Governance

The internal auditor’s professional opinion
https://iaonline.theiia.org/blogs/marks/2017/Pages/The-internal-auditor’s-professional-opinion.aspx
<p>There has been a welcome movement among leading internal audit functions to provide opinions, not only in individual audits of the adequacy of controls over enterprise risks, but of the overall adequacy of internal control over the more significant risks to the organization.</p>
<p>I have seen surveys indicating that, worldwide, approaching half of internal audit functions now provide an overall assessment.</p>
<p>This has been driven, at least in part, by requirements in governance codes that internal audit assess the adequacy of internal control and risk management.</p>
<p>But is this sufficient?</p>
<p>This is from the IIA:</p>
<p><span class="ms-rteStyle-BQ">The Mission of Internal Audit articulates what internal audit aspires to accomplish within an organization….</span></p>
<p><span class="ms-rteStyle-BQ">"To enhance and protect organizational value by providing stakeholders with risk-based, objective and reliable assurance, advice and insight."</span></p>
<p>Certainly, the opinion that internal auditors provide in their audit reports and in their annual report on the condition of internal control provides <em>assurance</em>.</p>
<p>The recommendations we include in our reports provide <em>advice</em>.</p>
<p>But what about that third valuable service: <em>insight</em>?</p>
<p>Insight speaks to the fact that internal auditors have more to say: more than can be contained in the audit opinion, often more than should or could be put in formal writing.</p>
<p>Internal auditors are objective and their professional insights can have great value to management.</p>
<p>For example, how often do we have opinions on one or more of these?</p>
<ul>
<li>The capabilities of the managers of an operation</li>
<li>Whether there are sufficient staff to perform the controls, manage risk, and generally operate the business</li>
<li>Whether there is a culture of teamwork and shared objectives</li>
<li>The existence of harmful politics</li>
<li>The management style of managers and supervisors</li>
<li>The culture of a unit, location, or division when it comes to ethics, risk, or other behavior</li>
<li>Whether people in the unit are customer-focused</li>
<li>Whether those operating the business have confidence in local or corporate management</li>
<li>Opportunities to embrace new technologies or other innovations</li>
</ul>
<p>There are some who will say they are unwilling to share their judgments because:</p>
<ul>
<li>It wasn't part of the scope of the audit</li>
<li>It is not our job</li>
<li>We don't have evidence to support our judgment</li>
</ul>
<p>I reject all of these excuses.</p>
<p>Our job is to help the organization succeed, not just to perform audits.</p>
<p>There are times when our insights are more valuable than the opinion expressed in an audit.</p>
<p>For example, if we can inform management that politics or management style are a significant negative influence on a team, that may have a direct effect on the ability of that group, team, or unit to perform at desired levels – requiring prompt action by senior management.</p>
<p>Internal auditors are professionals.</p>
<p>As such, they are entitled to a professional opinion – in the same way as doctors.</p>
<p>Don't be afraid of sitting down with management and sharing your insights, your professional opinion.</p>
<p>In my experience, that is not only welcome and valued, but will significantly enhance respect from management.</p>
<p>What do you think?</p>
<p>Please share your insights and experiences.</p>
Norman Marks
A CEO We Know Tells How He Managed Risk During Hurricane Irma
https://iaonline.theiia.org/blogs/marks/2017/Pages/A-CEO-we-know-tells-how-he-managed-risk-during-hurricane-Irma.aspx
<p>Have a look at Richard Chambers' <a href="/blogs/chambers/2017/Pages/My-Personal-Risk-Management-Journey-Through-Hurricane-Irma.aspx">recent post</a> where he shared how he responded to the threat Hurricane Irma posed both to his family and to The IIA's global headquarters.</p>
<p>Then think about this.</p>
<p>He understood the potential for harm based on current information, assessed how it could affect both his family and his work, continuously monitored the situation for changes in the predictions of what might happen (the level of risk, aka the likelihood of different consequences), determined whether what might happen (risk) was acceptable, and then acted when it was outside acceptable ranges.</p>
<p>He made decisions.</p>
<p>This is why I talk about how risk management is all about intelligent and informed decision-making.</p>
<p>There were risks he decided to take, such as the possibility that the money he spent on a backup generator for his home would be wasted. (If it were me, I would have to think about the possibility that I would be unable to assemble and connect the generator.)</p>
<p>Another risk he took was to his personal and family well-being. He did not evacuate, but decided to remain at home.</p>
<p>People at all levels take risk all the time. They do so for reasons such as: the alternatives are worse, the cost to mitigate the risk is too high, or the potential for benefit outweighs the potential for harm (remembering that both harm and benefit may result from an event or situation).</p>
<p>The key is to do it in a disciplined and systematic fashion after obtaining necessary (and reliable) information, involving all parties who could contribute to the decision or be affected by it, and thinking through all the options and their consequences.</p>
<p>This is true risk management.</p>
<p>CEOs and the rest of us have been managing risk all our lives.</p>
<p>As Alex Sidorenko says in this <a href="https://www.youtube.com/watch?v=WKeCDWcmu-w" target="_blank">video</a> and <a href="https://www.linkedin.com/pulse/3-fatal-mistakes-corporate-risk-managers-still-make-1-alexei" target="_blank">post</a>, "risk management is not really about managing risk. It is about achieving objectives."</p>
