As part of a recent blog post titled “Nobody Knows Anything”
(and there’s a topic worth discussing all on its own; but let’s move on),
author Austin Kleon told the following story:
On our walk this morning, my wife was telling me about
the difference between risk and uncertainty that Arthur Brooks brings up in his
piece about how to stay calm in the pandemic. “Uncertainty involves unknown
possible outcomes and thus unknowable probabilities,” he writes. “Risk involves
known possible outcomes and probabilities that we can estimate.” Our problem,
Brooks says, is that we try to convert uncertainty into risk by bombarding
ourselves with information.
Internal auditors like to consider themselves risk experts. And
discussions about risk, uncertainty, and the relationship between the two should
be our bread and butter.
However, we may fail at this more often than we suspect. For
example, at the most basic level, many of us do not even know what we are
talking about. The words we use flow without us really understanding what we
are saying. Allow me to pose a relatively simple question regarding a very
basic risk concept.
An organization has established the objective “We will make a
profit.” Yes, I know it isn’t the most perfectly worded objective, but it will
do for our purposes. Next, let’s say that the organization, in its extensive
and exhaustive research regarding risks to that objective, starts with a basic
statement: “The primary risk is that the organization will not make a profit.”
(Again, not perfectly worded, but you get the point.)
Show of hands: how many think it is a risk? Show of hands:
how many think it is not a risk? Show of hands: how many of you didn’t raise
your hands because you didn’t think I could see you? (Many of you seem to have
forgotten to place the tape across your computer’s camera lens. Just saying.)
Based on the results I get when I drum this conundrum during
presentations, 50% of you are wrong.
“We do not make a profit” is not a risk. Quite
simply, a risk cannot be the opposite of an objective. (Go ahead, look it up.) But
half of the individuals in our profession — young or old, new or experienced, junior
auditor or chief audit executive — get this wrong. We call ourselves experts, yet we have trouble
with the most basic concepts. We can’t even define risk correctly.
But, let’s move beyond the fact that we may not even know
what we are talking about. Let’s dig deeper and look at the assumptions and
misunderstandings we apply in real audit work.
(And, at this point, a quick caveat. I am probably out of my
depth here. I have a basic understanding of risk and related stuff, but that
doesn’t mean the interpretations contained herein are right. Feel free to
correct me on any of this.)
Given: Risk is the possibility of an event happening that
will impact objectives. Therefore, we cannot know if a risk is worth worrying
about until we have some understanding of the possibility the risk will occur. Anything
that cannot be understood (ideally, quantified) is uncertainty. Uncertainty
leads to unknowable probabilities. And, when there is too much uncertainty, our
grasp of the actual risk is tenuous at best and we cannot determine the impact.
We probably all know this, but do we lose sight of it as we
work our way through our work and audit our way through our audits? To find
out, let’s look at the most basic but problematic process within internal
audit, report writing.
You are pulling together your report and are about to broach
the writing of one of the issues to be contained therein. (Let’s skip the fundamental
error that much of this should have been accomplished well before the report
writing stage. I’m on a roll and don’t want to be stopped.) Because it is a
requirement within your department (not to mention that it is part of the
Standards), you will include the impact/consequence related to the issue.
Easy peasy. The impact is obvious — loss of money, inefficiencies,
brand degradation, any of the full set of impact arrows we have in our report-writing
quiver. You write it up and blithely wend your way to the report’s finalization.
But let’s back up and take a closer look. How much thought
has been given to how those impacts relate to the risk assessment that got the
whole audit started? Does anyone take the time to make sure that the story we
tell at the end of the audit matches the one we promised to tell in the
beginning? And what would happen if we did look back?
I have no conclusive evidence — just gut feel and what I’ve
seen from a number of years being an internal auditor — but I think if we were
to look at our impact statements in light of the risks identified at the
beginning of the audit, we would not be able to see how we really got where we
Let’s watch it happen.
A risk assessment is completed using all available
information. Some of that information may not be as complete as we would like,
but we work with it anyway. Yes, there is some uncertainty. But we make up for it
by getting even more information, using our past experiences, and relying on good,
old-fashioned, gut feeling.
(Note that this isn’t as far-fetched as it sounds. I have
yet to see a risk assessment that did not include a weight, measure, or other
criteria that was simply gut feel. It may have had some other name, but,
ultimately, it was the gut feel of the person responsible for the final
document. Look at yours and see if you don’t agree.)
So, we work with that risk assessment and we determine where
to spend our time. The uncertainty already built into the risk assessment
begins to grow as uncertainty builds on uncertainty. “We have to test this
area,” “There’s always a problem here,” or “Let’s not waste our time there” —
every decision made with nothing more than a whim and the hubris of absolute
belief in our experience.
Based on all of that, we talk and test and document and come
up with something. And we write the issue. And then we have to have an impact. And
the uncertainty reaches a new crescendo, all because we have ignored how much
uncertainty has crept into the process.
Do you have enough information to say what the impact really
is? And, if you come up with an impact, does it have any bearing on the original
risks? If not, how did this even get tested? And, with the risk in mind, how
likely is it that, given the condition, that impact will really occur? Or, are
you so adamant that the issue needs to be fixed that you are reaching for a
worst-case scenario? Are you looking for reality or a headline? And how much of
all of this is based on probability and how much on uncertainties?
I may be jumping to conclusions here. Such may not be the
case for many of you. Or it may even be I’ve underestimated the entire
profession. But, as I look back at work I did, managed, and consulted on, I have
not seen anyone literally go back to those original risks. And the most cynical
part of me wonders if this is because we know a match does not exist.
I beg and plead for you to show me I’m wrong. (I’ll even
take your word for it.) But if you haven’t taken that look back — if you haven’t
made the comparisons — take a closer look to make sure that uncertainties are
not driving your final product.
And, one other thing, make sure you even understand the
words that are coming out of your mouth.
And, that was going to be all I had to say and type about
that. But then something else about uncertainty and risk raised its ugly little
head. So, within the next couple of blog posts, expect a little more on the
subject as we explore how all this applies to the real world.