The Davies Report

Our take on the recent changes to the IIA Standards (free white paper)

Thu, 15 Nov 2012 23:09:00 GMT

Video: What you need to know about the changes in 90 seconds.

This month the Institute of Internal Auditors (IIA) released their latest revisions to their global standards.

These standards come into effect from 1 January 2013.

Much has been written about these changes, making it difficult to determine what's really important, if anything.

At first glance many of the changes may appear to be semantic, however there are six key changes that chief auditors and audit committees will want to be across.

As a service to our clients and subscribers, we have developed a free white paper that summarises what is required, what was intended, what audit committees should be asking for and what internal audit functions need to do for best effect.

This report aims to cut through the clutter to get to those aspects that matter, and those that can make a difference.

We recommend that clients assess these changes early and use these as an impetus to improve the effectiveness of their internal audit functions.

We hope you find this helpful, and as always, if you need assistance, give us a call.

White paper download (pdf, 695kB, registration required)

Doing More with Less

Sun, 30 Sep 2012 14:00:00 GMT

In this month's piece, we shift from our usual focus on risk and assurance effectiveness, to risk and assurance efficiency. In other words, how to do more with less.

**

Snapshot

Budget uncertainty and cost pressures remain widespread and are driving four common responses:

1. Cost cutting

2. Defending existing budgets

3. Reshaping the audit program

4. Doing things differently

In this article we explore how to use each of these responses for best effect.

**

Cost cutting (BAU less x%)

“In order to change, we must be sick and tired of being sick and tired.” (Unknown)

How a problem is framed can make all the difference in the world.

Consider the request – keep doing what you’re doing now, but cut 10% of your budget.

This problem is framed so that the cut is big enough to be painful, but not big enough to force major change. It also assumes that business as usual is desirable, and hence trimming around the edges is required instead of re-thinking how the function operates.

The standard response is often to cut discretionary costs. Training and consulting may get cut. Areas of the audit plan may get shaved. Vendors and travel might get squeezed. Headcount may get put on hold.

While short term cost savings may be gained, these dividends and can lead to the dreaded “death of 1,000 cuts”.

Our view is that this approach is not sustainable.

Doing things differently

The alternative is a clean sheet.

Let’s frame the problem differently.

If I was to start from scratch, with 50% of my current budget, or if my organisation was to double in size, what would I put in place to be successful?

Reframing can drive very different thinking. Indeed this order of change was the genesis of behind control self assessment and second line of defence concepts which continue to serve us well today.

Different framing allows a series of different questions to be asked:

• What can we do with technology?

• What could we do with smarter planning and methodology?

• How can we shave 20%+ out of key phases in every major activity?

• What could we achieve with different resources?

• How can we formalise 2nd line of defence activities to drive faster, cheaper assurance?

• What would happen if we stopped doing things the way we do them now?

Leading audit functions are asking these questions proactively before budget demands are made. The result is a virtuous circle of increased productivity with higher performing more relevant, rewarding work and engaged teams.

As one optimist one said, I don’t have a budget problem, I have a budget opportunity.

If you want to understand what's possible, when you "draw outside the lines", please give us a call.

Defending existing budgets

Like any other cost centre, risk and assurance is a budget area that can provide short term savings.

However, there is also is a strong argument to say that spending on risk and assurance needs to be countercyclical.

Leading CEOs invest more in audit and risk during restructuring, so they have the confidence to cut elsewhere.

We’ve worked with a number of organisations to make the business case for budget and for change.

If you need help on this, please give us a call.

Reshaping the program / zero-based budgeting

“Ask not what your company can do for you, ask what you can do for your company.” (Apologies to John F. Kennedy)

While using benchmarks and historical data for budgeting provides sound starting points, they’re not always fir for purpose.

A more productive discussion is on where assurance is required.

During times of cost cutting and restructuring, we always find it helpful to revisit an organisation’s heat maps, and use our favourite shade of yellow (custard).

The concept is simple. If you’ve got a significant change in people, roles or accountabilities, compliance will often drop rapidly. This is when things go wrong – when things go to custard – and when assurance is required.

A basic heat map that highlights this type of change is relatively simple, yet powerful to introduce, and generates a different conversation around audit plans.