<p>Richard stated that he had "an overarching objective: to weather the looming hurricane as safely and comfortably as possible with minimal property damage. Every key decision I made was guided by the potential risks that could undermine that overall objective. In the end, I made a number of crucial decisions that turned out to be prudent. And, as is often the case in the world of business, I made a few costly decisions to minimize risks that, fortunately, didn't materialize."</p>
<p>I don't see any reference to a risk officer or risk framework. You can have effective risk management without either formality.</p>
<p>It just takes people who:</p>
<ul>
<li>Anticipate what might happen.</li>
<li>Decide whether that is acceptable.</li>
<li>If not, consider the options and what might happen with each.</li>
<li>Act.</li>
<li>Monitor.</li>
<li>Adjust as necessary.</li>
<li>Do the above in a disciplined and systematic way, based on reliable and actionable information.</li>
</ul>
<p>This is risk management, not heat maps, risk profiles, or such.</p>
<p>Do you need to adopt COSO ERM or ISO 31000:2009 to have effective risk management?</p>
<p>I welcome your comments.</p>
Norman Marks
Lessons From the Massive Equifax Cyber Breach
https://iaonline.theiia.org/blogs/marks/2017/Pages/Lessons-from-the-massive-Equifax-cyber-breach.aspx
<p>If you are not familiar with the breach, read this first: <a href="http://www.zdnet.com/article/credit-rating-firm-equifax-reveals-breach-as-many-as-143-million-affected/?loc=newsletter_large_thumb_related&ftag=TREc64629f&bhid=20626292965572422724291635607537" target="_blank">Massive Equifax data breach exposes as many as 143 million customers</a>.</p>
<p>The management team (and implicitly the board) has come under attack for its handling of the situation. <a href="http://www.zdnet.com/article/equifaxs-big-fat-fail-how-not-to-handle-a-data-breach/?loc=newsletter_large_thumb_related&ftag=TREc64629f&bhid=20626292965572422724291635607537" target="_blank">See this article, for example</a>.</p>
<p>The attacks appear justified.</p>
<p>For example, the breach was discovered on July 29, but the company only disclosed the issue to consumers and others last week. Six weeks of continuing exposure!</p>
<p>The breach occurred as early as May but was not discovered until the end of July.</p>
<p>Apparently, the company didn't even inform all its executives, and three sold shares in the company after the breach but before the disclosure. <a href="https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack" target="_blank">See this</a>.</p>
<p>Equifax made available a tool that helps consumers find out if they are affected — but <a href="http://www.zdnet.com/article/we-tested-equifax-data-breach-checker-it-is-basically-useless/?loc=newsletter_large_thumb_related&ftag=TREc64629f&bhid=20626292965572422724291635607537" target="_blank">according to reports</a> it doesn't work.</p>
<p>The "experts," including those responsible for providing guidance and frameworks, typically emphasize two aspects: prevention and response.</p>
<p>Both prevention and response are clearly highly important.</p>
<p>But it should be apparent to everybody that it is next to impossible to keep hackers out indefinitely.</p>
<p>Prompt detection is crucial!</p>
<p>That should be followed by the ability to: a) get the hackers out, b) know how they got in, c) know what damage was done, and d) effect necessary repairs.</p>
<p>My question for every CEO, chief financial officer, chief information officer, and board member is this:</p>
<p>Is it realistic to expect your team to …</p>
<ul>
<li>Understand the risk to the business, even as it changes dynamically?</li>
<li>Make the right decision as to whether or not to use a specialist firm to manage protection and detection?</li>
<li>Stay abreast of the changing nature of threats and so on?</li>
<li>Manage the risk to the business at acceptable levels?</li>
<li>Do so in a way that complies with legal, regulatory, and societal expectations (e.g., not launching illegal attacks on hackers overseas)?</li>
</ul>
<p>I welcome your comments.</p>
Norman Marks
Reputation and Reputation Risk – Part III
https://iaonline.theiia.org/blogs/marks/2017/Pages/Reputation-and-reputation-risk-–-part-III.aspx
<p>So far, in the two prior posts (<a href="/blogs/marks/2017/Pages/Reputation-and-reputation-risk.aspx">August 12</a> and <a href="/blogs/marks/2017/Pages/Reputation-and-reputation-risk-–-part-II.aspx">August 19</a>), I have discussed how:</p>
<ol>
<li>There are multiple dimensions to any organization's or individual's reputation. Reputation is not limited to the value of the brand, but also includes how your organization is perceived with respect to customer-focus; product quality, design, and safety; innovation; fair pricing; regulatory compliance; social responsibility; a good place to work; prompt payment to suppliers; aggressive negotiator with vendors and partners; a trusted partner; and so on.</li>
<li>Reputation is not a risk, it is an asset or liability — actually, a combination of assets and liabilities, one for each dimension of reputation. It can enable or make it more difficult to achieve organizational objectives.</li>
<li>A deterioration or improvement in reputation can have an effect on the achievement of one or more objectives. Such a change therefore is a potential source of risk to objectives.</li>
<li>The way to value your reputation is not by way of a $$ value provided by a third party who "values" your brand. Instead, it should be based on how it can positively or negatively affect the achievement of objectives.</li>
</ol>
<p>What does that mean for the risk practitioner, executive, board member, or internal auditor?</p>
<p>This is what I recommend.</p>
<ol>
<li>Understand, for each of your organization's corporate objectives, how and to what extent your reputation matters. For example, if you have a revenue objective, understand how a change in your reputation with your customers and channel partners might either positively or negatively affect the achievement of that objective. If you have an objective related to cost management, how would a change in your reputation with suppliers, service providers, and so on affect you?</li>
