Risk and Compliance

 

 

​Monitoring Laws and Regulations and Their Effect on Your Organizationhttps://iaonline.theiia.org/blogs/marks/2017/Pages/Monitoring-laws-and-regulations-and-their-effect-on-your-organization.aspx​Monitoring Laws and Regulations and Their Effect on Your Organization<p>​This is an important topic for every organization, whether public or private, local or global.</p><p>It's especially true when you add interpretations by the regulators and courts of existing laws and regulations.</p><p>Something that you thought you understood to mean A now appears to mean B.</p><p>If you are not up to date on the laws and regulations with which you need to comply, there is a significant potential for harm.</p><p>OCEG recently shared an infographic on the topic of <a href="http://www.oceg.org/resources/regulatory-change-management/" target="_blank">Regulatory Change Management</a>. Sponsored and developed by Thomson Reuters, the accompanying article points out that technology assists that can help monitor changes in the regulatory environment that might affect the organization, its risks, and its ability to remain in compliance.</p><p>I agree that technology like this can be very useful. But I am not 100 percent convinced that it is sufficient.</p><p>If it were up to me, I would develop a map that shows all the areas where laws, regulations, and societal expectations might apply to the enterprise. I add societal expectations because failing to live up to them can be damaging, directly to the organization's reputation and indirectly to its revenue and more.</p><p>I would then, for each area, identify how we could ensure we remain up to date, and who is responsible. I would not ignore sources like:</p><ul><li>The external law firms.</li><li>The external auditors.</li><li>Government affairs consultants.</li><li>The management team and other advisors.</li></ul><p><br></p><p>But it's not enough for designated individuals to receive notification of changes that might affect the organization.</p><p>It's not enough, as implied in the piece, for analysis to be performed at HQ.</p><p>The changes and their implications need to be communicated to all potentially affected individuals across the extended enterprise. That population includes not only employees but partners, service providers, and others in the supply chain.</p><p>Training may be needed; policies and procedures may need to be updated. As noted by the authors, controls may need to be changed or adapted to the new environment.</p><p>It is quite possible that regulatory change may mean that current strategies and objectives need to be changed as well.</p><p>This is an important area, one that deserves the attention of both risk practitioners and internal auditors. From time to time, the board might consider asking management to report on its ability to both identify and then respond to regulatory change.</p><p>Perhaps you can share sources of information about regulatory change that I have missed, as well as measures that organizations should take to address them.</p><p>OCEG is a great source of <a href="http://www.oceg.org/resource_topic/free/?utm_source=OCEG+Members&utm_campaign=aa0204db3e-Reg+Change&utm_medium=email&utm_term=0_2afb06e6d3-aa0204db3e-122229369" target="_blank">materials</a> and <a href="http://www.oceg.org/education/grc-fundamentals/?utm_source=OCEG+Members&utm_campaign=aa0204db3e-Reg+Change&utm_medium=email&utm_term=0_2afb06e6d3-aa0204db3e-122229369" target="_blank">training</a>. Membership is free!​</p><p><br></p>Norman Marks0
New Leadership, New Riskshttps://iaonline.theiia.org/2017/Pages/New-Leadership-New-Risks.aspxNew Leadership, New Risks<p>​<span style="text-align:justify;">When a momentous event happens — and without question, the election of Donald Trump to the Oval Office was momentous — people tend to overestimate the consequences for the short term, and underestimate them for the long term. That point is worth remembering as the intern​al audit community tries to decipher what the Trump administration means for business risk.</span></p><p style="text-align:justify;">After all, the Trump team has talked a great deal about sweeping change: tax reform, health-care reform, infrastructure spending, trade policy, and regulatory reform. The immediate impulse to brace for impact is natural. </p><p style="text-align:justify;">A better metaphor, however, might be that audit leaders should acclimate to a new environment — one that will arrive more subtly than people expect, but in the fullness of time, bring about potentially dramatic change. Fundamentally, the business risks themselves will not change. Regulatory enforcement, financial reporting, cybersecurity, supply chain, liquidity — all the risks that organizations faced in previous years will still exist in 2017 and beyond. What will change is the underlying forces and conditions that shape those risks. </p><p style="text-align:justify;">Identifying those changing conditions, and deducing their implications for the organization's own enterprise risk assessment, will be a key challenge for chief audit executives in the Trump Era. What are some of those tectonic shifts likely to happen in 2017 and beyond? Let's look at a few examples.​</p><h3>The Rise o​​​f Political Risk</h3><p style="text-align:justify;">Political risk — that is, dramatic, unpredictable political decisions that can carry far-reaching consequences for a business or industry — has not been a phenomenon in the United States for many years. Now it will be, owing to the new president's willingness to confront corporate decisions head-on. </p><p style="text-align:justify;">One example is his recent admonishments against Ford Motor Co. for its plans to locate a US$1.6 billion manufacturing plant in Mexico, and Ford's subsequent announcement on Jan. 3 that <a href="http://www.reuters.com/article/us-ford-mexico-idUSKBN14N1EO">it would scrap those plans to build a US$700 million plant in Michigan</a>. Another is Trump's comments during his Jan. 11 press conference, where he announced that <a href="http://www.wsj.com/articles/trump-attacks-drugmakers-on-pricing-1484167641">he wants to require pharmaceutical companies to bid on contracts for Medicare and Medicaid</a>. That would be a major shift in government health-care spending; the Nasdaq Biotech Index fell 3 percent within hours of his statement.</p><p style="text-align:justify;">Businesses will need to explore strategies that can withstand greater political risk. Manufacturers, for example, may invest more in work automation technologies. Services businesses might develop more customer self-help mechanisms to avoid the political risk of outsourcing call centers. Investment strategies might need to be shorter-term, so companies can tack into political winds more easily.