Risk and Compliance



A Question of Audit Prerogativeshttps://iaonline.theiia.org/2019/Pages/A-Question-of-Audit-Prerogatives.aspxA Question of Audit Prerogatives<p style="text-align:justify;">Call it the Battle of Bismarck — a political turf battle unfolding in the state capital of North Dakota, which actually turns on a question audit executives everywhere can appreciate. <br></p><p style="text-align:justify;">How does an audit function work when the chief audit executive and audit committee disagree over what the function should do?<br></p><p style="text-align:justify;">On one side of the issue is Josh Gallion, elected state auditor in 2016. On the other is the  Legislative Audit and Fiscal Review Committee, the state's version of an audit committee. Earlier this year lawmakers quietly adopted a provision requiring Gallion to get approval from the audit committee before he conducts "performance audits" of government offices. <br></p><p style="text-align:justify;">Gallion politely but firmly told the Legislature in July that he doesn't believe the law is constitutional, since it impedes his autonomy as a duly elected executive officer of the state. The state attorney general agrees with him. The top budget analyst for the Legislature does not.<br></p><p style="text-align:justify;">"We will not be seeking approval of performance audits, but what I will tell you is communication is key,"  Gallion <a href="https://bismarcktribune.com/news/local/govt-and-politics/north-dakota-state-auditor-lawmakers-remain-at-odds-over-new/article_fad595f7-ad1e-541b-abdd-a8b49469f31f.html">told North Dakota lawmakers during a recent hearing</a>.<br></p><p style="text-align:justify;">That wasn't what state Rep. Gary Kreidt, chair of the legislative audit committee, wanted to hear. He was unhappy that Gallion has been announcing the results of performance audits to the public, without first letting audit committee members review the findings. 
<br></p><p style="text-align:justify;">"I don't like to read in the newspaper an audit that's been completed and not have been notified that this audit was done," Kreidt said in that same legislative hearing. <br></p><p style="text-align:justify;">The backstory here is interesting reading for political junkies and audit professionals alike. First, "performance audits" are defined as examinations of specific agencies or offices, to assess whether the agency achieves its stated goals <em>and</em> whether it does so in an economical manner.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p style="text-align:justify;"><strong>Putting Differences Aside</strong></p><p style="text-align:justify;">In the corporate world, best practices to avoid these situations abound. Among them: <br></p><ul style="list-style-type:disc;"><li>The chief audit executive should meet with the audit committee chair regularly <em>and</em> informally, between committee meetings, just to build rapport and trust. </li><li>The CAE, management, and the audit committee should collaborate while drawing up the risk assessment and preparing the audit plan. That at least prevents anyone from being caught by surprise, which is one criticism North Dakota lawmakers had about Gallion.</li><li>Allow management sufficient time to review the audit findings and prepare a rebuttal that is included in the report, again to prevent anyone from being caught by surprise.</li><li>Incorporate the IIA's model charter language as much as possible, spelling out roles and responsibilities clearly. "A flawed charter will certainly trigger challenges to the authority of any internal audit function," Hughes says.</li></ul></td></tr></tbody></table><p style="text-align:justify;">Gallion undertook such an audit last year, to examine Gov. Doug Burgum's use of state aircraft. 
That audit came after reports that Minnesota energy company <a href="https://www.minotdailynews.com/opinion/community-columnists/2019/05/nd-no-longer-has-an-independent-auditor-thanks-to-burgum-legislature/">Xcel Energy flew Burgum and his wife to Super Bowl LII</a> in 2018. Gallion also <a href="https://www.inforum.com/news/education/1005685-Audit-ND-college-VP-whos-a-Fargo-commissioner-didn%E2%80%99t-disclose-conflict-of-interest-with-wife%E2%80%99s-firm">released an audit earlier this year that raised questions about a powerful state senator</a>, who didn't disclose a conflict of interest while working at a North Dakota state college. <br></p><p style="text-align:justify;">In April, just before the end of North Dakota's legislative session, lawmakers tucked that provision about seeking the audit committee's permission for performance audits into the state's must-pass budget bill. <br></p><p style="text-align:justify;">Cynics say the provision <a href="https://www.minotdailynews.com/opinion/community-columnists/2019/05/nd-no-longer-has-an-independent-auditor-thanks-to-burgum-legislature/">was retribution for an auditor unapologetic about doing his job</a>. That may be so. For the rest of us, the tensions here set up an important lesson in best practices — how can organizations avoid this sort of a standoff? <br></p><p style="text-align:justify;"><strong>Lines of Authority</strong></p><p style="text-align:justify;">In the corporate world, an audit committee telling the audit executive <em>not</em> to examine certain issues without the committee's permission would be a big red flag. ("I'd certainly look for the exit," one IT audit executive told me.) But as daft as that idea might be, a corporation's audit committee theoretically could do it. <br></p><p style="text-align:justify;">Public sector audits are different, because they're more susceptible to criticism that an audit was driven by political motives. 
Audit committees overseeing public sector audit functions are likewise susceptible to accusations of undermining the independence or objectivity of the function for political purposes. <br></p><p style="text-align:justify;">"There's a huge risk of [those arguments] happening," says Kip Memmott, director of audits for the Oregon secretary of state. "Actually, it's not a risk — it happens quite frequently." <br></p><p style="text-align:justify;">Memmott sees the challenge as one of strained relationships and communications. Not everyone might see the value in a performance audit, or understand the risk that audit is trying to assess. The employees in question might also feel vulnerable as targets of the audit. <br></p><p style="text-align:justify;">That means the audit executive really needs to work on communication with those stakeholder groups if he or she wants to succeed. So one fair but pointed question: does the audit function have leadership in place to handle those human challenges? Or is it run by skilled technical auditors who have been promoted into a role that needs different skills? <br></p><p style="text-align:justify;">"Audit is about relationships and communications," Memmott says — and "as a field, we have not done as well as we could have."<br></p><p style="text-align:justify;"><a href="https://www.gao.gov/yellowbook/overview">Generally Accepted Government Auditing Standards</a>, maintained by the U.S. Government Accountability Office and commonly known as "The Yellow Book," spell out exacting standards for independence. If a public auditor doesn't meet them, the auditor should disclose that in the performance audit itself, along with whatever mitigating steps the auditor has taken. 
