PwC gets it right on internal audit
<p>I have two hands. While one is <a href="" target="_blank">slapping at PwC and their paper on risk oversight</a>, the other is stretched out in acknowledgement of an excellent short article by them on internal audit.</p>
<p><a href="" target="_blank">Agility and internal audit? Yes, these two can and should go hand in hand</a> is spot on target.</p>
<p>While I still believe that it is not internal audit's role to identify risks (as the author, Jason Pett, says at one point), it is certainly imperative that internal audit engage on every major initiative and ensure that risks to its achievement are being identified and addressed by management.</p>
<p>In this time of technology innovation and disruption, the technology specialists in internal audit (previously known as IT auditors) have a critical role to play.</p>
<p>I like Jason's talk about:</p>
<ul>
<li>Preparedness, or thinking ahead. "…agile internal audit requires auditors to face forward, plan strategically and then share their perspective with other departments and the C-suite. Working across the organization to build in flexibility and enable faster reactions are all part of preparedness."</li>
<li>Adaptiveness: "Agile internal audit functions are sufficiently flexible that they can shift their audit plan development, audit planning, fieldwork and reporting as circumstances change." As Richard Chambers and I have both said, "audit at the speed of risk" or "audit at the speed of the business." Discard annual audit plans in favor of agile, continuously updated audit plans that reflect the risks of today and tomorrow, not the past.</li>
<li>Having the skills to execute. Where necessary, partner with co-sourcing providers to enhance the internal audit team's ability to go where the risks are and will be.</li>
</ul>
<p>The IIA's core principles for effective internal audit talk to this.</p>
<p>An effective internal audit function:</p>
<ul>
<li>Provides risk-based assurance.</li>
<li>Is insightful, proactive, and future-focused.</li>
<li>Promotes organizational improvement.</li>
</ul>
<p>Does yours?</p>
<p>I welcome your comments.</p>
Norman Marks
Elevating the Board’s Oversight of Cyber Risk
<p>I have known Jim DeLoach of Protiviti for a very long time. He's a friend.</p>
<p>While we may disagree on details and the way of saying things, we tend to agree more than we disagree.</p>
<p>For example, I frequently quote Jim when it comes to the periodic review of a list of risks. As he says, this is "enterprise <em>list</em> management," not enterprise risk management — which is about taking the right level of the right risks (my expression).</p>
<p>When it comes to cyber risk and the board's role, I think we again agree on more than we disagree. He has written a couple of posts for the (U.S.) National Association of Corporate Directors (the second is a continuation of his thinking):</p>
<ul>
<li><a href="" target="_blank">Elevating Board Oversight of Cyber Risk</a>, March 2017.</li>
<li><a href="" target="_blank">Ask These Key Questions to Assess Cyber-Risk Oversight</a>, April 2017.</li>
</ul>
<p>These are both good food for thought. But are they enough? Are his questions and insights consistent with what I would do as a board member?</p>
<p>Frankly, no.</p>
<p>I would take each of the organization's key objectives (such as the earnings target, customer satisfaction goal, and so on) and ask the executive team how a breach might affect their achievement. It's a simple question, but it's not simple for them to answer. They would have had to complete a careful assessment of the risk to the enterprise, and of the effect on its various business initiatives, of a breach.</p>
<p>Most don't go far enough. They may consider the effect on a critical application and its availability, or the cost of disruption, but they haven't thought through how a breach could affect the organization's ability to provide quality products and services to its customers, the organization's reputation and what that means to revenue, and so on.</p>
<p>So, I would start with a single simple question. The discussion may extend to consideration of his other points, such as the ability to detect a breach and then respond. I have decided that it is better for the board (and management, including the risk officer) to stop trying to manage or mitigate risk. Instead, they should focus on what it will take to achieve the objectives of the organization: How will potential events, situations, and decisions affect that achievement?</p>
<p>It is easy to go overboard with concern about cyber risk. Of course it is important. But is it the most significant threat to earnings per share?</p>
<p>The only way to know is to answer my question: "How would a breach affect our ability to attain our critical targets, our measures for success?"</p>
<p>I welcome your thoughts and comments.</p>
Norman Marks
In the Face of Nature
<h3>When considering natural disasters, what are the biggest risks to organizations?</h3>
<p><strong>KASTENSCHMIDT</strong> Unlike events that impact only the organization, natural disasters can affect an entire local area or even a region. As a result, natural disasters have the potential to impact a large portion of the organization's staff, making them unavailable to participate in the recovery effort. Such events also often impact the organization's vendors, business partners, customers, etc. — all of which are factors that may significantly increase the impact of a business disruption event and the nature of the required response.</p>