If you’re not having this sort of discussion with your stakeholders and audit committee, we’d suggest “the custard chart” is a very good place to start.

Conclusion

Cost-cutting without changing to the way your assurance function works can be a vicious cycle.

As expectations keep expanding and budgets remain tight, there is a need to do things differently and work from a clean sheet.

We regularly run “possibilities workshops” with organisations to explore what’s possible.

If you’d like some help turning budget challenge into an opportunity to do things differently, we’d love to hear from you.

GRC – The Great Risk Con revisited

Thu, 22 Dec 2011 13:00:00 GMT

“Use caution with Forrester Waves and Gartner Magic Quadrants.” Leading GRC Analyst.

In 2008 I wrote a piece for Risk Management Magazine called GRC – The Great Risk Con.

The article went on to make a number of controversial comments ranging from an inference which suggested that anyone who uses the GRC term may not know what they’re talking about, through to GRC being a term created by the major IT players in order to create and capture a new market segment.

I painted the term as unhelpful and mischievous and in the process I’m pleased to say that this caused great debate in this magazine.

Three years later, little has changed. The GRC software market remains immature. Like other immature markets it’s characterised by acquisition and consolidation at all tiers. The Great Risk Con has become the Great Risk Consolidation. It’s been this way for years.

My main contention with the GRC category is it lumps things together which don’t necessarily belong together. Risk assessment with compliance; issue tracking with audit work papers; continuous control monitoring with continuous transaction monitoring, e-rooms and collaboration tools, CAATs 2.0, knowledge management, control-self assessment and anything else you can think of thrown in for good measure.

The lines have been blurred, and the research analysts seem to like the tools that do a bit of everything.

The reality is there is no one size fits all solution. The field is too dispersed and the segment is still characterised by a number of niche players who are good at what they do.

One leading GRC analyst estimates that there are over 400 GRC vendors, spanning 19 categories. And this is before considering our local batch from Australia, many of which are quite good. He concludes that in most cases it is more important to ensure your specific needs are met rather than compromising with a one-size-fits-all solution.

At this stage we’d concur. The market is still immature. There still is innovation happening, some new niches being created and some interesting developments being made. User bases are still fragmented. Systems are still being bought and junked regularly. It also explains why so many systems continue to be built in-house.

When embarking on a decision to buy, replace, build or configure, time spent up-front on being really clear on your user needs and requirements and nailing those in the first instance is the key to getting this right.

For now, best of breed trumps best in class. WE suspect it will be this way for many years.

Todd Davies & Associates assists organisations with GRC systems strategy, design and selection. This article first appeared in the final edition for 2011 of Risk Management Magazine.

For information on how we can assist, please go to our Understanding GRC Software page.

End of year wrap

Thu, 22 Dec 2011 13:00:00 GMT

2011 was an amazing year for us and for our clients as we helped them get the most out of their risk and assurance functions.

We gave advice to leading companies on their governance practices. We helped them make the case for an approach to integrated assurance. We saw through a category strategy for internal audit services for a major listed company which ultimately led to one of world’s largest tenders for internal audit services. We spent time with executive teams scanning for material business risks and the elusive black swans. We helped a leading company transition to an in-house internal audit team. We advised on audit, risk, self assessment and issues tracking software. We gave advice on how to structure audit & risk functions. We went through a full year’s cycle with five audit & risk committees.

It was an amazing year for the TDA team. Ralph Crook, Timothy Ong, James Quick, Matthew Ralph, Anthony Holland and Marissa Zamora joined the team at our offices in Kent Street in Sydney. We worked with amazing people from our expert panel – Tim Leech, Michael Rasmussen, Michael Fogel, Larry Quick as well as the teams from Emergination and Emergent Form. Our pool of alliance partners continues to grow.

And while doing all of this we managed to continue to give back professionally with a regular column and cover stories in Risk Management Magazine, on the editorial panels of Risk Management Today and IIA Australia’s Technical Newsletter, as well as giving talks with Telesis, Lexis Nexis, and squeezing in the occasional blog for good measure on our website and also with the Institute of Internal Auditor’s global flagship publication.

With a solid team now in place in Sydney and our Melbourne-based work continuing to grow, Todd and family will be moving to Melbourne early in 2012. He will continue to service our clients nationally with particular focus on Sydney and Melbourne.