Even then, the auditor is still open to accusations of pursuing certain audits for political reasons.<br></p><p style="text-align:justify;">"Given that the public has long been 'sold' on the integrity and objectivity associated with unqualified or unmodified opinions, any qualifiers tend to trigger concerns regarding the objectivity of an audit," says Peter Hughes, assistant auditor-controller and chief audit executive for Los Angeles County. "Thus the reason that state and legislative auditors may challenge the benefit of such qualified audits."<br></p><p style="text-align:justify;">The wrinkle in North Dakota is that nobody can fire anybody else for flouting any of these practices; the auditor, the lawmakers, and the governor are all elected by voters. They must work together. <br></p><p style="text-align:justify;">Which brings us back to Memmott's point that communication to foster strong, working relationships is paramount. Yes, that can be painstaking, and in some instances political motivations will be entrenched. Audit leaders still need to try.<br></p><p style="text-align:justify;">"I don't know if chief auditors can control it, but certainly if they can't, they better be aware of it," Memmott says. <br></p><p style="text-align:justify;">We don't know how North Dakota's impasse over performance audits will end. A proposed <a href="https://www.grandforksherald.com/news/government-and-politics/3828217-North-Dakota-group-falls-short-on-all-three-referral-petitions-wont-challenge-auditor-restrictions-at-the-polls">voter referendum to repeal the restrictions failed to gather enough signatures</a>. Some lawmakers say they will try to repeal the restrictions in the 2021 legislative session. And despite Gallion and the legislative audit committee being at odds on that issue, both sides also say they will continue to work together on other issues. <br></p><p style="text-align:justify;">The rest of us can watch and wonder what we might do.<br></p>Matt Kelly1
Auditing Culture: Observation and Datahttps://iaonline.theiia.org/2019/Pages/Auditing-Culture-Observation-and-Data.aspxAuditing Culture: Observation and Data<p>There are many ways to audit an organization's culture. With strong support from the top and sufficient resources, some internal audit functions adopt a comprehensive, resource-intensive method. For others — I suspect most — it is best to start with a fairly simple approach and build from there. One such approach combines auditors' observations with data metrics. And because this strategy is not dramatically different from traditional audit techniques, clients shouldn't find it jarring or outside the norm. When implemented correctly, it can be a powerful means of gauging the cultural environment.    <br></p><h2>Auditors' Observations<br></h2><p>In "<a href="/2018/Pages/Beneath-the-Surface.aspx">Beneath the Surface</a>" (<em>Internal Auditor</em>, June 2018) author Doug Anderson compared culture to a volcano that can look calm on the outside while churning internally with lava and gases that could make it erupt without warning. Hard evidence of a culture — such as policies, programs, and even employee surveys in many cases — focuses on the surface. To really understand the culture, employees have to get inside it. 
<br></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>Signs of a Healthy Culture</strong></p><ul style="color:#222222;background-color:#6eabba;"><li>Strong tone at the top, in words and deeds.</li><li>Open communication, an atmosphere of mutual trust.</li><li>Accountability is enforced and accepted, without unrealistic expectations or unfair repercussions.</li><li>A "just culture," which distinguishes among:<ul><li>honest mistakes (no one is blamed).</li><li>risky behavior (addressed with coaching and education).</li><li>reckless behavior (intentionally excessively risky or unethical, which is punished).</li></ul></li><li>Effective challenge is encouraged and valued.</li><li>Incentives that encourage healthy risk taking.</li></ul></td></tr></tbody></table><p>I've heard some audit practitioners say that an experienced internal auditor can almost predict an audit rating on the second or third day of an engagement just by sheer presence in the work environment. Talking with people, reading body language, sensing employees' attitudes, observing the physical environment — all contribute to a typically accurate understanding of an area's culture. <br></p><p>Auditors must, of course, keep an open mind and remain objective. Accordingly, many put their perceptions to the side and focus only on the objective, hard evidence. I'm reminded of an audit director who once told me about an instance where he became extremely frustrated with his team. The auditors returned to the office talking about the negative atmosphere of the client's area, citing lack of employee motivation and a hostile manager, among other problems. But when the team submitted a draft of the audit report, it indicated the area was well-run. When he asked about the discrepancy, his team said, "The area is a total disaster, but the controls are fine." Wrong answer! 
<br></p><p>Internal auditors should not ignore their perceptions — they can lead to the most significant issue of an audit. Observation can be a key tool for gauging culture, as reflected in "Signs of a Healthy Culture" (right), "Red Flags of a Toxic Culture" (below) and "Examples of Toxic Leadership Styles" (below). <br></p><h2>Combined With Metrics<br></h2><p>For most internal auditors, reporting a cultural issue based only on observations results in a fight they can never win. The good news is that there is usually objective data to support those observations, such as those listed in "Metrics That Might Support Auditors' Observations" below. <br></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​Red Flags of a Toxic Culture </strong></p><ul><li>Excessive focus on short-term results.</li><li>Unrealistic performance targets.</li><li>"My way or the highway" management, inhibiting input and healthy debate.</li><li>Lack of open communication (caused by fear, lack of trust, or information hoarding).</li><li>Competition to get ahead rather than cooperation.</li><li>Favoritism.</li><li>Lack of work-life balance.</li><li>Chronic grumbling by employees.</li><li>Cliquishness, gossip, rumors.</li><li>Chronic stress.</li><li>Lack of employee development.</li><li>Lack of accountability (in general or for top performers).</li><li>Lack of motivation in a work group (could be caused by any of the above).<br></li></ul></td></tr></tbody></table><p>Metrics like these can be a powerful tool when combined with observations. For example, if auditors spot red flags of a toxic workplace, employee survey results might corroborate those observations. Turnover and sick leave statistics might reflect the culture's negative impact on the business. Discussing these links with audit clients won't always succeed, but it is far more robust than the auditors' observations alone. 
