Have We Reached the Tipping Point in Risk and Compliance? Is It Time Now to Connect the Dots?

Thanks to the perseverance of risk and compliance professionals and automation we have built silos where domain specific risks are managed in very granular detail. This data has unexploited strategic value.

The silos exist within all risk domains. We need to begin to connect the dots across the silos. There is no other way to grow as a profession.

Strong silos are a sign of a maturing profession. But professional growth requires the development of an overarching framework that creates actionable knowledge from siloed risk and compliance information.

Think of the development of financial statements driven by double entry accounting, which forced the linkage of financial accounting silos to create financial statements. Reporting Accounts Payable balances alone is not useful. It's necessary to connect those balances to Inventory, Operating Expenses and Cash accounts to create knowledge and make decisions.

Unconnected risk and compliance reporting using risk registers, heat maps, lists of effective and ineffective controls, and stacks of single-issue audit reports suggests we have not linked the silos.

We have great data in the risk and compliance silos. We need to get it linked to what the business cares about. Data in the risk and compliance silos must be categorized and linked to explain and anticipate business performance and how objectives will be achieved.

The Art of the Possible

Several years ago, a colleague of mine at SAP demonstrated how technology (SAP technology in this case) can be used to connect the dots across several silos of risk and compliance information and link the siloed results to business objectives.

Thanks to SAP this demo is publicly available on YouTube. It's about 8 minutes in length but well worth the time.

As you watch the demo, imagine the addition of key risk indicators, risk drivers, performance data, audit data providing assurance and root cause analysis.

Imagine also that the data would be updated instantly every time events such as loss incidents, control test failures, audit findings or any one of dozens of potentially triggering events occurred. Finally, imagine instant drill down capability to a very granular level.

Among other things business executives would then be able to instantly:

  1. Anticipate how external and internal risk drivers will impact objectives.
  2. Compare risk and compliance practices between different organizations and over time.
  3. Understand the root causes of failure and ineffective controls.
  4. Drive down the cost of control by balancing risk appetite with control cost.
  5. Determine the most cost-effective control portfolios and risk responses for given objectives and risks. (See also my blog offering a Strategic Perspective on Risk and Compliance.)
  6. Allocate risk and compliance resources, including audit, to where they are most needed.
  7. Assess the performance of risk and compliance professionals and their contribution to business performance.

What’s Blocking Progress?

Technology for connecting the dots exists today. The data that needs connecting is available. Risk and compliance professionals are competent and motivated. In my view the next step is getting the silos aligned to a common goal, but silos must remain independent and strong. In my experience, although risk and compliance professionals talk about adding value and contributing to performance, they are primarily aligned with their professional standard setters who give them accreditation. To meet their professional standards, auditors are required to audit, risk professionals are required to identify and assess risks, control professionals are required to test controls, and compliance people are focused on compliance, or obedience. None of the silos are judged by their contribution to business performance. The sum of all their work is unconnected data. That data only has value when it's connected.

I have seen very little evidence of cross-silo collaboration in my career. And that may be an overstatement. Alignment must come from the top. It's unlikely to appear spontaneously from the silos.

Customer reactions to the demo above were polarized. Executives and boards were extremely interested. Most risk and compliance professionals were indifferent at best.

For those of you who want to connect the dots, my suggestion is to start at the top of the organization and create demand with a vision. Use the vision to align and mobilize.

A Recipe for Connecting the Dots

Consistent methodology is critical to connecting risk and compliance data. Here is an example that illustrates the need for consistency and structure.

My pharmacist usually recommends generic versions of my prescription medication. She claims the ingredients of the generic drugs are the same as the ingredients in the branded versions, so why pay more? I pointed out that the key ingredients in a fine soufflé and the ingredients in burnt scrambled eggs are also very similar. The ingredients are important, but the recipe used, the skills and training of the chef, the cooking process and the equipment used are equally important. To consistently produce the same result and to scale the process, a standard methodology must be used.

Tim Leech, a former partner and colleague and now the owner of Risk Oversight Solutions, has used a version of this model for many years.

Every risk and compliance silo creates information that fits somewhere in this flow line. All the dots are here and the logical connections between them are apparent. In this case, all the information gathered is linked in some way to a business objective. Variations of this approach are possible and other approaches may work as well.

But by using a standard methodology, everyone understands what information is created, who created it, and what it means. In order to integrate, risk and compliance practitioners, like chefs, must all follow the same recipe.

A standard methodology provides a recipe for determining and linking all the different data produced by risk and compliance practitioners. Standardizing the data means it can come from any practitioner or “silo” and be understood as part of the whole.

Adding the Ingredients

Most of the aggregation failures I have seen have been at the silo level. Invariably they have been caused by too much uncategorized granular data. We need to see the forests. Silos give us the trees. What data to link, and how much of it to gather, is a topic on its own. I’ll share my thoughts on the ingredients in a separate blog. But as with any recipe, you’ll need to be selective in the number and quantity of ingredients and you must adjust the flavor for the audience. It's an art in itself.