2012 will also see a new website and expanded thought leadership publications and media available for our clients and subscribers.

We’re proud to be associated with some amazing people – our clients, associates, staff, suppliers, supporters and followers.

On behalf of the entire TDA team, we give our deepest thanks for your support during 2011 and look forward to working closely with you next year.

We wish you a safe and happy festive season for you and your families.

Festive greetings,

Todd, Sue, Dominic, Ralph, Tim, Matt, Anthony, Marissa and the extended TDA team

Failing to keep pace with change — the biggest risk of all

Mon, 05 Dec 2011 13:00:00 GMT

If you compare today’s stock exchange list with the same list from 10 years ago, you’ll see some big players missing. Some collapsed. Some lost relevance. Some lost value, and were gobbled up before their market value could be regained.

The single thread in nearly all of these cases is simple — the conditions changed and the organisation failed to keep pace with that change.

When thinking about the most significant business risks facing an organisation, failing to keep pace with change is the biggest. It outstrips anything on your risk register. It is a death sentence waiting to happen. In some cases the decline will be rapid, but in many cases, without a big intervention it will be slow and painful. Other risks will hurt; they may cause embarrassment, legal recourse, short-term financial loss, or the loss of a few executives, but they probably won’t kill the organisation.

The most recent analysis from the ASX Corporate Governance Council tells us that 95% of the ASX 200 companies believe they have the systems in place for their boards and management to be across their most material business risks.

In reviewing the risk reports from of a range of organisations, we see that some of the most material business risks — the risks arising from external change — are often not explicitly stated or well understood.

In part, this is due to narrow time horizons used in framing their risk assessments. In part, this arises from being unable to distinguish weak from strong signals. In many cases, it’s an inability to think beyond business as usual.

Often, the only way to tackle a strategic risk is to take a big risk and change course. Many organisations shy away from this and, in doing so, will end up on the scrap heap.

While it is risky to change and adapt, not hedging your bets is even riskier.

Ironically, for many organisations, a conservative approach to risk in the short term is likely to be the greatest risk of all.

**

Three questions you should ask:

1. What could cause our business model to be defunct or no longer viable?

2. What weak signals do we need to be paying attention to today?

3. What risks are apparent now which could take several years to unfold?

This article first appeared in the December 2011 edition of Risk Management Today.

Part two of this article linked below.

2012 Prophecy - The death of that great Ponzi scheme - the industrial age.

2012 Prophecy - The death of that great ponzi scheme - the industrial age

Mon, 05 Dec 2011 13:00:00 GMT

2012 is a year which comes up in a range of mythology as a period of great change. It seems everyone from the Mayans to the Mesoamericans and even Vishnu herself allude to a period of transition and renewal.

Given my comments on black swans in the 2010 Christmas edition of this bulletin, I figured I’d better make a prophecy of my own about 2012 before it arrives. So here it is.

I hereby pronounce 2012 as the death of the industrial age.

Lets face it, it’s time to recognise that the industrial age was the greatest ponzi scheme of all time.

It was an age where resources and growth were abundant and limitless. It was an age powered by fossil fuels, which helped us tap into the earth’s natural capital.

It was an amazing era, where average human beings could do things which the gods themselves would have been amazed by. We could eat strawberries in winter. We could control the climates of our homes. We could heal the sick and travel from Sydney to Melbourne in just over an hour.

We could do this all by digging up old dinosaur remains and converting them into fuel. These are all nifty tricks. The gods, magicians and alchemists would have all been impressed.

Of course, all good things come to an end, and we are now hitting natural limits.

In the early industrial days the planet could heal itself quicker than we could damage it, and damage was localised rather than systemic.

This is no longer the case.

In 2012, the world’s population will be seven billion and climbing.

Peak oil will have arrived.

Ocean, ecosystem and atmospheric governance are fractured and ineffective. By a series of measures, we currently need 1.4 planets to sustain us all. And that’s before economic growth or the industrialisation of developing countries is factored in.

All good ponzi schemes pay great dividends to those who get in early. It’s a pea and thimble trick which distributes future capital within that system and pretends it is income.