<p><img src="/2017/PublishingImages/Pages/In-the-Face-of-Nature/Damian%20Walch%2070%20x%2070.jpg" alt="Damian Walch 70 x 70.jpg" class="ms-rtePosition-1" style="margin:5px;" /><strong>WALCH</strong> Generally speaking, the biggest natural disaster risks in the U.S. are tornadoes, hurricanes, and floods. While the U.S. hasn't seen a significant earthquake in many years, Ecuador, Italy, and Taiwan all experienced catastrophic earthquakes resulting in major loss of life and business disruptions with global impact. No matter the form of the natural disaster, they all pose possible major disruption to employee health, safety, and housing — not to mention disruption to business partners and supply chain participants.</p>
<h3>What are the greatest risks to organizations of prolonged downtime?</h3>
<p><strong>WALCH</strong> Disruption of normal operations due to prolonged downtime can slow communications, ultimately resulting in brand and reputation damage that leads to customer loss, C-suite and board involvement, negative media coverage, and shareholder value loss.</p>
<p><img src="/2017/PublishingImages/Pages/In-the-Face-of-Nature/Kastenschmidt_Rob_business%20attire%2070%20x%2070.jpg" alt="Kastenschmidt_Rob_business attire 70 x 70.jpg" class="ms-rtePosition-1" style="margin:5px;" /><strong>KASTENSCHMIDT</strong> Being unable to adequately recover key systems and business functions in a timely manner can expose an organization to any number of unacceptable consequences. Beyond the more immediate impacts the organization may incur during downtime, such as lost revenue and additional expenses, one of the more serious long-term concerns is the potential erosion of hard-earned market share. After working for years or even decades to develop a solid market share, an organization can see it erode quickly if it is not able to meet the needs of its customers following a disaster. To keep their own businesses operational, even the most loyal customers may turn to a competitor to obtain required products or services — and once they've departed, they may never return.</p>
<h3>What types of staff protections should be in place?</h3>
<p><strong>KASTENSCHMIDT</strong> A comprehensive recovery plan must consider situations that substantially limit the availability of the organization's staff. To mitigate the risk associated with a limitation of employee availability, organizations should factor contingency staffing considerations into their recovery plans. Such considerations may include staffing redundancy or overlap for critical functions, formal cross-training of key activities, thoroughly documented standard operating procedures, and arrangements with third parties to provide required assistance when needed.</p>
<p><strong>WALCH</strong> Employee protections should include basic protections like the ability to shelter in place and evacuation plans, training on how to respond in a crisis, and resources available to them in the unlikely event of widespread disaster. Companies should have simple playbooks to instruct employees, notification systems, and training programs that include simulations.</p>
<h3>What safeguards should organizations have to protect against data loss?</h3>
<p><strong>WALCH</strong> Having a strategy for data backup, off-site storage, and recovery is considered mature by many business leaders. However, the exponential growth in data combined with interdependencies between systems and applications has made that more difficult. Companies of all sizes are struggling to protect against storage corruption, data leakage, and ransomware attacks. Special precautions some companies are leveraging include taking frequent data snapshots to minimize data loss, moving data off site or far from an incident location, and creating isolated networks for data backups to protect against malware attacks.</p>
<p><strong>KASTENSCHMIDT</strong> Many organizations have adopted system replication or similar technologies to minimize the data that would be lost if their primary systems were destroyed and they were forced to restore the systems in an alternate environment. However, despite these modern technologies and the small window of potential lost data, organizations still must consider how lost data and transactions would be replaced, reconciled, etc., following a disaster, through using a backup solution that considers various factors such as potential data corruption, geographic separation, and security threats. While the potential data loss, or recovery point objective, may have decreased substantially in recent years, few backups are truly "real-time" copies, and losing even a few minutes' worth of data/transactions can be devastating.</p>
<h3>Why is a coordinated response important?</h3>
<p><strong>KASTENSCHMIDT</strong> Following a disaster, time and resources are both severely constrained. As a result, efficiency is paramount in executing an effective response/recovery effort. Without thorough coordination across the response process, participating teams and individuals may unnecessarily duplicate tasks, while other key activities may be overlooked. Furthermore, key elements of the response process — including internal and external communication — can be inconsistent or even contradictory, if not coordinated across the organization. Coordination of the response effort can not only allow the organization to recover quicker and more successfully, but it can also help to alleviate some of the impacts that can be encountered as a result of the event.</p>
<p><strong>WALCH</strong> We have seen strong coordinated response and recovery efforts help decrease the financial and reputational impact of prolonged outages, disasters, and incidents. A good response requires consistent information synthesis during the event. Information sharing among executives in communication, legal, operations, and human resources is vital to the success of response. Coordinated response is required for transparency to shareholders, stakeholders, and customers in the event of a natural disaster or negative event.</p>