<li>Consider how those changes in the value of your reputation assets and liabilities might arise. What would be a source of reputation-related business risk?</li>
<li>Now assess, evaluate, treat and then monitor those sources of risk.</li>
</ol>
<p>There's a major linkage between your organization's culture and its reputation.</p>
<ol start="4" type="1">
<li>Understand the behaviors you need everybody to demonstrate in order to maintain or improve each facet of your reputation. Assess, evaluate, treat, and then monitor desired behaviors.</li>
<li>Understand how decisions may affect your reputation, and include that consideration in your decision-making process. For example, a decision may affect how customers see your commitment to them; how employees see the workplace and their prospects; whether suppliers perceive you as loyal; and so on.</li>
</ol>
<p>Before I finish this post, let me tell you that each of us has our own personal reputation — with our manager, our peers, our staff, our customers (if we are customer-facing), suppliers (if we deal with them), and so on.</p>
<p>That reputation or brand distinguishes us from others. It leads to promotion or stagnation, trust or mistrust, excitement in our work or boredom, and more.</p>
<p>Please read this classic article by Tom Peters, "<a href="https://www.fastcompany.com/28905/brand-called-you" target="_blank">The Brand Called You</a>," and consider applying its principles in both your personal and professional life.</p>
<p>Is your organization's reputation or brand what it needs to be to be successful?</p>
<p>How about yours?</p>
<p>Are you managing those assets? If not, how are you going to achieve your objectives?</p>
<p>I welcome your comments.</p>
Norman Marks
Reputation and Reputation Risk – Part II
https://iaonline.theiia.org/blogs/marks/2017/Pages/Reputation-and-reputation-risk-–-part-II.aspx
<p>Last week, I posted the first in a short series on this topic. <a href="/blogs/marks/2017/Pages/Reputation-and-reputation-risk.aspx">"Reputation and Reputation Risk"</a> pointed out that there are multiple dimensions to any individual's or organization's reputation.</p>
<p>Simplifying the discussion to one about brand is not giving the topic sufficient attention.</p>
<p>Addressing one dimension of reputation (such as a reputation for intolerance for violation of corporate ethics) can actually harm another (such as a reputation for being a good place to work where free speech is protected). I am thinking of a situation where a long-term employee is arrested for suspected domestic violence and is promptly fired — before any trial, let alone conviction. The perception among co-workers is that this was unfair treatment, but among the broader public the perception is that the enterprise was adhering to its social responsibilities.</p>
<p>This week, I want to talk about the nature of reputation risk.</p>
<p>When we talk about reputation risk, we generally are talking about events or situations (including decisions) that can affect (usually negatively, but there can be positive effects as well) one or more dimensions of our reputation.</p>
<p>Yet, the definition of <em>risk</em> that I like (from ISO 31000:2009, but COSO is similar) is that risk is the effect of uncertainty on objectives.</p>
<p>Reputation is an asset, not an objective. So why would we be concerned about risk to this particular set of assets (considering each dimension of reputation as a separate asset)?</p>
<p>Our reputation can enable or inhibit our achievement of our objectives. Harm to our reputation as a good place to work can inhibit our ability to hire. Improvements in our reputation for quality design and safe products can enhance our ability to drive revenue.</p>
<p>But it is only after we understand the nature and value of each dimension of our reputation that we can understand how risks to reputation can affect the achievement of objectives — remembering that multiple objectives can be affected.</p>
<p>I consider events or situations that can affect our reputation as <em>sources of risk</em>. To assess the effect of these sources of risk (i.e., the risk to objectives), we need to understand which dimension(s) of reputation are potentially affected and how the changes to reputation would affect our ability to achieve specific objectives.</p>
<p>Measuring the value of our brand is not measuring our ability to achieve our objectives.</p>
<p>I have no problem with measuring the level of each dimension of our reputation. I would even encourage it, where that is an important and valuable asset to achieving specific objectives.</p>
<p>But we need to move the discussion from brand to the achievement of objectives. Harm to our brand in a single country only affects revenue in that country.</p>
<p>So to measure reputation risk:</p>
<ol>
<li>Taking each enterprise objective in turn (i.e., using a top-down approach), how and by how much would a change in one or more specific dimensions of our reputation affect its achievement?</li>
<li>How likely is that effect?</li>
<li>What are the sources of change (i.e., sources of risk) to each dimension of our reputation?</li>
<li>How likely is it that a source of risk to a reputation dimension could lead to a significant change in that dimension (recognizing that there is a range of effects and likelihoods)?</li>
<li>After completing the above, assess each source of reputation risk based on the likelihood of it leading to a specific level of effect on the achievement of objectives.</li>
</ol>
<p>A similar approach, reversing some of the steps, can be taken in a bottom-up approach:</p>
<ol>
<li>For each source of risk, which dimension of reputation would be affected?</li>
<li>Assess the likelihood of a certain level of change in that dimension.</li>
<li>How would that affect one or more specific objectives?</li>
<li>What is the likelihood of that effect (given that there is a range of possible consequences)?</li>