And this is what the industrial age was. Economic growth was driven by consumption of the planet’s resources and our reserves of natural capital, consuming capital faster than it could be replenished. Clearly, this can’t go on and the myriad of emerging risks is enormous.

Converting risk into opportunity

Having said that, I never met a risk that wasn’t someone else’s opportunity. The trick will be getting in early enough to make those opportunities yours.

There are many weak and strong signals on what the post-industrial era will look like, and there’s still time to get on the ground floor.

I like the idea of renewal. It sounds so much better than change or Armageddon. I look forward to joining you for a bit of renewal in 2012.

This article first appeared in the December 2011 edition of Risk Management Today.

Risk management – part of the problem or part of the solution?

Wed, 31 Aug 2011 14:00:00 GMT

Todd Davies asks if a changing environment is a new norm – and explains how risk professionals can cope.

Change is happening at a greater scale than ever before. We see it every day. This creates great uncertainty for the organisations that we serve, and should be a boon for us as risk professionals. After all, we’re in the business of managing uncertainty, or at least that’s what ISO 31000 tells us.

But the reality is that most people in the audit, risk and compliance fields aren’t dealing with uncertainties at all. We know that most of the risks that we anticipate are going to happen at some point in some sort of predicable manner. The only thing we don’t know is when or on what scale.

So as we merrily trundle along addressing these known-risks with known methods we add checks and balances. We add layers of approval. We write policies and procedures.

This is all great stuff in a steady-state environment. The only problem is that a steady-state environment isn’t the norm any more. In fact it hasn’t been for some time. Maybe you’ve noticed.

And in a non-steady state environment, the best risk response is the ability to adapt at short notice. This means scaling up capability quickly and dismantling it even faster. It also means the ability to innovate, scale and adapt could become more important sources of competitive advantage than existing assets and infrastructure. A truly frightening idea for most of us.

Heresy you may say. But have a look at the top 50 list from any stock exchange from 20 years ago and compare it to today. You won’t recognise much. A lot of change can happen in a very short time.

So back to today. With all of this change this in mind, does adding checks and balances add agility, or reduce it? How about layers of approval, or layers of policies and procedures? Or are we calcifying our organisations and making them less able to adapt?

Risk management is about allowing for success under multiple scenarios. In everything we do we must remember that steady-state is only one scenario, and possibly an unlikely one at that.

Charles Darwin said ‘It is not the strongest of the species that survive, nor the most interesting, but the ones most responsive to change’.

When we can manage risk by creating greater agility then risk management will stop being part of the problem and start becoming part of the solution.

This article appeared as a cover story in the inaugural web-based version of Risk Management Magazine.

Could internal audit have prevented the News Corp Scandal?

Sun, 31 Jul 2011 14:00:00 GMT

Viewpoint

Could the internal audit team at News Corp have identified and clamped down on the illegal activities of their journalists? Todd Davies doesn’t think so.

The News of the World scandal is causing ripple effects around the world, with commentators in Australia and abroad beginning to ask questions about News Corp’s corporate governance. They are also starting to ask questions on the role of independent directors, audit committees, risk management and internal audit which could have broader implications outside the media sector.

Challenges with News Corp’s corporate governance

It’s no secret in Australia that News Corp’s governance has been controversial for some time, although usually for the likes of poison pills rather than risk and assurance.

However, now in light of the phone hacking scandal, international commentators are beginning to ask about News Corp’s audit committee, the composition of it and whether internal audit was truly independent of management. While these are all important issues for any director to consider, in our view, the focus needs to be on the newsroom itself.

How do you audit a newsroom?

People might be surprised to hear this – in fact, I’m surprised to hear myself saying it – but I’m standing behind News Corp on this. Well, I’m standing behind their internal audit team anyway. I’ve met many of their people. I like them all. I trust them and respect them and a lot of what they do. Many of their practices are upper quartile and are an exemplar of modern practice. So the reality is, if they’ve got problems, we’ve probably all got problems.

The bigger issue is how you audit a newsroom. It’s very different to the usual audit procedures. We can audit back office functions – accounts payable, accounts receivable, treasury. We can chase the money trails and see where they lead. We can audit logistics, distribution and supply chain. We can audit IT systems, business continuity and the like. But auditing a newsroom is hard.