<br></p><p>A growing number of audit functions are using metrics that support observations in a variety of other ways, including:</p><ul><li> <strong>To plan and scope an audit project.</strong> An audit function might gather a standard set of metrics for risk assessment on every audit. When some of these metrics appear to be negative, the auditors can seek to determine why. For example, if turnover and sick leave are unusually high and the company has received an excessive number of customer complaints or hotline reports, or if projects regularly fail, the root cause may well be a cultural issue. If auditors suspect this is the case, they can conduct confidential interviews with employees and gather evidence to support and explain the link between the cause and effect. </li><li><p> <strong>To populate a dashboard that executives and the audit committee review regularly for indications of entitywide issues or trends</strong>. This in fact seems to be a growing trend. In "The Board Needs Culture Dashboards" (FEI Daily, March 2018), Dennis Whalen, leader of KPMG's Board Leadership Center, said, "I'd be shocked if, by the end of 2018, most companies didn't have some kind of culture dashboard that somebody monitors and presents for the board on a regular basis so they can see outside the C-suite and the corporate office."<br></p></li></ul><p>If an internal audit function developed a set of metrics meaningful to the organization and got buy-in from executives and the audit committee, it could use them for both of these purposes, in addition to leveraging them for support of audit observations.<br></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>Examples of Toxic Leadership Styles </strong></p><ul><li>Narcissistic (egotistic, power hungry, care more about themselves than the organization).</li><li>Autocratic ("my way or the highway," intolerant of ideas contrary to their 
own).</li><li>Manipulative (charming to superiors, "kiss up, kick down").</li><li>Secretive (hoards information to appear superior or uses it to get ahead unfairly).</li><li>Deflecting (blames others for problems or talks around issues to avoid being found out).</li><li>Hypocritical ("Do what I say, not what I do").</li><li>Disorganized, lacking focus (followers don't feel a real sense of direction).</li></ul></td></tr></tbody></table><p>A particularly interesting use of metrics occurred in 2002 when the Office of the City Auditor in Austin, Texas, performed a citywide ethics audit. The audit team gathered indicators of a positive or negative ethical climate in each of the city's departments from a citywide employee survey and a series of management interviews. Using statistical software, the auditors correlated these indicators with metrics like turnover and sick leave usage, complaints and successful claims by citizens, injuries to employees, and employee intentions to continue working for the city. They found that departments with strong ethical climates had significantly less turnover and sick leave, fewer complaints and claims, etc. The city responded by centralizing and strengthening oversight of ethics, drawing on the best practices of high-performing departments documented in the audit report.<br></p><h2>A Powerful Combination</h2><p>Internal auditors' perceptions of a work environment are usually sound but rarely stand by themselves. By combining their observations with data that management trusts, and by discussing the linkage tactfully with their audit clients, auditors can make a real difference in the organization. 
For auditors struggling with how to begin a culture audit, this could be a useful starting point.<br></p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p> <strong>Metrics That Might Support Auditors' Observations</strong></p><ul><li>Employee survey results.</li><li>Structured interview results.</li><li>Customer survey results.</li><li>Customer complaints.</li><li>Hotline statistics, including evidence of whistleblower protection.</li><li>Statistics for hotline open to suppliers.</li><li>Frequency of legal problems.</li><li>Frequency of audit issues with the same or similar culture-related root cause.</li><li>Frequency of repeat audit findings.</li><li>Timeliness and effectiveness of corrective actions.</li><li>Turnover statistics.</li><li>Sick time statistics.</li><li>Exit interview results.</li><li>IT surveillance results.</li><li>Performance review timeliness.</li><li>Frequency of negative media coverage, including social media.</li><li>Warranty claims.</li><li>Diversity statistics.</li><li>Level of community engagement.</li><li>Environmental impact data, with effective monitoring and continuous improvement.</li><li>Frequency of performance targets being missed (suggesting unrealistic targets that pressure managers to meet them "whatever it takes").</li><li>Frequency of large projects failing.</li></ul></td></tr></tbody></table>James Roth1
GRC Conference 2019: Transformative Technologyhttps://iaonline.theiia.org/2019/Pages/GRC-Conference-2019-Transformative-Technology.aspxGRC Conference 2019: Transformative Technology<p>Pamela Nigro, senior director of Information Security at Health Care Service Corp., opened the final day of the Governance, Risk, and Control (GRC) Conference with her general session, "The Future of IT Audit and Industry 4.0." Nigro shared with audience members her thoughts on emerging technologies affecting today's organizations and those that will transform the businesses of tomorrow.</p><p>"Organizations are shifting from traditional ways of engaging and interacting with customers, prioritizing digital ones," she says. Citing health care as an example, Nigro pointed to the common practice of sharing patient test results via a portal rather than a phone call. She also cited Tesla as operating not so much as a car company but as a software company that collects and leverages data to serve its customers. <br></p><p>"Now every business is a digital business with software at the core," she says. "There used to be a focus on running IT like a business. Now IT is the business — there is not a business that is not run by IT."</p><p>Data, Nigro adds, has become the world's most valuable resource — much more so than oil. And it's not just about collecting and storing data, it's about transforming that data into useful and consumable information.</p><p>"Digital transformation is the foundation on how organizations deliver value to their customers," she says. "It's more than simply remaining competitive. There's a radical rethinking of how organizations use technology and processes to fundamentally achieve business performance."</p><p>Nigro cited artificial intelligence and Internet of Things interconnectivity as examples of transformative technologies that are driving business ecosystems and changing the way business is done. 
But this interconnectedness, she points out, creates a host of risks. Among them, she pointed to cyberthreats recently identified by <em>Security</em> magazine, including cryptojacking, software subversion, and cryptocurrency ecosystem attacks.</p><p>She also referenced the threat of breaking encryption using quantum computers. "As auditors, encryption is an important part of our structure," she says. "It is important that we feel confident that we can rely on that encryption for our security, for our privacy, for our protection. What happens if that is easily breached?" The thinking has shifted, she says, from considering <em>if</em> a company will get hacked to <em>when</em> it will get hacked.</p><p>In response to these threats, Nigro challenged auditors to not just keep up, but to "set the pace." "Why can't we and our development partners get sandboxes to start to play and understand and learn this technology so that we can help be a value-added partner to our organizations as they move into these new technologies?" she asked.<br></p><p>Nigro says auditors need to become leaders in the digital transformation space and help organizations move into this technology. She encourages auditors to adapt and think about how to "get ahead of the digital curve."</p><p>Toward that end, she advised attendees to make sure they have the necessary competencies and understanding to tackle digital challenges. "Think about how you are maintaining, or even leading, in your skills set," she says. "Understand how the technology really supports strategic objectives. Focus on those risks that can delay or derail business objectives, and identify how the algorithms are being used."</p><p>Nigro also encouraged auditors to get involved early in technology projects and to partner with the first and second lines of defense to help best manage the risks appropriately. 
