It's time to replace Risk Factor reporting with comprehensive reporting on governance, risk and compliance (GRC).
Call it ERM or whatever you please.
Beginning in 2005, the SEC required filers to include qualitative disclosures of risk factors in Item 1A of their annual Form 10-K. Item 1A Risk Factor disclosures have consistently failed to predict critical risks.
Over the years, here is a short list of risks that have been missed.
For that matter, most lesser operational risks have been "surprises". Yet they were either known or knowable.
We need to understand not just what bad things can happen. We need to understand our ability to predict and manage them, and to make the personal and business decisions that allow us to achieve objectives.
Here is a headline from one company’s recent Item 1A Risk Factor filing.
"Future operating results depend upon the Company's ability to obtain components in sufficient quantities on commercially reasonable terms."
Profound? Hardly. Is this useful information? Can you make a buy/sell decision based on this disclosure? You be the judge.
If your company is listed on an exchange regulated by a body other than the SEC, you probably have a different but similar risk reporting requirement. It's probably not much better.
Today corporate lawyers and others condense information about business risks into dense, boilerplate, impenetrable prose, based largely on what was reported last year and what competitors are reporting. It is essentially a legal document designed to protect the corporation from liability. It is not intended to provide insights that help investors price the business risks. Its purpose is to say "I told you so".
Isn't bad risk information worse than none at all?
The concept of integrated GRC exists. But it's largely an unfulfilled fantasy. Few of the various professions and practitioners share the vision of an integrated report. Professional standards requiring, let alone guiding, integration don't exist. OCEG alone provides comprehensive criteria for principled performance.
All GRC professions and practitioners profess that they add value. Value doesn't just mean feeling good about what you do. There is no better way to demonstrate value than to guide the decisions made by executives and investors and demonstrate the impact on the performance and economic value of the enterprise.
The chief arguments against expanding Item 1A reporting are that it would expose companies to liability and advantage competitors. That argument can be made for any mandated disclosure today, including financial statements.
It's not enough for an accounting department to produce journal entries. It must produce financial statements.
It's not enough for GRC professionals to produce "findings". They must produce knowledge that explains and predicts performance and informs decisions.
There is no chance that integrated GRC reporting will evolve spontaneously. It must be driven from above. Mandated public reporting of GRC status and business objectives will drive integration.
What Would Consolidated GRC Reporting Look Like?
Instances of consolidated GRC reporting are rare, but they do exist. One of my favorites was developed by Saret Van Loggerenberg, now Group Company Secretary and Legal at Exxaro Resources. She demonstrated that the first line of defense is willing, if not eager, and able to engage in risk management activities if they help achieve objectives and enhance performance. Her initiative began around 2012, and its results are reported in a recent annual report.
During my time at SAP, my colleague Thomas Frenehard demonstrated the power of technology to pull GRC data into a digital board room environment. As powerful as it was for me, it tapped into no more than 25% of the potential it holds for business. The potential is huge.
My colleague Tim Leech has worked for years to challenge conventional thinking and develop the technology, tools and capabilities to advance and transform professional practices. Here is an example of a simple dashboard with potential for use in reporting. Corporate objectives are listed along with the certainty of achieving them. Underlying each certainty rating is extensive documentation of GRC information.
Never in history have so many resources, people, technology and tools been dedicated to the examination of GRC. Never has so much activity produced so little knowledge.
What innovation exists has come, and will come, from the edges of the profession, not the center. Transformation has never been more necessary.
Should we consider our failure to offer integrated GRC reporting as the leading Risk Factor in Item 1A Risk Factor Reporting?
Maybe we should look forward to the future and hope that the concept of fraudulent GRC reporting emerges. That would be a sign of progress. In order for fraudulent GRC reporting to exist there must be a correct way. Today there is none.
What do you think? Are you ready to begin this journey?
Thanks to the perseverance of risk and compliance professionals, and to automation, we have built silos in which domain-specific risks are managed in very granular detail. This data has unexploited strategic value.
The silos exist within all risk domains. We need to begin to connect the dots across the silos. There is no other way to grow as a profession.
Strong silos are a sign of a maturing profession. But professional growth requires the development of an overarching framework that creates actionable knowledge from siloed risk and compliance information.
Think of the development of financial statements, driven by double-entry accounting that forced the linkage of financial accounting silos to create financial statements. Reporting Accounts Payable balances alone is not useful. It's necessary to connect those balances to Inventory, Operating Expenses and Cash accounts to create knowledge and make decisions.
Unconnected risk and compliance reporting using risk registers, heat maps, lists of effective and ineffective controls, and stacks of single-issue audit reports suggests we have not linked the silos.
We have great data in the risk and compliance silos. We need to get it linked to what the business cares about. Data in the risk and compliance silos must be categorized and linked to explain and anticipate business performance and how objectives will be achieved.
The Art of the Possible
Several years ago, a colleague of mine at SAP demonstrated how technology (SAP technology in this case) can be used to connect the dots across several silos of risk and compliance information and link the siloed results to
Thanks to SAP this demo is publicly available on YouTube. It's about 8 minutes in length but well worth the time.
As you watch the demo, imagine the addition of key risk indicators, risk drivers, performance data, audit data providing assurance and root
Imagine also that the data would be updated instantly every time events such as loss incidents, control test failures, audit findings or any one of dozens of potentially triggering events occurred. Finally, imagine instant drill down capability to a very granular level.
Among other things, business executives would then be able to:
Anticipate how external and internal risk drivers will impact objectives.
Compare risk and compliance practices between different organizations and over time.
Understand the root causes of failure and
Drive down the cost of control by balancing risk appetite with control cost.
Allocate risk and compliance resources, including audit, to where they are most needed.
Assess the performance of risk and compliance professionals and their contribution to business performance.
What’s Blocking Progress?
Technology for connecting the dots exists today. The data that needs connecting is available. Risk and compliance professionals are competent and motivated. In my view the next step is getting the silos aligned to a common goal, while the silos themselves remain independent and strong. In my experience, although risk and compliance professionals talk about adding value and contributing to performance, they are primarily aligned with the professional standard setters who give them accreditation. To meet their professional standards, auditors are required to audit; risk professionals are required to identify and assess risks; control professionals are required to test controls; compliance people are focused on compliance, or obedience. None of the silos is judged by its contribution to business performance. The sum of all their work is unconnected data. That data only has value when its
I have seen very little evidence of cross-silo collaboration in my career. And that may be an overstatement. Alignment must come from the top. It's unlikely to appear spontaneously from the silos.
Customer reactions to the demo above were polarized. Executives and boards were extremely interested. Most risk and compliance professionals were indifferent at best.
For those of you who want to connect the dots, my suggestion is to start at the top of the organization and create demand with a vision. Use the vision to align and mobilize.
A Recipe for Connecting the Dots
Consistent methodology is critical to connecting risk and compliance data. Here is an example that illustrates the need for consistency and structure.
My pharmacist usually recommends generic versions of my prescription medication. She claims the ingredients of the generic drugs are the same as the ingredients in the branded versions, so why pay more? I pointed out that the key ingredients in a fine souffle and the ingredients in burnt scrambled eggs are also very similar. The ingredients are important, but the recipe used, the skills and training of the chef, the cooking process and the equipment used are equally important. To consistently produce the same result, and to scale the process, a standard methodology must be used.
Tim Leech, a former partner and colleague and now the owner of Risk Oversight Solutions, has used a version of this model for many years.
Every risk and compliance silo creates information that fits somewhere in this flow line. All the dots are here, and the logical connections between them are apparent. In this case, all the information gathered is linked in some way to a business objective. Variations of this approach are possible, and other approaches may work as well.
But by using a standard methodology, everyone understands what information is created, who created it, and what it means. In order to integrate, risk and compliance practitioners, like chefs, must all follow the same recipe.
A standard methodology provides a recipe for determining and linking all the different data produced by risk and compliance practitioners. Standardizing the data means it can come from any practitioner or "silo" and be understood as part of the whole.
Adding the Ingredients
Most of the aggregation failures I have seen have been at the silo level. Invariably they have been caused by too much uncategorized granular data. We need to see the forest. Silos give us the trees. What data to link, and how much of it to gather, is a topic on its own. I'll share my thoughts on the ingredients in a separate blog. But as with any recipe, you'll need to be selective in the number and quantity of ingredients, and you must adjust the flavor for the audience. It's an art in itself.
In the words of Russell Ackoff:
"The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter. Therefore, it is better to do the right thing wrong than the wrong thing right."
Risk and compliance professionals want to be "trusted advisors". To do this they need to add value to the business. They usually fail because they don't know where to start. My simple premise is that you can't add value if you don't understand where value lies. Here are some clues I found helpful.
Hint 1: Value, in economic terms, is usually not found on the balance sheet or in an org chart.
Hint 2: It changes periodically as the business environment changes.
Hint 3: It tends to be industry specific. Your competitors are managing the same risks. You need to do it better.
Hint 4: Equity analysts will tell you. So will credit rating agencies.
Hint 5: Traditional financial metrics may be useless, but the outcome will have financial implications.
Mismatches in Risk and Compliance Management
Example 1: Years ago I was general auditor of an oil and gas company. My staff consisted of financial and EDP auditors focused primarily on verifying the existence and value of product inventory at refineries, in pipelines, in terminals and in bulk storage facilities across the country.
Equity analysts, on the other hand, made buy/sell recommendations based entirely (at that time) on our ability to add and produce oil and gas reserves cost effectively. The value of proved reserves far exceeded the value of crude and product inventory. Calculating proved reserves involves an understanding of geology, engineering and economics. My audit resources were totally mismatched with the value creation of the business. I needed geologists and engineers as well.
Example 2: In the late 1990s a French equity analyst firm decided to study the world's airlines to make recommendations for their clients. (I'd love to find the report again. It's in an old file I cannot locate.) What did they look at? Not airline capacity, not routes, not operating costs, not aircraft. They decided to base their recommendations entirely on their assessment of each airline's customer experience, from reservations, through check-in and in-flight service, through to baggage handling. (Remember, I did say that value-adding activities change over time.)
The list of today's major surviving global airlines matches the analysts' conclusions almost perfectly. The airlines they considered weak in terms of customer experience have been merged or are gone. But customer experience is no longer the value determinant on the airlines I fly.
Example 3: It's been a long time since I have been in an audit role. I'm not sure what auditors at ERP vendors spend their time on these days. But I do know what drives share value. I believe it's the rate of growth in Cloud revenue.
Value Lessons to Learn
Here is what I know for sure. To add value today, risk and compliance professionals need to focus on three things.
1. Understand what drives your business value.
Lesson 1: Look at the Item 1A Risk Factors in your annual filings and in those of your competitors. The Risk Factors describing your value-adding activities can be interpreted as inverted objectives, each of which can have a performance metric.
Lesson 2: Understand the business activities, processes or objectives, including the business risks and risk responses, that add that value. Example: in oil and gas at the time it would have started with the acquisition of land and continued through seismic evaluation, exploration and development activities and processes. Given today's prices and reserve levels, I suspect refinery efficiency, capacity and distribution systems drive value now.
Lesson 3: Scan the horizon for changes in the environment. The value drivers will change according to competitive, economic, technological and other factors. The first to figure out the new value drivers will win.
Conclusion: My experience tells me that most risk and compliance professionals are still wandering around looking for, but not adding, value. My experience tells me that value-adding activities may account for only 20% or less of the business, with the balance consisting of critical and non-critical core activities that support the value-adding activities and compliance.
I’d love to hear your views. Reach out to me directly or leave a comment.
"... almost every problem confronting our society is a result of the fact that our public policy makers are doing the wrong things and are trying to do them righter. The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter. Therefore, it is better to do the right thing wrong than the wrong thing right."
Reimagining COSO to create knowledge from beliefs and performance from knowledge, and ending our fear of risk, addiction to controls and sedation by assurance
The essence of professionalism is service to the public. Standard setters create a body of knowledge and provide metrics to demonstrate that the practices they recommend are evidence based and produce measurable outcomes.
Our ERM* Beliefs Have Stood the Test of Time, But…
Times change. Beliefs that have stood the test of time are just old beliefs. Performance in delivering outcomes is the only true test of beliefs.
There is strong evidence that our ERM institutions are failing us.
ERM practitioners today are generally unable to measure the value they claim to deliver. There is no strong evidence to suggest that ERM practices and standards, individually or collectively, have had any impact whatsoever on catastrophic losses, corporate failures, or any corporate or individual behaviors.
When an ERM professional organization publishes a standard or recommends a practice, responsible practitioners are entitled to demand evidence that the standard or practice has been tested and found to be beneficial.
When a regulatory authority demands compliance with mandated practices the burden of proof on the regulator should be extremely high.
To my knowledge none of the professional standards or regulatory requirements driving ERM activities are evidence based or rigorously field tested.
Outcomes are the True Test of Professional Standards
By way of contrast, institutions and regulatory authorities governing professionals in health care, environmental and safety, education, scientific disciplines, and law enforcement are able to define the outcomes they seek, the practices they follow to achieve those outcomes, and they routinely produce metrics that support their progress (or failure) in achieving those outcomes.
Our struggle and the failure of our ERM institutions and regulatory authorities to establish desired outcomes and metrics for measuring them is clear evidence of institutional failure.
Beliefs Should Drive Knowledge
Beliefs are essential to the creation of knowledge. Breakthroughs in knowledge occur when beliefs are challenged. If Christopher Columbus had used decision science, he would never have set sail. His contribution to knowledge is immeasurable.
The beliefs supporting ERM practices can only create knowledge when tested against the outcomes they are designed to achieve. When no outcomes are defined, no testing is possible. Without testing, no knowledge is created. The result is stagnation.
Lacking outcomes, today's ERM standards make us sail in circles, going nowhere.
Knowledge Drives Performance
Beliefs, when supported by evidence, create knowledge. Knowledge leads to better practices that in turn drive better performance and desired outcomes.
There have been no breakthroughs in ERM practices in my lifetime. If anything, they have become more regressive and more entrenched.
Our business, economic, political, cultural, technological and social environments have been rocked by disruptive forces. Stability in our professional standards and practices is a sign of fixed, rigid and failed beliefs.
The Role of ERM Institutions and Practitioners
If a doctor prescribes a medication which is not cost effective, does not produce the intended outcome, or has unintended side effects, the patient is entitled to an explanation. A quick search of the web will explain how the medication works, its side effects and the specific medical outcomes it has been shown to produce.
When an ERM professional organization publishes a new standard or recommends a new practice, responsible practitioners are entitled to demand evidence that the standard or practice has been tested and found to be beneficial.
New drugs are not sold until evidence-based outcomes are demonstrated and side effects understood.
The primary purpose of our ERM institutions is to seek knowledge and provide continuously evolving evidence-based practices. Our ERM institutions owe us metrics that prove value is added and they owe us a comprehensive growing body of evidence-based knowledge that we can use to drive better practices.
Practitioners must be confident that applying their professional practices consistently and reliably will produce beneficial, intentional business outcomes and that we will continue to adapt to meet the needs of our stakeholders.
Is it possible for our ERM institutions to begin to shift from a belief based to a performance-based paradigm? This is what a reimagined COSO might look like.
Reimagined along these lines, COSO is intended to support professional practitioners in adding value. It is an attempt to define the knowledge that each COSO element can develop in support of turning beliefs into knowledge and knowledge into measurable outcomes supported by metrics.
Can belief-based practices survive in a data driven world?
The paradigms, professional practices and regulatory standards guiding business risk and assurance professionals have been developed over many years, long before the digital world we live in today.
Do the practices we have used as risk, control and audit practitioners actually "work"?
We fear risks, we are addicted to costly and dubious “controls”, and we are sedated by “assurance” practices based on unproven confidence in those controls.
These practices are primarily based on beliefs, not data. Those beliefs were rational at one time.
In a data driven world they are obsolete and possibly dangerous.
Is it time for a New Deal?
Digital innovations such as cloud computing, artificial intelligence, machine learning, predictive analytics, robotic process automation and high-speed in-memory processing are rarely mentioned in the standards and practices that guide business risk management. When digital innovation is mentioned, it is usually considered a risk (e.g. the risk of cloud computing). Despite our fears, digital innovations have produced immense disruptions that have proved extremely beneficial.
When risk and control professionals view digital innovation, with its profound and beneficial outcomes, as a risk, it's time to question our beliefs.
Digital innovations have enormous potential to disrupt and that disruption must impact risk and control professionals. What will that disruption look like in a data driven world?
Confident Performance is the New Assurance
Assurance may be comforting if proof is not possible. It is not a substitute for data, and reliance on assurance is inexcusable when data is available. Effective internal control you say? Show me the data.
To use a simple analogy: today, using our mandated control-based approach, we believe we can reduce the incidence of fires by counting and testing fire extinguishers. We provide "assurance" when we are satisfied. More extinguishers are usually better. Too many are not enough.
We measure the existence of controls, not business outcomes. (PCAOB AS5 explains this much more clearly.)
In a data driven world, we should now be able to confidently state desired outcomes and use data to track our performance in achieving the outcomes.
Assurance not supported with performance is based on superstition.
There is no valid reason for failing to confidently define business outcomes and measure performance against them. Assurance means we do not really know. Things we do not know should be reported as Risk Factors.
In a data driven world critical outcomes become visible and predictable. When outcomes become predictable and measurable, assurance is replaced with data.
Embrace Risk Assessments: They Teach Us How to Confidently Achieve Outcomes
Outcomes are best managed by understanding failure. The original COSO framework was commissioned over 25 years ago, through the Treadway Commission, to explore the root causes of fraudulent financial reporting.
If we want to achieve accurate and reliable financial reporting, an increase in market share, a reduction in cyber fraud or any other outcome, we must understand the causes of failure. Cause-of-failure data, not "control effectiveness", teaches us what performance is possible and what must be done to achieve it. Risk assessment teaches us how to achieve outcomes. Control addiction blinds us to the knowledge we need.
Aviation experts estimate that up to 80% of aviation incidents are caused by human failure. Every detail of every incident is recorded and analyzed. Compare this typical NTSB Incident Report to a Material Weakness disclosure under SOX. This Incident Report is for a near miss, not a fatal accident. It contains over 70 pages of data and analysis.
Compare this detailed Incident Report to the average 500-word Material Weakness disclosure. Compare it to the typical 200-word report on internal control over financial reporting. At 75 pages it is even longer than my copy of PCAOB AS5, which tells us how to provide "assurance" instead of data.
(Homework assignment: Review the detailed Incident Report and tag each issue identified with its COSO category. Discuss: Can tagging be digitized by AI? What would we learn if we did?)
Does that mean we should provide a 70+ page analysis of every SOX "deficiency"? Would it cost more to do so than we spend on "assurance" today?
In the absence of a data driven approach measuring performance against defined outcomes, is a 200-word audit opinion on "internal control effectiveness" in a multi-billion-dollar global enterprise worth the paper it is written on?
Data informs us. There is a bright side to risk. Naming and shaming teach us nothing.
Data is the new control
Control is now digital innovation and data.
Credit card companies analyze millions of transactions in real time to detect and block anomalous or suspicious transactions before they are processed.
We spend billions of dollars on procurement and other routine activities, and on before-the-fact "controls" that cause massive increases in elapsed time and huge costs, instead of relying on technology and data to detect potential fraud or error.
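To make the "data is the new control" argument concrete, here is an added example (not code from the original post, and not any vendor's product) of detective analytics run over a small constructed set of procurement payments. Instead of a before-the-fact approval gate, three tests run over the data after the fact: duplicate invoice payments, payments to a vendor bank account that was changed shortly before the payment, and clusters of payments sitting just under an assumed approval limit (a pattern consistent with splitting a purchase to avoid approval). All records, vendor names, bank identifiers and the approval limit are constructed for illustration.

```python
"""Detective analytics over a constructed set of procurement payments."""
from collections import defaultdict
from datetime import date

# Constructed sample payments (not taken from any real system).
PAYMENTS = [
    {"id": "P1", "vendor": "ACME", "invoice": "INV-100", "amount": 4200.00,
     "paid": date(2023, 3, 1), "bank": "DE11"},
    {"id": "P2", "vendor": "ACME", "invoice": "INV-100", "amount": 4200.00,
     "paid": date(2023, 3, 6), "bank": "DE11"},  # same invoice paid twice
    {"id": "P3", "vendor": "GLOBEX", "invoice": "7781", "amount": 49900.00,
     "paid": date(2023, 3, 2), "bank": "DE22"},
    {"id": "P4", "vendor": "GLOBEX", "invoice": "7782", "amount": 49950.00,
     "paid": date(2023, 3, 3), "bank": "DE22"},
    {"id": "P5", "vendor": "INITECH", "invoice": "A-1", "amount": 900.00,
     "paid": date(2023, 3, 4), "bank": "DE33"},
]

# Constructed vendor-master change log: bank account updates and when they happened.
BANK_CHANGES = [
    {"vendor": "GLOBEX", "old": "DE20", "new": "DE22", "changed": date(2023, 2, 27)},
]

APPROVAL_LIMIT = 50000.00  # assumed single-approver limit for this example


def find_duplicate_invoices(payments, window_days=30):
    """Flag a payment whose (vendor, invoice, amount) already paid within the window."""
    seen = defaultdict(list)
    flags = []
    for p in sorted(payments, key=lambda x: x["paid"]):
        key = (p["vendor"], p["invoice"], p["amount"])
        for earlier in seen[key]:
            if (p["paid"] - earlier["paid"]).days <= window_days:
                flags.append((p["id"], f"duplicate of {earlier['id']}"))
                break
        seen[key].append(p)
    return flags


def find_recent_bank_changes(payments, changes, window_days=14):
    """Flag payments sent to a bank account that was changed shortly before payment."""
    flags = []
    for p in payments:
        for c in changes:
            if c["vendor"] == p["vendor"] and c["new"] == p["bank"]:
                age = (p["paid"] - c["changed"]).days
                if 0 <= age <= window_days:
                    flags.append((p["id"], f"bank account changed {age} days before payment"))
    return flags


def find_near_limit_splits(payments, limit=APPROVAL_LIMIT, window_days=7, band=0.05):
    """Flag two or more payments to one vendor, each just under the approval limit,
    falling within a short window of each other."""
    lower = limit * (1 - band)
    by_vendor = defaultdict(list)
    for p in payments:
        if lower <= p["amount"] < limit:
            by_vendor[p["vendor"]].append(p)
    flags = []
    for vendor, group in by_vendor.items():
        for p in group:
            partners = [q for q in group
                        if q is not p and abs((q["paid"] - p["paid"]).days) <= window_days]
            if partners:
                flags.append((p["id"], f"near-limit payment; {len(partners)} similar "
                                       f"payment(s) to {vendor} within {window_days} days"))
    return flags


def run_analytics(payments=PAYMENTS, changes=BANK_CHANGES, limit=APPROVAL_LIMIT):
    """Return {payment_id: [reasons]} for every payment any test flagged."""
    report = defaultdict(list)
    for pid, reason in (find_duplicate_invoices(payments)
                        + find_recent_bank_changes(payments, changes)
                        + find_near_limit_splits(payments, limit)):
        report[pid].append(reason)
    return dict(report)


if __name__ == "__main__":
    for pid, reasons in sorted(run_analytics().items()):
        print(pid, "->", "; ".join(reasons))
```

Run against the constructed data, the report flags P2 as a duplicate of P1, and P3 and P4 both for the recent bank-account change and as a near-limit pair, while P5 passes clean. Each flag carries its cause, which is the cause-of-failure data the post argues for, rather than a pass/fail verdict on whether an approval control "exists".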
Collaboration in a data driven digital world is critical. We spend billions of dollars identifying collaborative opportunities and blocking them, thanks to our addiction to Segregation of Duties.
We spend billions of dollars identifying “ineffective” controls without ever analyzing the cause of their ineffectiveness.
We have powerful technology to communicate objectives, track performance, develop, train and motivate employees and we rely on “Control Activities” instead.
As a result, we are frightened by risk, addicted to controls (primarily Control activities) and sedated by assurance that is at best a guess and at worst a superstition.
The Role of Auditors in a Data Driven World
Is there such a thing as an opinion on the effectiveness of digital innovation in confidently achieving business outcomes?
Is there a role for auditors to show how this can be done?
Should auditors help identify and review performance against the company's five most critical business objectives? These objectives should be those undertaken to drive business value or protect it from catastrophic losses.
I hope you find my ideas and commentary thought provoking if nothing else. Please feel free to comment and share.
Reliance on Control Activities is enabling bad risk decisions and corporate misconduct. Is there a way forward?
The fundamental paradigms of risk and control professionals are being tested. Extreme, reactionary advocates of Control Activities to mitigate risk have influenced standards and practices that do not work.
In a recent blog I suggested that we have become addicted to "controls", or more specifically "Control Activities" as defined by COSO, and that this addiction is blinding us to risk. I believe reliance on Control Activities as a primary response is evidence of, and a good predictor of, bad risk decisions. Failures in the COSO Control Environment and Risk Assessment components are primarily responsible for bad risk decisions and bad corporate behavior.
Those failures should be considered Material Weaknesses and clean audit opinions denied.
Clean audit opinions on internal control effectiveness even where COSO Control Environment or Risk Assessment practices have utterly failed and led to catastrophic losses don’t make sense.
It's Time to Take a Closer Look
Let us start with three hypothetical scenarios:
An airplane manufacturer makes and sells airplanes that cannot fly.
A pharmaceutical manufacturer sells a drug that kills people.
A major data broker loses millions of confidential customer records to hackers.
Would these hypothetical corporations receive a clean audit opinion on internal control over financial reporting using the COSO model below? The answer is Yes.
Did these events have financial impacts? The answer is Yes.
Have these issues been addressed?
Without a strong Control Environment and responsible Risk Assessment, poor and even fatal risk decisions are certain, and internal control over anything should be questioned. Internal control over financial reporting is not quarantined from bad management. COSO did not seem to contemplate excepting internal control over financial reporting from bad management. In fact, as I recall (and I co-authored a response to the initial COSO exposure draft), COSO was intended to lead to better risk decisions and fewer corporate failures. What happened?
Bad risk decisions enabled by faulty elements in the Control Environment (e.g. egregious conduct, fraud, incompetence, destructive compensation systems etc.) or faulty Risk Assessment, lead to catastrophic risk decisions, corporate misconduct, or both.
In each of the three hypothetical examples above failures in Control Environment and Risk Assessment were to blame. Can companies with such massive failures, by definition, have effective internal control over anything? If so COSO is meaningless and we have made it so.
The Way Forward
Several changes are clearly needed now.
1. Call out the real causes of failure
Enforce the PCAOB definition of Material Weakness:
A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.
None of these hypothetical companies should receive a clean audit opinion. These types of failures are evidence of total and catastrophic failures in control, specifically in Control Environment and Risk Assessment. All of them should have been denied a clean audit opinion and, with it, unrestricted access to capital markets and a pass on debt covenants and other obligations. Isn't that what SOX was supposed to prevent?
I understand that audit opinions deal only with internal control over financial reporting. But is it reasonable to suggest that, with massive failures in the application of COSO, the company is still COSO compliant? Wouldn't it be more prudent to assume that massive failures in the Control Environment or Risk Assessment can reasonably be expected to result in material losses, both financial and non-financial, now and well into the future? Assessing the Control Environment and Risk Assessment can be subjective. But we should call out and name failures in those elements when we see them. Shouldn't we put this type of failure right up there with a lack of Segregation of Duties in the financial close process, an oft-reported Material Weakness? Why do we limit Material Weaknesses to failed Control Activities?
2. Drive COSO compliance out of financial reporting and into the business
Replace Risk Factor Reporting with Objective Status Reporting
Replace every reported Risk Factor with a complementary objective. The objectives should reflect and be limited to the core business model of the business. For example, if shifting consumer preferences is a Risk Factor, define an objective that targets revenue or market share. Disclose that objective, the planned performance levels for that objective and the confidence management has that the planned performance level will be achieved. Assess the risks to achieving the objective and the measures needed to manage the risk.
I know this is a radical change, but can we trust companies who do not know this information? In relying on Control Activities, we are blocking insights.
Companies who are not sure what their top risks or objectives should be or are concerned that disclosing objectives and planned performance will be advantageous to competitors can be exempted by simply stating “we just can’t figure this out” or “we know our top risks, and critical objectives but we aren’t going to tell you” and naming those conditions as their only risks. Caveat emptor.
Once the objectives are listed, the company should make “a positive declaration intended to give investors confidence” and provide evidence to support their assertion. The assertions must be risk based and objective centric. Risk Oversight Solutions, a business owned by Tim Leech, a long-time colleague, offers advice and methodology. It’s an enhancement to a methodology I worked with for years with Tim. I have firsthand knowledge of its rigorous tools.
If product safety is a risk they could state “We are xx% certain (it could be 99.9% or 10%, just tell us) that our planes will fly safely xx% of the time,” or, in the case of the pharmaceutical company,
“We have procedures in place that give us xx% confidence the pharmaceutical products we sell are manufactured and distributed in a way that reduces the incidence of misuse and accidental death to x%,” or, for the hypothetical data broker,
“We have measures in place to reduce the probability of data loss from hackers to less than xx%, but we cannot be completely confident they will work more than xx% of the time.”
Just tell us please. Let stakeholders decide the risks they want to accept and the confidence they have in management. Companies can be compared to each other within an industry. The results would be transparent.
3. Provide assurance that is meaningful
Require independent audit opinions that provide real assurance against objectives.
Here is what we get today.
Hint: Assurance is defined as a positive declaration intended to give confidence.
This is from the 2019 annual report of a company with catastrophic headline grabbing failures.
“Our audit included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.”
4. Recognize the tools and talent available to us today.
The tools and talent to begin this journey are here now. I believe the risk management profession has the frameworks to support assertions on objective centric risk-based performance. I believe that auditors I have met in my work around the world could develop standards to audit the reliability of these assertions and provide (or withhold) assurance.
Move to Data Driven Assurance
Transparency is essential. Data is essential.
I am certain that the risk and control professions would make huge advances in technical knowledge and decision making and begin to adopt and exploit the powerful technologies available today. The data needed to monitor risks and performance against objectives is digitized somewhere. The analytics needed to provide insight are here now.
Today’s standards and practices are flawed. They do not add value, and bad practices have stunted the development of the profession and the adoption of technology.
Reliable risk and control management practices and supporting standards must be driven by data and insight, not belief in flawed criteria and subjective judgement.
Better to do the right thing wronger than the wrong thing righter (Russell Ackoff). That’s how we learn.
Let us shift from a “broken control activity” model of control effectiveness to a positive data driven, comprehensive objective centric risk-based approach. The definition of success and effectiveness should be sustained performance. Let us deal with the causes of failure, not the symptoms. Let’s add value.
Internal control professionals looking through the lens of internal control paradigms might conclude that this situation is “totally out of control”. Aviation experts rely on risk management paradigms. They measure these things. They focus on outcomes, not control objectives. Aviation is indisputably safe and getting safer all the time because it relies increasingly and correctly on human behavior, not despite it. Reliance on people is intentional.
Do we have it all wrong? Is it possible to achieve “control effectiveness” without appropriate human behavior and without measuring performance? Is the notion of “control effectiveness” just a tantalizing tautology?
Risk Management Has Been Hijacked
The “internal control” and the enabling “assurance” paradigms promoted by Radical Control Activists (RCAs) and embedded in the standards and practices they impose have set risk management practices back decades, stunted its growth and development and contributed to countless failures.
Business executives have consistently rated the importance of risk management as “high” and simultaneously expressed dissatisfaction with its current state. That is not a contradiction. Business leaders are not happy with the state of risk management because they are not getting risk management. They are getting control management. And it is not working.
The RCA movement has hijacked risk management and addicted us to “controls”.
Control Addiction Defined: When Control Failure is the Risk, Too Many Controls are Never Enough.
The overwhelming majority of “controls” implemented, tested and audited by Radical Control Activists are based on COSO’s “Control Activities”.
Segregation of duties, reconciliations, authorizations, and various forms of physical safeguarding are simple to implement, tangible and verifiable.
The overwhelming root cause of failure in human endeavor is human error or conduct, not control failure. This is true for aviation incidents, SOX deficiencies, auto accidents, fires in the home, industrial accidents, and every other activity where research exists. We will likely find it true for Covid-19 as well.
RCA standards believe “controls” are “effective” when they do not “fail”. When control failure becomes the test of “effectiveness” then, “ineffective” controls become the de facto cause of failure.
In simple terms, if fire extinguishers fail to function they can be deemed the cause of fires, and more are considered necessary. The risk is no longer the fire. The risk is the failed control. Tautologies can be tantalizing.
Unnecessary Control activities and monitoring block learning and impede performance.
Business risk management has not only been hijacked by the RCA movement; they have addicted us to a paradigm that does not work.
Control Addiction Causes Risk Blindness
Fire extinguishers only work if a fire occurs. If you rely primarily on fire extinguishers to protect you from fires, you are accepting the risk of a fire. You will find plenty of fire extinguishers within reach in oil refineries, but never as a primary response. If you look hard, you will find them in hotel auditoriums as well. But they are less visible. Fire safety standards in public buildings rely on eliminating flammable materials and sources of ignition, not on fire extinguishers. They manage risk at the source, not after the fact.
When we rely on segregation of duties as the primary response to fraud risk, we are accepting the risk of fraud. When we rely on safeguarding access to prevent theft, we are accepting the risk of theft. There are a limited number of business risks where control activities are a cost effective and suitable primary response to risk. When control activities become the primary response, risk is being accepted, not prevented.
In order to reduce risk, we must understand the events and conditions that give rise to the risk event and manage the risk at those points. That is risk management. In proliferating control activities as a primary or sole response strategy, radical control activists promote excessive, implicit risk taking.
Would you feel comfortable if you were given a parachute when you boarded a commercial flight? Would you feel safer if the pilot assured you that the parachute had been tested and was guaranteed not to fail? Would two parachutes be better? How about a SOX type certification in the seatback pocket?
The most catastrophic risks arise from known or foreseeable external sources, such as natural events, political events, disruptive technology, pandemics or economic conditions. These risks usually “surprise” us.
By focusing on control activities as a primary response, our RCA colleagues blind us to most external risks. Cyber risks, third party risks, disruptive technology and most other external risks have regularly been “surprises”.
When control activities and monitoring of those activities are the primary response to risk, it’s usually a sign that the risk of control failure has been deemed acceptable. Those “controls” could kill you.
When control activities are the primary response to business risks, it means that only a small fraction of possible risks have been identified and assessed. We are blind to most risks because they can’t be “controlled”.
How Smokey the Bear Succeeded by Using COSO
In 1944 (about 3 years after the origin of the IIA and decades before the initial COSO framework) the US Forest Service developed a campaign to prevent forest fires.
They created Smokey the Bear and his slogan “Only You Can Prevent Forest Fire”. Let us compare the Smokey the Bear approach with the Radical Control Activist approach.
COSO was created as a framework to explain the root cause of failures of financial institutions in the 1980’s. Using it to tag Smokey’s tactics with a COSO element, we can see he used COSO Control Environment and Risk Management. Radical Control Activists use Control Activities and Monitoring. Smokey correctly channelled human behavior to manage the risk of fire. He defined the causes of fire as the risks to be managed.
| | Smokey the Bear Says | Radical Control Activists Say |
|---|---|---|
| | Prevent forest fires | |
| | YOU – the Objective Owner | |
| | Sources of ignition, combustible materials | |
| Primary COSO Category | Control Environment/Risk Assessment | Control Activities/Monitoring |
| Primary Category Type | Objective communication, clear accountability, capability building, incident/root cause tracking | Segregation of duties, approvals, passwords, access controls, deficiency reporting |
| What is Monitored | Incidence of fires | |
*Just a note on Control Owners. I have seen thousands of job descriptions and resumes. I have never seen anyone requiring nor claiming to be a Control Owner.
If Smokey the Bear adopted the practices of today’s Radical Control Activists, he would have recommended a primary strategy of hanging fire extinguishers from trees and planting them a little further apart (Segregation of trees).
Doing the Right Thing Wronger and Learning or Doing the Wrong Thing Righter?
The distinguished systems theorist Russ Ackoff describes the trap we are in as ‘doing the wrong thing righter’. ‘The righter we do the wrong thing,’ he explains, ‘the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter. Therefore, it is better to do the right thing wrong than the wrong thing right.’ Most of our current problems are, he says, the result of policymakers and managers busting a gut to do the wrong thing right.
RCAs take us one step further. We are doing the wrong thing righter and then locking it in place with technology.
Curing Control Addiction – Starter Points
Calculate the number of risks and controls you have documented.
If your ratio of risks to controls is 1:3 or more then you are addicted to controls and have risk blindness. Consider a policy prohibiting the implementation of new controls unless existing controls are being replaced. A healthier ratio of risks to controls is in the range of 3:1 or more.
Specialized institutions may require special consideration. But if the ratio is more than 1:5 I hope you are managing a prison.
Tag each control with its COSO category
If you rely on Control Activities as a primary response you are under the influence of Radical Control Activists. (If you find this difficult and if you are making SOX certifications, you may wish to consult an attorney).
Compare the number of controls added vs. eliminated in the past year.
If you are continuously adding new controls and not eliminating old ones, you are addicted. If decades of adding controls has not resulted in sufficient controls, we will never have enough.
Begin to tag each “deficiency”, “issue” or “finding” with its root cause
COSO was developed as a root cause model, not a control model. Use COSO categories to identify root cause of issues, deficiencies etc. For example, if failure to comply with a policy occurred because the policy has not been communicated, or because accountability is not clear, it is a Control Environment root cause. The solution lies in improving the Control Environment, not adding, or improving Control Activities.
Tag each new recommended control with its COSO category
If you are primarily adding Control activities or Monitoring, reconsider. Consider another approach.
Formally assess your Control Environment
This will require some subjectivity and judgement. Compared to Control Activities and Monitoring, the Control Environment covers a lot of intangible and abstract ground. The Institute of Internal Auditors has issued guidance for auditing the Control Environment. If you are not a member, they will sell their guidance to you. It’s probably a good place to start. But Goodwill, Intangible Assets and Deferred Taxes, like “control effectiveness”, are also intangible and abstract, and they are quantified in financial statements. You do not need to quantify the Control Environment. Just describe it for now.
Eliminate Orphans and Connect the Dots.
Every significant data element must be linked to an objective or performance target, and as much as possible to each other. We need to be able to explain the impact of risks, controls, issues, loss events on business objectives and performance. We need the ability to perform root cause analysis, to compare and predict. We need a taxonomic structure equivalent to a chart of accounts. And we need consistent calibration across the participants.
Consider the methods your company uses to set and communicate and align objectives, create motivation and commitment, develop necessary capabilities and monitor performance. If those elements of control environment are not in place, make the necessary recommendations to address them.
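As an added example (not the author's tooling, nor Risk Oversight Solutions' methodology), here is a Python diagnostic that runs the starter points above against a constructed control register: the risk-to-control ratio with the thresholds given, COSO tagging of controls and of issue root causes, controls added versus eliminated, and orphan detection for the "connect the dots" point. The register contents, control ids and objective ids are all constructed.

```python
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

# COSO component tags used in the constructed register below.
CONTROL_ENV, RISK_ASSESS = "Control Environment", "Risk Assessment"
CONTROL_ACT, MONITORING = "Control Activities", "Monitoring"

@dataclass(frozen=True)
class Control:
    cid: str
    coso: str                  # COSO component the control is tagged with
    risk_ids: Tuple[str, ...]  # risks it is a response to
    objective: Optional[str]   # linked business objective; None means orphan
    status: str                # "existing", "added" (this year) or "eliminated" (this year)

@dataclass(frozen=True)
class Issue:
    iid: str
    root_cause: str            # COSO component that explains why the issue arose

@dataclass
class Register:
    risks: Dict[str, str]
    controls: List[Control]
    issues: List[Issue]

    def current_controls(self) -> List[Control]:
        return [c for c in self.controls if c.status != "eliminated"]

def risk_control_ratio(reg: Register) -> Fraction:
    """Risks per current control: the 'ratio of risks to controls' in the starter points."""
    return Fraction(len(reg.risks), len(reg.current_controls()))

def diagnose_ratio(ratio) -> str:
    """Thresholds from the text: 3:1 or more healthy, 1:3 or more addicted, 1:5 'prison'."""
    if ratio >= 3:
        return "healthy"
    if ratio <= Fraction(1, 5):
        return "prison"
    if ratio <= Fraction(1, 3):
        return "addicted"
    return "watch"

def coso_mix(reg: Register) -> Counter:
    return Counter(c.coso for c in reg.current_controls())

def control_activities_primary(reg: Register) -> bool:
    """True when more than half of current controls are Control Activities or Monitoring."""
    mix = coso_mix(reg)
    return 2 * (mix[CONTROL_ACT] + mix[MONITORING]) > len(reg.current_controls())

def net_controls_added(reg: Register) -> int:
    """Controls added minus controls eliminated in the period the register covers."""
    return (sum(c.status == "added" for c in reg.controls)
            - sum(c.status == "eliminated" for c in reg.controls))

def root_cause_mix(reg: Register) -> Counter:
    """Issues by root-cause COSO component; Control Environment causes need a different fix."""
    return Counter(i.root_cause for i in reg.issues)

def orphans(reg: Register) -> List[str]:
    """Current controls with no objective, or pointing at a risk missing from the register."""
    return sorted(c.cid for c in reg.current_controls()
                  if c.objective is None or any(r not in reg.risks for r in c.risk_ids))

def diagnose(reg: Register) -> Dict[str, object]:
    ratio = risk_control_ratio(reg)
    return {"risk_control_ratio": ratio, "verdict": diagnose_ratio(ratio),
            "coso_mix": dict(coso_mix(reg)),
            "control_activities_primary": control_activities_primary(reg),
            "net_controls_added": net_controls_added(reg),
            "root_causes": dict(root_cause_mix(reg)), "orphans": orphans(reg)}

def _c(cid, coso, risks, objective, status="existing"):
    return Control(cid, coso, tuple(risks), objective, status)

# Constructed sample register: three risks and a procurement-heavy control set.
REGISTER = Register(
    risks={"R1": "Shifting consumer preferences", "R2": "Unauthorized payments",
           "R3": "Loss of customer data"},
    controls=[
        _c("C01", CONTROL_ACT, ["R2"], "O-revenue"),
        _c("C02", CONTROL_ACT, ["R2"], "O-revenue"),
        _c("C03", CONTROL_ACT, ["R3"], "O-data"),
        _c("C04", MONITORING, ["R2"], "O-revenue"),
        _c("C05", MONITORING, ["R3"], None),          # orphan: no objective
        _c("C06", CONTROL_ACT, ["R9"], "O-data"),     # orphan: R9 is not a registered risk
        _c("C07", CONTROL_ENV, ["R1"], "O-revenue"),
        _c("C08", CONTROL_ACT, ["R2"], "O-revenue", "added"),
        _c("C09", CONTROL_ACT, ["R3"], "O-data", "added"),
        _c("C10", MONITORING, ["R2"], "O-revenue", "added"),
        _c("C11", CONTROL_ACT, ["R2"], "O-revenue", "eliminated"),
    ],
    issues=[Issue("I1", CONTROL_ENV), Issue("I2", CONTROL_ENV), Issue("I3", CONTROL_ACT)],
)

if __name__ == "__main__":
    for key, value in diagnose(REGISTER).items():
        print(f"{key}: {value}")
```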
Technology can help
Technology exists today to enable virtually every element of the Control Environment. Adoption of technology by RCAs today is slow. Worse, it is often counterproductive. We have incredible technology to identify possible collaboration. We use it to block collaboration.
Once risk management is freed from controls, expect a smaller, more analytical, forward-looking, data-based function offering insights with clear value-adding potential.
Even better, control management will change for the better as well. Expect control management to shift from control assessment to control portfolio design driven by data and digital innovation. Expect far closer alignment with business management and far more respect.
We need far better public reporting of risk factors. The tools and technology are available. Practices must improve.
Like many of the posts on GRC and COVID 19 these days, this one is another case of closing the barn door after the horse has escaped. But it’s sometimes worth looking back, not to assign blame but to learn for the future.
For years I have worked with internal auditors and risk managers. In the case of internal auditors building a risk rated audit universe is critical. Internal auditors need to prioritize their resources to the most critical risks. For risk managers identifying and managing the right enterprise risks was usually the topic. In either case assigning resources to the right risks seemed worthwhile.
One rich source of information, usually regarded with indifference, if not contempt by GRC professionals, is Section 1A Risk Factor reporting in corporate 10k filings and in similar filings in other jurisdictions. I can’t think of a single audit or risk management client who regarded this as useful information that could inform their work. Indeed, risk factor reporting is very broad and general. There is no formal risk assessment and no ranking of risks and little if any graphical information is provided.
But risk factor reporting is usually quite comprehensive in terms of categories of risks and their impacts even if it lacks an analytical perspective or an objective focus. I think of it as raw data that could drive knowledge and action.
With this thought in mind I thought I’d download and search a few annual reports and filings from several global pharmaceutical companies, global insurance companies and global manufacturers. It seemed to me the first two of these industry groups at least would be very susceptible to losses as well as opportunities from pandemics. Other global companies would potentially suffer business interruption as a minimum. All would have some stake in managing the risk.
So far, I’ve looked at only a handful of company annual reports. Pandemic was disclosed as a risk factor in about 40% of cases in my small sample. Interestingly companies in the same industry failed to disclose it consistently. (One would think if pandemic was a risk for one financial institution, others would see it too. They didn’t.) But where pandemic was listed as a risk factor, the description of impacts was as grim as we are experiencing.
Where should internal auditors and risk managers spend their time if not on critical risks with catastrophic consequences or opportunities?
Research, corroborated by my many years of experience, shows they spend most of their time, some studies suggest in excess of 90%, on tactical operational risks in mature business processes. That is, managing known risks and known responses to known risks. Who needs that?
I suggest GRC professionals review and assess their corporate Risk Factor reporting.
– Is your business affected by the current pandemic?
– Was it disclosed in your filings?
– What other risks are described and how are you taking them into account in your professional activities?
– How is your organization responding to risk factors?
– How are your GRC resources responding to risk factor reporting?
– How can stakeholders benefit from the information?
– How can risk factors be incorporated into business objectives and how can they drive business performance?
In short, how can we make public risk reporting better? We may not be able to prevent pandemics. But we can do a far better job of rating, prioritizing, assessing and reporting risks. Pandemics are not a Black Swan event. They occur regularly.
The methodology, technology and skills necessary to dramatically transform risk management and tie risk management to objectives and performance exist today. Implementation must reach a far higher standard.
I’ve always been uncomfortable with the term “agile” when applied to GRC generally or Audit specifically. I guess I still have some internal auditor left in my DNA, but it sounded like the flavor of the month. “Agile” seemed a little too furtive and vague to be an attribute to aspire to. It’s serious stuff and success requires consistent practices and methodology. Agility didn’t seem to fit.
I was reminded of my aversion by a recent blog by Norman Marks (does internal audit need to be agile?). While he questioned the use of the term “agile” he did propose some alternative terminology and audit practices that I totally support.
The underlying belief driving Agile project management is that “best business value emerges when projects are aligned to clear business goals, delivered frequently and involve the collaboration of motivated and
If that is what agile means in a business sense, I am on board.
But what does it mean to internal auditors? Let me suggest a few areas where agility is needed from internal auditors.
Business Value: The first premise is that internal auditors must add value. As things stand today, I do not believe most internal audit resources and practices are focused on value adding activities. Business adds value by managing strategic risks. Studies show that audit resources are focused instead on critical but non-value adding activities. Strategic risks can be derived from the Risk Factors reported in regulatory filings. My personal experience is that the reported Risk Factors are not a major input in creating an audit universe and defining auditable entities.
Business Goals: My experience is that most value is derived from achieving relatively few business objectives. In my experience with a global oil and gas company early in my career, most of the value of the business was derived from finding oil and gas reserves. The company had to achieve dozens of other objectives to stay in business. But finding and producing oil and gas reserves drove the share price. Failure in other areas could drive value down. But preserving value in my view is management’s role. Internal audit can only add value if it focuses on where the value is.
Frequently: This is where Norman Marks hit the nail on the head. Every audit project needs to be as short as possible. Documentation must be minimized. Long audit projects suggest a lack of focus. Excessive documentation does not add value. I was a CAE before work paper automation took hold. Our files were paper files. We used our audit file room as a conference room. Meetings were seldom disturbed by someone looking for an audit file. And when we were, the old file was used to plan the new audit, making the same mistakes as the first and producing another file no one wanted. Creating unnecessary documentation does not add value. Automating unnecessary documentation is not progress.
Collaboration of Motivated and Empowered People: The internal audit profession values independence and rightly so. But independence does not mean isolation. Independence is required to exercise judgement. It should not be used as a barrier to collaboration. Risk and control self-assessment practices are a measure of collaboration and they have not flourished and have not evolved. Unreliable self-assessments are a measure of the organization’s ability to be agile, and a measure of the skill of the auditor. Business and internal audit resistance to proven self-assessment practices can be a sign that internal audit is not aligned with
Agility in the Business: The single biggest contribution internal audit can make to create or increase agility in the business is to streamline internal controls and allow the business to take more risk. In my experience the ratio of internal audit recommendations that increase “controls” (I am referring to the number of controls primarily, not the level of control) to those that reduce controls is about 50:1. I believe careful design of control portfolios at the portfolio level could reduce the number of controls by 30-40% without having an adverse impact on overall control effectiveness. Specifically, I am calling for the assessment of internal controls at a portfolio level for a given objective or process. That is only possible if the focus is shifted to business
The bigger issue is not whether internal auditors can embrace agile behaviors and practices. No doubt some of the requirements of the IPPF may present some obstacles, but none should be major. The bigger issue is whether internal audit can help make the business agile.
The words of Russell Ackoff provide some guidance on how to be agile:
“The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we
This report, available here, is a must read for anyone interested in scaling and sustaining risk management to drive business value. It’s not necessary to agree with the report’s approach or conclusions. The question is can we build on and refine practices from this starting point? The answer to that is yes. Even its flaws have virtue.
Top 3 Things to Like
1. A Fresh Perspective
According to the report, “Managing risk is the art of building value while understanding what can be gained or lost from action or inaction, the foreseen or the unforeseen, the planned or the unplanned”.
With that kind of statement, I was hooked. Recognizing the dual nature of risks is essential but, in my experience, this has not been a belief widely associated with internal auditors. It opens all kinds of possibilities and directions.
2. No Risk Heat Maps
The standard medium for risk conversations has for years been risk heat maps. They are refreshingly absent. You will find very little dogma here. In its place is much needed intelligence and fresh perspective.
3. Innovative Methodology
The report was based on quantitative and qualitative surveys and provides interesting, original and innovative graphics to present its conclusions. The “alignment triangles” should prompt discussion and progress.
Top 3 Areas to Explore Further
1. Better Categorization of Top Risks
There are many ways to define top risk categories. The report lists 11 risks from among the vast assortment likely to be experienced in organizations. I’m a bit of a stickler for taxonomy. Some categories seem to describe the nature of the risk (Cybersecurity), some seem to describe the area of impact (Data Protection), some seem to reflect where the risk occurs (Third Party) and some seem to describe “controls” (Talent Management). In my experience it helps to have a common standard for defining risk categories. It’s important to keep the list short while making it
One way to do that is to define categories of risk drivers or risk sources. For example, Digital Innovation is a category of risk drivers that causes a wide variety of risks. Other broad categories might be competition, consumer behavior, employee engagement etc. The number of risks that can occur is almost infinite. The factors that drive those risks are far more finite and possibly more useful to start with and study.
2. More Risk Views
The report captures the views of the Board, the C suite and the CAE. I think it would be extremely useful and informative to add the views of the CRO, the CCO and the 1st line of defense to gain a richer understanding.
3. Tools for Managing Risk Stages
typically charged with assessing the effectiveness of internal control. The report identifies and defines 4 constantly evolving stages of risks and describes the characteristics of each. Let’s think through some guidance for all GRC professionals in approaching each stage. Is it the role of GRC professionals to guide the business through these stages? Are there existing tools and technology capabilities that could assist?
Congratulations to the IIA. In his introduction Richard Chambers President and CEO describes this as the inaugural edition of an exciting new report from the IIA. I am looking forward to seeing more of this kind of research. Kudos to the IIA.
In the words of Russell Ackoff
“The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter.”
All controls will fail. They will fail at a predictable rate. Internal controls not designed for failure are designed to fail.
The week of Oct 14 was “Risk Awareness Week” (RAW), a series of interactive workshops that began on Oct. 14. The workshops were designed to raise awareness about risk management applications in planning, forecasting, budgeting, construction, investments and performance management and are intended to significantly enhance decision making.
The tools and techniques discussed provide an objective basis for understanding risks and making sound decisions. I was inspired by what I heard and saw in these presentations.
But what does this have to do with designing, implementing and assessing control effectiveness? The answer today, unfortunately, is almost
The standards for internal control design, implementation and assessment are largely devoid of any rigorous quantitative analysis, any simulation, any modeling or any recognition whatsoever of human behavioral response. They are designed to fail.
Risk treatment strategies in other fields are designed to treat predicted failure rates and offset known negative impacts. In other words, “controls” as we call them are designed based on predictable failure rates. They are designed to achieve outcomes despite control failure.
There is plenty for auditors and other control practitioners to learn from these RAW workshops.
Any assumption that a given control can ever be 100% effective is fundamentally flawed. Controls will always fail. But the rate of failure is predictable, and the nature of failures can be determined and offset.
| Designing Controls for Failure | Designing Controls to Fail |
|---|---|
| Achieve a defined desired outcome | Achieve a Control Objective vs. a defined business outcome |
| Evidence that the treatment contributes incrementally to the outcome | Evidence that the treatment (e.g. Control) is performed as intended |
| Anticipate and manage failure. Effectiveness is defined as achieving targeted failure rates with acceptable negative impacts | Anticipate 100% compliance. Detect and correct failures. Effectiveness is zero failures. Negative impacts are not considered. |
| Adverse impacts or side effects outweigh benefits. | Failure to perform the treatment (e.g. Control) |
| The objective is achieved through a variety of complementary treatments to offset the expected failure rate. The “treatment” is designed to recognize | Forced compliance with treatment (e.g. Control). The treatment becomes the objective. Failures are considered “deficiencies”. |
Example 1 – Designed for Failure
When seeking regulatory approval for a new drug, manufacturers must conduct extensive fact-based research. One pharmaceutical product with which I am familiar has been proven scientifically to achieve specific beneficial clinical outcomes. However, the research behind its “effectiveness” shows that despite its proven ability to achieve results in most patients:
– 20% of those taking the medication unintentionally skip 30% of their doses,
– 15% stop taking the medication because of its side effects, and
– in a small number of cases potentially fatal reactions occur.
This drug was considered “effective” and approved for use. Measurement of effectiveness is based on the outcome. The rate of and reasons for failures are known and predictable. They are not deficiencies. They are reality.
to offset the known failure rates and negative side effects with other complementary measures. They recognize that humans will exhibit a behavioral response to the medication. They constantly measure success against the outcome desired. The goal is cure, not treatment.
Example 2 – Designed to Fail
decides to reduce the incidence of fraud and error through the introduction and automation of a “treatment” such as Segregation of Duties (SoD).
In my experience, here is how I would assess the “effectiveness” of SoD using the logic of the FDA. (These examples are based on my experience. Yours may differ).
– Approximately 20% of the time SoD is deliberately breached (through shared passwords, pre-signed forms or other means).
– A small portion of these breaches result in fraud or abuse. The specific rate of failures resulting in fraud or abuse is knowable and predictable.
– SoD increases elapsed time for procurement for critical processes on average by 10%.
– SoD adds about 2-5% to the total economic cost of an average procurement transaction.
– SoD requirements are often a powerful disincentive to incur operating costs or invest in the business and may have a negative impact of 2-3% on profitability.
In the world of GRC, SoD is generally considered “effective” simply if it is implemented. The compliance rate is not predicted or known, and the negative impacts are not recognized.
When the treatment, not the outcome, is the criterion for success, failure is inevitable.
No attempt is made to measure or predict the failure rate, and the negative impacts are not recognized. If breaches of SoD are detected, the remedy is more enforced compliance. If a breach of SoD results in fraud, it is considered a failure of SoD. Such reasoning is tautological and leads to endless destructive repetition.
It is not a failure of SoD. It is a failure of control
When the “effectiveness” of a control is judged by the degree
of compliance with the control, and not the outcome sought, then that control
is designed to fail.
Controls for Failure: What Needs to Change
Define the intended outcome: The business objective is paramount. Abandon the notion of “control objective”. In my example above, if 100% of the patients took 100% of their doses but the desired clinical outcome was not achieved, the treatment can’t be considered effective. The control objective would be met, but the goal of medical treatment is to cure. The goal of internal control is to achieve business objectives, not control objectives.
Recognize and Assess Adverse Impacts: The cost of some treatments exceeds the benefits. Assess the importance of the outcome and weigh the adverse impacts of treatment as part of the design decision.
Define Deficiencies Carefully: A deficiency should be assessed against the target failure rate. Correcting a deficiency must improve performance against the outcome. Tolerate control failures within the target range or change the target range and accept additional adverse impacts.
Recognize Human Behavior: There is a reason COSO created the “Control Environment” category as a root cause of failure. Over 50% of reported deficiencies under SOX are related to Control Environment. Your control portfolio must recognize and enroll the human behavior needed for success.
Control Portfolios for Failure: Controls work in combination. Assess the effectiveness of the entire portfolio, not of individual controls. My experience suggests that the ratio of controls to risks at clients is about 5:1. That ratio should be reversed.
Risk Management Tools to your Toolkit:
Learn how to apply the quantitative analytical techniques of risk management professionals. Predict failure. Model control portfolios for effectiveness. Drive efficiency and effectiveness into internal control.
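The SoD assessment in Example 2 and the advice above (assess deficiencies against a target failure rate, weigh adverse impacts, model the whole control portfolio) can be expressed as a small outcome-based model. The following is an added illustration, not code from the original article. It takes the 20% SoD breach rate and the 2-5% transaction cost from the text; the fraud attempt rate, the second control, the transaction volumes and the loss assumptions are constructed for the example.

```python
"""Outcome-based versus compliance-based assessment of a control portfolio.

Added example; not part of the original article. Only the 20% SoD breach
rate and the 2-5% per-transaction cost come from the text; every other
number below is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Control:
    name: str
    compliance_rate: float        # fraction of transactions where the control is actually followed
    stop_rate_if_followed: float  # P(a fraud attempt is stopped | the control was followed)
    cost_fraction: float          # cost the control adds, as a fraction of transaction value


def residual_fraud_probability(attempt_rate: float, controls: List[Control]) -> float:
    """Probability that a transaction ends in realised fraud.

    Treats the controls as independent layers: an attempt passes a layer
    either because the control was bypassed (1 - compliance) or because it
    was followed but did not stop the attempt.
    """
    p = attempt_rate
    for c in controls:
        pass_through = (1.0 - c.compliance_rate) + c.compliance_rate * (1.0 - c.stop_rate_if_followed)
        p *= pass_through
    return p


def outcome_assessment(n_txns: int, avg_value: float, attempt_rate: float,
                       loss_fraction: float, controls: List[Control]) -> Dict[str, float]:
    """The 'FDA logic' view: fraud loss avoided, net of the treatment's own cost."""
    exposure = n_txns * avg_value
    baseline_loss = exposure * attempt_rate * loss_fraction
    residual_loss = exposure * residual_fraud_probability(attempt_rate, controls) * loss_fraction
    control_cost = exposure * sum(c.cost_fraction for c in controls)
    return {
        "baseline_loss": baseline_loss,
        "residual_loss": residual_loss,
        "control_cost": control_cost,
        "net_benefit": baseline_loss - residual_loss - control_cost,
    }


def compliance_assessment(controls: List[Control]) -> Dict[str, str]:
    """The 'implemented means effective' view the article criticises: outcome ignored."""
    return {c.name: "effective" for c in controls}


def deficiency_exceeds_target(observed_breach_rate: float, target_breach_rate: float) -> bool:
    """A breach rate inside the predicted target range is reality to be offset,
    not a deficiency; only a rate above the target is one."""
    return observed_breach_rate > target_breach_rate


# Constructed scenario (assumptions, not figures from the article except where noted).
SCENARIO = dict(n_txns=1000, avg_value=10_000.0, attempt_rate=0.01, loss_fraction=1.0)
SOD = Control("Segregation of Duties", compliance_rate=0.80,        # 20% breach rate, from the text
              stop_rate_if_followed=1.0, cost_fraction=0.03)        # 3% cost, inside the text's 2-5%
REVIEW = Control("Post-payment analytics review", compliance_rate=0.95,
                 stop_rate_if_followed=0.5, cost_fraction=0.002)    # constructed second layer


if __name__ == "__main__":
    print("compliance view:", compliance_assessment([SOD]))
    print("outcome view, SoD alone:", outcome_assessment(controls=[SOD], **SCENARIO))
    print("outcome view, portfolio:", outcome_assessment(controls=[SOD, REVIEW], **SCENARIO))
    print("25% observed breach vs 20% target is a deficiency:", deficiency_exceeds_target(0.25, 0.20))
```

In the constructed scenario the compliance view reports SoD as "effective" while the outcome view shows the control costing more than the fraud it prevents, which is exactly the gap between treatment and outcome the article describes; changing the assumed rates changes the verdict, which is the point of modelling the portfolio rather than asserting that an implemented control works.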
The righter we do the wrong thing, the wronger
we become. When we make a mistake doing the wrong thing and correct it, we
become wronger. When we make a mistake doing the right thing and correct it, we
become righter. Therefore, it is better to do the right thing wrong than the
wrong thing right.
In reflecting recently on the state of Enterprise Risk Management (ERM) (I will use the term ERM generically for all its current variations), I have come to conclude that ERM is far from reaching its potential and may be in a state of decline.
As a profession we have developed what I will call Enterprise Risk Accounting (ERA) capabilities. ERA practices are sometimes useful and in some cases mandatory. But they differ dramatically from Enterprise Risk Management (ERM) and should not be mistaken for or substituted for ERM.
Much of what we call ERM today is, in fact, what I would call ERA. They are far from the same thing. Confusing ERA for ERM may be blocking progress.
Characteristics of Enterprise Risk Accounting (ERA)
Very little real “management” is involved in ERM today. Today’s risk “management” practices look much more like “accounting” for risks than managing them. (Fair disclosure: I am a professionally qualified accountant and former auditor and have been an unwitting risk accountant as well as a risk
Many of our risk management initiatives are guided by the
risk management standards and guidance we follow but seem to embrace the paradigms
of the accounting profession.
Enterprise Risk Management, as often practiced today, is focused on past events rather than the future; on what is known or clearly predictable rather than on decision making under uncertainty; and on identifying, classifying and reporting what has happened, not on managing uncertainty and making decisions.
In my assessment most risk responses today are largely limited to COSO Control Activities. We have fallen into the “I have a hammer; we need to find nails” way of thinking. Only risks susceptible to Control Activities tend to be accounted for. As if risks were debits, we try to balance the ledger with Control Activities.
For a risk to be included in the scope of most ERM initiatives, it probably has already happened. If it is likely to happen but hasn’t yet, it might be “accrued” by adding it to the Risk Ledger (aka Risk Register).
Risks that have already happened or are clearly predictable exist in mature business processes. Why do we focus on these risks? It is self-defeating.
Let me be clear. I am not opposed to “risk accounting”. But risk accounting is not risk management, and it may not help the business.
Characteristics of Enterprise Risk Management (ERM)
While ERA is focused on identifying events, ERM should be focused on predicting them. That’s often not the case today. COSO ERM guidance, for example, classifies risks into one of four types: Financial, Compliance, Strategic and Operational. I agree that these are useful ways to classify business activities, and when risk events occur, maybe we can use these categories to assign them. But risk management needs to predict risks, not account for them after they occur, and to anticipate risks we require an understanding of the events and conditions preceding the risk event. These COSO risk categories tell us where we can “book” the risks in the Risk Ledger but nothing about their cause. That’s risk accounting, not risk management.
The first step in ERM should be identifying broad categories of risk drivers. If we want to prevent fires, we need to understand what causes a fire. Fire extinguishers don’t prevent fires. If we rely on fire extinguishers, we are accepting that the risk event will occur. That’s risk accounting. If we want to prevent fires, we need to eliminate flammable materials and sources of ignition. That’s risk management. Underlying every risk is some type of preceding event or condition. Understanding those events and conditions and how they behave is risk management. Classifying the risk event after the fact is risk
ERM must focus on key value adding activities where the future is uncertain and volatile. Evidence suggests that most of what we call risk management takes place in mature operational processes where most risks are known and predictable. By my definition, 90-95% of risks in operational processes are well known. Listing and assessing them is risk accounting.
Risk management, for example, should tell us how trade barriers and tariffs will impact supply chains, currencies and markets. And it should have told us that two years ago. Evidence of the lack of anticipation of risk drivers is the newly “emerging” field of Digital Risks and Third-Party or Supply Chain Risks. Why could we not anticipate fraudulent financial reporting by examining executive compensation trends years ago? If we were managing risks, we would have seen them coming. These examples are all risk management failures, but we can consider them risk accounting successes.
Every year I see lists of “emerging risks”. Every “emerging” risk I have seen on anyone’s list has already emerged. It wouldn’t be on the list if it hadn’t. We’ve been looking over our shoulder for emerging risks when we should be looking over the
Risk managers must look at emerging risk drivers before they drive the risks. Risk managers today should be evaluating the impact of digitization and other significant technological, social, economic, political or
I attended a presentation recently where a well-known clothing brand was evaluating whether social changes would result in the elimination of gender-based clothing and what they needed to do to survive in that environment. That’s risk management. If they wait for the risk to happen, it’s too late to manage it. It becomes another risk accounting story. Ask Blackberry or Blockbuster.
Practicing Enterprise Risk Management
I’m not sure how to make the conversion from ERA to ERM. It’s probably best to keep them separate. There is room for both, but let’s recognize the differences. Here is some advice you may wish to consider. Please also take another look at
Focus ERM on value adding activities rather than mature operational processes. Value adding activities probably make up no more than 30-40% of your overall business activities. Risk management is useful where your business is investing capital and where you want it to grow.
If you are having risk or control issues with
the performance of mature operational, financial or compliance processes, you
probably need to shuffle or replace management. ERM and ERA will delay the
Consider risk drivers: the social, economic, political, competitive and other external forces that will impact your value adding activities. Learn how to exploit them for gain by managing those risks. Your competitors will be doing the same thing.
Engage the business, especially the 1st
Line of Defense. They are the risk managers. They make things happen. If you
cannot engage them, you are probably asking them to be risk accountants. Chances
are they are already engaged and motivated to manage risk.
If you produce and distribute Heat Maps or Risk
Registers, you are a Risk Accountant. If you provide opinions on “control
effectiveness” you are a risk accountant. Try assessing the effectiveness of
risk management instead.
If more than 30% of your recommendations are
COSO Control Activities, you are a risk accountant. I am not a fan of COSO, but
it was intended to be, and is, a valid root cause of failure model. If you rely
only on Control Activities, you do not understand COSO and if you do not understand
and manage root causes of failure you are accounting for and not managing risks.
Evaluate the risk management technology, if any,
that you use today. Is it really risk management technology or is it risk accounting
Exploit the risk management technology that is
available today. It may not be called risk management technology. And what is
called risk management technology is probably risk accounting technology.
Use key risk indicators to trigger alerts and
actions. Use predictive analytics to discern patterns and trends. Use modelling
and quantitative techniques to help with decision making. Use surveys and
collaborative tools. These are the tools of risk managers.
Focus all your risk and compliance activities on
business performance and business objectives. If you report on “internal
control effectiveness” you are a risk accountant.
The Bottom Line: Do the Right Wronger and Learn.
Accounting is not a bad thing. Some of our standards and regulations require it.
My point is that if
we believe ERA is ERM, we are missing an opportunity to serve our companies and
clients. We need ERM as much or more than ERA.
The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter. Therefore, it is better to do the right thing wrong than the wrong thing right.