</p><p style="text-align:justify;">More broadly, industries might see international sanctions reversed — removing them from Russia, re-imposing them on Iran — or well-understood markets up-ended in light of new political priorities (e.g., health care). For example, a 2017 political analysis published by the law firm Squire Patton Boggs identified several legislative events likely to happen this year: </p><ul><li>The end of free-trade efforts such as the Trans-Pacific Partnership or the Transatlantic Trade and Investment Partnership.</li><li>Significant changes (or even full abolition) of the Consumer Financial Protection Bureau and the Financial Stability Oversight Council, two oversight bodies created by the Dodd-Frank Wall Street Reform and Consumer Protection Act.</li><li>The repeal and replacement of the Patient Protection and Affordable Care Act. </li></ul><p style="text-align:justify;">Each of these potential changes could significantly impact the immediate industries to which they pertain, as well as the broader economy.</p><h3>The Shift in Enf​​orcement Risk</h3><p style="text-align:justify;">Businesses may also see a regulatory enforcement climate of smaller penalties against corporations, especially when companies cooperate with regulators to identify individual wrongdoers at their companies. A precursor to this idea emerged in 2016, in the Justice Department's Foreign Corrupt Practices Act Pilot Program: discounts in monetary penalties for companies that disclosed violations of anti-bribery law and then remediated control weaknesses.</p><p style="text-align:justify;">So what would the implications be if the Trump Administration applies that concept on a wider scale? Foremost, companies would want to revisit their compliance programs to ensure they can cooperate with regulators effectively. For example, if a company wants to win cooperation credit for helping regulators prosecute individuals, it must be able to identify (and gather evidence against) those individuals within its ranks. So the importance of e-discovery processes and investigation protocols goes up.</p><h3>From Che​​ap Money to Easy Money</h3><p style="text-align:justify;">The Trump Administration wants to ease oversight of bank lending and new capital formation. At the same time, we're likely to see more infrastructure spending <em>and</em> higher interest rates as the Federal Reserve keeps nudging rates higher amid stronger economic growth.</p><p style="text-align:justify;">String all those variables together: a world of stronger growth, where companies can get loans more easily but at higher interest rates. What risks emerge from a scenario like that? </p><p style="text-align:justify;">Companies could, for example, face greater liquidity risk if their finances are based on instruments that can't withstand higher interest rates. Or the demand for skilled labor will grow so fierce that companies might face workforce shortages. Merger targets could become unaffordable. Inflation might erode expected profits.</p><p style="text-align:justify;">An over-stimulated economy would be quite different from the past decade of low economic growth, low interest rates, and a tightly constrained financial sector. It would reverse many long-held assumptions businesses have used, with corresponding change to risks, policies, and controls. </p><p style="text-align:justify;">By the same token, the new lending climate could offer significant potential for growth without some of these downsides – and organizational leadership will want to consider whether they're positioned to leverage that opportunity. Chief audit executives could help ensure the organization has adequately examined the upside potential of economic growth. </p><p style="text-align:justify;">Every company would experience bank lending changes in its own way, but more than anything else, this new economic climate could be the most tangible change that a Trump Administration might bring about.</p><h3>Remember​​ the Limits</h3><p style="text-align:justify;">For all the potential transformations that the Trump Era might bring, internal audit professionals should also remember another truth: political power is often fragile. For <em>any</em> policy change to move forward, <em>all</em> Republicans in Congress and<em> </em>Trump must agree on the policy. Any crack in party resolve could fracture the whole plan.</p><p style="text-align:justify;">That could translate into delays and disputes on any number of legislative efforts. In fact, those delays have already emerged over health-care reform. Tax reform might see similar treatment, as special interests lobby to preserve their favorite corners of the tax code. (This also means that we're more likely to see change that the executive branch can enact itself, much like we saw in the later Obama years.)</p><p style="text-align:justify;">A recent analysis by the law firm Arnold Porter demonstrates the challenge. For tax reform, the analysis says, Trump's main thrust will be to increase the benefits of manufacturing in the U.S., to stimulate job growth. The early proposals also mean, however, that <a href="http://www.wsj.com/articles/toy-makers-gird-for-tax-code-change-1484143201">retailers that import cheaper goods from overseas could see painful tax increases</a>. </p><p style="text-align:justify;">That will likely lead to fierce battles in Washington, with some powerful corporate voices fighting to preserve their interests. When will those questions get resolved? Nobody knows.​​</p><p style="text-align:justify;">In other words, internal auditors shouldn't ask, "How will the Trump administration change my world?" A far better question is to ask, "How will the Trump administration change the broader world — and what is the organization doing to prepare for it?" </p>Matt Kelly0