<li>After completing the above, assess each source of reputation risk based on the likelihood of it leading to a specific level of effect on the achievement of objectives.</li>
</ol>
<p>Do you agree? If you agree, can we change the discussion of reputation risk — and how?</p>
<p>I welcome your comments.</p>
Norman Marks
Reputation and Reputation Risk
https://iaonline.theiia.org/blogs/marks/2017/Pages/Reputation-and-reputation-risk.aspx
<p>The need to understand the value of your reputation and to manage the risks to it are topics that are "in the news" constantly.</p>
<p>The prolific Jim DeLoach recently had a piece published that merits attention: <a href="http://www.corporatecomplianceinsights.com/managing-reputation-risk/" target="_blank">10 Keys For Executives To Manage Reputation Risk</a>.</p>
<p>I plan to cover the topic in two or three different posts, starting with a discussion here of what reputation is in the first place.</p>
<p>Jim says: "Applied to a business, 'reputation' represents an interpretation or perception of an organization's trustworthiness or integrity."</p>
<p>He continues with "We define 'reputation risk' as the current and prospective impact on earnings and enterprise value arising from negative stakeholder opinion. To one author, it is 'the loss of the value of a brand or the ability of an organization to persuade.' Bottom line, reputation is fragile. What takes decades to build can be lost in a matter of days."</p>
<p>I am not sure this is correct.</p>
<p>In the same way that "culture" has many facets or dimensions (risk culture, compliance culture, customer-focus, performance-oriented, and so on), so does reputation.</p>
<ul>
<li>You have a reputation among your customers that affects sales. This is the aspect of reputation that most focus on. Maybe your reputation is for reliability, safety, design, quality, or price competitiveness. So even with your customers you might have several aspects of reputation, some of which are positive while others are not.</li>
<li>You also have a reputation with your vendors and suppliers. Perhaps you have a reputation for hard bargaining, or for loyalty to your partners in the supply chain. Maybe your reputation is for paying late and unreasonably disputing their charges.</li>
<li>Another aspect of reputation is how the regulators and/or law enforcement feel about you. Do you have a reputation for skimming close to the compliance edge or not cooperating with regulators and inspectors?</li>
<li>Then there's the reputation of managers and leaders with the rest of the employees. Does the organization have a reputation as a safe place to work; a place where efforts and results get rewarded; where speaking up, showing initiative, or challenging your leaders are encouraged — or is such behavior penalized? Do the employees trust their managers and believe in the mission and purpose of the organization?</li>
<li>Each of these dimensions can be different in different parts of your world, whether geographically, by business unit, or by function.</li>
</ul>
<p>So how do we measure and value an organization's reputation?</p>
<p>It's not as simple as engaging a third party that specializes in assessing your brand and monitoring movements and trends in it.</p>
<p>If your reputation is not what you want it to be, it can affect your success in many different ways.</p>
<p>Further, efforts to upgrade it in one dimension (e.g., compliance) can affect another (e.g., trust in and empowerment of employees).</p>
<p>This is what I recommend:</p>
<ol>
<li>Understand and define each of the dimensions or facets of your organization's reputation that are valuable if positive or could hurt you if not.</li>
<li>Define for each how you want your organization to be perceived by that community.</li>
<li>Assess, perhaps through surveys or third-party specialists, whether your actual reputation is what you desire it to be.</li>
<li>Evaluate whether this is acceptable. How much additional value to your organization can and should be created (whether through improved sales, employee morale, reliable supply, or so on)?</li>
<li>If not, consider your options — including how you might change perceptions positively without impairing other facets of your reputation.</li>
<li>Act and monitor results.</li>
<li>Identify, assess, evaluate, and treat risks to each aspect of your reputation — which I will discuss next week.</li>
</ol>
<p>I welcome your thoughts.</p>
Norman Marks
Internal Audit Needs Risk Management, Too
https://iaonline.theiia.org/2017/Pages/Internal-Audit-Needs-Risk-Management,-Too.aspx
<p>Part of an internal audit department’s mission is to ensure that the organization has effective governance and management around its risks. But what about internal audit itself?</p>
<p>Audit departments face similar risks to other corporate functions. If internal auditors cannot manage their own risks appropriately, it is hard for them to educate others about the need to manage their risks effectively. Auditors should practice what they preach.</p>
<p>Internal audit’s risk management program should result in risks being managed as in any other competent risk management program. The audit function needs to identify all relevant risks; perform risk assessments; set its risk appetite; mitigate, manage, avoid, transfer, or accept the risks; and continuously monitor the risks.</p>
<p>Risk in the context of internal audit can be defined as an uncertain event or condition that, if it occurs, has an effect on at least one internal audit objective. As such, internal audit should start by examining its mission and objectives, which are typically defined in the internal audit charter approved by the organization’s board of directors or audit committee. By understanding internal audit’s key objectives, auditors can then identify the risks that can prevent them from achieving those objectives.</p>
<h2>Strategic Risk</h2>