The challenge with newsrooms is that journalists need to protect their sources, in the same way that auditors need to protect their whistle blowers. They have a long-established culture, a code of ethics that looks very much like the code of ethics of an accountant – and a barrage of case law to support it.

There’s been no shortage of controversial cases on this in Australia where media companies have stood side by side to allow journalists to protect their sources. It’s a place where confidentiality is everything. As such, it’s really hard to get to the heart of the matter as an outsider. Or even as the editor.

You may be able to get a sense of the culture by spending time in the newsrooms. Some titles are methodical and measured. Some are like lunatic asylums with people hanging from the rafters. You might be able to let the people upstairs know that you don’t like the culture in the lunatic asylum and that the editor of a certain title may need some coaching in management 101. We’ve all done this.

The reality is that in a newsroom you end up auditing their payroll, overtime and contributors. You also go through their expenses so that they know someone is watching. You check a sample of them, ask a few probing questions, make sure they were authorised by the right people. The reality however this is about as effective as having the occasional patrol car drive down a troubled street. It’s a deterrent at best, but unlikely to find much.

In other words you do the normal stuff and if there was a scandal like this happening, it’s almost impossible to know unless you already suspect something and go looking for it specifically. No doubt all media companies will go looking for this specific circumstance now, but it will be after the fact. If anything was an issue you can almost guarantee it’s now been shut down.

How do you audit your newsroom?

So, the big issue in a lot of organisations is that while internal audit capabilities keep on evolving, their capabilities are still focused on back office functions. While they understand the core business, they struggle to get at the heart of it.

Internal audit functions in news organisations spend a lot of time auditing in the newsrooms, but they don’t always get to the heart of what’s happening in those newsrooms. Internal audit functions in health organisations spend a lot of time auditing in hospitals and wards, but they don’t get to the heart of what’s happening in clinical governance, in patient care or the culture in those wards. Internal audit functions in manufacturing companies spend a lot of time auditing at mine sites, but it’s hard to get to the heart of what’s happening in the culture of what’s happening on the shop floor. In short, even being on the floor most of the time, things pass right by us.

These are not isolated examples. Every company has it’s equivalent of a newsroom – something we audit, but only scratch the surface. From my perspective the big question for audit committees and heads of internal audit coming out of the News Corp scandal is around the scope and capabilities of the internal audit activity and whether they’re getting to the heart of matters or just doing a superficial patrol.

This article first appeared in Issue 87 of Risk Magazine, August 2011. Todd Davies was formerly head of audit and risk of Fairfax Media – Newscorp’s main newspaper rival in Australia – and a member of the ASX Corporate Governance Council. A summary of the News Corp scandal can be found here.

Strategic Risk Management?

Thu, 30 Jun 2011 14:00:00 GMT

Opinion

I’ve been deleting the word strategic from a lot of documents lately.

And it’s assisting immensely.

You see I’ve got this idea that the more times a person uses the word strategic, the more likely it is that the person is puffing or bluffing.

In the risk and assurance space using the word strategic usually does little to aid understanding. In most cases it’s just misleading.

Take the term ‘strategic risk management’ (SRM) which is cropping up everywhere these days.

Somehow SRM has ended up in the accountabilities template for NSW Government agencies. Apparently they’re now supposed to be responsible for strategic risk management as opposed to good old fashioned risk management. Now this would be fine if anyone knows what SRM is. I know what risk management is, I even know what enterprise risk management is, but strategic risk management? Is it the management of strategic risks perhaps? Or something other than tactical risk management?

The Risk Management Society in New York had a go recently at defining SRM. They’ve got a discussion document out on it in fact. The discussion document is useful. It says that SRM is an evolving discipline – in other words, they don’t know what it is either.

And then take the term ‘strategic audit plan’ which I still see regularly.

These documents are usually a standard audit universe spread over three years. They tend to ignore external conditions or do other things that strategic documents are supposed to do. But because their focus is on more than this financial year, the documents must be strategic. The reality is that it’s often anything but.

So when I see the term strategic appear in a charter, article, brochure or job title I get wary.

So the simple solution, delete the word strategic. I do. It adds amazing clarity.