"We have to stop being the 'department of no,'" she says, "and find a way to bake compliance and build controls into these new technologies and processes."<br></p>David Salierno0
GRC Conference 2019: Technology Trends and Disruptive Innovationhttps://iaonline.theiia.org/2019/Pages/GRC-Conference-2019-Technology-Trends-and-Disruptive-Innovation.aspxGRC Conference 2019: Technology Trends and Disruptive Innovation<p>Business futurist Patrick Schwerdtfeger closed the Governance, Risk, and Control Conference with his keynote address, "Embracing Disruptive Innovation." Schwerdtfeger, whose technology expertise includes artificial intelligence, fintech, and blockchain, dissected the topic of business disruption and explained how attendees could spot potential threats and opportunities in their organizations.</p><p>Schwerdtfeger began with an illustration of the rapid growth of data, pointing to research from Amazon showing that, in 2000, the cost of storing one terabyte of data was $17,000 — by 2020, Amazon says, that price will have dropped to $3. In tandem, data processing and data bandwidth also have accelerated by leaps and bounds. And with Big Data, all of this information is being put to use by businesses, municipalities, and other entities — and it is continuing to scale rapidly. Schwerdtfeger terms this "exponential development" and says it is key to understanding future business trends.</p><p>"Human beings are hard wired to think in linear terms," he says. "But what could you do if your business system, such as ERP, were 10 times as powerful as it is now? We need to learn to think this way."</p><p>As an example, Schwerdtfeger pointed to the exponential development of the Human Genome Project, which began in 1990. By 1997, it was just 1% complete — but that actually represented the project's halfway point because it scaled at 100% per year. At that rate, it took just 6.5 years to get from 1% to 100%. The Human Genome Project finished by 2003, and costs were lower than expected.</p><p>With this rapid propagation of technologies, Schwerdtfeger says, changes to organizations are going to be dramatic. 
As evidence, he cited a recent study from Washington University that says 40% of today's S&P 500 companies will no longer exist by 2026. </p><p>"Hearing this," he says, "people instinctively get into a defensive posture — they ask themselves, 'Who's going to eat our lunch?' But the question should be, 'Who else's lunch can we eat?'" In other words, those companies will be replaced, creating opportunity in the marketplace. Schwerdtfeger told audience members that they are well-positioned to spearhead these conversations and to find a way to stay on offense.</p><p>"There's more and more leverage in the system all the time," he says. "Technology is a form of leverage. You're either on one side of the leverage equation or on the other side of the leverage equation."</p><p>As technology evolves along an exponential curve, Schwerdtfeger says that, over time, repetitive manual jobs will be replaced by robotics. Moreover, repetitive cognitive jobs are likely to be replaced by algorithms. How do we plan for this? Schwerdtfeger says it boils down to two things: creativity and relationships.</p><p>"We need to focus on our ability to be creative and to work with other human beings," he says.</p><p>In his closing remarks, Schwerdtfeger encouraged attendees to think not only about what's happening in the world, but what they can do in response to it. His main message: think bigger. "When you think bigger, you inspire others around you," he says. "If you truly think big, you're going to outdo the competition."<br></p>David Salierno0
GRC Conference 2019: Building Your Brandhttps://iaonline.theiia.org/2019/Pages/GRC-Conference-2019-Building-Your-Brand.aspxGRC Conference 2019: Building Your Brand<p>Day two of the IIA/ISACA Governance, Risk, and Control Conference (GRC) opened with a keynote address from internal audit executive Nancy Haig on creating "Your Personal Brand." Haig shared her advice on building a brand identity, and then maintaining that brand once it's established.</p><p>To begin, she explained, professionals must understand what does not fall within the scope of their brand. "Your personal brand is not about stuff, it has nothing to do with your stuff," Haig told the GRC audience. "It doesn't matter — your house, your car, your clothes, any possessions at all. It doesn't factor into your personal brand." She adds that brands are not about bragging, self-promotion, attention-seeking, disingenuous behavior, or self-centered connections.</p><p>Instead, Haig says, personal brands comprise a genuine, meaningful representation of ourselves. She says one's brand should present an authentic personal image — one that is both unique and professional, and speaks to reputation. Perhaps most importantly, Haig adds, a personal brand needs to be promoted on social media — if done correctly, it will help create an expanded presence in one's industry, enhance engagement with other professionals, and facilitate career advancement.</p><p>As a first step toward developing a personal brand, Haig recommended audience members ask themselves a question: "If someone heard your name, what would they associate it with?" She suggests approaching friends, colleagues, and family members to determine their perceptions. What strengths and weaknesses do they see?</p><p>Next, Haig advised determining which social media platforms to target. She pointed to LinkedIn as a logical venue for most professionals, though other platforms with a mix of social and professional content may be useful as well. 
"You're going to have to assess which are the best places for you to be," she says.</p><p>Once online, Haig says, a personal brand needs to establish trust from its audience. She recommends accomplishing this through consistency and repetition. "You don't want to be one way to some people and someone else to other people," she says. Moreover, the brand needs to be monitored regularly to make sure information online represents the brand accurately and that someone hasn't hijacked it.</p><p>Haig also offered numerous practical tips for personal brand enhancement, such as searching for oneself online to look for brand inconsistencies and setting up automated news alerts for references to one's name. She also suggested participating in a local professional association chapter, contributing an article to an industry magazine, and creating a personal website as ways of expanding a personal brand and solidifying it with professional connections.</p><p>For more information on personal branding, read Nancy Haig's article, "<a href="/2018/Pages/Your-Personal-Brand.aspx" style="background-color:#ffffff;">Your Personal Brand</a>" — winner of this year's <em>Internal Auditor</em> John B. Thurston award for literary excellence.<br></p>David Salierno0
GRC Conference 2019: Owning the Momenthttps://iaonline.theiia.org/2019/Pages/GRC-Conference-2019-Owning-the-Moment.aspxGRC Conference 2019: Owning the Moment<p>Keynote speaker Simon T. Bailey kicked off the ISACA/IIA Governance, Risk, and Control (GRC) Conference in Ft. Lauderdale, Fla., today with his session, "Shift Your Brilliance — Leading Amidst Change and Uncertainty." Bailey, a business strategist and entrepreneur, advised leaders on how to accept change and embrace uncertainty as their businesses face unprecedented technological, cultural, and other tectonic shifts. </p><p>"We have an opportunity to own the moment," Bailey told the sold-out GRC audience. "The question we have to ask ourselves is how am I showing up in this moment to be my best self — to lead my organization, to lead my team, especially in the midst of uncertainty?"</p><p>That process, Bailey emphasizes, begins internally. To lead effectively, he says, every leader needs to introspect and seek to improve him or herself. Toward that end, he advises applying what he calls the "15-7-30-90" method. The process begins with taking <em>15</em> minutes a day to focus on what you want to accomplish — this is practiced <em>7</em> days per week, checking in every <em>30</em> days to review progress, and then taking a deeper dive every <em>90</em> days to assess progress from a broader perspective.</p><p>To further self-improvement efforts, Bailey encouraged audience members to surround themselves with a "personal board of directors." The board would comprise individuals "with different competencies, different skill sets, and a different understanding that challenges you to rise to the occasion," he says. It should be a group of people who inspire you, motivate you, and challenge you — whose advice you seek on important personal and professional matters.</p><p>Turning toward how leaders influence and inspire others, Bailey emphasized the importance of establishing good relationships. 