An Important Cyberrisk Framework​https://iaonline.theiia.org/blogs/marks/2017/Pages/An-important-cyber-risk-framework.aspxAn Important Cyberrisk Framework​<p>​Perhaps the most important cyberrisk framework is that published by the U.S. National Institute of Standards and Technology (NIST). Recently, NIST shared for comment a proposed update to their framework.</p><p>You can <a href="https://www.nist.gov/cyberframework" target="_blank">download the document and view related videos here</a>.</p><p>Here are some key excerpts from the executive summary:</p><ul><li>Similar to financial and reputational risk, cybersecurity risk affects a company's bottom line. It can drive up costs and impact revenue. It can harm an organization's ability to innovate and to gain and maintain customers.</li><li>The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization's risk management processes.</li><li>The Framework enables organizations — regardless of size, degree of cybersecurity risk, or cybersecurity sophistication — to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.</li><li>The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks — different threats, different vulnerabilities, different risk tolerances — and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks.</li></ul><p><br></p><p>Later, the authors say this:</p><p><span class="ms-rteStyle-BQ">"Enterprise risk manageme​nt is the consideration of all risks to achieving a given business objective. Ensuring cybersecurity is factored into enterprise risk consideration is integral to achieving business objectives. This includes the positive effects of cybersecurity as well as the negative effects should cybersecurity be subverted."</span></p><p>There's a good amount of material to like.</p><ul><li>The framework is risk-based and talks about, in my words, investing in cybersecurity commensurate with the level of risk.</li><li>When it talks about risk, it is to the achievement of business objectives. They don't talk about protecting information assets, but rather drive to what is important to the success of the business.</li><li>It uses a maturity model (although it doesn't describe it as such) as a useful way to assess the effectiveness of the cyber program.</li><li>It makes the point that those responsible for the cyber program need to be at an appropriate level within the organization.</li><li>It emphasizes that the management of cyberrisk needs to be integrated within the broader enterprise risk management activity.</li></ul><p><br></p><p>However, there are some few areas where I would have liked to have seen more discussion.</p><ul><li>Appendix B is a list of objectives for the cyber program. However, in my opinion it is over-simplified and probably incomplete. For example, I do not see anything about protecting the organization from the effects of social engineering.</li><li>While detection is emphasized, the need for <em>timely</em> detection is not mentioned.</li><li>The framework mentions the need for continuous improvement and that cyberrisk is dynamic. However, the sea is constantly rising and defenses have to adapt at least as fast as the risk changes. Investment needs to be in resources that enable threats to be monitored and defenses upgraded continuously.</li><li>The task of assessing the likelihood of a breach is hardly covered at all. There is general acceptance of the fact that a breach is almost inevitable, so the emphasis perhaps should be on the likelihood of different degrees of impact. Past experience may not be a good indicator, as prior breaches may not have been detected — leaving management with the unjustified belief that the incidence of breach is lower than it really is.</li><li>The framework suggests that the organization should have an inventory of all assets or points on the network. However, with the extended supply chain plus the Internet of Things plus the fact that employees and other individuals are hacked as entry points, the problem is far more severe than is presented. I am not persuaded that an inventory can ever be considered complete.</li><li>While the framework talks about integration with the enterprise risk management program, it is important to note that cyber may be one of several risks that might affect the achievement of one or more business objectives. Decisions about acceptable levels of risk to an objective should consider all these risks, not just one. In other words, cyber and other risks to an objective may appear to be at an acceptable level individually, but the aggregate effect may be intolerable and require action.</li><li>The framework references the ISO 31000:2009 global risk management standard (curiously not the COSO ERM Integrated Framework) but defines "risk" in its own way. It also uses the term "risk tolerance" in its own way, inconsistent with that of COSO or ISO. (It is essentially the same as COSO's risk appetite).</li></ul><p><br></p><p>A framework is simply that, a framework that any organization can build out to suit its situation and needs.</p><p>I encourage everybody to consider the document, respond with suggestions for improvement, and perhaps use it to assess and then upgrade your organization's cyber program.</p><p>Your comments?​</p><p><br></p>Norman Marks0
​Deloitte Shares a List of "Risk" Trends to Watch in 2017 and Beyondhttps://iaonline.theiia.org/blogs/marks/2017/Pages/Deloitte-shares-a-list-of-“risk”-trends-to-watch-in-2017-and-beyond.aspx​Deloitte Shares a List of "Risk" Trends to Watch in 2017 and Beyond<p>​Rather than the list of top risks, the people at Deloitte suggest that there are a number of trends "that have the potential to significantly alter the risk landscape for companies around the world and change how they respond to and manage risk."</p><p>They share 10 in <a href="https://www2.deloitte.com/us/en/pages/risk/articles/future-of-risk-ten-trends.html" target="_blank">The Future of Risk: New Game, New Rules</a>.</p><p>I like the way they start:</p><p><span class="ms-rteStyle-BQ">The risk landscape is changing fast. Every day's headlines bring new reminders that the future is on its way, and sometimes it feels like new risks and response strategies are around every corner. The outlines of new opportunities and new challenges for risk leaders — indeed, all organizational leaders — are already visible.</span></p><p><span class="ms-rteStyle-BQ">What you'll see is that risk's onset and consequences, and the entire nature of the risk discipline, are evolving. The good news? The strategic conversation around risk is changing too. For leaders today, risk can be used as a tool to create value and achieve higher levels of performance. It's no longer something to only fear, minimize, and avoid.</span></p><p>For the moment, let's put aside our differences about the meaning of words such as "risk" and "risk source." </p><p>The 10 trends they have listed merit consideration. As Deloitte suggests, we should all consider these trends. Do we agree with the facts as presented? Will they affect us and, if so, how? How should we respond?</p><p>Please read the report, which is fairly short, before coming back to this discussion.</p><p>The first trend is <span style="text-decoration:underline;">cognitive technologies</span>, which is a fancy term that includes big data analytics, predictive analytics, AI, machine learning, and so on. Deloitte says it is about "using smart machines to detect, predict, and prevent risks in high-risk situations."</p><p>Broadly speaking, every organization should be watching and exploring ways to use new or advances in technology for this purpose.