Better still add the letters ‘un’ to the front – ‘unstrategic’, or delete and put ‘tactical, and add 'with a time horizon of slightly longer than 12 months but not longer than my current tenure or bonus time frame’ in front of it.

I think you’ll find this clarifies many things immensely.

***

This opinion piece was one of the cover stories in Issue 86 of Risk Magazine, July 2011. Todd Davies has been championing a better understanding on strategic risk for many years and taught the IIA’s first courses on this topic.

He contends that strategic risk is a class of risk in it’s own right and needs a dedicated identification process involving external viewpoints.

For more on Strategic Risk Management, click here.

Two Steps Forward, One Step Back

Sat, 30 Apr 2011 14:00:00 GMT

Why internal audit practice always lags and GRC snakeoil salesmen are alive and well

I turned 40 recently. And my work is making me feel old.

You see I’ve become that guy who says things like “back in the mid-90’s when we were rolling out CSA, we used to produce these great assurance maps…” or “that way of dealing with strategic risk is so late-90’s, it’s okay in theory, but you’ll find that…”.

Sure, I was working at the vanguard of audit practice at the time, but with a little over 15 years in the game I find myself as “old man audit” - a source of institutional knowledge on assurance and risk practices.

There is some wonderful knowledge that’s been lost – what works and doesn’t in CSA programs, how to use internal audit to drive re-engineering outcomes, why CoCo is easier to embed than COSO etc.

And without this knowledge we’re not sophisticated buyers. The snake oil salesmen are alive and well and the old-rope is sounding pretty good with its new names and marketing narrative.

In part this stems from changes in sponsorship and restructuring in the organisations we serve, but a lot of it is also self-inflicted as a result of how we resource ourselves.

Internal audit is a transitory game. It draws on people from all walks of life, many who haven’t dabbled in internal audit much before. For many it’s a stepping-stone of 2-4 years, moving onto something else before mastering their craft. The resulting loss of institutional knowledge, and difficulty in moving forward is enormous.

Indeed, in 2011 I see companies implementing 90’s ideas or discovering them for the first time. Worse still, I see some companies reinventing the wheel or going down the wrong paths with ideas that have been tested extensively in years gone by. The level of inherent atrophy and wasted investment is enormous.

While this is a great platform for a business like mine it does raise a big issue for the internal audit profession. We really should be a lot further ahead than where we are today.

Until we find ways to capture and build on institutional knowledge the profession will continue to spin its wheels. Its aspirations will continue to be for a base level of consistency rather than excellence. And we will struggle to keep pace with the needs of our stakeholders.

Until we become proficient in institutionalising this knowledge, we will keep on taking two steps forward, one step back.

This article first appeared in the May edition of Risk Management Magazine.

Time to Mandate Internal Audit?

Fri, 01 Apr 2011 13:00:00 GMT

Comment

The Institute of Internal Auditors (IIA) has been campaigning for regulatory change in Australia for more than 10 years. Much of what they’ve been saying has fallen on deaf ears.

Australia has one of the highest public exposures to listed shares as a result of mandatory superannuation. While prudent fund managers should be underweight in poorly governed companies, this doesn’t happen in practice. If a company share price spikes and the company hits the ASX/S&P200, your super fund just bought the stock, even if governance is shocking.

Australian regulation has fallen behind in some respects, resulting in laggards in the ASX/S&P lists, and owned by your super funds.

To be fair, there are some areas where Australian regulation leads. Having internal audit report to independent board audit committees gave the internal audit profession such a kick up the backside that it caused generational change in the entire profession. Other countries would benefit form this.

Similarly the requirements for boards and management to focus on whether the organisation really understands the material business risks they face, rather than just saying that they comply with the relevant risk standards has been a great thing for Australia’s competitiveness internationally.

But alas, these are suggestions only. They are not mandatory. Companies can weasel out of them or ignore them entirely. Even worse, some of the fundamentals have been skipped over, particularly internal audit which is a cornerstone of most governance frameworks elsewhere.

While internal audit is mandated for listed companies in the United States and throughout Asia, in Australia it is not. Similarly while the UK and South Africa have disclosure triggers on internal audit, Australian companies have nothing. This results in many companies outside the ASX/S&P 50 not having an internal audit function let alone one which is effective or risk-focused.

