Frightened by Risks, Addicted to Controls, Sedated by Assurance

Can belief-based practices survive in a data driven world?

The paradigms, professional practices and regulatory standards guiding business risk and assurance professionals have been developed over many years, long before the digital world we live in today.

Do the practices we have used as risk, control and audit practitioners actually “work”?

We fear risks, we are addicted to costly and dubious “controls”, and we are sedated by “assurance” practices based on unproven confidence in those controls.

These practices are primarily based on beliefs, not data. Those beliefs were rational at one time.

In a data driven world they are obsolete and possibly dangerous.

Is it time for a New Deal?

Beyond Belief

Digital innovations such as cloud computing, artificial intelligence, machine learning, predictive analytics, robotic process automation and high speed in-memory processing are rarely mentioned in the standards and practices that guide business risk management practices. When digital innovation is mentioned, it is usually considered a risk (e.g. the risk of cloud computing). Despite our fears, digital innovations have produced immense disruptions that have proved extremely beneficial.

When risk and control professionals view digital innovation, with its profound and beneficial outcomes, as a risk, it's time to question our beliefs.

Digital innovations have enormous potential to disrupt and that disruption must impact risk and control professionals. What will that disruption look like in a data driven world?

Confident Performance is the New Assurance

Assurance may be comforting if proof is not possible. It is not a substitute for data, and reliance on assurance is inexcusable when data is available. Effective internal control you say? Show me the data.

To use a simple analogy: today, using our mandated control-based approach, we believe we can reduce the incidence of fires by counting and testing fire extinguishers. We provide “assurance” when we are satisfied. More extinguishers are usually better. Too many are not enough.

We measure the existence of controls, not business outcomes. (PCAOB AS5 explains this much more clearly).

In a data driven world, we should now be able to confidently state desired outcomes and use data to track our performance in achieving the outcomes.

Assurance not supported with performance is based on superstition.

There is no valid reason for failing to confidently define business outcomes and measure performance against them. Assurance means we do not really know. Things we do not know should be reported as Risk Factors.

In a data driven world critical outcomes become visible and predictable. When outcomes become predictable and measurable, assurance is replaced with data.

Embrace Risk Assessments: They Teach Us How to Confidently Achieve Outcomes

Outcomes are best managed by understanding failure. The original COSO framework was commissioned over 25 years ago to explore the root causes of failures in financial institutions.

If we want to achieve accurate and reliable financial reporting, an increase in market share, a reduction of cyber fraud or any other outcome, we must understand the causes of failure. Cause-of-failure data, not “control effectiveness”, teaches us what performance is possible and what must be done to achieve it. Risk assessment teaches us how to achieve outcomes. Control addiction blinds us to the knowledge we need.

Aviation experts can prove that up to 80% of aviation incidents are caused by human failure. Every detail of every incident is recorded and analyzed. Compare this typical NTSB Incident Report to a Material Weakness disclosure under SOX. This Incident Report is for a near miss, not a fatal accident. It contains over 70 pages of data and analysis.

Compare this detailed Incident Report to the average 500-word Material Weakness disclosure. Compare it to the typical 200-word report on internal control over financial reporting. It is even longer, at 75 pages, than my copy of PCAOB AS5, which tells us how to provide “assurance” instead of data.

(Homework assignment: Review the detailed Incident Report and tag each issue identified with its COSO category. Discuss: Can tagging be digitized by AI? What would we learn if we did?)

Does that mean we should provide a 70+ page analysis of every SOX “deficiency”? Would it cost more to do so than we spend on “assurance” today?

In the absence of a data driven approach that measures performance against defined outcomes, is a 200-word audit opinion on “internal control effectiveness” in a multi-billion-dollar global enterprise worth the paper it is written on?

Data informs us. There is a bright side to risk. Naming and shaming teach us nothing.

Data is the new control

Control is now digital innovation and data.

Credit card companies analyze millions of transactions in real time to detect and block anomalous or suspicious transactions before they are processed.

We spend billions of dollars on procurement and other routine activities, and on before-the-fact “controls” that cause massive increases in elapsed time and huge costs, instead of relying on technology and data to detect potential fraud or error.

Collaboration in a data driven digital world is critical. We spend billions of dollars identifying collaborative opportunities and blocking them, thanks to our addiction to Segregation of Duties.

We spend billions of dollars identifying “ineffective” controls without ever analyzing the cause of their ineffectiveness.

We have powerful technology to communicate objectives, track performance, develop, train and motivate employees and we rely on “Control Activities” instead.

As a result, we are frightened by risk, addicted to controls (primarily Control Activities) and sedated by assurance that is at best a guess and at worst a superstition.

The Role of Auditors in a Data Driven World

Is there such a thing as an opinion on the effectiveness of digital innovation in confidently achieving business outcomes?

Is there a role for auditors to show how this can be done?

Should auditors help identify and review performance against the company's 5 most critical business objectives? These objectives should be those undertaken to drive business value or protect it from catastrophic losses.

I hope you find my ideas and commentary thought provoking if nothing else. Please feel free to comment and share.

Published by Bruce McCuaig

I'm interested in all aspects of risk and compliance management. I want to make it work for business executives, the practitioner community and the business.