"One of the goals every leader needs to be thinking about is how do we move from command and control to collaboration and connection," he says. Relationship-building, he explains, is key to a leader's ability to motivate and inspire. And creating those relationships depends largely on one's ability to empathize, he says, adding that empathy is the No. 1 skill taught in Silicon Valley. "People don't care what you know until they know how much you care," he says.</p><p>To effectively lead through change, Bailey says leaders must embrace what he calls the "vuja de moment." This is the opposite of déjà vu, and it reflects the ability to look at what you have been doing with a fresh set of eyes as if you've never a seen it before. "It's asking yourself a different set of questions that will challenge you on the way you've done things, as well as on what <em>can</em> be done and what needs to be undone," he says.</p><p>After sharing numerous tips and strategies for leading through change and uncertainty, Bailey concluded with a quote from philosopher Eric Hoffer: "In times of change, the learners will inherit the earth, while the learned find themselves beautifully equipped to live in a world that no longer exists."<br></p>David Salierno0
<p><a href="https://iaonline.theiia.org/2019/Pages/The-Control-Culture-Connection.aspx">The Control-Culture Connection</a></p><p>All audit committees want strong internal controls over financial reporting, and a strong ethical culture where employees who suspect impropriety feel unafraid to speak about what they see. What is sometimes less understood are the connections between those two things — how corporate culture and internal controls should complement each other, to further the goal of strong, reliable financial reporting. Design them well, and the organization has a powerful buttress against executive misconduct. Don’t, and the opposite is just as true.</p><p>A fascinating example of this point comes from <a href="http://bankrate.com/" rel="nofollow">Bankrate.com</a>, which paid $28.5 million to the U.S. Justice Department earlier this year to settle long-running financial fraud charges. Back in 2011, Bankrate’s then-Chief Financial Officer Ed DiMaria concocted a cushion-accounting scheme to manipulate quarterly earnings. He and others fabricated expenses on a bogus spreadsheet, while hiding the true numbers from Bankrate’s audit firm. When the U.S. Securities and Exchange Commission (SEC) began inquiring about the company’s finances, DiMaria directed others to reply with material not responsive to the SEC’s document requests. </p><p>Of course this all unraveled eventually. Bankrate announced a restatement in 2014. DiMaria was dismissed, indicted, and sentenced to 10 years in prison. The company hired new outside counsel, and its audit committee cooperated fully with the SEC. </p><p>Think about what happened here. First, the company used technology and business processes that gave DiMaria the ability to fabricate financial data while concealing true information. Second, nobody raised alarms about DiMaria’s misconduct — not when he lied to the audit firm, not when he misled the audit committee, and not when he had others mislead the SEC. 
</p><p>The issue, really, is about transparency and freedom. Internal audit needs to be able to roam freely through the enterprise to assess risks, and it needs to be able to see real data, rather than whatever report management provides. Or, as Debi Roth, chair of the Audit Advisory Committee for Orange County Public Schools in Florida, puts it: “Can the audit department get it, and pull it themselves?” </p><p>That might seem like a straightforward part of governance. In the real world, however, Bankrate is by no means alone. For example, when Polycom Corp. agreed last year to pay $16 million to settle U.S. Foreign Corrupt Practices Act charges, the misconduct was fundamentally similar. Executives in China recorded false information on bogus spreadsheets to hide bribery violations from Polycom’s global managers, while masterminding a payoff scheme to Chinese government officials. </p><p>Technology and business processes that allow executives to create a false narrative; plus a corporate culture that allows them to spread the false narrative — if those are the ingredients for an audit committee’s nightmare, what’s the antidote? It comes in two parts: strong control activities over financial reporting, and strong corporate culture that encourages everyone to sound the alarms about misconduct. </p><h2>Ingredient 1: Control Activities</h2><p>The first ingredient is unimpeded access to the company’s transactional data. Access should include not just whatever reports someone might provide to internal audit or the audit committee, but also the actual data about payments, due diligence checks, beneficial ownership, contracts, or whatever else the audit team might want to see. </p><p>That’s partly a question of technology. Accounting systems should rely on a single data source to make frauds like bogus spreadsheets and false transaction entries harder to accomplish. 
In an ideal world, auditors should be able to drill down from balance sheet, to line-item accounts, to transactions within those accounts, to supporting documentation for those transactions. </p><p>As an audit committee chair, Roth wants to hear the chief audit executive (CAE) explain how the process for gathering data works, and whether there are any concerns about potential interference. For example, does the audit team depend on the IT department to generate reports? That’s a risk, no matter how well-intentioned the IT department might be. “I’m looking for the internal audit function to have a good process in place that addresses internal controls, and that they’re able to go out and do their job and do it well,” she says.</p><p>Once upon a time, when companies used data warehouses, the audit team could have access to them, too, and pull whatever information it needed. Today’s systems are more complicated, as many firms rely on cloud-based applications that might store data in different locations, or employees might use cloud-based applications but not tell IT about it. </p><p>Audit and accounting teams need to think about the design of financial reporting systems and transparency into the data, so that suspicious transactions stick out like a sore thumb.</p><h2>Ingredient 2: The Control Environment</h2><p>Even when suspicious transactions are more visible, someone still needs to point them out. After all, at organizations of any appreciable size, many fraudulent activities won’t be spotted by the audit team — especially if more than one person is involved in the misconduct, as happened at Bankrate, Polycom, and many others. The organization needs to foster an environment where employees feel comfortable raising concerns about misconduct. “That’s always top of mind as an audit committee member,” says Raoul Ménès, who serves on the audit committee of the Salt River Pima-Maricopa Indian Community in suburban Phoenix. 