</p><p>But more might be done.</p><p>Machine learning and similar technologies may not only detect patterns and so on, analyze them, but actually make decisions and initiate action. Smart software, as well as machines, is starting to replace humans that perform repetitive analysis and response.</p><p>The second is "<span style="text-decoration:underline;">Controls become pervasive</span>." Deloitte is not talking about internal controls, here. They are talking about controls automation. They could have easily rolled this into the first trend, since it's really about the use of technology for risk monitoring.</p><p>The third is quite different: It's about advances in <span style="text-decoration:underline;">behavioral science</span>. I'm not sure what they expect to be different in 2017 and beyond, because the study of human behavior is not new at all. The key is whether the science will be <span style="text-decoration:underline;">used</span>.</p><p>Deloitte then uses the term "<span style="text-decoration:underline;">vigilance</span>" for its next trend. This is another fancy word; <strong>detection </strong>would have worked just as well, perhaps more accurately, but vigilance is more exciting and appealing to the consumer of Deloitte services.</p><p>Yes, more attention needs to be placed on risk monitoring and detection controls, especially with respect to cyber.</p><p>The next one is "<span style="text-decoration:underline;">risk transfer</span>." Arguably, risk is never transferred. It can only be shared or mitigated. Also, preventive controls do not eliminate risk; they just reduce the level to hopefully acceptable levels, because there is always the possibility that the controls will fail. The only change in this area I am aware of is the emergence of (limited) cyber insurance.</p><p>Deloitte thinks that the fact that <span style="text-decoration:underline;">innovation outpaces regulation</span> is a trend. I am not persuaded. However, the relaxation of regulation under President Trump would be a change — but may not be <span><span>in effect </span></span> long-term if he is not re-elected in four years.</p><p>Using <span style="text-decoration:underline;">risk management to drive performance</span> is not a new thought. I have been pressing for it for a while myself. If it becomes a reality, that would certainly be an important trend.</p><p>"<span style="text-decoration:underline;">Collective risk management</span>" is an interesting concept. However, laws and regulations can limit the sharing of information.</p><p>"<span style="text-decoration:underline;">Disruption</span> dominates the executive agenda" is not new. I agree with Deloitte that it should be expected to increase this year and into the future.</p><p>Then Deloitte picks <span style="text-decoration:underline;">reputation </span>risk — again, not really new. The change is that new technologies can help us address it.</p><p><br></p><p>Overall, a couple of points that should stimulate some thinking. But most of this should be ho-hum for most of us.</p><p>What do you think?​</p><p><br></p><p><br></p>Norman Marks0
Healthy Compliancehttps://iaonline.theiia.org/2016/Pages/Healthy-Compliance.aspxHealthy Compliance<h2>​What are health care’s top compliance risks for 2017? </h2><p>Cybersecurity is on every industry’s top 10 list, but health care is particularly susceptible because its data is worth 10 times the price of credit data on the black market. And, health-care organizations are increasingly becoming the target of ransomware attacks. The second risk is government’s recent focus on the quality of care provided to patients. Physicians, hospitals, and other providers that did not comply with Medicare’s regulations regarding the medical necessity of services provided have had to pay settlements to the U.S. government. Health-care providers need to ensure compliance with these requirements.<br></p><h2>How can compliance officers best ensure they do not face personal liability in compliance failures? </h2><p>This is the $64,000 question! Having asked myself that question on many occasions, I have only one response: Be diligent. We must thoroughly investigate and respond to every compliance complaint and report. Gone are the days where we disregard a report solely because the source is a disgruntled employee. We must take every report very seriously. We must ensure our investigation and remediation are well-documented. In this litigious environment, “dotting the i’s and crossing the t’s” can truly make all the difference.</p><h2>How can internal audit and compliance best collaborate to address regulatory burdens?</h2><p>In our organization, audit and compliance staff work together to ensure regulatory compliance. For instance, in the course of a compliance audit, an IT auditor may mine the data looking for anomalies, and then the clinical compliance auditor would review the medical records selected in the data mining process for compliance with a given regulation. Likewise, in a compliance investigation, our audit staff will conduct interviews and perform data analytics. The compliance staff will do the research on applicable regulatory guidance and then audit selected records for compliance. </p>Staff0
What Does the New Year Hold for Internal Audit?https://iaonline.theiia.org/blogs/marks/2017/Pages/What-does-the-New-Year-hold-for-internal-audit.aspxWhat Does the New Year Hold for Internal Audit?<p>​Two pieces by Deloitte merit our attention.</p><p>The first is <a href="https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-deloitte-chief-audit-executives-trends.pdf" target="_blank">Chief Audit Executives: Ready for the Spotlight</a> (PDF).<br></p><p>It makes some interesting points.</p><blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;"><ul><li>Stop auditing the past. Instead focus on enabling the future (my words).<br></li><li>Convert the little pieces of information (perhaps individual audit reports) into big picture insights.<br></li></ul></blockquote><p><br> </p><p>This is good advice.</p><p>One of the valuable new pieces of guidance that came out of the project (with which I was involved) to develop The IIA's principles for effective internal auditing was the idea that internal audit:</p><blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;"><ul><li>Should be forward-looking, and<br></li><li>Provide insights and advice as well as assurance.