<h3>What lessons can organizations learn from past large-scale disasters?</h3>
<p><strong>WALCH</strong> As with most things, having a plan in place is better than not. Companies that analyze their critical business processes and develop appropriate resiliency strategies to protect them are often able to respond in a more measured and cohesive manner during the hours immediately following a disaster. Planning efforts can include creating and thinking through crisis response playbooks and strategies, as well as war gaming or simulating crisis events to train leaders, employees, and sometimes business partners on how to respond.</p>
<p><strong>KASTENSCHMIDT</strong> In the aftermath of major events such as Superstorm Sandy, many organizations determined that the way they have traditionally approached disaster recovery plan testing was simply not adequate. In particular, organizations discovered that making assumptions — or cutting corners — in their testing prevented them from uncovering severe deficiencies in their recovery strategies and plans. Although effective testing has always been an important part of the recovery planning process, some previous large-scale disasters have only increased awareness of the importance of assuring that such testing is truly realistic.</p>
Staff
The Internal Audit Risk Assessment
<p>I am not talking about the risk assessment that drives the audit plan. I am talking about the risk that the internal audit function will not achieve its objectives!</p>
<p>The external audit profession has standards that require that they identify and assess the risk of an incorrect opinion on the financial statements or the system of internal control over financial reporting. (In the U.S., these are standards established by the Public Company Accounting Oversight Board. In 2010, they released Auditing Standards 8 through 15 on the issue.)</p>
<p>The question is whether the CAE performs a risk assessment that identifies, assesses, and then treats risks to the efficient and effective delivery of quality internal audit services to the board and other stakeholders.</p>
<p>I'm not an expert on The IIA's quality assurance program, but I don't see any reference in The IIA's <em>International Standards for the Professional Practice of Internal Auditing</em> that requires such a risk assessment.</p>
<p>I see a lot of objectives and mandates, but I don't see where the CAE is expected to identify, assess, and then treat risks to them.</p>
<p>As CAE, I would certainly consider risks such as:</p>
<ul>
<li>The possibility that the audit risk assessment is incomplete or inaccurate, leading to the "wrong" audit plan.</li>
<li>Audit staffing (including both quality and quantity) is insufficient to deliver quality results on every engagement.</li>
<li>The board, audit committee, and management fail to understand those results and their implications for the governance and management of the organization (such as the need to change strategies).</li>
<li>Audit communications fail to provide the information our stakeholders need, when they need it, in actionable form.</li>
<li>Expectations from the board, audit committee, and management limit, due to their lack of knowledge, the services performed and the value delivered by internal audit.</li>
<li>Changes in the business are not identified promptly so that the audit plan can be updated.</li>
</ul>
<p>Does your CAE perform such a risk assessment? How confident are you in it?</p>
<p>I welcome your comments.</p>
Norman Marks
Risk, Controls, and Culture
<p>This is a post in two parts.</p>
<p>First, I want to discuss the relationship between risk and controls.</p>
<p>The traditional view, which is not incorrect, is that you have controls to manage risk — to ensure that risk (both the positive and negative effects of uncertainty on objectives) is maintained at desired levels. Nothing wrong with that, except that it is an incomplete explanation of the relationship.</p>
<p>When the chief financial officer provides a report on the financial condition and results, perhaps with a forecast for the next period, we might be concerned about the completeness and accuracy of that information. We rely on the system of internal control to provide us with reasonable assurance that the report is complete, accurate, and up-to-date.</p>
<p>When the chief risk officer provides a report on the current level of risks and their potential to affect the achievement of objectives, we should similarly be concerned about the completeness, accuracy, and currency of the report.</p>
<p>Just as with the financial report, we should have internal controls over the risks that might affect the completeness, accuracy, and currency of the risk report. While we assess controls over financial reporting (internal as well as external), we may fail to consider and assess the controls over risk reporting. To do that, we must first understand the risks to reliable risk reporting — in fact, to effective risk management in decisions across the extended enterprise.</p>
<p>I discuss the many sources of risk in <a href="" target="_blank"><em>World-Class Risk Management</em></a> and suggest we should only assess <strong>risk management as effective when we have reasonable assurance that risks to it are at acceptable levels</strong>. That is what internal audit should set as the criterion for their assessment of risk management.</p>
<p>One source of risk is an ineffective culture. The culture of the organization will affect the taking of risk.</p>
<p>And so to part two.</p>