</p><p>“The bad perception to have is, ‘Don’t worry, internal audit will get it,’” Ménès says. “Well, internal audit cannot see everything. They’ll show up for two weeks to do an audit, and then they’re gone.” </p><p>Ménès encourages audit committee members to spend more time at their organizations, getting to know employees casually. Show up early for a committee meeting, for example, and chat with the employees. (That’s in addition to any executive sessions at the committee meeting, or any conversations the committee chair has with the CAE between meetings.)</p><p>“Meet the audit team, or talk to the controller. Just see how things are going,” Ménès says. “When you’re able to connect with folks, to work with them and talk with them, they’ll open up.” </p><p>Fair enough, but how else can the audit function identify warning signs about corporate culture? “Auditing culture” is a lofty idea, but a bit vague. Instead, audit teams need to design tests for traits or behaviors that suggest the culture is wrong. Ménès, for example, once worked with a firm where employees received a three-question quiz about the code of conduct shortly after they had certified that they’d read it. The goal wasn’t to see how well they memorized the answers; it was to see whether the enterprise had high failure rates as a whole — which would suggest that employees weren’t taking the code seriously, a big culture risk. </p><p>Roth, meanwhile, wants to hear about managers who try to interfere with auditors’ ability to talk to other employees. “If someone is telling the auditor, ‘You can’t work with anyone else, you have to go through me’ — that’s an automatic red flag,” she says.  
</p><h2>Shutting Down Abuse</h2><p>The truth is, an organization can’t achieve strong financial reporting without both elements present: systems that provide clear visibility into transactions and a corporate culture that encourages internal audit — or other parts of the enterprise — to put that visibility to good use. </p><p>That’s the buttress organizations need to thwart executives who might abuse their power to override controls or lie to the board. It can be tough to build in the modern enterprise, with complex IT systems and a globalized workforce. Build it right, however, and that buttress can be pretty powerful.</p><p>Matt Kelly</p>
<p><a href="https://iaonline.theiia.org/2019/Pages/The-Winds-of-Trade-Wars.aspx">The Winds of Trade Wars</a></p><h2>How can a global company determine how to comply with volatile trade regulation shifts? </h2><p>In a changing global landscape, organizations need to be aligned, agile, and prepared. Specific to tariffs, the compliance office, supply chain, and public affairs/regulatory teams need to work together to develop a comprehensive response plan. In an escalating trade war, all functions need to understand their roles within the plan and be agile enough to ensure timely implementation. Items to prioritize are reviewing third-party contracts, updating costing models, investigating alternative supply options and coordinating with logistics, and ensuring controlled processes are in place to comply with changing duty rates and classifications. </p><p>As a risk leader within the organization, internal audit first should vocalize and elevate the potential impact of geopolitical risks, including trade wars and tariffs, to the audit committee, senior leadership, and others within the business. Second, internal audit should work with the appropriate teams to ensure response plans are in place if trade wars escalate or continue for an extended period. Third, internal audit should review the customs compliance process, paying particular attention to classification procedures and documentation to minimize the risk of transshipment [through intermediate sites] and payment noncompliance.</p><h2>What are some of the risks to a company with a global supply chain? </h2><p>The most immediate implications of tariffs are higher costs, limited alternative sourcing options, more complex logistics, and greater compliance risks. Businesses may look to adjust their manufacturing and sourcing strategies, but these cannot be changed overnight. The reality is that most companies have spent years planning and building their global supply chains. 
</p><p>Although New Balance has been focused on preparedness and agility within our supply chain — including running internal scenarios for a trade war escalation — sourcing shifts are still capital-, resource-, and time-intensive challenges. All departments, from development through transportation, need to be in alignment and coordinating fully to achieve the overall strategic objectives. </p><p>Staff</p>
<p><a href="https://iaonline.theiia.org/2019/Pages/In-Line-With-Risk.aspx">In Line With Risk</a></p><p>Risk management has evolved and grown since its inception in the mid-20th century, as evidenced by the introduction of methodologies such as The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) <em>Enterprise Risk Management – Integrating With Strategy and Performance</em>, the International Organization for Standardization’s ISO 31000, and the Basel Accords. Yet, only 23% of respondents describe their risk management program as mature in the American Institute of Certified Professional Accountants’ 2019 <em>The State of Risk Oversight</em>, conducted jointly with North Carolina State’s ERM Initiative. Additionally, the perceived level of maturity has declined over the past two years, and most organizations struggle to integrate their enterprise risk management (ERM) program with the strategy and objective-setting process. </p><p>Understanding and managing risk has tremendous benefits, as it helps organizations better prepare for the future. So why aren’t ERM programs more mature and better accepted? Most likely it is because organizations do not know how to develop a program or because they do not embrace risk management.</p><p>The current way of thinking about this practice can be challenged to discover new ways of evolving it to more effectively manage strategic risk. My former organization developed and successfully implemented an ERM function, and I am currently using the same strategic program to build a function at Covetrus, an animal-health technology and services company. Building a systematic and strategic program at my former company was educational and rewarding, as it allowed my team and me to familiarize ourselves with many aspects of the organization. 
</p><h2>Where to Begin</h2><p>Before establishing the program, my team and I identified key points of concern that needed to be addressed during implementation: </p><ul><li>Risks were too generic to create measurable plans.</li><li>Issues and controls were not systematically mapped to risks. </li><li>It was difficult to quantify and qualify the impact to the organization.</li><li>Progress tracking of risk remediation plans was not well-documented.</li></ul><p>The program implementation was then divided into three phases spanning several years.</p><h2>Phase 1: Pilot</h2><p>During this phase, the team developed a detailed risk library and hierarchy that aligned with the organization’s life cycle, mapped issues and controls to risks providing a real-time picture of the organization’s risk profile, developed measurable remediation plans for the top risks, and implemented centralized reporting.</p><p>Participation in the risk program initially was limited to the internal audit, vendor due diligence, and compliance teams. Some of the key steps taken to complete this phase included: </p><ul><li>Selecting an ERM standard. We decided on COSO’s updated ERM framework. </li><li>Defining purpose, scope, roles, and responsibilities. </li><li>Formalizing a risk-rating methodology. </li><li>Developing a master risk library.</li><li>Documenting a process for identifying risks, assessing severity, implementing responses, tracking, and reporting. </li><li>Conducting initial risk assessments with critical areas.</li></ul><img src="/2019/PublishingImages/Hamzo-Enterprise-Risk-Areas.jpg" class="ms-rtePosition-2" alt="Enterprise Risk Areas" style="margin:5px;width:640px;height:570px;" /><p>The development of the risk library was vital, as it defined the program foundation and provided common terminology for all of the program participants. Over time, the team updated the library based on management feedback to customize it to the type of risks inherent to the organization. 