<p>One of the most significant risks is strategic risk. For internal audit, one risk is whether the department is strategically positioned within the organization to achieve its objectives. Other considerations include whether the department has the authority, independence, and objectivity to provide assurance and help the organization improve its risk management; whether it is focused on assurance or financial recoveries; and whether the audit team has the right personnel.</p>
<p>Strategic risk also could arise when audit strategy does not align with the organization’s overall strategy. For example, this can happen in an organization that is planning to expand into emerging markets when internal audit is not equipped to cover anti-bribery and foreign corruption risks associated with the expansion. Every organization is different, but the chief audit executive (CAE) can generally manage this risk by refining the internal audit charter; interacting with the board, senior management, and other stakeholders; and ensuring risk assessments and audit plans are up to date.</p>
<h2>Reputation Risk</h2>
<p>Credibility is the most important asset of any audit function. Reputation risk is the potential that negative publicity regarding internal audit’s practices will cause a decline in trust in the department. Misconceptions about internal audit can damage its ability to achieve its objectives. Also, reputation risks can arise from operational or compliance risk.</p>
<p>This risk can be managed by maintaining timely and efficient communications among stakeholders, reinforcing ethics, creating awareness at all staff levels, developing a comprehensive audit methodology, focusing on risk and built-in controls, responding promptly and accurately to stakeholders, and establishing a quick response team in the event there is a significant action that may trigger a negative impact on the function. A strategically positioned internal audit function also may be better prepared to defend its own reputation.</p>
<h2>Compliance Risk</h2>
<p>Compliance risk is becoming important for internal auditors, particularly in highly regulated industries such as large banks. For example, the U.S. Office of the Comptroller of the Currency created Heightened Standards that include guidelines about the roles and responsibilities of internal audit. The Federal Reserve Bank has issued a Supplemental Policy Statement on the Internal Audit Function and its Outsourcing.</p>
<p>As audit departments get deeper into data analytics, compliance with consumer data and cross-border privacy laws could become a concern. The key to managing the risk is to thoroughly evaluate the laws and regulations and address them through internal audit’s own policies and procedures, as well as ensuring the ability to demonstrate compliance with the rules. Internal reviews performed by an independent quality assurance team can help identify potential issues and prevent noncompliance incidents.</p>
<h2>Operational Risk</h2>
<p>Apart from the previous risks, the category most relevant to internal audit’s day-to-day activities is operational risk, which consists of risks that arise from deficiencies in people, process, or technology. Like other departments, internal audit has specific operational goals such as completing the annual audit plan, validating audit-identified issues, maintaining costs within a defined budget, and developing a skilled workforce.</p>
<p>A systematic approach should be taken to manage the operational risks, including creating an operational risk appetite, developing key performance and risk indicators, monitoring, and taking actions to mitigate the risks. For example, to ensure timely completion of the audit plan, it may be helpful to closely monitor audit start, fieldwork completion, and report dates. A dashboard stratified by teams may help manage each team’s execution risks. A graph about quality assurance review results by team also may enable the CAE to identify teams that have issues with executing audits and provide training to remedy the risk.</p>
<p>Once the risks are identified and defined, internal audit should establish thresholds to monitor and mitigate them. Color codes could highlight areas of focus. For example, if more than 20 percent of the audits in progress are delayed more than 30 days, a red status may indicate the risks to timely completion of the audit plan. If one team’s turnover ratio is more than 20 percent, it may be time to highlight the risk as red for action.</p>
<p>The thresholds are dependent on the CAE’s risk appetite, but they also should consider input from key stakeholders. For example, the CAE may want to specify that no more than 5 percent of the audit plan may be carried over into the next calendar year. If that target appears to be at risk, then the CAE should take action to mitigate risks. For example, if turnover around a certain time of the year is elevated, a prenegotiated cosourcing arrangement may help mitigate the risk of not completing the audit plan.</p>
<p>Furthermore, internal audit should apply the organization’s enterprise risk management policies where relevant, at least in principle. For example, when operational incidents such as near misses — incidents that almost happened — occur in internal audit activities, internal audit should file internal incident reports, analyze root causes, and prevent similar events in the future.</p>
<h2>Better Risk Assurance</h2>
<p>In addition to risk indicators, thresholds, and incident tracking, other useful tools exist. For example, internal audit can use a risk control matrix to perform a risk control self-assessment that evaluates the adequacy of internal controls in place within the department. By creating a library of risks and corresponding controls and self-evaluating periodically, internal audit departments can have better assurance about their own risks.</p>
<p>A holistic approach to managing internal audit’s strategic, reputation, compliance, operational, and other risks can bring more consistent performance. Moreover, it can better position the department to help the organization improve its risk management process.</p>
Kevin Shen
Is Your Board Ignorant?