<p>When most people talk about risk and culture, they are thinking about curbing behavior that involves taking more risk than desired. But how about when the culture leads people to be so risk averse that they don't take enough risk?</p>
<p>At the beginning of the 2008 Great Recession, according to my good English friend Richard Anderson, the banks in the U.K. were so risk averse that they stopped taking risk and were not making enough money to survive long term.</p>
<p>Banks, insurance companies, hedge funds and so on exist to take risk. They have to assess the situation, the potential for loss and for gain, and take the desired amount of risk to drive returns.</p>
<p>In fact, every organization needs to take risk to survive. The only way to eliminate risk for a business is to close the business.</p>
<p>Another example is the risk of disruptive technology.</p>
<p>It used to be that a company couldn't afford to be on the "bleeding edge." Now they can't afford to be the second company to disrupt the market with new technology. They have to take more risk than they did a decade or so ago if they want to retain or grow market share. If they are too risk averse, they will not survive.</p>
<p>But there is more to culture.</p>
<p>Do you want a culture that emphasizes compliance with laws and regulations?</p>
<p>Arguably, that was United Airlines. If you were one of its employees, you had to follow the rules or else. The ability to use your judgment was limited.</p>
<p>Now we are starting to appreciate that a relentless focus on a single aspect of culture, such as compliance or keeping risk below "risk appetite," can increase risks in other areas such as reputation, customer satisfaction, market share, and stock price.</p>
<p>So, where am I going?</p>
<p>You have controls to provide reasonable assurance that risk is at desired levels. You have controls to provide reasonable assurance that risk management is effective. You also have controls to ensure that the behavior of management and staff is as desired, some combination of taking the desired level of risk, complying with applicable laws and regulations, and being focused on delivering optimal performance.</p>
<p>If you emphasize one aspect of culture at the expense of others, it might reduce risk in one area and increase it in others. It's all interwoven and not as simple a model as some might portray.</p>
<p>What do you think?</p>
<p>Comments, as always, are very welcome.</p>
Norman Marks
The Many Facets of Risk
<p>Feeding the world is the great legacy of Cyrus McCormick, whose invention of the mechanical grain reaper in 1832 was the first harvesting productivity improvement in 1,000 years. Shortening harvesting time decreased the risk of missing the narrow window for harvesting ripened grain. To grow sales, he produced reapers of higher quality than competitors. Perhaps a greater innovation was the widespread introduction of equipment financing to enable farmers to buy a reaper before they received the money from their harvest. For this, McCormick had to manage credit risk.</p>
<p>McCormick's innovations illustrate that risk always has been a multifaceted concern for companies, with each facet's methods refined over time. Practically every role in any organization is directly or indirectly related to risk management. Different industries and professions have long-standing methods for managing risk. To be conversant in how the organization addresses risk, internal auditors navigating today's complex and interdependent business environment must be able to understand the risk management views and calculations used by many different disciplines.</p>
<h2>Many Perspectives</h2>
<p>Over time, organizations have created a plethora of functions that manage business risks from their own point of view.</p>
<p><strong>Product and Market Research</strong> Researchers look at risk by product or market life cycle. For example, missing customer needs, mistakes in product design, poor messaging, insufficient trial or repeat purchases, product extensions, upgrades, and delays in discontinuing a product are all risks that product managers routinely face. Mathematically, a key formula is "expected value of perfect information." Product managers are constantly asking themselves, "What is the risk (probability) of missing an insight if we don't invest more in research?" <em>New Products Management</em> by Merle Crawford and Anthony Di Benedetto is a key resource.</p>
<p><strong>Strategy and Competitive Analysis</strong> Strategic professionals look at risk in stark terms — the potential of having business value diminished by failing to understand dynamics in competitors, customers, and products (including substitutions). They are constantly asking, "What am I missing?" and looking for ways to overcome structural blindness. For strategists, the risk that springs from change creates opportunity. Taking risk and managing it better than competitors is the ultimate competitive differentiator. This is illustrated by popular books such as Jim Collins' <em>How the Mighty Fall</em>, Harold Evans' <em>They Made America</em>, and Peter Diamandis' <em>Bold</em>.</p>
<p><strong>Financial Management</strong> A central responsibility of finance is to allocate capital to the best investments. Two frequently used formulas for guiding these investment decisions are net present value (NPV) and options modeling. NPV is the more popular of the two. The numerator in the NPV formula is the risk-adjusted return of a proposed investment. The denominator is the overall or average risk-adjusted cost of capital to a business or business line. Both the proposed investment and average NPV include the time value of money. If the proposal's return is better than the average, the decision criterion is to fund the project. Options modeling extends NPV by breaking an initiative into phases. At each phase, the question is asked, "What is the probability that the value of the business options for action created by funding the initiative is greater than the cost of funds?"</p>