The team organized risks into a three-tiered hierarchy. At the top were the key enterprise risk areas, which follow the organization’s life cycle (see “Enterprise Risk Areas,” right).</p><p>Underneath each enterprise risk area, there are intermediate risks that represent the subfunctions of that risk area. Within each intermediate risk, there are individual risks that are potential events that can impact that business area. The individual risks are linked to processes, objectives, key risk indicators, financial losses, mitigating controls, incidents, and findings (see “Risks, Controls, Issues, and Remediation Mapping” below). </p><p>Mapping the more than 900 internal controls and issues to each individual risk took the most time, but it was the most important step. Mapping processes provided further insight into the ratings, which often are subjective. More specifically, the occurrence of an issue increased the likelihood, while the presence of compliant internal controls decreased the likelihood, of one or more risks occurring. </p><p>After the completion of this phase, we realized that we tried to accomplish too much in too short a time. For example, we defined the end-to-end risk process while simultaneously automating it via our risk management system. Looking back, we should have operationalized the process before introducing a tool.</p><h2>Phase 2: Implement the Program </h2><p>During phase 2, my team and I developed a formal risk management policy, fine-tuned the process, expanded risk assessments across all divisions, and established a governance committee. The team also incorporated other key risk management functions under the umbrella of the ERM program to include business continuity, information security, legal, and patient safety teams. </p><p>The individual teams had their own governance committees, which were consolidated into a single governance, risk, and compliance team comprising executive leadership. 
This team met several times a year to discuss top risks and the status of remediation plans, and to escalate critical issues, as necessary. </p><p>Issue tracking from these key functions was consolidated into one consistent process and tool. This effort took one year, and we followed the same process for each team: </p><ul><li>Conduct current state analysis of processes, people, and tools. </li><li>Normalize rating methodologies.  </li><li>Migrate all open issues and implement a process for identifying and tracking issues and remediation plans in the ERM system. </li></ul><p>To ensure accurate risk tagging for these issues, we configured the tool to route any new issues to the risk management team for approval. We used the review as a learning opportunity for both our team and the business: once a month we reviewed issues, related root causes, remediation plans, and impacted risks. </p><h2>Phase 3: Integrate ERM With the Strategy </h2><p><img src="/2019/PublishingImages/Hamzo-Risk-Controls-Issues-Remediation-Mapping.jpg" class="ms-rtePosition-2" alt="Risks, Controls, Issues, and Remediation Mapping" style="margin:5px;width:640px;height:634px;" />Early in our process, we learned that a successful integration is dependent on the organization having a strategic approach for identifying, managing, and reporting on the strategy and objectives. Integration with the ERM program becomes just one of the steps in that process. </p><p>The integration process started with the definition of our risk appetite statements for each of the company objectives. For example: </p><ul><li>Objective: Develop new products and attract new customers. </li><li>Risk Appetite: An organization will not make decisions that compromise its reputation by using defective new products that introduce security vulnerabilities and cause a customer data breach. 
</li></ul><p>Next, the leadership team identified projects or initiatives that supported the organization’s objectives and strategy and included information such as opportunities, dependencies, resources, budget, and timeline. Coordination with the general and administrative functions to discuss resource and budget needs, as well as any regulatory and compliance implications as a result of these projects, was necessary, as these dependencies could become risks to the objectives. This included human resources, legal, audit, and finance planning and forecasting teams.</p><p>The ERM team, partnering with leaders, identified additional risks at the project level. These risks were rated using the rating methodology and rolled up to the enterprise level. The prioritization and responses to the risks were aligned to the risk appetite statements. These statements also will guide the organization’s response to emerging risks that surface throughout the year. </p><h2>Organizational Alignment</h2><p>Throughout this program, the team learned to work more productively with the organization in order to be met with less resistance. From the start, we learned that discussions about risk without the right approach can be perceived as an attack and critical of the business. </p><p>As a result of this project, the team embraced a teaching and learning approach where we spend more time educating the organization about risk principles, which helped us better understand business and risks from the organization’s perspective. Collectively, the organization became more aligned with its risk profile. </p><p>Internal auditors can make a difference if organizations overcome their giving-up point. By giving risk management a try and not waiting for a big event to happen that forces internal auditors to adopt risk management haphazardly, they are doing right by their organizations. Progress cannot be made through fear.</p><p>Dorina Hamzo</p>
<p><a href="https://iaonline.theiia.org/2019/Pages/Dont-Manage-Risk-Manage-Value.aspx">Don't Manage Risk — Manage Value</a></p><p>Risk management’s traditional focus on adversity is changing. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2017 <em>Enterprise Risk Management (ERM)–Integrating With Strategy and Performance</em> framework now refers to risk holistically as “the possibility that events will occur and affect the achievement of strategy and business objectives.” With “adversely” removed from the definition, a risk is no longer something that must be prevented from happening. In addition, the framework no longer speaks of <em>risk management</em> as a separate process, but defines it in terms of “culture, capabilities, and practices.” </p><p>The updated COSO ERM framework and the International Organization for Standardization’s ISO 31000: Risk Management standard present great opportunities to replace the term <em>risk management</em> with <em>value management</em>. According to both standards, managing risk is all about creating and protecting value. However, they retain the term <em>risk management</em>. </p><p>Business activities always involve uncertainty. To increase success, leadership teams have to take advantage of opportunities and limit threats. Ultimately, they want to increase the certainty they will achieve their objectives and will not get what they do not want. For that reason, organizations need a pragmatic approach to keep key stakeholders satisfied by realizing value for them.</p><p>The value management approach offers intriguing opportunities for internal auditors because it focuses on the quality of decision-making within the organization. Internal audit can help the organization by assessing to what extent decision-makers possess the right competence and integrity to reconcile dilemmas caused by the conflicting interests of stakeholders. 
</p><h2>Becoming Future-proof</h2><p>Being future-proof requires an organization to continually create and protect value for its core stakeholders. However, terms such as <em>value</em>, <em>result</em>, <em>success</em>, and <em>improvement</em> only gain substance through the meaning that stakeholders attach to them. Stakeholders look at an organization from their own perspective. Based on their interests, they find certain things valuable such as innovation, punctuality, privacy, safety, compliance, integrity, efficiency, and continuity.</p><p>Future viability is about anticipating what might happen. The leadership team wants to know where the organization is expected to end up and to what extent this differs from what the organization’s core stakeholders expect. Is the organization on the right track? Or is there a real chance that it will not achieve its objectives? In that case, is the organization taking appropriate measures? Conversely, the organization may be exceeding expectations, because it is able to deal well with uncertainty. </p><h2>Bringing Experts Together</h2><p>Strategic, tactical, and operational decisions imply making choices and balancing potential pros and cons. Working standards and methods are intended to guide the decision-makers in the right direction. Determining these rules is the domain of specialized departments such as business continuity, compliance, control, information security, privacy, quality, and safety. Typically, all these functions conduct risk assessments, build control frameworks, and produce management reports, which easily can lead to functional silos and value destruction in practice.</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Value Management and Internal Audit</strong></p><p>Embracing the value management approach is different from advocating conventional risk management practices. 