In the words of Russell Ackoff

The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter. Therefore, it is better to do the right thing wrong than the wrong thing right.

Sizing up Risk and Compliance Practices: A Strategic Perspective

The purpose of this blog is to provide a framework for constructive suggestions and insight into how risk and compliance practices can be improved.

What would improvement look like? For starters, I’d like to see:

  • A direct link from risk and compliance practices to business performance
  • Comprehensive reporting that connects the dots from a common data set
  • Stronger silos through consistent methodology, calibration and taxonomy
  • Adoption and exploitation of available digital innovation
  • Increased business engagement, particularly Line 1 of the 3 Lines of Defense

Here’s the problem. The diversity and complexity of regulations, standards and professional practices across the risk and compliance spectrum represent multiple, often conflicting, seemingly irreconcilable and deeply held paradigms and beliefs. Some of today's practices simply do not make sense.

We need to find a way to fit all of this into a simple visual model. My starting point is below.

Primary Response Strategy Quadrants

Here is how it works:

The 4 quadrants in the middle introduce four basic risk response strategies. The vertical and horizontal axes show risk appetite and risk level. I should be able to assign a primary response strategy for a given risk from any risk driver to one of the quadrants based on risk level and appetite.

The 4 Quadrant Model shows how risks can be allocated to response strategies based on appetite and level.

Left Hand Panel: The Primary Response Strategies Mapped to Risk Domains

I have color coded these risk domains with the primary response strategies I have observed based on my knowledge and experience. It looks to me like the one-eyed monster of “control” has gobbled up most risk domains. The question is, should it?

Right Hand Panel: Primary Response Strategy Mapped to Risk Drivers

Here I display a generalized list of Risk Drivers and suggested appropriate response strategies for each, based on the nature of the risk driver, and again based on my experience and knowledge. It looks to me like the drivers of risks, particularly the external drivers, are more susceptible to the other primary strategies. Again, I could be wrong, but I believe risks resulting from these risk drivers are not being examined and, if they are, inappropriate primary response strategies are being used based on the dominant domain strategies.

Primary Response Strategy Quadrants Explained

  1. Primary Response Strategy: Control Activity

Think of COSO and SOX regulations, particularly AS5. These represent the archetypical control response. Resources are spent identifying, assessing, adding, auditing or testing controls for effectiveness. Nothing is wrong with that. But I have a slightly nuanced interpretation. In my experience most of the controls involved are COSO Control Activities. I would argue that by using Control Activities, there is an implicit expectation that the relevant risk event will occur, can be detected quickly and mitigated. In simple real-life terms, if your primary response to the risk of fire is fire extinguishers, then you are accepting the risk of a fire. If you don’t want the risk of a fire, you must deal with the events and conditions that cause them. Broken or missing fire extinguishers become the risk. That’s pretty much how the definition of SOX deficiencies works. Am I oversimplifying? Of course. Is there anything wrong with this strategy? Not at all. Unless of course you are using it as a response to a risk event that you must prevent. Would you be comfortable if you were given a parachute when boarding a flight? It worries me that the control strategy seems to be the dominant response across most risk domains. It also worries me that every control activity has negative unintended consequences. It's not a coincidence that I use the word “design” in all the other quadrants. Control activities are not “designed”, they are proliferated.

  2. Primary Response Strategy: Risk Performance Decision

Where severe and unacceptable risks occur, the primary response cannot be controls as we know them today. Years ago, I dined at an elegant restaurant in a dangerous neighborhood in Johannesburg. Guards carrying automatic weapons were visible and on patrol in the dining room. Did that make me feel safe? The answer is of course not. It told me the establishment was willing to accept the possibility of armed intruders entering the dining room and willing to have a gun battle across my table. The armed guards, and I assume they were deemed necessary, would have made me feel safer if they were outside. Better yet, a good fence and video surveillance would be appropriate. Unacceptable risks must be predicted and prevented at their source.

  3. Primary Response Strategy: Employee Performance Design

An example of using human behavior to manage risks undertaken to add value is the aviation industry. Obviously, aviation is inherently dangerous. Yet statistics show that over the last few decades, despite larger aircraft carrying more passengers longer distances more often, the rate of aviation incidents per million miles flown has reduced dramatically. How can this be true? Having travelled frequently and even married an airline employee, I had the opportunity to ask this question of flight crew, cabin crew and ground staff. The answer was always the same. Airline employees are intensively trained and forced to requalify frequently. Fail the training and you may not fly until you requalify. When it came to safety, they know what to do, why it is important, and how to do it, and they keep track of incidents.

In virtually every field of human endeavor, about 50-60% of incidents are caused by human error. It's true for reported SOX deficiencies, auto accidents, fires in the home and every other field of human endeavor where records are kept. It's even true in aviation. The difference is that aviation has reduced the number of incidents dramatically. Human errors remain at the same level. But the rate of incidents has declined.