https://iaonline.theiia.org/blogs/marks/2017/Pages/Is-your-board-ignorant.aspx
<p>A recent article in the <em>Journal of Accountancy</em>, "<a href="http://www.journalofaccountancy.com/issues/2017/aug/effective-corporate-boards.html?utm_source=mnl:cpald&utm_medium=email&utm_campaign=03Aug2017" target="_blank">Building a More Effective Board</a>," points out problems with many boards of directors.</p>
<p>This was their overall conclusion:</p>
<p><span class="ms-rteStyle-BQ">Directors aren't fully confident that they have what it takes to tackle the challenges, manage risks, and focus on long-term strategic goals, according to surveys the Stanford Graduate School of Business and the National Association of Corporate Directors (NACD) conducted with more than 800 participants in 2016.</span></p>
<p>Here are some conclusions of concern:</p>
<ul>
<li>Only two-thirds (68 percent) of board members … say they have a high level of trust in their fellow directors or in management.</li>
<li>The average board member believes that at least one fellow director is not effective and should be removed from the board.</li>
<li>Fifty-three percent said directors do not express their honest opinions in the presence of management.</li>
</ul>
<p>When you add concerns raised in other surveys, such as directors not fully understanding the organization's strategies and related risks, or not feeling that they receive the quality information they need when they need it, it is clear that this is something that should worry practitioners, regulators, and stakeholders.</p>
<p>But what needs to be done?</p>
<p>The author of the article correctly suggests that boards need to have periodic (IMHO, at least annual) self-assessments that not only address the board and its committees, but individual directors.</p>
<p>That is not enough.</p>
<p>The board needs to have the strength, led by the chairman or lead independent director, to fire non-performing directors. Too few can do that.</p>
<p>It's not a matter of process, as the article asserts. It's a matter of courage, the ability to tell a friend that they need to leave the board.</p>
<p>I also think it should not be the CEO that sacks a director. That confuses who reports to whom. The CEO should not be able to get rid of a director that stands up to him. It should only be the board as a whole that can dismiss a director.</p>
<p>Another issue for me is that the board seems unwilling or unable to act if and when they have a problem like those discussed above.</p>
<p>Whose fault is it if the board doesn't have full trust and confidence in management but does little about it?</p>
<p>Whose fault is it if the board doesn't get the information it needs about strategies, risks, or performance — especially if that state continues?</p>
<p>Whose fault is it if the directors don't get the training they need?</p>
<p>Whose fault is it if the board is ineffective in its oversight?</p>
<p>It's their own fault if they fail to use their authority to demand and ensure change.</p>
<p>The chairman or lead independent director should own the responsibility for the effectiveness of the board.</p>
<p>Can a risk practitioner do anything about this? In practice, it would be rare. But if the chief risk officer reports directly to the board and is independent of management, perhaps he could diplomatically raise any issues with the lead independent director and provide advice on solutions.</p>
<p>Can an internal auditor do anything? Yes, I believe so.</p>
<p>For a start, the chief audit executive (CAE) can work with the board or governance committee to ensure a robust self-assessment process. He or she can also help individual committees, such as the audit committee, with their self-assessment.</p>
<p>The CAE can also assist with director education. 