<br></li></ul></blockquote><p><br> </p><p>CAEs in particular need to be willing to take more risks with their opinions, telling management and the board about the bigger issues (such as those I describe in my post on <a href="https://normanmarks.wordpress.com/2016/12/31/the-real-risks-the-ones-not-in-the-typical-list-of-top-risks/" target="_blank">The Real Risks: The Ones Not in the Typical List of Top Risks</a>). </p><p>Drilling down to the root cause of risk and control problems often leads to exposure of fundamental problems of leadership and so on.</p><p>The valuable CAE is the one who is brave enough to <a href="https://www.youtube.com/watch?v=QUQsqBqxoR4" target="_blank">tell (or sing) the story</a>.</p><p>With respect to "forward looking," we should remember why auditing controls adds value: when they know the controls are adequate in addressing risk, the board and management know they can rely on them now and tomorrow as they drive the organization to success.</p><p>We should assess controls in terms of their effect on today and tomorrow's operations, not on what might or might not have happened in the past. That is over.</p><p>The second Deloitte piece is <a href="https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-internal-audit-insights-high-impact-areas-2017.pdf" target="_blank">Internal Audit Insights: High-impact Areas of Focus - 2017</a> (PDF).<br></p><p>It starts with this honest but alarming point:</p><p><span class="ms-rteStyle-BQ">… ​only 28 percent of CAEs believe their functions have strong impact and influence within their organizations.</span></p><p>It goes on to list eleven areas of focus for internal audit:</p><blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;"><ul><li>Strategic planning.<br></li><li>Third-party management.<br></li><li>Internal audit analytics.<br></li><li>Integrated risk assurance/combined assurance.<br></li><li>Cyber.<br></li><li>Digitalization.<br></li><li>Risk culture.<br></li><li>Strategic and emerging risks.<br></li><li>Sustainability assurance.<br></li><li>Media auditsNew reporting methods.<br></li></ul></blockquote><p><br> </p><p>​The last is something I have been pressing for a while, with examples in my book (<em>Auditing that matters</em>). They seem to be quoting me (without attribution) when they say:</p><p><span class="ms-rteStyle-BQ">Tell stakeholders what they need to know, why they need to know it, and what they should do about it.</span></p><p>However, I don't condone their suggested use of heat maps (which fail to tell the true picture of risk) instead of using plain English!</p><p>Say what you mean to say (Bareilles). Honestly!</p><p>Instead of a <em>list</em> of areas to focus, let me suggest <em>one</em>. A simple one.</p><p>Aim to provide an opinion on the overall management (via controls) of the risks that matter to the success of the organization. Now, how can you get to that point? What work needs to be done? </p><p>OK, do it in 2017 and deliver the valuable information your board and executives need.</p><p>Your thoughts?</p><p><br> </p>Norman Marks0
​The Decision-maker's View of Riskhttps://iaonline.theiia.org/blogs/marks/2016/Pages/The-decision-maker’s-view-of-risk.aspx​The Decision-maker's View of Risk<p>​I recently had the privilege of speaking after and then moderating a panel that included <a href="http://www.fairinstitute.org/chairmans-welcome" target="_blank">Jack Jones</a>. Jack is the creator and evangelist for the FAIR methodology, about which he wrote <a href="https://www.amazon.com/Measuring-Managing-Information-Risk-Approach/dp/0124202314" target="_blank"><em>Measuring and Managing Information Risk: A FAIR Approach</em></a>. A number of people have found this very useful and have recommended it to me. I think it is worth considering.</p><p><a href="http://www.fairinstitute.org/blog/a-different-definition-of-risk-management" target="_blank">Jack has written a blog post about our meeting</a> with his reflections on the 95 percent agreement we have on risk management and his perspective on the other 5 percent.</p><p>Please read his post as my comments will be in response.</p><p>I enjoyed the MISTI conference where this meeting took place, but I have to admit meeting Jack was very much the highlight. It's always great to have a constructive conversation with somebody who has spent at least as much time thinking about a topic as you yet has different ideas. It's a learning opportunity.</p><p>I respect Jack's view. It is difficult for an individual who has grown up with the idea that "risk" is something bad, and the role of the risk practitioner is to help decision-makers assess and respond to "What could go wrong," to believe they should use the same analytical process to assess what would go well. Several who have commented on my posts on this topic make that valid point.</p><p>Recognition is given to the facts that a) decisions have multiple potential consequences (more often than not there is a <strong><em>combination</em></strong> of positive and negative) and b) people need to make intelligent decisions based on the best available information considering <strong><em>all</em></strong> the potential effects. The question is whether it is the responsibility of the risk practitioner to help with all sides of the coin.</p><p>I would like to shift our perspective from the risk practitioner to the decision-maker: the individual we are trying to help.</p><p>Let's put ourselves in their shoes.</p><p>As he or she works towards his or her objective, decisions will have to be made.</p><p>The decision-maker needs to weigh all the potential effects, everything that might happen, if he or she goes ahead. All options need to be assessed.</p><p>For example, imagine you are a senior vice president and you have to decide whether and when to go ahead with a new product launch.</p><p>The risk officer is there to help. With her assistance, you have an assessment of the potential harms that might result from going to market too early. These include the possibility that the product needs additional testing to ensure it functions reliably as desired; the effect on the launch could be catastrophic, resulting in lost sales and customers, reputation damage, and additional costs to repair or replace units sold and then re-launch at a later time. In addition, the marketing, sales, and the product help desk teams might not be ready, such that the launch fails to meet desired sales targets. So going to market early is rated by her as "high risk."</p><p>One alternative is to delay the launch by a month. The risk officer has worked with you to assess this scenario as well. The potential for each of the harms rated high for the early launch is lower, and the two of you have agreed to rate a delayed launch as "moderate risk."</p><p>The third and final option you are considering is to delay for two months. This will allow for thorough testing of the new product and preparation by all the support teams. This option is rated as "low risk."