<p><strong>Operations Management</strong> Operations managers use a huge tool kit of risk-balancing equations. One of the most basic equations is the "economic order quantity" (EOQ), which centers on stock-out risk. For example, if too much of a perishable product is ordered, it expires and is wasted. If too little is ordered, sales opportunities are lost. To calculate the EOQ given risk, this formula includes factors such as delivery time, cost of capital, and cost of storage space. Bar code check-outs have become important because they provide more precise data to calculate EOQ to manage stock-out risk.</p>
<p><strong>Marketing Execution and Sales Management</strong> "What will be the year, quarter, month, week, and day-end sales?" This is the critical question from marketing and sales managers. Forecasting is vital to allocating marketing and sales resources as well as ordering the right quantities of the right products for the right locations. A key risk management method is analysis of the marketing-sales funnel. In the new world of online sales, "clicks" funnel stages include people aware of a product, aware of a seller, visiting a website, clicking around, putting a product in a shopping cart, ordering, ordering again, and telling their friends. Today's forecasts are cascades of probabilistic equations tracking the clicks through online shopping chains.</p>
<p><strong>Human Resources</strong> Hiring and resource planning, from the initial job posting to the interview and selection process, is about risk management. What's the risk a job candidate won't perform as expected? Reducing this risk is the reason organizations engage expensive consultants to conduct personality surveys, emphasize employee benefits and retirement plans, and create on-boarding plans.</p>
<p><strong>Quality Management</strong> Quality and risk are closely related. Quality is about the probability that products will meet expectations. Risk is about the probability of a defective product.</p>
<h2>The Common Thread</h2>
<p>For all their differences, these business disciplines share many risk-related concepts and assumptions. A common thread running through their risk management processes relates to the use of mathematical concepts, which have been refined over many decades. For all of them, math based on probabilities is central to managing risk. Other common ground includes:</p>
<ul>
<li>Managing risk is needed to enable taking risk — sometimes huge risk — to achieve objectives.</li>
<li>Risk resides in a dynamic world of change, complexity, and fatigue. These are the three catalysts of risk.</li>
<li>Each process requires an appreciation of systems, interconnectedness, and the need to understand deep root causes and process interactions.</li>
<li>Asking "what if?" with scenario analysis is the heart of managing risk.</li>
<li>Decisions seek to optimize risk and return.</li>
<li>The roots of risk management are millennia old.</li>
</ul>
<p>In short, appropriate risk mathematical and management methods matter. Internal auditors, while rotating their focus from one part of the organization to another, can observe and learn from each role's math and methods.</p>
<h2>Cross-pollinating Risk</h2>
<p>By learning from the risk methods in each business area, internal auditors can help cross-pollinate risk methods across the organization. Opportunities to cross-pollinate include bridging strategy and finance through the options modeling approach, smoothing the flow of risk math from all business areas into the risk calculation used inside options models or NPV, streaming together the quality improvement and sales risk analyses to make it more likely that quality will be free of cost, and encouraging teams to come together in scenario analysis workshops to more easily achieve shared business objectives. Each bridge built could become financial value created and personal trust earned.</p>
Brian Barnier
Internal Audit and Fraud Risk
<p>Are internal auditors obsessed with fraud?</p>
<p>Are they terrified that a fraud might be uncovered and that management and the board would ask "where was internal audit?"</p>
<p>There is some merit to each of these. But does it mean that every audit department should have fraud risk toward the top of its risk-ranked audit plan?</p>
<p>Okay, the Association of Certified Fraud Examiners' annual surveys put the risk of fraud at around 5 percent of revenue every year. But that statistic should be viewed with caution. For example, it includes the risk that employees will use corporate assets like laptops for their personal use. Few individual frauds amount to more than $100,000, so to get to 5 percent of revenue you have to assume that many, if not most or even all, possible frauds occur. Is that likely?</p>
<p>In fact, few organizations are brought down or even materially impacted by fraud.</p>
<p>Let's consider some sources of risk that may be found at many, if not most, organizations:</p>
<ul>
<li>The effectiveness of risk management.</li>
<li>The quality of information used in decision-making.</li>
<li>Strategy-setting.</li>
<li>The decision to acquire or divest a business.</li>
<li>The ability to develop and successfully introduce new products and services.</li>
<li>The ability to identify the value of and then deploy new technology.</li>
<li>Cybersecurity.</li>
<li>Customer satisfaction and product/service quality.</li>
<li>Marketing.</li>
<li>Hiring, retention, and development of people.</li>
<li>The effectiveness of the management team.</li>
