you are more likely to succeed in achieving or surpassing them if you understand and treat/manage/address the risks and opportunities in your path towards those objectives.

Your personal objectives may include long-term ones like saving sufficient money to retire at a certain age, maintaining a certain level of health, or getting to vice president before you turn 35; short-term objectives might include being able to get to work on time today, or finishing a certain number of tasks at work so you can both make your manager happy and have dinner with a happy spouse at 7pm.

You will take risks in accomplishing these objectives. There is no “may” about it; you will take risks. With respect to your drive to work, your arrival time might be affected by weather (both good and bad), the volume of traffic (less traffic meaning you will surpass your objective), dangerous drivers, the possibility that you will fail to see another car when you change lanes, a request from your spouse to take the kids to school on your way, and so on. As you decide to leave, these are all uncertain events or situations that might or might not happen.

What is your risk appetite when you are deciding whether to change lanes because the traffic in front of you is too slow?

What is your risk appetite when you are deciding whether to agree to take the kids to school or ask your spouse to do it?

You have to decide whether to take these risks. You will certainly have a number of criteria that will help you decide, such as the potential for reward (arriving earlier or avoiding a delay in arrival) and the potential for loss (an angry spouse or manager, or physical injury if a car hits you). You will consider the magnitude of the potential loss or reward, the likelihood of each happening, and your ability or capacity to sustain any loss.

Can you put a number, a monetary value, on it? Is it a percentage of your net wealth?

When you decide whether to take a risk, you will be influenced by the likelihood and size of reward against the likelihood and size of loss. Will you decide to change lanes when there is an 80% chance of arriving on time if you do vs. 15 minutes late if you don’t, when you assess the risk of a car hitting you at less than 1%? How about if the chances of a crash are 5%, because there’s a lot of traffic, or 15% because visibility is low?

You will try to make an informed, management decision. You will use your judgment, and you will not even think about anything like risk appetite. “Criteria” is a concept that makes sense, but not “appetite”.

Isn’t running a business similar to driving a car, in that you want to make informed management decisions using your best judgment?

Will you decide whether to expand operations into a new country using your judgment about the likelihood of success (at various levels) and the likelihood of failure (also at various levels)? Failure could mean loss of funds as you abandon new offices, lay off newly-hired staff, and write off assets; it could also mean loss of customer confidence, reputation damage, and even loss of life (depending on where you expand).

Can you put a risk appetite value on this and say, as COSO says, “how much risk is acceptable”?

I can understand that it may be important to know that management is not putting the survival of the company at risk, or that the company has not put on the casino table of business more than it can afford to lose.

But is that how you make decisions? Is that how you decide whether or not to take a risk?

What is most important is that:

  • Managers and executives recognize that when they make decisions they have to consider what might happen, and the effect of that is what we call risk
  • If a manager is to be successful, he has to recognize risk, assess it (upside and downside), and if it is at an unacceptable level act to modify it – because that increases his chances of being successful and the level of success he will achieve
  • Decision-makers should use their best and informed judgment to take risks. When the potential effect is outside their authority level, they should escalate the decision to more senior management – in the same way they make purchasing decisions
  • The consideration of risk is an integral and essential element of decision-making and management in general. It is not a separate discipline

What is your appetite for risk appetite? Should we limit the concept to situations where it makes sense, like how much money to put at risk in the financial market? Mind you, we used to call those trading or position limits rather than risk appetite.

I welcome your comments.

Information Security Disconnected from Management?

September 12, 2013 11 comments

The information security software firm, Tripwire, released the interesting results of a “state of risk-based security management” study performed in conjunction with the Ponemon Institute. (The link above is to the press release and summary. The complete study is downloadable in parts – not a good idea, Tripwire – from this location.)

The study has some disturbing comments:

  1. According to the study, not only do two thirds of IT professionals fail to communicate security risks, but 59% filter negative facts before they are disclosed!
  2. About half said that communication between security risk management and business personnel is “poor, nonexistent, or adversarial”.

Tripwire’s CTO is quoted as saying:

“Risk provides the common language that enables a broader business conversation about cybersecurity risks, particularly when dealing with non-technical executives. However, it’s clear from this report that most organizations are missing the majority of opportunities to integrate security risks into day-to-day business decisions. Changing this paradigm will require security professionals to develop new communication skills so they can talk about security risks in terms that are clearly relevant to the top-level business goals.”

In my opinion, Dwayne (the CTO) has this backwards.

These IT professionals need to communicate business risks – the potential effect on the business and its objectives from a potential information security exposure.

Talking about security risks is using a language that the business executives don’t speak naturally, one that does not communicate how their and the organization’s success might be affected.

As my good friend Jay Taylor says, and ISACA in its guidance reiterates, there is no such thing as IT risk – only the business risk created from an IT-related issue. For example, the loss of a server farm is not the risk; the risk is the effect of that loss on the business, such as the inability to support normal business operations such as accounting, sales, etc., which leads to loss of revenue.

Yes, IT professionals need to (as Dwayne says) “develop new communication skills”. They need to learn how to communicate in the language of the business. They need to talk about IT-related business risk, and cut out the techno-babble of “information security risk”.

Let’s not put all the blame for poor communications on IT. The business and especially any risk management personnel need to translate any techno-babble into business risk. They must not accept talk of “IT risk”. In the process, they can help the IT staff learn to speak the language of the business.

Just my opinion. What is yours?

Just what is “reasonable assurance”?

August 13, 2013 8 comments

Do we care what this term means? We should, because it should guide assessments of internal control by management, internal audit, and external audit (and the latter use it when they express an opinion on the financial statements). It also comes into play as internal auditors and management assess the adequacy of governance and risk management processes.

Is it, as the SEC and PCAOB once told me “a term of science”? Not really. It all comes down to professional judgment by a reasonable or prudent person: judgment as to the level of risk that the assessment is incorrect.

There are regulations that guide the external audit firms and define what reasonable assurance should mean when they use the term.

Auditing Standard Number 5 (AS5) says:

“Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes… The auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance about whether material weaknesses exist as of the date specified in management’s assessment… When evaluating the severity of a deficiency, or combination of deficiencies, the auditor also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that a deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles, then the auditor should treat the deficiency, or combination of deficiencies, as an indicator of a material weakness.”

AS5 points to AU sec. 230, Due Professional Care in the Performance of Work for a definition of reasonable assurance. However, that document doesn’t provide a great deal more clarification:

“While exercising due professional care, the auditor must plan and perform the audit to obtain sufficient appropriate audit evidence so that audit risk will be limited to a low level that is, in his or her professional judgment, appropriate for expressing an opinion on the financial statements. The high, but not absolute, level of assurance that is intended to be obtained by the auditor is expressed in the auditor’s report as obtaining reasonable assurance about whether the financial statements are free of material misstatement (whether caused by error or fraud). Absolute assurance is not attainable because of the nature of audit evidence and the characteristics of fraud. Therefore, an audit conducted in accordance with generally accepted auditing standards may not detect a material misstatement.”

The guidance continues:

“The independent auditor’s objective is to obtain sufficient appropriate audit evidence to provide him or her with a reasonable basis for forming an opinion. The nature of most evidence derives, in part, from the concept of selective testing of the data being audited, which involves judgment regarding both the areas to be tested and the nature, timing, and extent of the tests to be performed. In addition, judgment is required in interpreting the results of audit testing and evaluating audit evidence. Even with good faith and integrity, mistakes and errors in judgment can be made. Furthermore, accounting presentations contain accounting estimates, the measurement of which is inherently uncertain and depends on the outcome of future events. The auditor exercises professional judgment in evaluating the reasonableness of accounting estimates based on information that could reasonably be expected to be available prior to the completion of field work. As a result of these factors, in the great majority of cases, the auditor has to rely on evidence that is persuasive rather than convincing.”

OK, what does this all mean? There are some key phrases:

  • “the level of detail and degree of assurance that would satisfy prudent officials that they have reasonable assurance”
  • “audit risk will be limited to a low level that is, in his or her professional judgment, appropriate”

It all comes down to the judgment of a prudent person or official.

AS5 and AU sec.230 both point to the fact that absolute or perfect assurance is impossible. They are concerned about assurance over financial reporting and their opinion on the system of internal control and the financial statements.

What does the COSO Internal Control – Integrated Framework (2013) say? It also refers to reasonable assurance:

“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

It goes on to say that internal control is “able to provide only reasonable assurance, not absolute assurance”.

“The term ‘reasonable assurance’ rather than ‘absolute assurance’ acknowledges that limitations exist in all systems of internal control, and that uncertainties and risks may exist, which no one can confidently predict with precision. Absolute assurance is not possible. Reasonable assurance does not imply that an entity will always achieve its objectives. Effective internal control increases the likelihood of an entity achieving its objectives. However, the likelihood of achievement is affected by limitations inherent in all internal control systems, such as human error and the uncertainty inherent in judgment. Additionally, a system of internal control can be circumvented if people collude. Further, if management is able to override controls, the entire system may fail. In other words, even an effective system of internal control can experience a failure.”

So, let’s see if we can come up with something that makes practical sense.

Let’s start with saying that a system of internal control is designed to ensure risks to the achievement of objectives are within desired levels. But, there are limitations inherent in any system of internal control, as described by COSO in the excerpt above.

How much risk should we take that the system of internal control will fail, with significant implications for the achievement of objectives? How much should we spend on controls to limit the risk? That is a matter of judgment: management and the board, as appropriate, should decide. In some cases, regulation and law may guide the definition of an acceptable level of risk that the system of internal control will fail. In all cases, whether a reasonable person (or official) would agree should be a consideration.

If the level of risk that the system of internal control will fail is acceptable, we can call the system of internal control effective.

But the problem is not quite that easy. We also have to consider the use of the term in an auditor’s opinion. External and internal audit seek reasonable assurance that the system of internal control is effective. Said another way, the auditors seek reasonable assurance that the system of internal control provides reasonable assurance that risks to the achievement of objectives are at acceptable levels.

Here, we are talking about the level of risk that the assessment by the auditor is incorrect. Again, the judgment of a prudent person or official comes into play. For the reasons expressed in AU sec.230, an auditor cannot be certain that his assessment is correct.

OK, so what does this all mean?

As I said earlier, this is not a matter of science. It is a matter of judgment and common sense. Professional auditors are presumed to have both and should be required to exercise both when making assessments.

Where am I going with this?

I believe that external auditors, management, and internal auditors should be prepared to form and express opinions on the adequacy of internal control, management of risk, governance processes, and more. They should rely on, without qualms, their common sense and judgment in that process. Perfect assurance that the system of internal control is perfect is doubly impossible. Reasonable assurance based on professional judgment is possible.

I welcome your comments and perspectives.

PS. I will write a post shortly about the form an internal auditor’s opinion might take on the adequacy of an organization’s overall processes for governance, management of risk, and internal controls.

Little compliance issues that can trip you in a big way

August 6, 2013 3 comments

Another compliance issue hit the news on Monday. According to USA Today, “Chevron agreed to pay $2m in fines and restitution and pleaded no contest to six charges in a fire last summer at its refinery in the San Francisco Bay Area city of Richmond that sent thousands of residents to hospitals, many complaining of respiratory problems”. The fine was in addition to $10m already paid in restitution to affected citizens, health services and others; a likely $1m fine by state safety officials; and, potential litigation by the city of Richmond.

For a company as large as Chevron (revenue of $231 billion, net income of $26 billion, and return on capital employed of 18.7%), these costs are trivial. The reputation cost is likely to be larger, as is the business disruption caused by investigations by the various federal, state and local agencies – not only as a result of the fire but at a higher continuing frequency and intensity because of the compliance failure. In fact, the failure in Richmond is likely to result in all of Chevron’s US-based operations coming under increased scrutiny for some years to come.

The charges filed by the state and local governments included failing to correct deficiencies identified by the company’s own inspectors.

As I reflect on other news stories of fires, pipeline explosions, and other man-made disasters, they always seem to include reports of prior irregularities in inspections, examinations, etc. These reports make the company look reckless, negligent, and less than diligent when it comes to compliance. Clearly, a history of compliance failures, especially failures to correct known deficiencies, only exacerbates fines and reputation damage.

So what does this mean for boards, executives, auditors, risk practitioners, and compliance professionals?

If we look at the COSO Internal Control – Integrated Framework (2013), it has a useful principle: “The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.” The related points of focus are:

  • Assesses Results—Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations.
  • Communicates Deficiencies—Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate.
  • Monitors Corrective Actions—Management tracks whether deficiencies are remediated on a timely basis.

While this points us in the right direction, asking to whom compliance issues are reported, who assesses them in terms of risk, and who monitors corrective action, the COSO guidance doesn’t include much in the way of detail.

The U.S. Federal Sentencing Guidelines provide guidance that is essential knowledge, not only to compliance professionals but also to boards, executives, risk and audit practitioners of organizations operating within the United States. In its section on “Sentencing of Organizations”, it states: “The two factors that mitigate the ultimate punishment of an organization are: (i) the existence of an effective compliance and ethics program; and (ii) self-reporting, cooperation, or acceptance of responsibility”.

Every board member, senior executive, compliance, risk, and audit professional should become familiar with the requirements for an effective compliance program, outlined in “§8B2.1. Effective Compliance and Ethics Program”. Key points include:

  • The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
  • High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.
  • Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.
  • The organization shall take reasonable steps—
    1. to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;
    2. to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and
    3. to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

We need to combine the guidance from COSO and the Federal Sentencing Guidelines, add risk management techniques for understanding the related risks – especially when there are potentially multiple failures, even if they are in different locations and concern quite different rules and regulations – and we can start to see what is needed:

  1. An effective compliance program that meets at least the minimum requirements of the Federal Sentencing Guidelines (which are not limited to the points above)
  2. A risk management program that works collaboratively with those responsible for compliance to ensure that compliance-related risks (including possible reputation risk, potential loss of customer confidence, and business disruption risk) are understood, assessed, and addressed
  3. Evaluations and responses to compliance issues that address the root cause. Too many organizations put a Band-Aid on the obvious wound without making the investment necessary to fix the underlying problem
  4. Processes that ensure all deficiencies, whether identified internally, as a result of internal audits or inspections, or by third parties including regulators, are reported to the appropriate managers, assessed, addressed by appropriate corrective actions, and then remediated within an appropriate timeframe. Those assessments should be updated on a regular basis as risk levels may change (for example, if there is a second compliance failure)
  5. Processes that ensure senior management and, as appropriate, the board are informed of all significant or potentially significant compliance failures and risks, whether the risk is being managed as desired, and whether appropriate corrective actions are being completed

How effective is your organization when it comes to ensuring it won’t be bitten by prior year compliance failures, especially failures that have not been resolved by addressing and fixing the root cause?

I welcome your views and commentary.

IIA Research Foundation report only adds to confusion about GRC

July 31, 2013 4 comments

A new report published by the IIA Research Foundation, Contrasting GRC and ERM: Perceptions and Practices Among Internal Auditors, is not to blame for the confusion about GRC that it reports. The confusion existed before this report highlighted it (and to some extent added to it).

It raises the question of why we should continue to talk about GRC as if we all share the same understanding of what it means, when we clearly don’t.

For a start, the document (influenced by an academic advisor whom I normally respect but on this topic is way off base) can’t seem to decide whether the “C” in GRC stands for compliance or control. While many of us think it should stand for control, it doesn’t. That debate ended a long time ago. It stands for compliance and, given the roots of the term, that is appropriate.

To see how bad the confusion is, just look at any GRC thought leadership paper (from other than OCEG, Michael Rasmussen, or me) and replace the term GRC with risk management. I would bet that the paper would make more sense that way.

In fact, most of the published work on GRC has either been about risk management or the combination of risk and compliance. Governance is rarely in the picture except for the oversight by the board of risk and compliance.

The IIA Research Foundation report is free to IIA members, so download it for yourself and see whether it helps you understand GRC or simply confirms that the world remains confused by the term.

I still think there is some value in thinking about GRC (see my explanation here), but in practice we should stop focusing on GRC as it is getting in the way of fixing risk management, organizational governance, and compliance. See this discussion for details.

Do you agree? If so, are we tilting at windmills?

How did a term whose meaning we don’t agree on become so firmly established?

I welcome your views and commentary.

Let’s get practical with COSO 2013

July 25, 2013 2 comments

The highly respected periodical Compliance Week just published an article that appears to reflect misunderstanding if not panic in some quarters over the updated COSO Internal Control – Integrated Framework.

Written by Tammy Whitehouse with the title COSO Framework Update Introduces New Measure of Deficiency, the piece includes quotes from interviews with a number of consultants and other experts, including the new chairman of COSO and me.

I was struck by a number of apparent inferences:
1. There is confusion over the use by COSO of the term “major deficiency” when for SOX purposes we have been using the terms deficiency, significant deficiency, and material weakness.
2. People are worried because they are unsure how the updated framework will affect their SOX program.
3. Some seem to believe that if they have a deficiency related to one risk area that will affect their assessment for SOX.

Let’s take each of these in turn. By the way, Tammy was unable to include in the article my comments on these points, presumably for lack of space.

1. When it comes to SOX, we continue to use the same terms as before. As Bob Hirth pointed out, COSO recognizes that when there are regulations in an area, as there are for SOX with SEC and PCAOB guidance, that takes precedence.

We should also recognize that the term in COSO is not new. Organizations and their internal auditors have been using it for decades.

2. If an organization was truly basing their SOX assessment on the prior version of the COSO framework, they are already “compliant” with the updated version. The only issue is that they have to be able to show how they achieve the principles. This can be done with minimal effort through a management self-assessment. Where the level of risk justifies, consistent with current practice, related key controls are identified and tested. (I expect the IIA will publish an update to my SOX book in a few months that guides this process.)

3. If you have a deficiency in a different risk area, such as in compliance with safety regulations or the delivery of revenue growth, that will not prevent you from assessing your internal control over financial reporting as effective.

I believe the only implementation issue will be on how much evidence you need to support management’s assertion that all the principles are present and functioning. I believe, and have many experts supporting me on this, that you need to consider the risk to the financial statements if there is a defect in a principle. That risk is indirect; please refer to the discussion in AS5 on entity-level controls that have an indirect effect. The greater the risk, the greater the need for key controls to support and augment management’s self-assessment.

As for those who are concerned because they haven’t read this long document, let me reassure you. If you read and understood COSO 1992 you will not find anything different in 2013, at least anything substantial. The 17 principles were there before; they have now been emphasized. Some discussions, such as on monitoring, are improved.

This is NOT a radical new document that should cause concern.

But that doesn’t mean you should leave implementation for SOX to 2014! Do your self-assessment now and start any remediation now, because it will take time to upgrade issues like the composition and practices of the audit committee, or the training of staff.

I welcome your comments.

EY joins call for internal audit to improve

July 20, 2013 9 comments

The Big Four firm of EY has completed their Global Internal Audit Survey for 2013. I suggest looking past their understandable focus on financial reporting and selling their services and the authors’ poor understanding of internal auditing – because there are some important nuggets that can be mined from their document.

Why do I say they have a poor understanding of internal auditing? Just look at the summary on their web site. They cite the #1 driver for change as “External auditors are increasingly relying on the work of Internal Audit”. That should be an incidental rather than primary driver for CAEs. Throughout the report, EY use their perspective of what ‘assurance’ means, and compare ‘assurance’ to ‘advisory’ – a term used by external and not internal auditors. For example, they refer to risk management and operational audit skills as compliance skills! Pure nonsense!

By the way, EY has some excellent individuals who understand internal auditing well. They have been an excellent co-sourcing partner over the years. Unfortunately, those responsible for writing and reviewing this document are not from among their numbers.

So let’s focus on what the information in the report tells us. There are a number of revealing and interesting bits and pieces, including quotes from internal audit leaders.

  • “The Internal Audit industry is continuously being challenged to be relevant,” Wong Swee Chin, VP of Group Internal Audit at Cerebos Pacific, Ltd.
  • “The profession continues to focus on adding insight to the business owners and executives around how to improve operations to achieve the strategic objectives of the organization. To do that, audit groups have to understand the strategy and the enterprise risk management around that strategy,” James A. Rose, Chief Audit Officer, Humana
  • “Only 26% of respondents say they are heavily involved in addressing IT risks. This low response to being involved in addressing IT risks should make Internal Audit pause for thought. The rapid evolution of technology is creating a number of risks as it raises the potential to completely change the business landscape across entire industries. These changes are creating both internal and external challenges: organizations must be prepared to aggressively leverage new technology to remain competitive, while at the same time effectively manage the related risks.”
  • The 500 respondents (CAEs and audit committee members) put financial audit and accounting as the most important skill for internal auditors (52.63%), ahead of internal control (39.57%), risk management (32.75%), and an in-depth knowledge of the company’s business and operations (25.93%). This is awful! The priorities are entirely upside down.
  • Contrast that with this quote: “If I look in my previous life, I had people who were largely accounting majors working for me. But the people I have now have no accounting background,” Barb Riker, Chief Audit Officer at Teucrium Trading
  • While 23.20% recognized the need to improve knowledge of the company’s business and operations, just 21.64% saw the need to improve risk management skills, 18.13% to address technology, and few identified soft skills as important (although I agree with Richard Chambers and Paul McDonald when they argue in the June edition of the Internal Auditor that soft skills need improvement). EY gets this right when they say “Soft skills are fast becoming as important as purely technical auditing skills. To be a strategic advisor to the business, auditors need to be able to think critically, apply business knowledge and clearly articulate insights to management. Auditors need to adjust training and think outside the box to ensure that it has the right people with the right skills and competencies in its Internal Audit function.”
  • “The days when a business auditor wouldn’t need to understand the impact of technology and how to use technology, those are gone. If you are a business auditor, you have to learn IT. If you are an IT auditor, you’ve got to learn to understand the business,” Carolyn D. Saint, Vice President of Internal Audit, 7-Eleven, Inc.
  • “I’m constantly encouraging everyone on my staff to think like an executive. … When they raise an audit issue, I ask them to say, so what is the impact of that to the business?” Stephen Arietta, Vice President, Internal Audit, United Online
  • EY refers to important sources for CAEs when they need additional resources. In addition to co-sourcing, EY points to hiring interns and the use of guest auditors. I personally like the latter a great deal, as it adds business knowledge and expert insights to the audit team, as well as contributing to the development of rising management stars.
  • In their conclusion, EY correctly states “There are several megatrends that are altering the landscape of businesses globally. These trends will drive significant change forcing businesses to constantly transform. Internal Audit must transform in order to stay ahead of these changes and to maximize its impact. In today’s dynamic business environment, Internal Audit functions must satisfy many different stakeholders: audit committee members, senior leadership, operational leaders, external auditors, regulators, etc.”

What am I learning from the EY report?

  1. The study supports the view expressed in PwC’s annual state of the internal audit profession, that internal audit departments are not meeting the needs and expectations of audit committees and top executives
  2. More needs to be done, not only to improve understanding of the business, risk management, and technology, but to get CAEs to recognize that these are essential skills – and far more important than traditional financial audit and accounting skills
  3. We have a number of leaders in the profession of internal auditing who ‘get it’. I have quoted some in this review, and others include Paul Sobel, Steve Goepfert, Richard Chambers, Larry Harrington, and more. I think we should be paying a lot of attention to what they have to say – and challenge so-called thought leaders such as the authors of this study
  4. For example, we should focus more on assurance than suggested – and our assurance should be on whether the organization is able to ensure that the risks that matter to the achievement of objectives and creation of value are at desired levels. Assurance is not limited to compliance (as suggested by EY), but to the ability of the management team and the board to drive and achieve results

I have been very hard on EY, but hope I have brought out points that are important if the internal audit profession is to remain relevant and increase its services to its stakeholders.

Do you share my views and points of learning?

Are risk registers a useful tool or a trap?

July 14, 2013 17 comments

One of the thought leaders with whom I frequently debate/argue is Tim Leech. Tim has a passion that is usually divergent from mine, so it is always refreshing to see situations where we agree.

This is how Tim replied to a recent post by me on a study by KPMG on risk management (reproduced in full with his approval).

Norman: Thanks for drawing attention to the KPMG survey results. My primary concern with the survey is that it has not recognized that the “risk centric” approach to ERM, an approach [with] a heavy focus on creating and maintaining a “risk register” and assigning “risk owners” used by a large percentage of organizations in the world today who claim they are practising ERM is in fact “risky”. This approach has diverted people’s attention and focus from the real purpose of risk management – increasing certainty [that] important value creation (e.g. Increase market share by X%) and potentially value eroding objectives (e.g. publish reliable financial statements) will be achieved operating with a tolerable level of retained risk.

The “risk register” approach has been promoted and implemented in tens of thousands of organizations by consultancy and software firms and the IIA has promoted it in a number of its guidance publications. I believe that many of the points noted above from the survey are linked to the dysfunctional consequences of using “risk centric/risk register” type approaches to risk management. It’s ironic that risk consultants and software vendors are now part of the world’s risk problems.

Regulators in each country who are increasing their focus and requirements in this area also need to ensure they are not part of the global regulatory wave forcing companies to implement risk centric approaches to risk management diverting attention to the true power of formal risk assessment as a business tool.

We are promoting “board driven/objective centric” approaches to improve the way organizations manage risk. It starts with boards that want reliable information on the state of residual risk linked to key value creation and potentially value eroding objectives. For those interested simply Google “THE HIGH COST OF ERM HERD MENTALITY” and/or our newest presentation on the approach we are recommending to address key failings noted in the KPMG survey results. It can be downloaded at:

If we want senior management to truly embrace risk management they need to see it as another tool in their arsenal to manage their organizations within a level of retained risk acceptable to them, their board, regulators, credit rating agencies, investors and other key stakeholders. This won’t happen using “risk registers” as a primary foundation building block.

Before explaining why I agree on the core points of Tim’s comment, let me address a few minor points of disagreement. First, I don’t use the expression ‘residual risk’ anymore; the adjective ‘residual’ is assumed and is only useful when comparing current state to the level of risk should controls fail (which some refer to as ‘inherent risk’). Then, rather than limit myself to a “tolerable level of retained risk”, I prefer to use the terminology of ISO 31000:2009 and talk about risk criteria. Another point of disagreement is that I believe every risk should have an owner – the person responsible for achieving the affected objective. Finally, while providing the board and executive management with reliable reports on risk is important, I believe the more significant need is enabling managers across the organization to make risk-aware and intelligent business decisions every day.

So, where and why do Tim’s and my opinion converge?

It is that if used without due care and attention, risk registers are a trap.

There is a belief among many that organizations need to manage a defined list of risks. Some have as few as 10 or 25 because that is the limit of their management’s and board’s attention. Others have far more, recognizing that all risks to the achievement of objectives need to be understood and managed where significant.

Some consultants love to provide guidance on the risks that should be included in a risk register, with studies of the top risks of the moment.

But, by creating a risk register, they are creating the impression that risks are static. They are not.

Just as business conditions change all the time and decisions have to be made every day, new risks emerge and old risks change all the time.

Running the business with a static (and it is essentially static if it only changes once each quarter when the business changes much faster) risk register is Enterprise List Management (a phrase coined by my friend, Jim DeLoach of Protiviti).

So I join with Tim, although I don’t use precisely the same words, in urging organizations to ensure they have the capability to manage risks to value creation and the surpassing of objectives every day – in setting and modifying strategy, in monitoring and managing performance, and in daily decision-making across the enterprise.

I also urge internal audit departments to assess and report on whether management has that capability.

I welcome your views and comments.


Australian Government Agency’s Risk Management Guidance – The Good and the Bad

July 2, 2013 11 comments

Whether you are new to risk management or not, you may enjoy a recent set of guidance that has been published by the Treasury Department of the government of New South Wales (in Australia).

In this post, I am going to highlight some of the good and – unfortunately – the bad from the guidance, with reference to their Executive Guide. The good far exceeds the bad, but the bad merits discussion.

The guide is driven by (believe it or not) valuable regulation: “NSW Treasury’s Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 09-05) requires department heads and governing boards of statutory bodies to establish and maintain a risk management process that is consistent with the current Australian/New Zealand (AS/NZS) standard on risk management. Standards Australia has adopted the international standard (ISO 31000), which it has titled AS/NZS ISO 31000: Risk management – Principles and guidelines.”

If you are not familiar with the global risk management standard, ISO 31000:2009 (which I recommend), the NSW guidance will get you started.

The Guide explains that:

“ISO 31000 consists of a set of principles, frameworks and processes aimed at improving decision making about risks and their management by reducing uncertainty and increasing the likelihood that organisational objectives will be achieved.  It is not a compliance standard, but instead provides principles-based guidance on best practice.

“Risk management, like other management systems, should be designed to meet an agency’s specific needs.”

This accurately spells out the value of risk management. It is not in the periodic report and discussion of risk at executive and board meetings! It is in the ability to provide quality information to decision-makers across the enterprise and drive better decisions every day – and through them the achievement of objectives.

The Preface to the Executive Guide makes a statement that I only wish was true:

“Our tolerance for ineffective risk management is diminishing.”

Unfortunately, few organizations seem aware of the limitations of their ability to manage risk. They are satisfied with, at best, periodic reviews of top risks. They do not understand the need to consider risk in the processes of setting strategies, managing performance, and making decisions every day.

The Guide repeats the definition of ‘risk’ in ISO 31000: “Risk, in ISO 31000, is defined as the effect of uncertainty on your agency’s objectives. This can mean both negative and positive effects on your objectives. While risk is inevitable, it can and must be managed.”

It explains a risk framework and says:

“ISO 31000 provides a risk management framework to embed the process for managing risk throughout your agency, including your overall governance, strategy, planning, budgeting, management, and reporting processes and policies.”

“This means, for example, that you should formally consider risks:

    • in your strategic, business and workforce planning processes
    • in your budgeting processes
    • when developing and implementing: – new or revised policies or programs
      • new strategies, projects or activities
      • significant changes to an initiative, project or level of activity
    • in all capital projects
    • in procurement processes.”

The Guide includes a discussion of the features of an effective risk management framework and includes some questions to help you assess it. It continues with a useful discussion of an effective risk management process.

When it comes to its discussion of risk criteria (a term I far prefer to either ‘risk appetite’ or ‘risk tolerance’), I believe the Guide makes a very subtle error when it restates the global standard. It starts correctly with “To prioritise your risks, you need to have a scale or terms of reference to evaluate them against; these terms of reference are defined in ISO 31000 as ‘risk criteria’. You must define your risk criteria before conducting a risk assessment.”

However, while ISO 31000 talks about “the nature and types of causes and consequences that can occur and how they will be measured”, the Guide only talks about “the type of consequences that will impact on objectives”.

It omits the word “nature”.

Why is this important?

Almost everybody focuses exclusively on the level of the impact and its likelihood. They don’t consider other aspects of the consequence and whether it is acceptable. These might include:

  • The speed of onset of any potential adverse effect. When bad stuff happens quickly, there is little time to prepare any defense or other response. The faster the impact, the less likely it is to be acceptable
  • The volatility of the risk. When the potential impact can vary significantly, it may be acceptable one minute and unacceptable the next. This should be considered when setting risk criteria
  • The ability or capacity of the organization to address any potential impact. If management takes a long time to make decisions and respond to risk, it may be necessary to set the acceptable level lower
  • The duration and longer-term effects of the risk. How long will any effect endure and how long will it take to recover? The longer the duration, the less likely it is to be acceptable
  • Will this risk, should the impact occur, reduce the organization’s ability to respond to other risks? Not only may a single adverse situation have multiple effects, but it may lower the capacity to absorb other adverse events. For example, one regulatory violation is significant in itself, but it also lowers the ability to countenance a second violation – even if that violation is in another area

The discussion of risk assessment starts, appropriately, with risk identification and says “Risk management is iterative: your list of risks will not be static and will evolve over time”. This is good. Risk identification and assessment is a continuous task.

However, the discussion of risk assessment seems to assume that this is a periodic exercise and heat maps are an effective tool. I disagree on both counts.  Risk assessment should be continuous, and heat maps (as illustrated in the Guide) fail to tell the correct story. They show the size and likelihood of the potential impact, but not whether it exceeds risk criteria. That is what matters, not the absolute level.
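To make the difference between a heat map and an evaluation against risk criteria concrete, here is an added example (it is not from the NSW Guide and not code the author published). It models three of the “nature of consequence” factors from the list above (speed of onset relative to the organization’s response time, duration, and whether the event degrades the capacity to handle other risks) by tightening the acceptable threshold for each factor that applies. All scales, thresholds, penalty sizes and the two sample risks are assumptions chosen to illustrate the point, not values from the Guide or ISO 31000.

```python
"""Risk criteria evaluation vs. a plain likelihood x impact heat map.

Added illustrative example. The 1-5 scales, the penalty of 2 per factor and
the sample risks are constructed assumptions, not values from any standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (minor) .. 5 (severe)
    onset_days: int          # time from trigger to full impact
    duration_days: int       # how long the effect endures before recovery
    degrades_response: bool  # does it reduce capacity to handle other risks?


@dataclass(frozen=True)
class RiskCriteria:
    max_score: int           # baseline acceptable likelihood * impact
    response_time_days: int  # how long management needs to decide and act
    long_duration_days: int  # effects lasting longer than this are tightened
    penalty: int = 2         # threshold reduction per aggravating factor


# Assumed criteria for the worked example.
CRITERIA = RiskCriteria(max_score=10, response_time_days=7, long_duration_days=30)

# Two constructed risks that a heat map scores identically (3 x 3 = 9).
SLOW_RISK = Risk("Supplier cost creep", likelihood=3, impact=3,
                 onset_days=90, duration_days=20, degrades_response=False)
FAST_RISK = Risk("Ransomware on the core ERP", likelihood=3, impact=3,
                 onset_days=1, duration_days=45, degrades_response=True)


def heat_map_score(risk: Risk) -> int:
    """What a heat map plots: size and likelihood of the impact, nothing else."""
    return risk.likelihood * risk.impact


def acceptable_score(risk: Risk, criteria: RiskCriteria) -> int:
    """Threshold this particular risk must stay under, given its nature.

    Each aggravating factor lowers the acceptable score, so the same
    likelihood x impact can be tolerable for one risk and not for another.
    """
    threshold = criteria.max_score
    if risk.onset_days < criteria.response_time_days:   # hits before we can respond
        threshold -= criteria.penalty
    if risk.duration_days > criteria.long_duration_days:  # long recovery
        threshold -= criteria.penalty
    if risk.degrades_response:                            # weakens other defences
        threshold -= criteria.penalty
    return max(threshold, 1)


def evaluate(risk: Risk, criteria: RiskCriteria) -> dict:
    """Compare the risk to its criteria; exceedance > 0 means it is unacceptable."""
    score = heat_map_score(risk)
    threshold = acceptable_score(risk, criteria)
    return {
        "name": risk.name,
        "score": score,
        "threshold": threshold,
        "exceedance": score - threshold,
        "acceptable": score <= threshold,
    }


def assess(risks: list[Risk], criteria: RiskCriteria) -> list[dict]:
    """Rank by how far each risk exceeds its criteria, worst first."""
    return sorted((evaluate(r, criteria) for r in risks),
                  key=lambda e: e["exceedance"], reverse=True)


if __name__ == "__main__":
    for entry in assess([SLOW_RISK, FAST_RISK], CRITERIA):
        print(f"{entry['name']:<30} heat-map score {entry['score']:>2} "
              f"threshold {entry['threshold']:>2} "
              f"{'acceptable' if entry['acceptable'] else 'EXCEEDS criteria'}")
```

Both constructed risks land on the same heat-map cell, so a heat map presents them as equals; the criteria evaluation separates them because one arrives faster than management can respond, lasts longer, and erodes the capacity to handle anything else. Whether a risk sits above or below its criteria is the information a decision-maker needs, and it is exactly what the cell position does not show.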

The section on risk reporting ignores the fact that risk is ‘managed’ every day in decision-making. The Guide says “The frequency and content of reports should be tailored to the needs of individual stakeholders. Those stakeholders will include your Head of Authority or governing board, your agency’s executive, and the Audit and Risk Committee.” Why are stakeholders at lower levels ignored? Every manager is a manager of risk and needs quality information if they are to make quality decisions.

I have issues with some of the points made on barriers to effective risk management.

The first barrier they list is “You do not strongly link it to your objectives”. The problem is that you don’t identify risks and then link them to objectives. You consider the objectives and identify what uncertainty lies between you and achieving (or surpassing) your objectives. When you link risks to objectives and do not take the top-down approach of linking objectives to risks, there is a high risk that you will miss something.

The point on identifying the right risks is good until it says “Your agency’s key decision makers need a concise list of risks that accurately reflects the most significant risks your agency faces.” This may lead people to focus on their ‘top 20’ instead of all the risks that might have a significant impact on the achievement of objectives. It assumes that a small group reviews a list and makes risk decisions, instead of recognizing that every manager makes risk decisions pretty much every day.

What do you think?

Congratulations to Protiviti on 2013 SOX Survey

May 29, 2013 6 comments

After a few years of criticizing Protiviti for the lost opportunities represented by prior years’ surveys, I am happy to say that this year’s publication (available here) is very much better and a useful read for boards, senior financial management, internal auditors, and external audit firm partners and lead managers.

I was pleased to see Protiviti was able to report that:

  • More organizations are refining their scope using a top-down and risk-based approach to identify the combination of key controls to test. Prior reports indicated that management at many organizations had become complacent and accepting of their unrefined scope
  • External auditors were increasing their reliance on the work of internal auditors. I like how Protiviti separated the results of reliance on management testing, first by whether it was performed by internal auditors, and then based on the size of the company

The tables showing the extent of reliance are useful, although they should have asked about reliance on management testing for high-risk key controls rather than assuming it was zero.

However, the extent of reliance is disappointing. Why do so few external auditors place reliance on management testing (especially when performed by internal audit) of at least 75% of both low and moderate-risk controls? I was able to achieve 80% reliance for all key controls at my last two companies!

SOX managers, internal auditors, executives and boards will find other information of use. For example, some will be interested in the analysis of automated key controls.

What do you like/dislike? Are you encouraged, discouraged, or left unmoved?

Reflections on the updated COSO Internal Control Framework

May 17, 2013 13 comments

I am still in the process of my detailed review of the update. However, I have already formed two opinions:

  1. The assertion that “an effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives” is excellent and I am pleased that it comes before any discussion of principles
  2. The assertion that follows, that this (reducing risk to an acceptable level) requires that “each of the five components and relevant principles is present and functioning” creates a serious problem

Let’s examine the problem created by COSO saying that effective internal control requires that all relevant principles are present and functioning. I say ‘principles’ because the Framework asserts that no component can be assessed as present and functioning if there are major issues with any of the related principles.

Rather than taking an approach that requires that risks to the achievement of objectives be identified, and then an assessment made as to whether the combination of controls across all components of the Internal Control Framework reduces the level of risk to acceptable levels (i.e., a top-down, risk-based approach like those recommended in PCAOB, SEC, and IIA guidance), the assessor is directed to assess the principles. This creates a high risk, highlighted by many commentators on the drafts submitted earlier for review, that the assessment will be based on a checklist: a checklist formed by the principles.

Now an argument can be made, requiring some contortions of logic, that the same result as a top-down and risk-based approach is achieved because the principles include the required steps of a risk-based approach (principle 7 refers to the identification of risks, principle 10 identifies control activities that “contribute to the mitigation of risks to the achievement of objectives to acceptable levels”, and principle 11 talks about IT general controls – though they should be included in principle 10). Then, so the logic goes, the assessment is made as to whether there are any major deficiencies (i.e., one that “severely reduces the likelihood that the entity can achieve its objectives”). Does this, in fact, result in the same assessment?

Possible, but unlikely.

  1. As we know from PCAOB and SEC guidance and our experience on SOX assessments, indirect entity-level controls do not necessarily result in a higher risk of failure to achieve objectives (in the case of SOX, the objective is a set of financial statements free from material misstatement). Indirect entity-level controls only create a higher risk that direct controls will fail. Then it is up to the assessor to determine whether, especially considering the quality of monitoring controls, the risk to objectives is greater than acceptable levels
  2. The determination of a major deficiency (see above) is not whether the risk to achievement of objectives is greater than acceptable levels. That assessment, requiring judgment, still has to be made but is not referred to as far as I can tell in the updated Framework
  3. I believe it is likely that an assessment based on the principles rather than risks to the achievement of objectives will result in (a) assessment of principles that are not relevant to the assessment of risk to achievement of objectives, and (b) a failure to consider all the key controls (using SOX language) relied upon to reduce the level of risk to objectives to acceptable levels

Why do I believe this? Just look at the COSO (or PwC) suggested templates for assessing internal control. Do they take a top-down, risk-based approach, or do they instead ask for an assessment of the principles, with yes or no answers and no reference to acceptable levels of risk?

I suspect that over time we will learn how to use the updated Framework while remaining true to the top-down and risk-based approach. But, in the meantime I fear that many will lose their way.

Until now, the choice has been rules-based or principles-based. I always thought that in the case of internal control, principles-based referred to the principle that internal control is not perfect and only provides reasonable assurance that risks to the achievement of objectives are at acceptable levels. PwC and COSO have blurred, in my opinion, the distinction between rules-based and principles-based. I just wish they had gone for “risk-based”.

I welcome your comments.

SAP’s Secret Recipe for GRC

May 2, 2013 4 comments

It is true that SAP has been selling a number of what it calls GRC solutions. (Now that I have retired from SAP I can tell you that I wish they didn’t call them that – which I will explain later.)

It is also true that the so-called Big 4 accounting firms have been explaining how organizations can address their SAP enterprise application access issues using SAP GRC.

So, the first secret, known only to a few, is that what the Big 4 are talking about is SAP’s Access Control suite. (Yes, it is actually a suite of several modules. Some customers make the severe mistake of only implementing a few, easy ones, instead of all of them – but that’s a topic for another post.)

SAP actually has several applications included in its GRC solution set: for enterprise application access, enterprise risk management, continuous monitoring and auditing (including risk monitoring), and global trade management. The middle two (Risk Management and Process Control) are quite nicely integrated, so that risk managers can link risks to controls and obtain assurance that the risks are being addressed by effective controls. The last one, Global Trade Solutions, is probably the market leader in its category but I would argue it doesn’t really fit into the typical “GRC” bucket. It enables management to comply rather than provide capabilities for monitoring compliance. Personally, I love it and would have been a very strong advocate for acquiring it at several of the companies where I was an executive. But, I wouldn’t call it a GRC solution.

The second and bigger secret is that SAP offers far more to those looking to improve their GRC processes than what is included in their GRC solution set. For example, if I were to take (as I have before) an executive position in risk management, compliance, or internal audit at an SAP customer, I would consider the following:

  • The core of my risk management program would be provided by SAP’s Risk Management solution. (Clearly, there are competitive products that would have to be considered, but let’s assume that the value of a consistent technology across my IT infrastructure, the availability of technical support, the continuing investment by SAP, and the potential for integration – discussed in a moment – means that SAP wins.)
  • In addition to the automated risk monitoring capability offered by that solution, I would use SAP’s analytics solutions (in all their forms) to monitor risk levels and warn me when they are outside my risk criteria. That would include using mobile analytics solutions to put risk management information in the hands of the executives and managers running the business.
  • I would use Process Control (or a competitor) for multiple purposes: (a) to manage my SOX program, (b) to automate the testing of configurable and other automated controls, (c) and to implement monitoring (i.e., detective) controls that might replace or, at least, augment my preventive controls.
  • SAP has a number of other solutions that I would consider for risk and transaction monitoring, including within their Treasury and Cash Management, Hedge Management, Trade and Commodity Management, and other solutions. Sybase (an SAP company) has an interesting product called Event Stream Processor that can be used in real time to test activities against defined rules.

If I were, as I said, an executive responsible for improving my organization’s GRC processes, I would not simply go out and get a so-called GRC solution or GRC platform. No. I would understand and define my particular business needs. As a strong proponent of managing risk at the speed of business and providing assurance that risks are managed at that speed, I need a core repository kind of program that is nicely integrated with continuous monitoring and analytics capabilities.

Maybe there’s a better set of solutions for an SAP environment than those offered by SAP. Maybe. But I have yet to see it. It is going to be difficult to persuade me that the advantage SAP has (with (a) its risk management and analytics applications built on the same technology as each other and the enterprise applications, (b) being the largest enterprise application software company in the world, and (c) also being, I believe, the largest GRC software company in the world) doesn’t overwhelm the advantages niche vendors may have with individual points of functionality.

Oh, I said I would explain why I don’t like SAP calling their solutions “GRC”.

  1. What is GRC?
  2. Perhaps because SAP only (or mainly) talks about its GRC solutions, people don’t know SAP has a pretty good risk management solution
  3. Organizations should be looking to address their specific needs instead of acquiring a GRC platform whose functionality is designed to meet an analyst’s needs, not necessarily theirs.

I welcome your views and commentary.

PS – Some of my semi-retirement activities are sponsored and supported by SAP, but all the opinions I share are mine and mine alone – without influence from SAP.

John Fraser talks sense about risk management

April 24, 2013 4 comments

John Fraser is a highly-respected Canadian risk and audit practitioner. He introduced and then for 13 years led the risk management program at Hydro One. John shares his wisdom on effective risk management with both common sense and humor. I like his book on ERM, which you can find on Amazon.

In a new piece, John uses the scenario of a board chairman addressing the board to explain enterprise risk management. It is an easy read, useful for directors, executives, and practitioners.

I particularly like and agree with these comments:

  • [The Chief Risk Officer (CRO)] will report directly to the chief executive officer (CEO) and will champion and coordinate our approach to ERM. Accountabilities for managing risks will remain with line managers as before. The CRO role will provide ways to help us view risks from across our company and to better allocate our resources. The CRO will be a support function helping the management team with reporting to the board, and in coordinating risk activities across the organization
  • [Risk criteria] will help decision makers across the company understand how much risk is tolerable, what is intolerable and where further action is required. These criteria (often referred to as risk appetite, risk attitude or risk tolerance by some) will be updated by management and reviewed by the board at least annually
  • ERM will also involve better and more explicit integration of risk considerations into the strategy development, business planning and execution processes. Everything we do as a company should be done to treat and optimize the risks and uncertainties to achieving our long-term strategic plan
  • We expect that the use of ERM will make everyone’s job easier by leading to greater transparency and foresight into how we manage risks across the organization and this in turn will lead to us achieving our goals with even greater success in the future

John is a big believer in risk workshops, which he used at all levels of the organization including with the board. I agree that they are essential and very valuable, but also believe that some decisions need to be made at speed – when there is little time to convene a workshop. My philosophy is that risk workshops should supplement but not replace a management that is trained and equipped to manage risk as part of everyday decision-making.

One interesting aspect of the risk management program at Hydro One was the edict by the CEO that capital would be allocated based on risk prioritization. Every request for capital had to identify the risk(s) being addressed. This worked well for them in their environment. I am not sure it would work as well in other business environments, but it remains a thought-provoking idea well worth careful consideration.

I welcome your consideration of John’s piece and my comments.