The purpose of this blog is to provide a framework for constructive suggestions and insight into how risk and compliance practices can be improved.
What would improvement look like? For starters, I’d like to see:
- A direct link from risk and compliance practices to business performance
- Comprehensive reporting that connects the dots from a common data set
- Strengthened silos with consistent methodology, calibration and taxonomy
- Adoption and exploitation of available digital innovation
- Increased business engagement, particularly from Line 1 of the 3 Lines of Defense
Here’s the problem. The diversity and complexity of regulations, standards and professional practices across the risk and compliance spectrum represent multiple, often conflicting, seemingly irreconcilable and deeply held paradigms and beliefs. Some of today’s practices simply do not make sense.
We need to find a way to fit all of this into a simple visual model. My starting point is below.
Primary Response Strategy Quadrants.
Here is how it works:
The 4 quadrants in the middle introduce four basic risk response strategies. The vertical and horizontal axes show risk appetite and risk level. I should be able to assign a primary response strategy for a given risk from any risk driver to one of the quadrants based on risk level and appetite.
Left Hand Panel: The Primary Response Strategies Mapped to Risk Domains
I have color coded these risk domains with the primary response strategies I have observed based on my knowledge and experience. It looks to me like the one-eyed monster of “control” has gobbled up most risk domains. The question is, should it?
Right Hand Panel: Primary Response Strategy Mapped to Risk Drivers
Here I display a generalized list of Risk Drivers and suggested appropriate response strategies for each, based on the nature of the risk driver, and again based on my experience and knowledge. It looks to me like the drivers of risk, particularly the external drivers, are more susceptible to the other primary strategies. Again, I could be wrong, but I believe risks resulting from these risk drivers are not being examined and, if they are, inappropriate primary response strategies are being used based on the dominant domain strategies.
Primary Response Strategy Quadrants Explained
- Primary Response Strategy: Control Activity
Think of COSO and SOX regulations, particularly AS5. These represent the archetypical control response. Resources are spent identifying, assessing, adding, auditing or testing controls for effectiveness. Nothing is wrong with that. But I have a slightly nuanced interpretation. In my experience most of the controls involved are COSO Control Activities. I would argue that by using Control Activities, there is an implicit expectation that the relevant risk event will occur, can be detected quickly and mitigated. In simple real-life terms, if your primary response to the risk of fire is fire extinguishers, then you are accepting the risk of a fire. If you don’t want the risk of a fire, you must deal with the events and conditions that cause them. Broken or missing fire extinguishers become the risk. That’s pretty much how the definition of SOX deficiencies works. Am I oversimplifying? Of course. Is there anything wrong with this strategy? Not at all. Unless of course you are using it as a response to a risk event that you must prevent. Would you be comfortable if you were given a parachute when boarding a flight? It worries me that the control strategy seems to be the dominant response across most risk domains. It also worries me that every control activity has negative unintended consequences. It’s not a coincidence that I use the word “design” in all the other quadrants. Control activities are not “designed”, they are proliferated.
- Primary Response Strategy: Risk Performance Decision
Where severe and unacceptable risks occur, the primary response cannot be controls as we know them today. Years ago, I dined at an elegant restaurant in a dangerous neighborhood in Johannesburg. Guards carrying automatic weapons were visible and on patrol in the dining room. Did that make me feel safe? The answer is of course not. It told me the establishment was willing to accept the possibility of armed intruders entering the dining room and willing to have a gun battle across my table. The armed guards, and I assume they were deemed necessary, would have made me feel safer if they were outside. Better yet, a good fence and video surveillance would be appropriate. Unacceptable risks must be predicted and prevented at their source.
- Primary Response Strategy: Employee Performance Design
An example of using human behavior to manage risks undertaken to add value is the aviation industry. Obviously, aviation is inherently dangerous. Yet statistics show that over the last few decades, despite larger aircraft carrying more passengers longer distances more often, the rate of aviation incidents per million miles flown has reduced dramatically. How can this be true? Having travelled frequently and even married an airline employee, I had the opportunity to ask this question of flight crew, cabin crew and ground staff. The answer was always the same. Airline employees are intensively trained and forced to requalify frequently. Fail the training and you may not fly until you requalify. When it comes to safety, they know what to do, why it is important and how to do it, and they keep track of incidents.
In virtually every field of human endeavor, about 50-60% of incidents are caused by human error. It’s true for reported SOX deficiencies, auto accidents, fires in the home and every other field of human endeavor where records are kept. It’s even true in aviation. The difference is that aviation has reduced the number of incidents dramatically. Human errors remain at the same level. But the rate of incidents has declined.
Risk response strategies that do not deal with human error cannot be more than 50% effective.
- Primary Response Strategy: Loss Performance Design
Procure-to-pay processes, and many other processes in business, are extremely complex and use Controls as the primary strategy. On the other hand, any consumer can go to a merchant and use a credit card to purchase goods and services. Technology allows fraudulent purchases to be detected and blocked immediately in the vast majority of cases. Anomalous transactions and patterns of behavior are detected amongst millions of legitimate transactions. This loss management strategy substitutes high speed, real time analysis to authenticate transactions. I’m sure it is less than 100% effective. I am also reasonably sure that it would work on mature internal processes far more effectively than the control-based approach, particularly if it were combined with strong human resource management. Product warranties and insurance products also fit this strategy.
Where does this leave me? I think I have a useful way to begin to assign primary response strategies to business risks.
My concern today is that the prevailing paradigms and beliefs are narrow and silo specific and do not seem to allow for an integrated approach. The Control strategy seems to dominate risk and compliance thinking and may be used inappropriately. We need to drive higher business engagement, show direct contribution to business value and higher reliability, and provide a basis for technology adoption. I will provide thoughts on all those fronts. But I’d like some thoughts, feedback, criticism and/or validation.
Comments, reflections, criticisms are welcome. I hope to hear from you.
In the words of Russell Ackoff:
The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter. Therefore, it is better to do the right thing wrong than the wrong thing right.