IIA has put together a policy agenda for reform. It contains five principles, two of which are yet to be pushed by the ASX or ASX Corporate Governance Council.

Internal audit is fundamental to good governance
Internal audit should operate at a consistently high standard

IIA Australia’s policy principles and recommendations are helpful for most mid-cap companies but many have not implemented them. They do this at their peril. Lagging performance on risk and assurance will force regulators to step in. Indeed if they had done so sooner your superannuation balances would be looking a lot healthier, as would mine.

This article first appeared in the April 2011 edition of Risk Management Magazine.

Download the IIA's Policy Agenda (Australia)

Reform required to ASX’s Principle 7?

Mon, 28 Feb 2011 13:00:00 GMT

Comment

As the Australian Securities Exchange (ASX) Corporate Governance Council starts its regular review of the Principles and Recommendations, the Institute of Internal Auditors (IIA) has fired an early salvo on the need for change.

Although we’ve learned a lot from the global financial crisis and the destruction of value, the reality is that when it comes to regulation and preparing for the next big shock, how prepared are we?

ASX Principle 7 – Recognise and Manage Risk is regarded as world-leading in its requirement for CEOs to inform the board of the material business risks facing the organisation and the status of these risks. Changes made to Principle 7, (Recommendation 7.2) in 2007, stated: “The board should require management to design and implement the risk management and internal control system to manage the company's material business risks and report to it on whether those risks are being managed effectively”.

In other jurisdictions, the regulatory focus is still on the risk process being in place, rather than on ensuring there is a comprehensive reporting process on risks. This is an important distinction from the 2007 changes that seems to have been missed by many.

The challenge is that no one is charged with checking the veracity of the risk reporting which management provides to the board. The IIA has taken the view that this needs to be done independently, and that internal auditors are best placed to perform this function.

As a non-executive director, I agree that independent assurance on the risk function is required. Indeed, this has been the first thing I’ve asked for at the audit and risk committees that I’m on, and it’s a great relief that to get this. It either gives us comfort that things are okay, or gives us a plan to get it right. Internal audit is well placed to lead this type of review, or buy in the skills to do so.

However, whether internal auditors have the capability to assess the veracity of the risk reporting provided by management, and whether all material risks are identified and reported to the board, is another question, particularly in the area of strategic risk and emerging macro risk. Assessing the veracity of risk reporting to the board of material risks is a specialised capability that often doesn’t lie in house or within the normal risk and assurance skillsets and talent pools, including the professional service firms.

Assurance over whether material risks are reported in full will be a challenge for all. Few companies do this well. If you find one, buy their shares!

But while we’re all feeling our way in this space, internal audit does have an important role in letting boards know if the material risk reporting is incomplete or unreliable. This is an important role that internal auditors have played in the past. To this end, the IIA’s shot across the bow is both timely and necessary. The challenge for internal auditors, however, will be getting the skills in place to keep pace with the change that their professional body is demanding. I wish them well in this charge.

Why it’s time to mandate

An if-not, why-not regime works fine if you have the ability to sell your shares.

The reality, however, is that most superannuation funds hug the ASX 300 / 500 index, so if a company share price starts to rocket, you end up owning that stock, even if governance is poor.

This has not gone unrecognised, which is why internal control signoffs on financial statements and audit committee composition started off as corporate governance recommendations, but ended up as law and listing rules respectively.

Arguably, risk management and internal audit are as important as these requirements — if not more so, and have been made law and/or listing rules elsewhere for this reason.

When you think of corporate collapses within the ASX 500 in recent years, or the estimated 20% of the ASX 200 which don’t have an internal audit function, there’s a good argument to say that there are these things which should not be optional.

This article first appeared in the March edition of Risk Management Today. Todd Davies is the former Technical & Policy Director of IIA Australia.

All Gone to Custard – Another take on Assurance Maps

Mon, 28 Feb 2011 13:00:00 GMT

A recent survey by the Economic Intelligence Unit indicated that 67% of companies believed they had overlapping coverage in two or more risk functions. 50% suggested there were gaps in coverage between their risk functions, and 62% believed they could get better coverage with less spend. Assurance mapping can be a useful tool for getting better bang for buck and avoiding assurance gaps.