See this <a href="https://normanmarks.wordpress.com/2011/12/27/training-the-audit-committee/" target="_blank">earlier post</a> about my work with the audit committee at Tosco Corp.</p><p style="color:#777777;">Finally, if the CAE can see issues with the board's effectiveness, I believe he or she should have a confidential discussion with at least the chair of the audit committee, probably with the CEO, and perhaps with the lead independent director.</p><p style="color:#777777;">What do you think?</p><p style="color:#777777;">Can you share any stories where board effectiveness has been improved by actions taken by practitioners?</p><p style="color:#777777;">Please join the conversation by clicking Subscribe, below.</p>Norman Marks0
A Discussion of Risk Management Between Jim DeLoach and Mark Beasleyhttps://iaonline.theiia.org/blogs/marks/2017/Pages/A-discussion-of-risk-management-between-Jim-DeLoach-and-Mark-Beasley.aspxA Discussion of Risk Management Between Jim DeLoach and Mark Beasley<p>Mark Beasley, Deloitte Professor of Enterprise Risk Management at North Carolina State University, recently interviewed Jim DeLoach, Managing Director with Protiviti.</p><p>Mark's <a href="https://erm.ncsu.edu/" target="_blank">Enterprise Risk Management Initiative</a> has a wealth of information about ERM, although it seems limited (IMHO) by a focus on COSO ERM and traditional enterprise list management. </p><p>Jim, on the other hand, has been working with boards and executive management teams on governance and risk management for many years. While he is an advisor to COSO he is also familiar with the ISO 31000:2009 global risk management standard. Full disclosure requires that I mention I consider Jim a good friend, although we may agree to disagree on occasion.</p><p>Recently, <a href="https://erm.ncsu.edu/library/article/insights-about-what-boards-are-looking-for-in-erm" target="_blank">Mark interviewed Jim and you can view the video here</a>. (There is a transcript but it has not been edited and contains mistakes, so please watch the interview.)</p><p>Please watch and then see my comments, below.</p><p>******************************************</p><p>So what did you think?</p><p>IMHO, the interview has two parts: The first is poor but later Jim makes some excellent points.</p><p>******************************************</p><p>Part 1</p><p>The discussion focuses on something they both refer to as a "risk profile." 
I believe this is a nice way of describing a list of risks – more enterprise list management rather than risk management.</p><p>They discuss whether the profile is complete and how the board can obtain assurance about the process for developing and managing the risk profile.</p><p>But there are several problems with thinking that risk management or risk oversight is about the risk profile:</p><p>1.      A list of risks is never complete and is always out of date.</p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p>Risks are created or modified with every decision and sometimes with devastating effect. The Deepwater Horizon disaster was the result of cumulative decisions made many levels below the executive team and I seriously doubt this sort of operational risk would ever appear on any list of top risks.</p></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p>Further, we live in a dynamic and disruptive world. It takes time to develop and then present for review and discussion a list of top risks (a.k.a. risk profile). During that time, risks change.</p></blockquote><p><br></p><p>2.      You need context to consider risks</p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p>It's not about risk. It's about the achievement of enterprise objectives; it's about risks to the achievement of those objectives.</p><p>Considering just the risk profile tells you nothing that is actionable, helping you determine which risks might affect which objectives, to what degree, whether that is acceptable, and what to do about it.</p></blockquote><p><br></p><p>3.      
Focusing on the risk profile lulls the board and top management into a false sense of security</p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p>Boards and executives may feel they have effective risk management because they are satisfied that the risk profile is complete and accurate (which it is not).</p><p>They need instead to know whether management is considering what might happen and whether that's ok with every decision they make.</p><p>It's not about the process for maintaining the risk profile. It's about the processes for setting strategy, making decisions, monitoring performance, and delivering value to stakeholders.</p></blockquote><p><br></p><p>There is a degree of value in a risk profile or list of the more significant risks to strategies and objectives. It provides insight and context for the setting of strategies; selection of objectives, goals, and plans; and the continuing monitoring and adjustment of same.</p><p>As ISO31000:2009 explains, you need to understand both the external and internal context for the organization before you can govern or direct the organization effectively.</p><p>Unfortunately, this is not mentioned in the short interview.</p><p>It's also only a small part of effective risk management.</p><p>This all gets better as Jim moves on.</p><p>******************************************</p><p>Part 2</p><p>Jim makes a few excellent points in a row.</p><p>He talks about the board understanding how ERM can provide value to them. 
While he doesn't say it explicitly, I believe he means that it helps them understand the context within which strategies and objectives are established, decisions made, and performance managed and delivered.</p><p>He makes the excellent point that the consideration of risk must be part of the rhythm of the business, part of how decisions are made across the [extended] enterprise.</p><p>Then he highlights the issue with many practices today: risk management is an "appendage" to the business, rather than an integral part of effective management and oversight.</p><p>As he says in a segment that starts at around 4:00 minutes into the interview:</p><p><span class="ms-rteStyle-BQ">"…what is 'enterprise risk management'? Just coming to grips, grappling with that question, coming to grips with it, is a big challenge and makes CEOs uncomfortable. They hear the term. They don't know what it means. And CEOs don't want any undue burden put on their organization. They want to do the right thing but they don't want to do anything that puts a lot of burden on the organization. So how it fits and what it is, and then there's the value proposition question. That's the question around what am I going to get out of this if I do it? So that's a big challenge as well. And I think there's the question of ok, if I implement this, how is it going to impact the way I run my business? So if it ends up being an appendage from the rhythm of how I run and manage my business, it's a disaster. It never works. An appendage has very little impact. But how you implement it in the context of your strategy setting and execution, your performance management, and those kinds of core management activities is very important."</span></p><p>Key points:</p><p>1.      "CEOs don't want any undue burden put on their organization." If they don't see how it helps them be successful, they won't fund it beyond the minimum necessary to satisfy regulators and so on.</p><p>2.      