<li>The effectiveness of the board.</li>
<li>The ability of IT to meet the needs of the business.</li>
<li>The completion of major projects on time and within budget.</li>
<li>Efficient procurement.</li>
<li>Management of the sales pipeline.</li>
<li>Sales contracting.</li>
<li>Revenue recognition.</li>
<li>Tax.</li>
</ul>
<p>Now where would fraud risk rank among these — and I am sure your organization would have other high-risk areas?</p>
<p>Have a look at the following from The IIA:</p>
<ul>
<li><a href="" target="_blank">The Definition of Internal Auditing</a>.</li>
<li><a href="" target="_blank">The Mission of Internal Audit</a>.</li>
<li><a href="" target="_blank">The Core Principles for the Professional Practices of Internal Auditing</a>.</li>
</ul>
<p>Can you find the word "fraud" in any of the above?</p>
<p>Internal audit cannot ignore fraud, but it should not be obsessed with it either. We should understand the level of risk, give it an appropriate level of attention, and then explain that to the board and top management. After all, it is, or should be, management's responsibility to prevent and detect fraud. We can help by providing assurance that they are managing the risk of fraud, but it is theirs to manage, not ours.</p>
<p>If the audit committee insists that we have a larger role, then fine. But they should understand that this would mean diverting our scarce resources away from higher risk areas.</p>
<p>I agree that internal audit should align its work with the interests and desires of the board. But those interests and desires should be educated ones. One of the duties of the chief audit executive is to help the board understand the role and capabilities of internal auditing.</p>
<p>Our work should be driven by risks to the enterprise as a whole, what I refer to in my book, <a href="" target="_blank"><em>Auditing That Matters</em></a>, as enterprise risk-based auditing.</p>
<p>Do you agree or disagree?</p>
<p>I welcome your comments.</p>
Norman Marks
Leveraging Relationships
<p>Today, whenever corporate fraud or scandal hits the headlines, no player is held harmless. Along with everyone else involved, internal auditors will be asked, "What did you know, and when did you know it?" Internal audit departments must continue to ask themselves how they can better help the organization maintain a healthy, ethical culture.</p>
<p>Several years ago, Farmers Insurance Internal Audit addressed that question by putting in place its Relationship Management process. This four-step cycle has enabled us to keep our fingers on the pulse of the company's culture by sitting down at regular intervals with the top leaders to review their visions, values, and strategies. The process has afforded the means of reassessing company risk and adjusting our audit plan to cover those risks in a timely manner.</p>
<p>Our relationship management cycle has played a big role in conforming to IIA Standard 2010: Planning, which states: "The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals."</p>
<p>As the diagram below shows, the relationship management cycle consists of:</p>
<ol>
<li>Conducting periodic meetings with the top 150 leaders.</li>
<li>Reassessing risks based on those meetings.</li>
<li>Adjusting the audit schedule to meet the changing risk environment.</li>
<li>Updating the audit universe to ensure adequate coverage in all key areas.</li>
</ol>
<p>Step one of the cycle — the relationship management meetings — is the engine that drives the other three steps in the process and is the focus of this article. The benefits of the meetings are multifold, as they enable us to:</p>
<ul>
<li>Promote a relationship of trust, mutual respect, and partnering between company leaders and internal audit.</li>
<li>Systematically identify business strategies, objectives, initiatives, risks, and controls.</li>
<li>Update our audit universe and schedules to reflect emerging risks and business needs.</li>
<li>Grow our talent by having audit managers, and often auditors, participate in the meetings.</li>
<li>Provide value and insight to our customers through these meetings and the projects that result from them.</li>
</ul>
<p><img src="/2017/PublishingImages/Pages/Leveraging-Relationships/Governance_p.63.jpg" alt="Governance_p.63.jpg" class="ms-rtePosition-2" style="margin:5px;width:550px;height:414px;" /></p>
<p>For this process to work, relationship management owners must be adroit and capable. The owners are audit staff who are matched to company leaders based on their expertise, areas of specialty, and interests. Take, for example, an audit manager who specializes in underwriting. It makes sense to assign him as relationship management owner to the Underwriting head. The commonalities between staff and leader can go a long way toward creating mutual relationships of trust, rapport, and respect. Without that, the cycle will fall short.</p>
<p>Relationship management owners are responsible for all aspects of the meetings. Planning and scheduling the meetings may require tenacity and persistence in tracking down leaders who are often on the road. Conducting the meetings requires the use of effective soft skills to draw the leaders out so they are forthcoming and frank. They should feel comfortable enough not only to share their strategies, but also to reveal the obstacles and threats to achieving them. Relationship management owners' notes of the meetings must be accurate and complete, as they will often provide the springboard for discussions with senior audit leadership on what was learned.</p>