</p><p>But there are advantages to an early product launch. They could be significant.</p><p>Releasing the product quickly is being urged by the marketing and sales team as desirable because of the potential to be first to market the new generation of product. They say that an early launch is far more likely to seize a considerable market share and pricing can be optimized when there is little competition.</p><p>The support teams are pushing hard. They have told you and senior management that any delay, even for a month, is likely to give your competitors time to bring their comparable products to market. They are predicting that sales will be as much as 20 percent less if there is a one month delay and 35 percent less if the delay is two months.</p><p>Which is the best decision for the company?</p><p>The potential harms have been subject to a disciplined assessment process, but the potential rewards are based on the "experience" of the marketing and sales staff.</p><p>Even if a disciplined process was followed, are the results comparable to the assessment of harms?</p><p>Would a comparison of the harm assessment and the reward assessment be like comparing apples and oranges? Are they equally objective and credible?</p><p>My point is that the optimum situation is where all the potential consequences of each option are assessed the same way. How else can the senior vice president be comfortable that she is making an informed, intelligent decision — selecting the option that is best for the company?</p><p>Maybe, as Jack says, as risk practitioners we have boxed ourselves in by calling ourselves "risk" officers. Maybe we should try another term that doesn't limit our own image as well as that of our stakeholders to assessing the downside.</p><p>Isn't it all about helping the company and its decision-makers succeed?</p><p>I welcome your thoughts.​</p><p><br></p>Norman Marks0
​How Much Cyberrisk Should We Take?https://iaonline.theiia.org/blogs/marks/2016/Pages/How-much-cyber-risk-should-we-take.aspx​How Much Cyberrisk Should We Take?<p>​I recently presented on this topic at an MISTI conference for IT auditors.</p><p>My theme started with the fact that it is impossible to eliminate cyberrisk — the potential for a breach of our corporate network to harm us in some way. (I should say that we should be talking about "cyber-related business risk.")</p><p>While spending money to shore up our defenses will hopefully reduce the number and frequency of intrusions, the hackers' tools and techniques continue to develop, and we are constantly adding potential points of weakness as our use of technology grows. A recent survey said that the great majority of organizations don't have a good handle on how many addressable devices (Internet of Things) are now attached to their corporate network.</p><p>We can mitigate the effect of an intrusion with a combination of timely detection (the average time to detect is an appalling 9 months or so), incident response, encryption and other safeguards, and contingency planning.</p><p>But investments in cyber will not eliminate the risk.</p><p>So how much should we invest?</p><p>How much cyberrisk should we be willing to take?</p><p>I suggested that we need to understand and assess the risk.</p><p>But it is the risk to the objectives of the enterprise we should be assessing, not some measure of threat to IT assets or services. In other words, what is the cyber-related business risk.</p><p>How could a breach affect our business and the achievement of corporate goals?</p><p>How could it affect revenue, market share, earnings, and reputation?</p><p>What is the level of risk — to the enterprise?</p><p>If we can assess the level of risk, we can start to consider alternative ways to address the risk.</p><p>If we invest x dollars (whether in people, tools, or services), will that reduce the risk by more than the investment?</p><p>Can we tolerate the risk? Can we tolerate the cost of a breach?</p><p>According to one survey I read, the average cost of a breach is "only" US$208,432. <a href="http://www-03.ibm.com/security/data-breach/" target="_blank">IBM and the Ponemon Institute</a> disagreed, saying it was US$4 million. Rand pointedly said that was incorrect, that the cost is less than US$200,000.</p><p>Whichever number is correct, the average cost of a breach is not as alarming as many if not most might believe.</p><p>According to <a href="http://www.darkreading.com/attacks-breaches/rand-study-average-data-breach-costs-$200k-not-millions/d/d-id/1326962" target="_blank">Rand</a>, "cyber incidents cost firms a mere 0.4% of annual revenues on average. By comparison, overall rates of corruption, financial misstatements, and billing fraud account for 5% of annual revenues, followed by retail shrinkage (1.3%), followed by online fraud (0.9%)."</p><p>I am not saying that we should accept cyberrisk as a cost of doing business.</p><p>I am saying that we should invest in cyber defense, detection, and response commensurate with the risk.</p><p>We have other uses for the funds and resources!</p><p>I am also saying that if we are to adopt the new and disruptive technology that will drive the business forward, we should be willing to accept some reasonable level of cyberrisk.</p><p>Some in the audience vocally and loudly disagreed. They said that reducing security weakness and other IT-related risks to dollars and cents, allowing management to say remediation costs were more than the risk justified, would send the wrong message. It would say that some IT-related risks should be accepted.</p><p>Sorry, but that is the right message.</p><p>Every organization's assessment of cyber-related business risk (or any risk, for that matter) will be different. It will vary depending on their business and how they conduct it, their public image, how they value their reputation, and so on. It will also be affected by regulatory guidance and oversight.</p><p>Every organization's investment in addressing cyberrisk should be tailored to its level of risk — recognizing that the level of risk is likely to change.</p><p>Where does that leave me?</p><p>That there are greater risks than cyber.</p><p>The risk of being left behind by our competitors when it comes to leveraging new and disruptive technology is typically far greater. </p><p>The cost of a delay in or even the failure of a major systems enterprise resource planning implementation will probably be several times the cost of a breach.</p><p>So let's make intelligent decisions about investing in the management of cyberrisk.</p><p>Let's not cry out that the cyber sky is falling.</p><p>I welcome your thoughts.</p><p> </p><p>PS – <a href="http://corporatecomplianceinsights.com/bank-regulators-issue-proposed-rules-cybersecurity-controls/?utm_campaign=2016+Newslettters&utm_source=hs_email&utm_medium=email&utm_content=38923203&_hsenc=p2ANqtz--xWl4DIJp8oVy1GfMf_LpSbfTzl3K-9vwJyPQbXPnibLjSbSM_G21leAzUcmQALI7O6ljevbRSzSooHhQZ_pxcElZ5wg&_hsmi=38923203" target="_blank">see here for an article on cyberrisk regulations</a> proposed for U.S. banks. Note that they are also risk-based.</p><p><br></p>Norman Marks0