Here are examples of what will change for internal auditors:</p><ul><li>Instead of focusing on the organization’s biggest vulnerabilities, internal audit holistically focuses on assessing the quality of management. Decisions made when planning, executing, monitoring, and improving business activities always have potential positive and negative effects on the interests of key stakeholders.</li><li>Instead of believing the organization should have a separate risk management process, function, or system, internal audit focuses on the organization’s capabilities to become future-proof. Propagating lots of separate risk terms, such as risk manager, risk culture, risk appetite, and risk report, may not lead to the realization of business objectives.</li><li>Instead of seeking to assess whether what COSO’s 2017 ERM framework calls the second line of accountability fulfills its responsibilities for overseeing performance and conformance, internal audit assesses the competence and integrity of decision-makers at all levels of the organization.</li><li>Instead of unilaterally focusing on money, internal audit recognizes that <em>value</em> implies more than cash, profit, stock price, and dividend. Key stakeholders have different interests and attach value to divergent matters.</li><li>Instead of embracing in-control statements oriented to the past, internal audit realizes that the key question is to what extent decision-makers at all levels of the organization are capable of creating and preserving value for key stakeholders in the future. 
</li><li>Instead of assuming that the future is makeable and perfectible through risk analyses, risk and control matrices, and control testing, internal audit acknowledges that the world is volatile, unpredictable, complex, and ambiguous, requiring a considerable degree of agility and flexibility.</li><li>Instead of assuming that risk management should be a separate item on the agenda for team meetings, internal audit emphasizes that each of the items is about effectively dealing with opportunities and threats.</li></ul></td></tr></tbody></table><p>Conventional risk management is a flawed concept (see “Value Management and Internal Audit,” right). Instead of having a separate program, function, or committee for managing risks, organizations should focus on connecting the functional experts. Generating and preserving value is dependent on these specialists collaborating to assist decision-makers at all levels with seizing opportunities and limiting threats. As an independent advisor, internal audit can help reduce organizational complexity and silo-thinking.</p><p>To connect the experts effectively, leadership teams should seek answers to five key questions. These basic business questions are the building blocks for the practical analyses that leaders can carry out for a separate business process, project, department, branch, division, value chain, or the entire organization. </p><p>Answering each of these questions requires making choices and balancing opportunities and threats. For example, implementing extensive control frameworks (part of the “how” question) may send the message to those involved that they have flawed judgment or lack integrity. Internal audit should independently assess to what extent leaders answer the questions satisfactorily.</p><p><strong>Who Can Decide?</strong> Value management hinges on the effectiveness of governance: Who is authorized to make which choices? 
This applies to allocating resources both to daily operations and continuous transformation. The individual responsible for achieving formulated objectives also should be able to decide how best to deal with relevant opportunities and threats. This can be done by optimizing the associated business processes and controls. </p><p>A prominent and practical issue concerns the mandate of the experts in the organization’s staff departments. To what extent are they allowed to prescribe working standards to their colleagues or are they only expected to provide advice? How does the leadership team ensure that the staff specialists keep the line managers in focus? On the other hand, how can leaders prevent the experts from exaggeration caused by enthusiasm? An example is information security specialists who produce unworkable policies and procedures. </p><p><strong>What Do We Do?</strong> Each leadership team benefits from having an integrated overview of the clustered activities of everyone involved within their entity. This structured summary of current tasks shows the organization’s common playing field. The overview of managerial, primary, and supporting processes provides insight into all relevant transaction flows and volumes. It also forms the basis for the IT application landscape for processing the transactions. Hence, it is the foundation for information management, business intelligence, and forecasting. Do those in charge have the right information for making balanced decisions? The advantages of better insight into who does what are evident in initiatives such as integration projects.</p><p><strong>Why Do We Do What We Do?</strong> The organization’s success is determined by the extent to which its core stakeholders are satisfied. They are primarily interested in how the leadership team’s performance affects their interests. That is why the stakeholder analysis is essential. 
If all goes well, the team’s ambitions fit in with the value that the organization wants to create and protect for specific stakeholders. This value is expressed in the organization’s mission, vision, and strategy, and is translated into concrete success factors, objectives, and indicators. Using clear tolerances for the key indicators and preparing regular forecasts provide ample input for timely adjustment. If the estimated outcomes are not within the bandwidths, the two options are to adjust the controls or to inform key stakeholders that they must accept revised tolerances.</p><p><strong>How Do We Do What We Do?</strong> To apply judgment, decision-makers need a framework and rules such as working standards and methods. The practical details of these rules are laid down in the charters, policies, guidelines, procedures, protocols, and work instructions. Clear working arrangements streamline decision-making, facilitate work hand-off among colleagues, and provide a clear reference for audits. The “how” question is about autonomy. For example, to what extent are subsidiaries allowed to make their own rules?</p><p>The decisive factor in the “how” is the organization’s culture. Is it characterized by managers setting the examples? Are decision-makers willing to face the possible consequences of their choices? Is it acceptable to challenge the assumptions in overly ambitious plans?</p><p><strong>What Can We Improve?</strong> A continuous improvement program helps the leadership team focus on what really matters. When asked about the “best improvements,” people typically mention situations where the risk exposure is bigger, or the chance-taking is smaller, than desired. The necessary improvements are usually about better designing, implementing, applying, and monitoring the organization’s working methods and standards. 
These renovations explicitly deal with the competencies of those involved — not only their professional knowledge and skills, but especially their personal leadership qualities.</p><p>A continuous improvement program can enable the team to identify, prioritize, and realize improvement initiatives. The better the information management is and the more that employees feel free to report issues, the sooner trends can be identified.</p><h2>Value for Stakeholders</h2><p>Conventional risk management can easily turn into a separate, illusory, and compliance-driven system. Alternatively, value management is an integrated approach that can give leadership teams a single platform for all common types of management. It can help decision-makers identify, prioritize, and realize relevant improvements that are needed to satisfy their core stakeholders.</p><p>Marinus de Pooter</p>