<p>The relationship management owner sets the agenda for the meeting. Agendas will cover strategy, objectives, and business plans and the risks that threaten them. If warranted, past audit results also will be covered. The audit schedule will be reviewed to verify content and timing of planned audits. If the leader is new or unfamiliar with the audit process, we will add our charter to the agenda so we can cover our principles.</p>
<p>The frequency with which relationship management owners meet with company leaders depends on several factors, including: leader experience, size and complexity of the operation, ongoing changes or initiatives, and past audit results. For example, Claims is Farmers' largest department, and the pace of change within it may warrant meeting with its leaders three or four times a year. Meeting once a year may be sufficient for smaller departments or those with a slower pace of change. Relationship management owners confirm the meeting frequency with senior audit leadership.</p>
<p>Before the meetings, relationship management owners will email the agenda to the leaders, inviting their input on areas to discuss. The email will often include the ongoing and planned audit schedule for the leaders to review. Whenever possible, the relationship management meetings will be held on site. Relationship management owners will often include other auditors who have an interest or are specializing in that area of the company. This provides an opportunity to grow our talent, as these auditors observe and learn from participating. One of those auditors will usually be the scribe, and after the meeting send the notes to the relationship management owner for review and distribution. Meetings usually run about one hour. All meeting records are stored in a database.</p>
<p>Each quarter, our senior audit leadership team meets to review and adjust the audit plan. This is when our relationship management meetings pay off. The relationship management owners will share results of those meetings, and, in particular, focus on changes that have occurred to the risk landscape of the department in question. Reassessing risks, the leadership team will adjust the audit plan, moving up some audits, pushing back others, and, in some cases, setting up new audits. This is also the time when the leadership team will consider requests made by leaders during relationship management meetings for us to provide consulting services.</p>
<p>While we may attribute organizational failures to things like fraud and poor leadership decisions, culture is really at the crux. Bad decisions stem from an unhealthy culture. Our relationship management cycle puts us in a unique position to help ensure our company's culture remains healthy.</p>
Dan Clemens
Risk and the United Airlines Fiasco
<p>I think we can all agree that what happened to the United Airlines passenger who was forcibly removed from the plane was a disaster not only for the passenger but for the airline.</p>
<p>Sometimes being in the right according to the law is not enough.</p>
<p>But this post is not about that.</p>
<p>It's about the fact (a highly likely assumption) that what happened was not on the company's risk register or the heat map shared with executives and the board.</p>
<p>It's fine to have a list of the "top risks" or the "strategic risks," but what actually causes harm or even disaster to an organization is more often than not the result of a bad decision. Perhaps there have been a series of bad decisions, where people didn't think through well enough what might or might not happen.</p>
<p>The United (UA) CEO said that the company's on-site staff was following policy.</p>
<p style="text-decoration:underline;"><em>Somebody wrote and somebody else approved that policy.</em></p>
<p>Did they think through what might happen if the policy was followed and the passenger refused to leave? Did they consider not only the possibility of legal action (assuming that the action was legal and the "risk" was low) but the reputation damage, including whether other passengers would decide not only to avoid UA in the future but spread the word and video recordings on social media? What about the possibility that other passengers would be affected, either defending the passenger or being harmed by him or the security personnel?</p>
<p>I doubt that they thought it through. As a result, they made what most would agree was a poor decision.</p>
<p style="text-decoration:underline;"><em>Somebody within UA decided to follow the policy.</em></p>
<p>Did they also think through what might happen? Did they consider that the airport security staff might use what others might consider excessive force to remove the passenger? Did they even consider not following policy and exercising their legal rights?</p>
<p>Again, I doubt that they thought it through.</p>
<p>They may or may not have considered all other options to get crew to their destination (the passenger was removed so that UA crew members could get to a plane they were to man). For example, I wonder whether the issue was escalated so that more senior UA management could assess other options for getting crew for that plane, including moving other personnel around, or delaying the departure of the plane so that crew could get to it on another flight.</p>
<p style="text-decoration:underline;"><em>UA personnel on the plane took no action when the passenger was being removed.</em></p>
<p>To my knowledge, neither UA gate personnel nor crew members stepped in on behalf of the passenger when force, perhaps excessive force, was being used to remove him.</p>
<p>Was that a good decision? In hindsight, no, it was not.</p>
<p>Did those individuals consider what might happen if they took action, or if they stood by and allowed it to happen without comment?</p>
<p>UA's stock price declined 1.13 percent on April 11th following the news. They also refunded the fares of every passenger on the flight and are now facing a lawsuit.</p>