​Do We Know How to Audit Technology-related Risks?https://iaonline.theiia.org/blogs/marks/2016/Pages/Do-we-know-how-to-audit-technology-related-risks.aspx​Do We Know How to Audit Technology-related Risks?<p>​I just read through the latest ISACA/Protiviti survey, <a href="https://www.protiviti.com/US-en/insights/it-audit-benchmarking-survey" target="_blank">A Global Look at IT Audit Best Practices</a>.</p><p>It has a wealth of generally useful information and I recommend it to all internal audit leaders but not to board members — the level of detail is too much for their use. The executive summary is the most I would have a director read. But it would be better to have the CAE summarize the report for them, focusing on what lessons should be learned for their particular organization.</p><p>Some things surprised and others disappointed me.</p><p>My most important issue is that we need to stop talking about IT audit.</p><p>We should be talking about auditing risks relating to technology!</p><p>In the days of yore, the IT department owned and ran all the technology — with the exception of minor pieces of so-called user-managed software.</p><p>But not in 2016.</p><p>A good friend of mine, Gene Kim, is co-author of <a href="http://itrevolution.com/books/phoenix-project-devops-book/" target="_blank"><em>The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win</em></a>. I recommend it to anybody interested in technology and today's approach to running the IT function.</p><p>Recently, I read <a href="https://www.linkedin.com/pulse/5-aha-moments-while-reading-phoenix-project-sara-hruska" target="_blank">a review of <em>The Phoenix Project</em> by Sara Hruska</a>. She makes a few pertinent points:</p><ul><li>Pretty much every business is so dependent on technology that the distinction between leading the IT function and the CEO/chief operating officer role is diminishing.</li><li>The success of any organization can be dependent on the ability of the IT function to deliver at speed technology solutions that will drive the business.</li></ul><p><br></p><p>So, my first point is that the topic should no longer be the IT function, but the development, maintenance, and use of technology across the extended enterprise.</p><p>Let's talk about <em>technology</em> auditing.</p><p>Then there's my constant drumbeat comment that there is no such thing as IT risk.</p><p>It's technology-related <em>business </em>risk.</p><p>What could go wrong when it comes to the development, maintenance, or use of technology that would significantly affect the achievement of <em>business</em> objectives?</p><p>For that reason, there should not be a separate IT audit plan. It should, as Protiviti reports is more often than not the case, part of an integrated audit plan that is updated as often as risks change.</p><p>According to Protiviti, about half the respondents only update their (IT) audit plan annually.</p><p>That simply won't do in an era of dynamic change, especially around technology and its use.</p><p>I find it curious that despite the point made by Sara Hruska, the ability to identify the potential for disruptive technology to drive the organization forward is not among the top technology challenges in the Protiviti report. Perhaps it is because that was not an option Protiviti allowed respondents to select. More likely, though, it is because practitioners simply don't pay enough attention to the problem.</p><p>Is that correct?</p><p>Maybe Protiviti thought that their question about auditing IT governance would cover it. But, IMHO, a single audit of IT governance is not recommended. The topic is broad and practitioners should assess only those aspects of IT governance that are more critical to their business.</p><p>Other points of interest in the survey results:</p><ul><li>Nearly half believe their IT department is not aware of all of their organization's connected devices (e.g., connected thermostats, TVs, fire alarms, cars).</li><li>83 percent of respondents say cyberattacks are among the top three threats facing organizations today, and only 38 percent say they are prepared to experience one. — Comment, I wonder if they have assessed the <em>business</em> risk of a breach.</li><li>The study also found that only 29 percent of the respondents are very confident in their enterprise's ability to ensure the privacy of its sensitive data.</li><li>Only 65 percent said their CAE has sufficient knowledge to discuss IT audit matters with the audit committee. — Comment, that is dreadful.</li><li>Half or less than half of companies have their CAE or IT audit lead meet regularly with the chief information officer!</li><li>Where there is a corporate ERM framework, less than half the IT audit work is integrated with it.</li><li>Only about half are doing a significant or even a moderate amount of work on new technology initiatives.</li></ul><p></p><p>This is a disappointing state of affairs. I was an IT auditor for many years before becoming a CAE and always made sure my team was involved in every major technology initiative. The IT audit staff was generally about a third of the team — and I am talking about from 1990 to 2012!</p><p>Today, technology-related risk is huge and merits a lot more attention that it appears, from the study, it is getting.</p><p>What do you think?</p><p>What jumps out at you from the survey?​</p><p><br></p>Norman Marks0