Risk response strategies that do not deal with human error cannot be more than 50% effective.

  4. Primary Response Strategy: Loss Performance Design

Procure to pay processes, and many other processes in business, are extremely complex and use Controls as the primary strategy. On the other hand, any consumer can go to a merchant and use a credit card to purchase goods and services. Technology allows fraudulent purchases to be detected and blocked immediately in the vast majority of cases. Anomalous transactions and patterns of behavior are detected amongst millions of legitimate transactions. This loss management strategy substitutes high speed, real time analysis to authenticate transactions. I’m sure it is less than 100% effective. I am also reasonably sure that it would work on mature internal processes far more effectively than the control-based approach, particularly if it was combined with strong human resource management. Product warranties and insurance products also fit this strategy.

Where does this leave me? I think I have a useful way to begin to assign primary response strategies to business risks.

My concern today is that the prevailing paradigms and beliefs are narrow and silo specific and do not seem to allow for an integrated approach. The Control strategy seems to dominate risk and compliance thinking and may be used inappropriately. We need to drive higher business engagement, show direct contribution to business value and higher reliability, and provide a basis for technology adoption. I will provide thoughts on all those fronts. But I’d like some thoughts, feedback, criticism and/or validation.

Comments, reflections, criticisms are welcome. I hope to hear from you.

Risk management won’t add value unless it starts with value drivers

Risk and compliance professionals want to be “trusted advisors”. To do this they need to help add value to the business. They usually fail because they don’t know where to start. My simple premise is you can’t add value if you don’t understand where value lies. Here are some clues I found helpful.

Hint 1: Value, in economic terms, is usually not found on the balance sheet or in an org chart.

Hint 2: It changes periodically as the business environment changes.

Hint 3: It tends to be industry specific. Your competitors are managing the same risks. You need to do it better.

Hint 4: Equity analysts will tell you. So will credit rating agencies.

Hint 5: Traditional financial metrics may be useless, but the outcome will have financial implications.

Mismatches in Risk and Compliance Management

Example 1: Years ago I was general auditor of an oil and gas company. My staff consisted of financial and EDP auditors focused primarily on verifying the existence and value of product inventory at refineries, in pipelines, in terminals and in bulk storage facilities across the country.

Equity analysts on the other hand made buy/sell recommendations based entirely (at that time) on our ability to add and produce oil and gas reserves cost effectively. The value of proved reserves far exceeded the value of crude and product inventory. Calculating proved reserves involves an understanding of geology, engineering and economics. My audit resources were totally mismatched with the value creation by the business. I needed geologists and engineers as well.

Example 2: In the late 1990s a French equity analyst firm decided to study the world's airlines to make recommendations for their clients. (I’d love to find the report again. It's in an old file I cannot locate.) What did they look at? Not airline capacity, not routes, not operating costs, not aircraft. They decided to base their recommendations entirely on their assessment of each airline's customer experience, from reservations, through check-in and inflight service, through to baggage handling. (Remember, I did say that value adding activities change over time.)

The list of today's major surviving global airlines matches the analysts' conclusions almost perfectly. The airlines they considered weak in terms of customer experience have been merged or are gone. But customer experience is no longer the value determinant on the airlines I fly.

Example 3: It's been a long time since I have been in an audit role. I’m not sure what auditors in ERP vendors spend their time on these days. But I do know what drives share value. I believe it's the rate of growth in Cloud revenue.

Value Lessons to Learn

Here is what I know for sure. To add value today, risk and compliance professionals need to focus on three things.

1. Understand what drives your business value.

Lesson 1: Look at the Section 1A Risk Factors in your annual filings and in those of your competitors. The Risk Factors describing your value adding activities can be interpreted as inverted objectives, each of which can have a performance metric.

Lesson 2: Understand the business activities, processes or objectives, including the business risks and risk responses, that add that value. Example: in oil and gas at the time it would have started with the acquisition of land and continued through seismic evaluation, exploration and development activities and processes. Given today's prices and reserve levels, I suspect refinery efficiency, capacity and distribution systems drive value now.

Lesson 3: Scan the horizon for changes in the environment. The value drivers will change according to competitive, economic, technological and other factors. The first to figure out the new value drivers will win.

Conclusion: My experience tells me that most risk and compliance professionals are still wandering around looking for, but not adding, value. My experience tells me that value adding activities may account for only 20% or less of the business, with the balance consisting of critical and non-critical core activities that support the value adding and compliance.

I’d love to hear your views. Reach out to me directly or leave a comment.

“… almost every problem confronting our society is a result of the fact that our public policy makers are doing the wrong things and are trying to do them righter. The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter. Therefore, it is better to do the right thing wrong than the wrong thing right.”

– Russell Ackoff