<p>Was that within management's "risk appetite"?</p>
<p>Risk was taken with each of the decisions and lack of decision in this incident.</p>
<p><strong>Did the company's risk appetite statement help the decision makers?</strong> I strongly doubt it.</p>
<p>I am recounting all of this in support of my contention that a risk appetite framework, a list of top risks in a risk register, the periodic review of a list of risks by management and the board, and even "objective-based ERM" (i.e., the assessment of whether objectives are likely to be achieved) are insufficient.</p>
<p>Risk is being taken every hour of every day across the extended enterprise.</p>
<p>Every hiring decision creates or modifies risk.</p>
<p>Every selection of a vendor creates or modifies risk.</p>
<p>Every sales proposal creates or modifies risk.</p>
<p>Every word to an employee can create or modify risk.</p>
<p><strong>The only way to provide reasonable assurance that the right level of the right risk is being taken is to address the quality of decision-making at all levels of the organization.</strong></p>
<p>Is it disciplined and informed, and are all potentially affected individuals included?</p>
<p>In other words, risk management is about effective decision making, or should I say effective management.</p>
<p>I welcome your thoughts.</p>
Norman Marks
Common Risk Management Mistakes
<p>I was reading my copy of the Spring 2017 issue of <em><a href="" target="_blank">Enterprise Risk</a></em>, the official magazine of the Institute of Risk Management, when I started getting annoyed.</p>
<p>This is usually a good product, representing a fine association that focuses on enterprise risk management (as opposed to insurance, contingency planning, and other forms of risk management).</p>
<p>But this time, it said some things that I would call "mistakes."</p>
<p>The magazine has a generally useful "Trending" section with infographics. This issue had four topics it covered, one of which was very useful (on cyberattacks and their consequences) and one that made no sense to me at all.</p>
<p>"It's getting more difficult to forecast risk," according to the magazine.</p>
<p>What?</p>
<p>You can't <em>forecast</em> risk!</p>
<p>It's always an educated guess, at best. At worst, it's a gut feeling. But the idea that you can accurately and confidently assess the likelihood of an event or situation with a specified set of consequences is nonsense.</p>
<p>"Forecast" is not a sound word.</p>
<p>If they had talked about assessing the level of risk <em>with an acceptable degree of confidence</em>, that would have meant something.</p>
<p>In fact, that idea, that there is a level of confidence in your assessment, is something I address in <a href="" target="_blank"><em>World-Class Risk Management</em></a>.</p>
<p>Moving on.</p>
<p>The issue has an article on "Seeing the bigger picture." The idea is that visualization tools can enhance the value of a heat map. I like the idea of showing the interrelationships among different risks, but there's a huge and perhaps insurmountable problem: They are "putting lipstick on a pig."</p>
<p>Heat maps are a problem! They assume that there is a single point for a risk level, where one axis is probability and the other is impact (using the terms in the article).</p>
<p>But that is wrong. It's a common mistake, but it's still a mistake.</p>
<p>If you tried to plot a risk on a heat map, you would not get a point — you would have a <span style="text-decoration:underline;"><strong>range</strong></span>.</p>
<p>When you consider any potential event or situation, there are multiple possibilities and not one.</p>
<p>For example, let's take the possibility of a fluctuation in the rate of exchange between the Euro and the U.S. dollar.</p>
<p>It's almost certain that there will be some level of change between the opening and closing levels. But the change could be anywhere from 0.0001 percent to 2 percent (assuming anything over that level is infinitesimal — an assumption that may not always be valid) and -0.00001 percent to -2 percent. There are different levels of likelihood for each degree of change.</p>
<p>Some take that range of values and convert it to a single number. But that also has problems, as it is possible that different ranges might convert to the same number.</p>
<p>In addition, while the range overall might appear acceptable, it is also possible that one or two points within the range are not.</p>
<p>Another mistake that I see from time to time is thinking that a surprise, a loss or other adverse event, indicates that risk management failed.</p>
<p>Risk management is not perfect.</p>
<p>It is not a precise science where the future can be predicted with confidence.</p>
<p>It's about doing your best to consider what might happen, assess whether that's okay, and then doing something about it if not.</p>
<p>Surprises are inevitable. Risk management only fails when it should have been able to provide more insight about what might happen — but for some reason did not. There are many possible reasons for this, which I cover in detail in the book.</p>
<p>I will close with one final common mistake. That is the belief that the review of a list of risks every so often is risk management.</p>
<p>It's not. It's simply list management.</p>
<p>Going further, risk management is not even about risks! It's about the achievement of objectives!</p>
<p>When the focus is on a set of risks, it is not on whether there is an acceptable likelihood of achieving (or exceeding) objectives.</p>
<p>It sounds odd that risk management is not about risks — but this is essential to understand for it to be effective.</p>
<p>I welcome your comments.</p>
Norman Marks