"…if it ends up being an appendage from the rhythm of how I run and manage my business, it's a disaster. It never works." That is the case with many risk management functions, especially when risk management is set up as an independent check on management.</p><p>3.      "…how you implement it in the context of your strategy setting and execution, your performance management, and those kinds of core management activities, is very important."</p><p>Towards the end, Jim makes another critical point by talking about integrating risk management into decision-making.</p><p>I met Mark Beasley just once, many years ago (although we are connected on LinkedIn) at an IIA leadership conference on risk management. I am not sure where he stands on the issues of taking ERM beyond enterprise list management and making it an integral element in the rhythm of the business: how value is determined, objectives and strategies selected, performance measured, and decisions are made.</p><p>I invite him to comment on this post.</p><p>In fact, you are all invited to comment. Please click on the Subscribe button to join the conversation.</p>Norman Marks0
From Risk Management to Risk Leadershiphttps://iaonline.theiia.org/blogs/marks/2017/Pages/From-Risk-Management-to-Risk-Leadership.aspxFrom Risk Management to Risk Leadership<p>​My congratulations go to <em>NonProfit Quarterly</em> for their interview this month with David Renz [1].</p><p>"<a href="https://nonprofitquarterly.org/2017/07/18/from-risk-management-to-risk-leadership-a-governance-conversation-with-david-o-renz/" target="_blank">From Risk Management to Risk Leadership: A Governance Conversation with David O. Renz</a>" has great content, not only for nonprofits but for <span style="text-decoration:underline;">all</span> of us. Here are some excerpts (<em>emphasis</em> added):</p><ul><li>The imperative here is to embrace risk leadership rather than just risk management. The question is, <em>are we taking the most appropriate risks our constituents and stakeholders deserve from us, as well as engaging in an appropriate level of fiduciary care</em>? </li><li><em>The risk-averse — and, frankly, risk-agnostic — character of board behavior leads organizations to continue operations in program areas beyond the time when they are really delivering the greatest value to and for the stakeholder and client communities they exist to serve</em>. There is less perceived risk in being slow to act to make change; organizations seem to think it's safer to make the move to new and different kinds of programming — innovative and entrepreneurial new strategies — only when it's extremely clear that such change is necessary and well advised. <em>But the risk is that of mission performance</em>. You may well be short-changing your clients in a world where the changes in client need warrant earlier and more dramatic changes in programs and services.</li><li>For me, the bottom line is that there is <em>a myriad of elements that combine to affect how well a board and its members address the issue of risk</em> in the governance of a nonprofit organization. 
Some are the result of varying levels of knowledge, experience, and overt attention that boards and their members bring to the consideration of risk and what is warranted and appropriate for their organization; and some are the result of seemingly irrelevant factors, such as group and interpersonal dynamics. And they all affect organizational effectiveness. <em>It's time for executives and boards to consider how to more fully and effectively prepare boards to engage in the increasingly important work of risk leadership as well as risk management. Our organizations' futures depend on doing this well.</em></li></ul><p><br></p><p>What I like is the recommended shift from traditional risk management thinking — <em>what might go wrong</em> — to a focus on whether the <em>right levels of the right risks are being taken</em> (something I discuss at length in <a href="https://www.amazon.com/World-Class-Risk-Management-Norman-Marks/dp/151199777X/ref=sr_1_1?ie=UTF8&qid=1451362676&sr=8-1&keywords=world+class+risk" target="_blank"><em>World-Class Risk Management</em></a>) — the result of <em>informed and intelligent decision-making</em>.</p><p>Those involved in nonprofit leadership will benefit from the discussion of board functions at those organizations, but several of the points also are relevant for other organizations, including whether group dynamics affect board decisions.</p><p>I close my in-person presentations with a slide that asks whether you are helping your organizations succeed.</p><p>The focus of risk practitioners has to be answering this same question: "Are you helping your executives, board, and management across the extended enterprise make informed and intelligent decisions that drive the organization to success —​ the achievement of its objectives by intelligent risk-taking?"</p><p>Making executives or the board risk-averse is paving the path to failure, not to success.</p><p>Please contrast this article and discussion with my other post on <a 
href="https://normanmarks.wordpress.com/2017/07/22/positioning-risk-management-to-succeed/" target="_blank">Positioning risk management to succeed</a>.</p><p>I welcome your comments.</p><p>Please join the conversation by clicking on the Subscribe button, below.</p><p>[1] David Renz is the Beth K. Smith/Missouri Chair in Nonprofit Leadership and the director of the Midwest Center for Nonprofit Leadership, an education, research, and outreach center of the Department of Public Affairs in the Henry W. Bloch School of Management at the University of Missouri-Kansas City.</p>Norman Marks0