The Serial Failure of Item 1A Risk Factor Reporting

It's time to replace Risk Factor reporting with comprehensive reporting on governance, risk and compliance (GRC).

Call it ERM or whatever you please.

Beginning in 2005, the SEC required filers to include qualitative disclosures of risk factors in Item 1A of their annual 10-K forms. Item 1A Risk Factor disclosures have consistently failed to predict critical risks.

Over the years, here is a short list of risks that have been missed.

Fraudulent financial reporting, cyber risks, supply chain failures, climate change, earthquakes, hurricanes, technological obsolescence, shifting consumer tastes, not to mention pandemics.

For that matter, most lesser operational risks have been “surprises”. Yet they were either known or knowable.

We need to understand not just what bad things can happen. We need to understand our ability to predict and manage them, and to make the personal and business decisions that allow us to achieve objectives.

Here is a headline from one company’s recent Item 1A Risk Factor filing.

“Future operating results depend upon the Company’s ability to obtain components in sufficient quantities on commercially reasonable terms”.

Profound? Hardly. Is this useful information? Can you make a buy/sell decision based on this disclosure? You be the judge.

If your company is listed on an exchange outside the SEC's jurisdiction, you probably have another, but similar, risk reporting requirement. It's probably not much better.

Today corporate lawyers and others condense information about business risks into dense, boilerplate, impenetrable prose, based largely on what was reported last year and what competitors are reporting. It is essentially a legal document designed to protect the corporation from liability. It is not intended to provide insights to help investors price the business risks. Its purpose is to say “I told you so”.

Isn't bad risk information worse than none at all?

The Opportunity

The concept of integrated GRC exists. But it's largely an unfulfilled fantasy. Few of the various professions and practitioners share the vision of an integrated report. Professional standards requiring, let alone guiding, integration don't exist. OCEG alone provides comprehensive criteria for principled performance.

All GRC professions and practitioners profess that they add value. Value doesn't just mean feeling good about what you do. There is no better way to demonstrate value than to guide the decisions made by executives and investors and demonstrate the impact on performance and economic value of the enterprise.

The chief arguments against expanding Item 1A reporting are that it would expose companies to liability and advantage competitors. That argument can be made for any mandated disclosure today, including financial statements.

It's not enough for an accounting department to produce journal entries. They must produce financial statements.

It's not enough for GRC professionals to produce “findings”. They must produce knowledge that explains and predicts performance and informs decisions.

There is no chance that integrated GRC reporting will evolve spontaneously. It must be driven from above. Mandated public reporting of GRC status and business objectives will drive integration.

What Would Consolidated GRC Reporting Look Like?

Instances of consolidated GRC reporting are rare, but they do exist. One of my favorites was developed by Saret Van Loggerenberg, now Group Company Secretary and Legal at Exxaro Resources. She demonstrated that the 1st line of defense is willing, if not eager, and able to engage in risk management activities if they help achieve objectives and enhance performance. Her initiative began around 2012, and the results of that initiative are reported in a recent annual report.

During my time at SAP, my colleague Thomas Frenehard demonstrated the power of technology to pull GRC data into a digital board room environment. As powerful as it was for me, it tapped into no more than 25% of the potential it holds for business. The potential is huge.

My colleague Tim Leech has worked for years to challenge conventional thinking and develop technology, tools and capabilities to advance and transform professional practices. Here is an example of a simple dashboard which has potential for use in reporting. Corporate objectives can be listed along with the certainty of achieving them. Underlying the certainty rating is extensive documentation of GRC information.

Never in history have so many resources, people, technology and tools been dedicated to the examination of GRC. Never has so much activity produced so little knowledge.

What innovation exists has come from, and will come from, the edges of the profession, not the center. Transformation has never been more necessary.

Should we consider our failure to offer integrated GRC reporting as the leading Risk Factor in Item 1A Risk Factor Reporting?

Maybe we should look forward to the future and hope that the concept of fraudulent GRC reporting emerges. That would be a sign of progress. In order for fraudulent GRC reporting to exist there must be a correct way. Today there is none.

What do you think? Are you ready to begin this journey?
Have We Reached the Tipping Point in Risk and Compliance? Is It Time Now to Connect the Dots?

Thanks to the perseverance of risk and compliance professionals and automation we have built silos where domain specific risks are managed in very granular detail. This data has unexploited strategic value.

The silos exist within all risk domains. We need to begin to connect the dots across the silos. There is no other way to grow as a profession.

Strong silos are a sign of a maturing profession. But professional growth requires the development of an overarching framework that creates actionable knowledge from siloed risk and compliance information.

Think of the development of financial statements, driven by double entry accounting, which forced the linkage of financial accounting silos to create financial statements. Reporting Accounts Payable balances alone is not useful. It's necessary to connect those balances to Inventory, Operating Expenses and Cash accounts to create knowledge and make decisions.

Unconnected risk and compliance reporting using risk registers, heat maps, lists of effective and ineffective controls, and stacks of single-issue audit reports suggests we have not linked the silos.

We have great data in the risk and compliance silos. We need to get it linked to what the business cares about. Data in the risk and compliance silos must be categorized and linked to explain and anticipate business performance and how objectives will be achieved.

The Art of the Possible

Several years ago, a colleague of mine at SAP demonstrated how technology (SAP technology in this case) can be used to connect the dots across several silos of risk and compliance information and link the siloed results to business objectives.

Thanks to SAP this demo is publicly available on YouTube. It's about 8 minutes in length but well worth the time.

As you watch the demo, imagine the addition of key risk indicators, risk drivers, performance data, and audit data providing assurance and root cause analysis.

Imagine also that the data would be updated instantly every time events such as loss incidents, control test failures, audit findings or any one of dozens of potentially triggering events occurred. Finally, imagine instant drill down capability to a very granular level.

Among other things business executives would then be able to instantly:

  1. Anticipate how external and internal risk drivers will impact objectives.
  2. Compare risk and compliance practices between different organizations and over time.
  3. Understand the root causes of failure and ineffective controls.
  4. Drive down the cost of control by balancing risk appetite with control cost.
  5. Determine the most cost-effective control portfolios and risk responses for given objectives and risks. (See also my blog offering a Strategic Perspective on Risk and Compliance.)
  6. Allocate risk and compliance resources, including audit, to where they are most needed.
  7. Assess the performance of risk and compliance professionals and their contribution to business performance.

What’s Blocking Progress?

Technology for connecting the dots exists today. The data that needs connecting is available. Risk and compliance professionals are competent and motivated. In my view the next step is getting the silos aligned to a common goal, but silos must remain independent and strong. In my experience, although risk and compliance professionals talk about adding value and contributing to performance, they are primarily aligned with the professional standard setters who give them accreditation. To meet their professional standards, auditors are required to audit, risk professionals are required to identify and assess risks, control professionals are required to test controls, and compliance people are focused on compliance, or obedience. None of the silos are judged by their contribution to business performance. The sum of all their work is unconnected data. That data only has value when it's connected.

I have seen very little evidence of cross-silo collaboration in my career. And that may be an overstatement. Alignment must come from the top. It's unlikely to appear spontaneously from the silos.

Customer reactions to the demo above were polarized. Executives and boards were extremely interested. Most risk and compliance professionals were indifferent at best.

For those of you who want to connect the dots, my suggestion is to start at the top of the organization and create demand with a vision. Use the vision to align and mobilize.

A Recipe for Connecting the Dots

Consistent methodology is critical to connecting risk and compliance data. Here is an example that illustrates the need for consistency and structure.

My pharmacist usually recommends generic versions of my prescription medication. She claims the ingredients of the generic drugs are the same as the ingredients in the branded versions, so why pay more? I pointed out that the key ingredients in a fine soufflé and the ingredients in burnt scrambled eggs are also very similar. The ingredients are important, but the recipe used, the skills and training of the chef, the cooking process and the equipment used are equally important. To consistently produce the same result and to scale the process, a standard methodology must be used.

Tim Leech, a former partner and colleague and now the owner of Risk Oversight Solutions, has used a version of this model for many years.

Every risk and compliance silo creates information that fits somewhere in this flow line. All the dots are here and the logical connections between them are apparent. In this case, all the information gathered is linked in some way to a business objective. Variations of this approach are possible and other approaches may work as well.

But by using a standard methodology, everyone understands what information is created, who created it, and what it means. In order to integrate, risk and compliance practitioners, like chefs, must all follow the same recipe.

A standard methodology provides a recipe for determining and linking all the different data produced by risk and compliance practitioners. Standardizing the data means it can come from any practitioner or “silo” and be understood as part of the whole.

Adding the Ingredients

Most of the aggregation failures I have seen have been at the silo level. Invariably they have been caused by too much uncategorized granular data. We need to see the forests. Silos give us the trees. What data to link, and how much of it to gather, is a topic on its own. I'll share my thoughts on the ingredients in a separate blog. But as with any recipe, you'll need to be selective in the number and quantity of ingredients, and you must adjust the flavor for the audience. It's an art in itself.

In the words of Russell Ackoff:

The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter. Therefore, it is better to do the right thing wrong than the wrong thing right.
Risk management won’t add value unless it starts with value drivers

Risk and compliance professionals want to be “trusted advisors”. To do this they need to help add value to the business. They usually fail because they don't know where to start. My simple premise is that you can't add value if you don't understand where value lies. Here are some clues I found helpful.

Hint 1: Value, in economic terms, is usually not found on the balance sheet or in an org chart.

Hint 2: It changes periodically as the business environment changes.

Hint 3: It tends to be industry specific. Your competitors are managing the same risks. You need to do it better.

Hint 4: Equity analysts will tell you. So will credit rating agencies.

Hint 5: Traditional financial metrics may be useless, but the outcome will have financial implications.

Mismatches in Risk and Compliance Management

Example 1: Years ago I was general auditor of an oil and gas company. My staff consisted of financial and EDP auditors focused primarily on verifying the existence and value of product inventory at refineries, in pipelines, in terminals and in bulk storage facilities across the country.

Equity analysts on the other hand made buy/sell recommendations based entirely (at that time) on our ability to add and produce oil and gas reserves cost effectively. The value of proved reserves far exceeded the value of crude and product inventory. Calculating proved reserves involves an understanding of geology, engineering and economics. My audit resources were totally mismatched with the value creation by the business. I needed geologists and engineers as well.

Example 2: In the late 1990s a French equity analyst firm decided to study the world's airlines to make recommendations for their clients. (I'd love to find the report again. It's in an old file I cannot locate.) What did they look at? Not airline capacity, not routes, not operating costs, not aircraft. They decided to base their recommendations entirely on their assessment of each airline's customer experience, from reservations, through check-in and inflight service, through to baggage handling. (Remember, I did say that value adding activities change over time.)

The list of today's major surviving global airlines matches the analysts' conclusions almost perfectly. The airlines they considered weak in terms of customer experience have been merged or are gone. But customer experience is no longer the value determinant on the airlines I fly.

Example 3: It's been a long time since I have been in an audit role. I'm not sure what auditors in ERP vendors spend their time on these days. But I do know what drives share value. I believe it's the rate of growth in Cloud revenue.

Value Lessons to Learn

Here is what I know for sure. To add value today, risk and compliance professionals need to focus on three things.

1. Understand what drives your business value.

Lesson 1: Look at the Section 1A Risk Factors in your annual filings and in those of your competitors. The Risk Factors describing your value adding activities can be interpreted as inverted objectives, each of which can have a performance metric.

Lesson 2: Understand the business activities, processes or objectives, including the business risks and risk responses, that add that value. Example: in oil and gas at the time it would have started with the acquisition of land and continued with seismic evaluation, exploration and development activities and processes. Given today's prices and reserve levels, I suspect refinery efficiency, capacity and distribution systems drive value now.

Lesson 3: Scan the horizon for changes in the environment. The value drivers will change according to competitive, economic, technological and other factors. The first to figure out the new value drivers will win.

Conclusion: My experience tells me that most risk and compliance professionals are still wandering around looking for, but not adding, value. My experience tells me that value adding activities may account for only 20% or less of the business, with the balance consisting of critical and non-critical core activities that support the value adding activities and compliance.

I’d love to hear your views. Reach out to me directly or leave a comment.

“… almost every problem confronting our society is a result of the fact that our public policy makers are doing the wrong things and are trying to do them righter. The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter. Therefore, it is better to do the right thing wrong than the wrong thing right.”

– Russell Ackoff

Pandemic! Who Knew? What Now?

We need far better public reporting of risk factors. The tools and technology are available. Practices must improve.

Like many of the posts on GRC and COVID-19 these days, this one is another case of closing the barn door after the horse has escaped. But it's sometimes worth looking back, not to assign blame but to learn for the future.

For years I have worked with internal auditors and risk managers. In the case of internal auditors, building a risk rated audit universe is critical. Internal auditors need to prioritize their resources to the most critical risks. For risk managers, identifying and managing the right enterprise risks was usually the topic. In either case, assigning resources to the right risks seemed worthwhile.

Who Knew?

One rich source of information, usually regarded with indifference, if not contempt, by GRC professionals, is Section 1A Risk Factor reporting in corporate 10-K filings and in similar filings in other jurisdictions. I can't think of a single audit or risk management client who regarded this as useful information that could inform their work. Indeed, risk factor reporting is very broad and general. There is no formal risk assessment, no ranking of risks, and little if any graphical information is provided.

But risk factor reporting is usually quite comprehensive in terms of categories of risks and their impacts, even if it lacks an analytical perspective or an objective focus. I think of it as raw data that could drive knowledge and action.

With this thought in mind I thought I’d download and search a few annual reports and filings from several global pharmaceutical companies, global insurance companies and global manufacturers. It seemed to me the first two of these industry groups at least would be very susceptible to losses as well as opportunities from pandemics. Other global companies would potentially suffer business interruption as a minimum. All would have some stake in managing the risk.

So far, I've looked at only a handful of company annual reports. Pandemic was disclosed as a risk factor in about 40% of cases in my small sample. Interestingly, companies in the same industry failed to disclose it consistently. (One would think that if pandemic was a risk for one financial institution, others would see it too. They didn't.) But where pandemic was listed as a risk factor, the description of impacts was as grim as what we are experiencing.

What Now?

Where should internal auditors and risk managers spend their time if not on critical risks with catastrophic consequences or opportunities?

Research, corroborated by my many years of experience, shows they spend most of their time, some studies suggest in excess of 90%, on tactical operational risks in mature business processes. That is, managing known risks and known responses to known risks. Who needs that?

I suggest GRC professionals review and assess their corporate Risk Factor reporting.

– Is your business affected by the current pandemic?

– Was it disclosed in your filings?

– What other risks are described and how are you taking them into account in your professional activities?

– How is your organization responding to risk factors?

– How are your GRC resources responding to risk factor reporting?

– How can stakeholders benefit from the information?

– How can risk factors be incorporated into business objectives and how can they drive business performance?

In short, how can we make public risk reporting better? We may not be able to prevent pandemics. But we can do a far better job of rating, prioritizing, assessing and reporting risks. Pandemics are not a Black Swan event. They occur regularly.

The methodology, technology and skills necessary to dramatically transform risk management and tie risk management to objectives and performance exist today. Implementation must reach a far higher standard.

Can Internal Audit Be Agile?

Should It Be?

I've always been uncomfortable with the term “agile” when applied to GRC generally or Audit specifically. I guess I still have some internal auditor left in my DNA, but it sounded like the flavor of the month. “Agile” seemed a little too furtive and vague to be an attribute to aspire to. It's serious stuff, and success requires consistent practices and methodology. Agility didn't seem to fit.

I was reminded of my aversion recently by a blog by Norman Marks (Why does internal audit need to be agile?). While he questioned the use of the term “agile”, he did propose some alternative terminology and audit practices that I totally support.

My thoughts on what we now consider agile are in a paper called “It's Time for Auditors to Get Out of Control”, published in the on-line edition of Internal Auditor.

I am also convinced that the perception of internal auditors is not aligned with the characteristics of agile behavior or practices as illustrated below.

Agile synonyms: athletic, buoyant, energetic, lively, limber, graceful.

Agile antonyms: apathetic, depressed, dispirited, down, dull, ignorant.

The underlying belief driving Agile project management is that “best business value emerges when projects are aligned to clear business goals, delivered frequently and involve the collaboration of motivated and empowered people”.

If that is what agile means in a business sense, I am on board. But what does it mean to internal auditors? Let me suggest a few areas where agility is needed from internal auditors.

  1. Adding Business Value: The first premise is that internal auditors must add value. As things stand today, I do not believe most internal audit resources and practices are focused on value adding activities. Business adds value by managing strategic risks. Studies show that audit resources are focused instead on critical but non-value adding activities. Strategic risks can be derived from the Risk Factors reported in regulatory filings. My personal experience is that the reported Risk Factors are not a major input in creating an audit universe and defining auditable entities.
  2. Clear Business Goals: My experience is that most value is derived from achieving relatively few business objectives. In my experience with a global oil and gas company early in my career, most of the value of the business was derived from finding oil and gas reserves. The company had to achieve dozens of other objectives to stay in business. But finding and producing oil and gas reserves drove the share price. Failure in other areas could drive value down. But preserving value, in my view, is management's role. Internal audit can only add value if it focuses on where the value is.
  3. Deliver Frequently: This is where Norman Marks hit the nail on the head. Every audit project needs to be as short as possible. Documentation must be minimized. Long audit projects suggest a lack of focus. Excessive documentation does not add value. I was a CAE before work paper automation took hold. Our files were paper files. We used our audit file room as a conference room. Meetings were seldom disturbed by someone looking for an audit file. And when we were, the old file was used to plan the new audit, making the same mistakes as the first and producing another file no one wanted. Creating unnecessary documentation does not add value. Automating unnecessary documentation is not progress.
  4. Collaboration of Motivated and Empowered People: The internal audit profession values independence, and rightly so. But independence does not mean isolation. Independence is required to exercise judgement. It should not be used as a barrier to collaboration. Risk and control self-assessment practices are a measure of collaboration, and they have not flourished and have not evolved. Unreliable self-assessments are a measure of the organization's ability to be agile, and a measure of the skill of the auditor. Business and internal audit resistance to proven self-assessment practices can be a sign that internal audit is not aligned with business goals.
  5. Achieving Agility in the Business: The single biggest contribution internal audit can make to create or increase agility in the business is to streamline internal controls and allow the business to take more risk. In my experience the ratio of internal audit recommendations that increase “controls” (I am referring to the number of controls primarily, not the level of control) to those that reduce controls is about 50:1. I believe careful design of control portfolios at the portfolio level could reduce the number of controls by 30-40% without having an adverse impact on overall control effectiveness. Specifically, I am calling for the assessment of internal controls at a portfolio level for a given objective or process. That is only possible if the focus is shifted to business objectives.

The bigger issue is not whether internal auditors can embrace agile behaviors and practices. No doubt some of the requirements of the IPPF may present some obstacles, but none should be major. The bigger issue is whether internal audit can help make the business agile.

The words of Russell Ackoff provide some guidance on how to be agile:

“The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter.”

Please visit me at www.riskrevisionist.com

Bruce McCuaig

Quick Reaction to “OnRisk 2020: A Guide to Understanding, Aligning and Optimizing Risk”

Refreshing and powerful new insights from the IIA

This report, available here, is a must read for anyone interested in scaling and sustaining risk management to drive business value. It's not necessary to agree with the report's approach or conclusions. The question is, can we build on and refine practices from this starting point? The answer to that is yes. Even its flaws have virtue.

Top 3 Things to Like

1. A Fresh Perspective

According to the report “Managing risk is the art of building value while understanding what can be gained or lost from action or inaction, the foreseen or the unforeseen, the planned or the unplanned”.

With that kind of statement, I was hooked. Recognizing the dual nature of risks is essential but, in my experience, this has not been a belief widely associated with internal auditors. It opens all kinds of possibilities and directions.

2. No Risk Heat Maps

The standard medium for risk conversations has for years been risk heat maps. They are refreshingly absent. You will find very little dogma here. In its place is much needed intelligence and fresh perspective.

3. Innovative Methodology

The report was based on quantitative and qualitative surveys and provides interesting, original and innovative graphics to present its conclusions. The “alignment triangles” should prompt discussion and progress.

Top 3 Areas to Explore Further

1. Better Categorization of Top Risks

There are many ways to define top risk categories. The report lists 11 risks from among the vast assortment likely to be experienced in organizations. I'm a bit of a stickler for taxonomy. Some categories seem to describe the nature of the risk (Cybersecurity), some seem to describe the area of impact (Data Protection), some seem to reflect where the risk occurs (Third Party) and some seem to describe “controls” (Talent Management). In my experience it helps to have a common standard for defining risk categories. It's important to keep the list short while making it inclusive.

One way to do that is to define categories of risk drivers or risk sources. For example, Digital Innovation is a category of risk drivers that causes a wide variety of risks. Other broad categories might be competition, consumer behavior, employee engagement, etc. The number of risks that can occur is almost infinite. The factors that drive those risks are far more finite and possibly more useful to start with and study.

2. More Risk Views

The report captures the views of the Board, the C-suite and the CAE. I think it would be extremely useful and informative to add the views of the CRO, the CCO and the 1st line of defense to gain a richer understanding.

3. Tools for Managing Risk Stages

Auditors are typically charged with assessing the effectiveness of internal control. The report identifies and defines 4 constantly evolving stages of risks and describes the characteristics of each. Let’s think through some guidance for all GRC professionals in approaching each stage. Is it the role of GRC professionals to guide the business through these stages? Are there existing tools and technology capabilities that could assist?

Congratulations to the IIA. In his introduction, Richard Chambers, President and CEO, describes this as the inaugural edition of an exciting new report from the IIA. I am looking forward to seeing more of this kind of research. Kudos to the IIA.

In the words of Russell Ackoff:

“The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter.”

Visit my website at http://www.riskrevisionist.com

Bruce McCuaig

Internal Controls: Designed to Fail or Designed for Failure?

All controls will fail. They will fail at a predictable rate. Internal controls not designed for failure are designed to fail.

The week of Oct 14 was “Risk Awareness Week” (RAW), a series of interactive workshops. The workshops were designed to raise awareness about risk management applications in planning, forecasting, budgeting, construction, investments and performance management, and are intended to significantly enhance decision making.

The tools and techniques discussed provide an objective basis for understanding risks and making sound decisions. I was inspired by what I heard and saw in these presentations.

But what does this have to do with designing, implementing and assessing control effectiveness? The answer today, unfortunately, is almost nothing.

The standards for internal control design, implementation and assessment are largely devoid of any rigorous quantitative analysis, any simulation, any modeling or any recognition whatsoever of human behavioral response. They are designed to fail.

Risk treatment strategies in other fields are designed to treat predicted failure rates and offset known negative impacts. In other words, what we call “controls” are designed based on predictable failure rates. They are designed to achieve outcomes despite control failure.

There is plenty for auditors and other control practitioners to learn from these RAW workshops.

Measuring “Effectiveness” Requires Measuring Failure

Any assumption that a given control can ever be 100% effective is fundamentally flawed. Controls will always fail. But the rate of failure is predictable, and the nature of failures can be determined and offset.

Designing Controls for Failure vs. Designing Controls to Fail

Goal
  For failure: Achieve a defined desired outcome.
  To fail: Achieve a “control objective” rather than a defined business outcome.

Success criteria
  For failure: Evidence that the treatment contributes incrementally to the outcome.
  To fail: Evidence that the treatment (e.g. the control) is performed as intended.

Strategy
  For failure: Anticipate and manage failure. Effectiveness is defined as achieving targeted failure rates with acceptable negative impacts.
  To fail: Anticipate 100% compliance. Detect and correct failures. Effectiveness is zero failures. Negative impacts are not considered.

Failure criteria
  For failure: Adverse impacts or side effects outweigh benefits.
  To fail: Failure to perform the treatment (e.g. the control).

Remediation measures
  For failure: The objective is achieved through a variety of complementary treatments that offset the expected failure rate. The treatment is designed to recognize failure.
  To fail: Forced compliance with the treatment (e.g. the control). The treatment becomes the objective. Failures are considered “deficiencies”.

Example 1 – Designed for Failure

When seeking regulatory approval for a new drug, manufacturers must conduct extensive fact-based research. One pharmaceutical product with which I am familiar has been proven scientifically to achieve specific beneficial clinical outcomes. However, the research behind its “effectiveness” shows that despite its proven ability to achieve results in most patients:

  • 20% of those taking the medication unintentionally skip 30% of their doses,
  • 15% stop taking the medication because of its side effects, and
  • in a small number of cases potentially fatal reactions occur.

This drug was considered “effective” and approved for use. Measurement of effectiveness is based on the outcome. The rate of and reasons for failures are known and predictable. They are not deficiencies. They are reality.

Physicians try to offset the known failure rates and negative side effects with other complementary measures. They recognize that humans will exhibit a behavioral response to the medication. They constantly measure success against the outcome desired.  The goal is cure, not treatment.

Example 2 – Designed to Fail

A business decides to reduce the incidence of fraud and error through the introduction and automation of a “treatment” such as Segregation of Duties (SoD).

In my experience, here is how I would assess the “effectiveness” of SoD using the logic of the FDA. (These examples are based on my experience. Yours may differ).

  • Approximately 20% of the time SoD is deliberately breached (through shared passwords, pre-signed forms or other means).
    • A small portion of these breaches result in fraud or abuse. The specific rate of failures resulting in fraud or abuse is knowable and predictable.
  • SoD increases elapsed time for procurement in critical processes by 10% on average.
  • SoD adds about 2-5% to the total economic cost of an average procurement transaction.
  • SoD requirements are often a powerful disincentive to incur operating costs or invest in the business and may have a negative impact of 2-3% on profitability.

In the world of GRC, SoD is generally considered “effective” simply if it is implemented. The compliance rate is not predicted or known, and the negative impacts are not recognized.

When the treatment, not the outcome, is the criterion for success, failure is inevitable.

No attempt is made to measure or predict the failure rate, and negative impacts are not recognized. If breaches of SoD are detected, the remedy is more enforced compliance. If a breach of SoD results in fraud, it is considered a failure of SoD. Such reasoning is tautological and leads to endless destructive repetition.

It is not a failure of SoD. It is a failure of control design.

When the “effectiveness” of a control is judged by the degree of compliance with the control, and not the outcome sought, then that control is designed to fail.

Designing Controls for Failure: What Needs to Change

Define the intended outcome: The business objective is paramount. Abandon the notion of “control objective”. In my example above, if 100% of the patients took 100% of their doses but the desired clinical outcome was not achieved, the treatment can’t be considered effective. The control objective would be met, but the goal of medical treatment is to cure. The goal of internal control is to achieve business objectives, not control objectives.

Recognize and Assess Adverse Impacts: The cost of some treatments exceeds the benefits. Assess the importance of the outcome and weigh the adverse impacts of treatment as part of the design decision.

Define Deficiencies Carefully: A deficiency should be assessed against the target failure rate. Correcting a deficiency must improve performance against the outcome. Tolerate control failures within the target range or change the target range and accept additional adverse impacts.

Recognize Human Behavior: There is a reason COSO created the “Control Environment” category as a root cause of failure. Over 50% of reported deficiencies under SOX are related to Control Environment. Your control portfolio must recognize and enroll the human behavior needed for success.

Design Control Portfolios for Failure: Controls work in combination. Assess the effectiveness of the entire portfolio, not individual controls. My experience suggests that the ratio of controls to risks at clients is about 5:1. That ratio should be reversed.

Add Risk Management Tools to your Toolkit: Learn how to apply the quantitative analytical tools of risk management professionals. Predict failure. Model control portfolios for effectiveness. Drive efficiency and effectiveness into internal control.
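The changes above can be put in numbers. The following Python model is an added example, not code from the original post: it takes the kind of figures quoted in Example 2 (SoD breached about 20% of the time) and judges a portfolio of controls by its residual failure rate against a target, nets the adverse impacts against the loss avoided, and contrasts that with the compliance view that flags every control performed less than 100% of the time as a deficiency. The control names, rates, costs, the loss per event and the independence of control failures are all assumptions made for illustration.

```python
"""Designing a control portfolio for failure.

Added example, not code from the original post. Each control is described by
the rate at which it is actually performed (SoD breached 20% of the time means
performed = 0.80) and the chance that, when performed, it stops the event.
Effectiveness is judged by the portfolio's residual event rate against a
target, and deficiencies are defined against that target, not against 100%
compliance with any one control. Every rate and cost below is an assumed
example figure.
"""
from dataclasses import dataclass
from typing import Dict, List
import random


@dataclass(frozen=True)
class Control:
    name: str
    performed: float    # P(control is actually carried out)
    stops_event: float  # P(event is stopped | control performed)
    cost: float         # adverse impact per transaction, in currency units

    def miss_rate(self) -> float:
        """Probability this control alone lets the event through."""
        return 1.0 - self.performed * self.stops_event


def portfolio_residual_rate(controls: List[Control], event_rate: float) -> float:
    """Rate of adverse events that survive every control in the portfolio.
    Assumes the controls fail independently; correlated failures (one shared
    password defeating two controls at once) would raise this figure."""
    miss = 1.0
    for c in controls:
        miss *= c.miss_rate()
    return event_rate * miss


def assess_portfolio(controls: List[Control], event_rate: float,
                     target_residual_rate: float, loss_per_event: float) -> Dict[str, float]:
    """Outcome-based assessment: a deficiency means the target failure rate is
    missed; net benefit nets the adverse impacts against the loss avoided."""
    residual = portfolio_residual_rate(controls, event_rate)
    gross_loss = event_rate * loss_per_event
    residual_loss = residual * loss_per_event
    adverse_cost = sum(c.cost for c in controls)
    return {
        "residual_rate": residual,
        "deficiency": residual > target_residual_rate,
        "loss_avoided": gross_loss - residual_loss,
        "adverse_cost": adverse_cost,
        "net_benefit": gross_loss - residual_loss - adverse_cost,
    }


def compliance_deficiencies(controls: List[Control], required: float = 1.0) -> List[str]:
    """The 'designed to fail' view: any control performed less than `required`
    of the time is a deficiency, whatever the outcome."""
    return [c.name for c in controls if c.performed < required]


def simulate_residual_rate(controls: List[Control], event_rate: float,
                           n: int = 200_000, seed: int = 7) -> float:
    """Monte Carlo check of the analytic rate: roll each control per event."""
    rng = random.Random(seed)
    survived = 0
    for _ in range(n):
        if rng.random() >= event_rate:
            continue                      # no adverse event on this transaction
        for c in controls:
            if rng.random() < c.performed and rng.random() < c.stops_event:
                break                     # some control caught it
        else:
            survived += 1                 # every control missed
    return survived / n


# Assumed example portfolio for a procure-to-pay process.
PORTFOLIO = [
    Control("segregation of duties", performed=0.80, stops_event=0.90, cost=30.0),
    Control("vendor master verification", performed=0.90, stops_event=0.50, cost=10.0),
    Control("post-payment analytics", performed=0.95, stops_event=0.60, cost=5.0),
]
EVENT_RATE = 0.02            # fraud or error attempts per transaction (assumed)
TARGET_RESIDUAL = 0.002      # tolerated surviving events per transaction (assumed)
LOSS_PER_EVENT = 5_000.0     # currency units per surviving event (assumed)


if __name__ == "__main__":
    print("compliance view flags:", compliance_deficiencies(PORTFOLIO))
    print("SoD alone:", assess_portfolio(PORTFOLIO[:1], EVENT_RATE, TARGET_RESIDUAL, LOSS_PER_EVENT))
    print("portfolio:", assess_portfolio(PORTFOLIO, EVENT_RATE, TARGET_RESIDUAL, LOSS_PER_EVENT))
    print("simulated residual rate:", simulate_residual_rate(PORTFOLIO, EVENT_RATE))
```

Run as a script it prints the compliance view (every control flagged as deficient), the outcome view for SoD alone (misses the target) and for the portfolio (meets it with a positive net benefit after adverse costs), and a Monte Carlo estimate that agrees with the analytic residual rate to within sampling error. The independence assumption is the one to challenge first: a shared password that defeats SoD and the vendor check together makes the true residual rate higher than the product of the individual miss rates.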


Is Enterprise Risk “Accounting” (ERA) Blocking Enterprise Risk Management (ERM)?

In reflecting on the state of Enterprise Risk Management (ERM) recently (I will use the term ERM generically for all its current variations), I have come to conclude that ERM is far from reaching its potential and may be in a state of decline.

As a profession we have developed what I will call Enterprise Risk Accounting (ERA) capabilities. ERA practices are sometimes useful and in some cases mandatory. But they differ dramatically from Enterprise Risk Management (ERM) and should not be mistaken for or substituted for ERM.

Much of what we call ERM today is, in fact what I would call ERA. They are far from the same thing. Confusing ERA for ERM may be blocking progress.

Characteristics of Enterprise Risk Accounting (ERA)

Very little real “management” is involved in ERM today. Today’s risk “management” practices look much more like “accounting” for risks than managing them. (Fair disclosure: I am a professionally qualified accountant and former auditor and have been an unwitting risk accountant as well as a risk manager.)

Many of our risk management initiatives are guided by the risk management standards and guidance we follow but seem to embrace the paradigms of the accounting profession.

Enterprise Risk Management, as often practiced today, is focused on past events, not the future; it is focused on what is known or clearly predictable rather than on decision making under uncertainty; and it is focused on identifying, classifying and reporting what has happened, not on managing uncertainty and making decisions.

In my assessment most risk responses today are largely limited to COSO Control Activities. We have fallen into the “I have a hammer; we need to find nails” way of thinking. Only risks susceptible to Control Activities tend to be accounted for. As if risks were debits, we try to balance the ledger with Control Activities.

For a risk to be included in the scope of most ERM initiatives, it probably has already happened. If it is likely to happen but hasn’t yet, it might be “accrued” by adding it to the Risk Ledger (aka Risk Register).

Risks that have already happened or are clearly predictable exist in mature business processes. Why do we focus on these risks? It is self defeating.

Let me be clear. I am not opposed to “risk accounting”. But risk accounting is not risk management, and it may not help the business.

Characteristics of Enterprise Risk Management (ERM)

While ERA is focused on identifying events, ERM should be focused on predicting them. That’s often not the case today. COSO ERM guidance, for example, classifies risks into one of four types: Financial, Compliance, Strategic and Operational. I agree that these are useful ways to classify business activities. And when risk events occur, maybe we can use these categories to assign them. But risk management needs to predict risks, not account for them after they occur, and to anticipate risks we require an understanding of the events and conditions preceding the risk event. These COSO risk categories tell us where we can “book” the risks in the Risk Ledger but nothing about their cause. That’s risk accounting, not risk management.

The first step in ERM should be identifying broad categories of risk drivers. If we want to prevent fires, we need to understand what causes a fire. Fire extinguishers don’t prevent fires. If we rely on fire extinguishers, we are accepting that the risk event will occur. That’s risk accounting. If we want to prevent fires, we need to eliminate flammable materials and sources of ignition. That’s risk management. Underlying every risk is some type of preceding event or condition. Understanding those events and conditions and how they behave is risk management. Classifying the risk event after the fact is risk accounting.

ERM must focus on key value-adding activities where the future is uncertain and volatile. Evidence suggests that most of what we call risk management takes place in mature operational processes where most risks are known and predictable. By my definition, 90-95% of risks in operational processes are well known. Listing and assessing them is risk accounting.

Risk management, for example, should tell us how trade barriers and tariffs will impact supply chains, currencies and markets. And it should have told us that two years ago. Evidence of the lack of anticipation of risk drivers is the newly “emerging” fields of Digital Risk and Third Party or Supply Chain Risk. Why could we not anticipate fraudulent financial reporting by examining executive compensation trends years ago? If we were managing risks, we would have seen them coming. These examples are all risk management failures, but we can consider them risk accounting successes.

Every year I see lists of “emerging risks”. Every “emerging” risk I have seen on anyone’s list has already emerged. It wouldn’t be on the list if it hadn’t. We’ve been looking over our shoulder for emerging risks when we should be looking over the horizon.

Risk managers must look at emerging risk drivers before they drive the risks. Risk managers today should be evaluating the impact of digitization and other significant technological, social, economic, political or environmental trends.

I attended a presentation recently where a well-known clothing brand was evaluating whether social changes would result in the elimination of gender-based clothing and what they needed to do to survive in that environment. That’s risk management. If they wait for the risk to happen, it’s too late to manage it. It becomes another risk accounting story. Ask Blackberry or Blockbuster.

Practicing Enterprise Risk Management

I’m not sure how to make the conversion from ERA to ERM. It’s probably best to keep them separate. There is room for both, but let’s recognize the differences. Here is some advice you may wish to consider. Please also take another look at

  1. Focus ERM on value-adding activities rather than mature operational processes. Value-adding activities probably make up no more than 30-40% of your overall business activities. Risk management is useful where your business is investing capital and where you want it to grow.
  2. If you are having risk or control issues with the performance of mature operational, financial or compliance processes, you probably need to shuffle or replace management. ERM and ERA will delay the solution.
  3. Consider risk drivers; the social, economic, political, competitive and other external forces that will impact your value adding activities. Learn how to exploit them for gain by managing those risks. Your competitors will be doing the same thing.
  4. Engage the business, especially the 1st Line of Defense. They are the risk managers. They make things happen. If you cannot engage them, you are probably asking them to be risk accountants. Chances are they are already engaged and motivated to manage risk.
  5. If you produce and distribute Heat Maps or Risk Registers, you are a Risk Accountant. If you provide opinions on “control effectiveness” you are a risk accountant. Try assessing the effectiveness of risk management instead.
  6. If more than 30% of your recommendations are COSO Control Activities, you are a risk accountant. I am not a fan of COSO, but it was intended to be, and is, a valid root cause of failure model. If you rely only on Control Activities, you do not understand COSO and if you do not understand and manage root causes of failure you are accounting for and not managing risks.
  7. Evaluate the risk management technology, if any, that you use today. Is it really risk management technology or is it risk accounting technology?
  8. Exploit the risk management technology that is available today. It may not be called risk management technology. And what is called risk management technology is probably risk accounting technology.

 Use key risk indicators to trigger alerts and actions. Use predictive analytics to discern patterns and trends. Use modelling and quantitative techniques to help with decision making. Use surveys and collaborative tools. These are the tools of risk managers.

  • Focus all your risk and compliance activities on business performance and business objectives. If you report on “internal control effectiveness” you are a risk accountant.

The Bottom Line: Do the Right Wronger and Learn.

 Enterprise Risk Accounting is not a bad thing. Some of our standards and regulations require it.

 My point is that if we believe ERA is ERM, we are missing an opportunity to serve our companies and clients. We need ERM as much or more than ERA.


Sizing up Risk and Compliance Practices: A Strategic Perspective

The purpose of this blog is to provide a framework for constructive suggestions and insight into how risk and compliance practices can be improved.

What would improvement look like? For starters, I’d like to see:

  • A direct link from risk and compliance practices to business performance,
  • Comprehensive reporting that connects the dots from a common data set,
  • Silos strengthened with consistent methodology, calibration and taxonomy,
  • Available digital innovation adopted and exploited,
  • Increased business engagement, particularly Line 1 of the 3 Lines of Defense.

Here’s the problem. The diversity and complexity of regulations, standards and professional practices across the risk and compliance spectrum represent multiple, often conflicting, seemingly irreconcilable and deeply held paradigms and beliefs. Some of today’s practices simply do not make sense.

We need to find a way to fit all of this into a simple visual model. My starting point is below.

Primary Response Strategy Quadrants.

Here is how it works:

The 4 quadrants in the middle introduce four basic risk response strategies. The vertical and horizontal axes show risk appetite and risk level. I should be able to assign a primary response strategy for a given risk from any risk driver to one of the quadrants based on risk level and appetite.

The 4 Quadrant Model shows how risks can be allocated to response strategies based on appetite and level

Left Hand Panel: The Primary Response Strategies Mapped to Risk Domains

I have color coded these risk domains with the primary response strategies I have observed based on my knowledge and experience. It looks to me like the one-eyed monster of “control” has gobbled up most risk domains. The question is, should it?

Right Hand Panel: Primary Response Strategy Mapped to Risk Drivers

Here I display a generalized list of Risk Drivers and suggested appropriate response strategies for each, based on the nature of the risk driver, and again based on my experience and knowledge. It looks to me like the drivers of risks, particularly the external drivers, are more susceptible to the other primary strategies. Again, I could be wrong, but I believe risks resulting from these risk drivers are not being examined and, if they are, inappropriate primary response strategies are being used based on the dominant domain strategies.

Primary Response Strategy Quadrants Explained

  1. Primary Response Strategy: Control Activity

Think of COSO and SOX regulations, particularly AS5. These represent the archetypal control response. Resources are spent identifying, assessing, adding, auditing or testing controls for effectiveness. Nothing is wrong with that. But I have a slightly nuanced interpretation. In my experience most of the controls involved are COSO Control Activities. I would argue that by using Control Activities, there is an implicit expectation that the relevant risk event will occur, can be detected quickly and mitigated. In simple real-life terms, if your primary response to the risk of fire is fire extinguishers, then you are accepting the risk of a fire. If you don’t want the risk of a fire, you must deal with the events and conditions that cause them. Broken or missing fire extinguishers become the risk. That’s pretty much how the definition of SOX deficiencies works. Am I oversimplifying? Of course. Is there anything wrong with this strategy? Not at all. Unless of course you are using it as a response to a risk event that you must prevent. Would you be comfortable if you were given a parachute when boarding a flight? It worries me that the control strategy seems to be the dominant response across most risk domains. It also worries me that every control activity has negative unintended consequences. It’s not a coincidence that I use the word “design” in all the other quadrants. Control activities are not “designed”; they are proliferated.

  2. Primary Response Strategy: Risk Performance Decision

Where severe and unacceptable risks occur, the primary response cannot be controls as we know them today. Years ago, I dined at an elegant restaurant in a dangerous neighborhood in Johannesburg. Guards carrying automatic weapons were visible and on patrol in the dining room. Did that make me feel safe? The answer is of course not. It told me the establishment was willing to accept the possibility of armed intruders entering the dining room and willing to have a gun battle across my table. The armed guards, and I assume they were deemed necessary, would have made me feel safer if they were outside. Better yet, a good fence and video surveillance would be appropriate. Unacceptable risks must be predicted and prevented at their source.

  3. Primary Response Strategy: Employee Performance Design

An example of using human behavior to manage risks undertaken to add value is the aviation industry. Obviously, aviation is inherently dangerous. Yet statistics show that over the last few decades, despite larger aircraft carrying more passengers longer distances more often, the rate of aviation incidents per million miles flown has fallen dramatically. How can this be true? Having travelled frequently and even married an airline employee, I had the opportunity to ask this question of flight crew, cabin crew and ground staff. The answer was always the same. Airline employees are intensively trained and required to requalify frequently. Fail the training and you may not fly until you requalify. When it comes to safety, they know what to do, why it is important and how to do it, and they keep track of incidents.

In virtually every field of human endeavor, about 50-60% of incidents are caused by human error. It’s true for reported SOX deficiencies, auto accidents, fires in the home and every other field of human endeavor where records are kept. It’s even true in aviation. The difference is that aviation has reduced the number of incidents dramatically. Human errors remain at the same level, but the rate of incidents has declined.

Risk response strategies that do not deal with human error cannot be more than 50% effective.

  4. Primary Response Strategy: Loss Performance Design

Procure-to-pay processes, and many other processes in business, are extremely complex and use Controls as the primary strategy. On the other hand, any consumer can go to a merchant and use a credit card to purchase goods and services. Technology allows fraudulent purchases to be detected and blocked immediately in the vast majority of cases. Anomalous transactions and patterns of behavior are detected amongst millions of legitimate transactions. This loss management strategy substitutes high-speed, real-time analysis to authenticate transactions. I’m sure it is less than 100% effective. I am also reasonably sure that it would work on mature internal processes far more effectively than the control-based approach, particularly if it was combined with strong human resource management. Product warranties and insurance products also fit this strategy.
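The transaction-screening strategy described above, as an added example that is not code from the original post: a small rule-based screener scores each card transaction as it arrives against the card’s own recent history (attempt velocity, amount against the card’s baseline, and a country change within an implausible interval), blocks above a threshold, and is then judged by outcome on labelled traffic, counting both the fraud it stopped and the legitimate purchases it blocked. The transactions, labels, rules, weights and thresholds are all constructed for illustration.

```python
"""Real-time transaction screening measured by outcome.

Added example, not code from the original post: a rule-based screener decides
allow/block on each card transaction as it arrives, and its "effectiveness" is
then measured on labelled data by the fraud it stops and the legitimate
traffic it blocks (the adverse impact), not by whether the rules were
implemented. All transactions, thresholds and labels are constructed for
illustration; a production system would use many more signals.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tx:
    card: str
    ts: int          # seconds on a constructed clock
    amount: float
    country: str
    is_fraud: bool   # ground truth, used only when scoring effectiveness


@dataclass(frozen=True)
class Seen:
    ts: int
    amount: float
    country: str
    allowed: bool    # blocked attempts still count towards velocity


class Screener:
    """Scores each transaction from the card's own recent history."""

    def __init__(self, velocity_window: int = 600, velocity_limit: int = 2,
                 amount_multiplier: float = 4.0, travel_window: int = 3600,
                 block_at: int = 2):
        self.velocity_window = velocity_window      # seconds
        self.velocity_limit = velocity_limit        # prior attempts in the window
        self.amount_multiplier = amount_multiplier  # vs. mean of allowed amounts
        self.travel_window = travel_window          # seconds for a country change
        self.block_at = block_at                    # score at which we block
        self.history: Dict[str, List[Seen]] = defaultdict(list)

    def score(self, tx: Tx) -> Tuple[int, List[str]]:
        hist = self.history[tx.card]
        score, reasons = 0, []
        # Velocity: too many attempts (allowed or not) in a short window.
        recent = [h for h in hist if tx.ts - h.ts <= self.velocity_window]
        if len(recent) >= self.velocity_limit:
            score, reasons = score + 2, reasons + ["velocity"]
        # Baselines come only from transactions we let through, so a blocked
        # outlier does not inflate the card's "normal" spend or location.
        allowed = [h for h in hist if h.allowed]
        if allowed:
            mean = sum(h.amount for h in allowed) / len(allowed)
            if tx.amount > self.amount_multiplier * mean:
                score, reasons = score + 1, reasons + ["amount"]
            last = allowed[-1]
            if last.country != tx.country and tx.ts - last.ts <= self.travel_window:
                score, reasons = score + 2, reasons + ["geo"]
        return score, reasons

    def decide(self, tx: Tx) -> Tuple[bool, List[str]]:
        score, reasons = self.score(tx)
        blocked = score >= self.block_at
        self.history[tx.card].append(Seen(tx.ts, tx.amount, tx.country, not blocked))
        return blocked, reasons


def sample_stream() -> List[Tx]:
    """Constructed traffic: three cards, six fraudulent attempts."""
    return [
        # Card A: steady US shopper, then the card is used abroad.
        Tx("A", 0, 40, "US", False), Tx("A", 3600, 45, "US", False),
        Tx("A", 7200, 38, "US", False), Tx("A", 10800, 42, "US", False),
        Tx("A", 11000, 900, "RU", True), Tx("A", 11030, 850, "RU", True),
        # Card B: traveller makes a large purchase, then card testing.
        Tx("B", 0, 60, "US", False), Tx("B", 5000, 70, "FR", False),
        Tx("B", 5400, 300, "FR", False),
        Tx("B", 6000, 20, "FR", True), Tx("B", 6060, 20, "FR", True),
        Tx("B", 6120, 20, "FR", True), Tx("B", 6180, 20, "FR", True),
        # Card C: cross-border commuter, entirely legitimate.
        Tx("C", 0, 50, "US", False), Tx("C", 2000, 55, "CA", False),
    ]


def evaluate(stream: List[Tx], screener: Optional[Screener] = None) -> dict:
    """Judge the screener by outcome: fraud stopped and legitimate traffic lost."""
    s = screener or Screener()
    tp = fp = fn = tn = 0
    for tx in sorted(stream, key=lambda t: t.ts):
        blocked, _ = s.decide(tx)
        if tx.is_fraud:
            tp, fn = (tp + 1, fn) if blocked else (tp, fn + 1)
        else:
            fp, tn = (fp + 1, tn) if blocked else (fp, tn + 1)
    return {
        "tp": tp, "fn": fn, "fp": fp, "tn": tn,
        "fraud_caught": tp / max(tp + fn, 1),   # effectiveness against the outcome
        "legit_blocked": fp / max(fp + tn, 1),  # adverse impact of the treatment
    }


if __name__ == "__main__":
    for key, value in evaluate(sample_stream()).items():
        print(f"{key}: {value:.3f}" if isinstance(value, float) else f"{key}: {value}")
```

On the constructed stream the screener stops four of six fraudulent attempts and blocks one of nine legitimate purchases. The two misses are the first card-testing transactions, made before the velocity rule has enough history; the false positive is a legitimate cross-border purchase caught by the geo rule. That is the point of measuring by outcome: the rules were fully “implemented” either way, and the two rates, not the fact of implementation, are what the business needs to see and tune against.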

Where does this leave me? I think I have a useful way to begin to assign primary response strategies to business risks.

My concern today is that the prevailing paradigms and beliefs are narrow and silo-specific and do not seem to allow for an integrated approach. The Control strategy seems to dominate risk and compliance thinking and may be used inappropriately. We need to drive higher business engagement, show direct contribution to business value and higher reliability, and provide a basis for technology adoption. I will provide thoughts on all those fronts. But I’d like some thoughts, feedback, criticism and/or validation.

Comments, reflections, criticisms are welcome. I hope to hear from you.