What's Your Cyber Risk Appetite?https://iaonline.theiia.org/2016/Pages/Whats-Your-Cyber-Risk-Appetite.aspxWhat's Your Cyber Risk Appetite?<p>​In drafting the report for a client on a recent information security audit, there was nothing unexpected in the findings. The usual suspects lined up: access control, physical security, and network security. But there was something missing, the elephant in the room. There was no defined or formalized statement of the client's information security risk appetite.</p><p>Typically, organizations do not formally consider and document their information security risk appetite. Although most organizations have an information security policy framework and supporting processes and procedures, many of those policies seem to have been written without an end goal in mind. Specifically, they don't state that the policy is based on an information security risk appetite position or statement. Organizations spend significant resources on information security, but if they do not know what systems and data are to be secured, and to what extent, how do they go about securing them?</p><p>A first step toward drafting a risk appetite statement should be undertaking an internal information security risk assessment to determine where the organization is and where it needs to be. This assessment will involve facing some truths that may not be palatable to senior management, but it will help identify the organization's unique risks and what it needs to do to address them.</p><h3 style="letter-spacing:normal;">Work​ up an Appetite </h3><p>The Committee of Sponsoring Organizations of the Treadway Commission's <em>Enterprise Risk Management–Integrated Framework</em> defines <em>risk appetite</em> as "The degree of risk on a broad-based level that a company or another entity is willing to accept in pursuit of its goals." A June 2009 study by insurance and risk company Marsh and the University of Nottingham, Research Into the Definition and Application of the Concept of Risk Appetite, breaks risk appetite into five categories:</p><ol><li>A limit or boundary set on the risk heat map (usually the top right-hand column).</li><li>Economic measures (including capital changes/impact, profit or loss, and tolerable levels).</li><li>Changes in credit ratings.</li><li>Changes in targets or thresholds of key indicators.</li><li>Qualitative statements (e.g., zero tolerance for license breaches or loss of life).</li></ol><p>The appetite for security risk should be based on the organization's overall risk appetite. The consequence and likelihood of the risk occurring should determine the level of acceptable risk. For example, the impact of not conducting periodic user access reviews on applications may be rated as "medium," which is within the the organization's defined risk appetite. Consequently, management can prioritize resources for taking action based on the appetite it has set. In contrast, a denial of service risk may have the capacity to bring the organization's website down, so the rating of this risk may be outside the acceptable tolerable levels and require appropriate emergency action. </p><p>The organization needs to articulate its risk thresholds and then obtain sign-off from management. A risk mature organization may have multiple levels of risk appetite statements across platforms and technologies. The key to success is aligning these area-specific risk statements with the overall information security risk appetite and the organization's risk appetite statement. </p><p>Some areas where risk appetite may be considered include:</p><ul><li>Asset management.</li><li>Access control.</li><li>Cryptography.</li><li>Physical and environmental security.</li><li>Operations security.</li><li>Communications security.</li><li>System acquisition development and maintenance.</li><li>Supplier relationships.</li><li>Information security incident management.</li><li>Business continuity management.​</li></ul><h3 style="letter-spacing:normal;">Mak​e a Statement</h3><p>The organization's information security risk statement should be based on its overall risk statement. For example, a financial institution's information security risk appetite statement may be pitched and agreed to at a high level of detail prescribed by regulatory authorities, while a start-up company may provide less detail. Factors influencing the standard could be the number of customers, financial impact, and level of risk senior management and the board are willing to accept. </p><p>An example of an organization's overall risk appetite statement is:​</p><p><span class="ms-rteStyle-BQ"><em>The organization has a tolerance for risk that will allow it to achieve its business objectives in a manner that is compliant with the laws and regulations in the jurisdiction in​ which it operates. We specifically will not tolerate any negative impact on employee and customer health and well-being.</em><em>  </em></span></p><p>Based on this overall risk appetite statement, the organization's information security risk appetite statement could be: ​</p><p><em class="ms-rteStyle-BQ">The organization has a low risk appetite for the loss of its business and customer data. </em></p><p>Moreover, information security risk appetite statements for specific areas could include:</p><ul><li>Asset Management: The organization has a medium risk appetite for physical information security assets and will track assets greater than US$2,000. Information assets will be protected per the organization's data classification framework.<br></li><li>Access Control: The organization has a high risk appetite for access controls.  All access to the organization's mission-critical systems will be controlled via biometric authentication. <br></li></ul><h3 style="letter-spacing:normal;">Defining Acc​eptable Risk </h3><p>Having an information security risk appetite statement ensures the organization has defined what it considers an acceptable level of risk. Without such a statement, the organization is saying either that all information is important and will be protected, or that no information is important and therefore will be freely available. Both of these scenarios could be a survival risk for the organization in the long term.​</p><p>Information security risk appetite is the next step in an organization's maturing and understanding of risk management. By giving information security special attention, the organization is acknowledging that this area needs to be addressed specifically.</p>Shannon Buckley0

  • TeamMate_Jan2017_Prem 1
  • IIA TeamDevelopment_Jan2017_Prem 2
  • IIA PerformanceAuditing_Jan2017_Prem 3

 

 

Six Steps to an Effective Continuous Audit Processhttps://iaonline.theiia.org/six-steps-to-an-effective-continuous-audit-processSix Steps to an Effective Continuous Audit Process2008-02-01T05:00:00Z2008-02-01T05:00:00Z
Managing an Internal Audit Career: How Do You Know When It’s Time to Go?https://iaonline.theiia.org/blogs/chambers/2015/managing-an-internal-audit-career-how-do-you-know-when-it’s-time-to-goManaging an Internal Audit Career: How Do You Know When It’s Time to Go?2015-03-30T04:00:00Z2015-03-30T04:00:00Z
Understanding the Risk Management Processhttps://iaonline.theiia.org/understanding-the-risk-management-processUnderstanding the Risk Management Process2007-05-01T04:00:00Z2007-05-01T04:00:00Z
Lessons From Toshiba: When Corporate Scandals Implicate Internal Audithttps://iaonline.theiia.org/blogs/chambers/2015/lessons-from-toshiba-when-corporate-scandals-implicate-internal-auditLessons From Toshiba: When Corporate Scandals Implicate Internal Audit2015-07-27T04:00:00Z2015-07-27T04:00:00Z