Assurance maps are not a new thing. I saw my first ones in the mid-90s when control self assessment (CSA) and control risk self assessment (CRSA) were the next big things. They produced lovely heat maps. Sagely souls who were in the internal audit profession will tell me assurance maps are just a version of the audit universe with a bit of marketing flair. To a large degree they’re right – nothing much new under the sun it seems.

The problem of course with a transient profession like internal audit is that we lose a lot of corporate knowledge and finesse and once people move on everything old is new again. CAATs are now data analytics, CSA and risk software are now GRC and the audit universe is now an assurance map. This is great for ‘old timers’ like myself who are very familiar with ‘old rope’ and can show others what to do with it and how not to get tied up in it as we all did back in the day. It also helps us distinguish between marketing spin and genuine innovation.

Assurance maps have gained currency again, and this can only be a good thing. They were reintroduced as a recommendation in the King Report in South Africa in 2009, IIA HQ followed with strongly recommended guidance on them and this month IIA Australia has put out a useful example for their Insights ‘audit in a box’.

Assurance maps are not leading practice. They should be an industry norm, but in my travels I’m still surprised at how many audit shops (including outsourced ones) don’t have these in place. Assurance maps help the Chief Auditor and Audit Committee answer the question ‘have we missed anything important?’. In my mind I’m not sure how those officers can answer this question without some sort of assurance map. In short, if you don’t have an assurance map, you need one.

Taking assurance maps to the next level

IIA Australia’s ‘audit in a box‘ gives a useful example of what most people would understand an audit universe or assurance map to be. On the vertical axis it shows the list of key processes where assurance may be sought, and on the horizontal axis it lists the business units where coverage may be sought. This is a very practical first step, and something I would suggest should be an appendix to any audit plan being submitted for approval.

If you read The King Report and IIA’s Practice Advisory closely though, there is a suggestion of taking this a step further, with assurance on key risks rather than just on key processes. This is a more complex exercise and one likely to cause confusion if you haven’t dealt with the audit universe first and don’t have a mature risk function. I spent several years of my life developing methodologies for the big 4 to do this and my view from this work is that it’s difficult to simplify these risk assurance maps to a page at a glance, and if you’re doing to do these types of assurance maps, you still need to do the audit universe. Of course your ability to do this will depend on how mature your risk function is. Alas many risk functions are not mature enough or well enough integrated with internal audit to do this.

Taking it further – the custard chart

Ever heard that saying – “it’s all gone to custard?”.

From an assurance standpoint, process variations, system failures and control breakdowns tend to happen for a range of reasons which may or may not appear on the businesses risk radar on a timely basis, or potentially at all.

From my perspective, these sorts of risks – the risks that internal audit is normally concerned with arise from the following:

New processes (re-engineering or new areas of business)
New IT systems
Changed accountability (changes in organisaton structure or changing out of key management personnel)
Staff turnover beyond say 20% (due to growth, churn or both)

In these cases, any assurance you’ve had in the past is null and void, and this is when greater assurance is likely required. Typically I used to highlight these in yellow (custard) as set out below.

I’m a big fan of using charts to convey a message. During a reorganisation it can be a very effective way of getting people’s attention by highlighting the areas under change in yellow with a message of “chances are, its all going to custard, you need assurance”, or being able to visually give the all clear.

An assurance heat map highlights hot spots in the business where these changes are happening. It enables recalibration of the audit plan to identify when support is needed and avoids ‘bayoneting the wounded’ after things have gone off the rails. By comparison:

an audit universe is static – it shows what you’ve looked at in the past without a sense of whether that assurance is still valid.
A risk coverage map by it’s nature is hard to update and represent in real time, particularly if your risk framework is immature.

Our view

IIA Standards set the minimum acceptable standards for internal audit and tend to be lagging by nature. By definition our maturity model tends to rate anything in International Professional Practices Framework as a 3 out of 5 at best. If you regularly find things in the IPPF that you’re not doing yet, you are lagging and probably need to lift your game.

Our thoughts on assurance mapping:

Level 2 or below

No assurance mapping as yet – you are unlikely to be meeting your professional responsibilities or enabling your stakeholders to meet theirs. Start working on your audit universe in the format provided by IIA Australia in time for the next audit plan.

Level 3

Audit universe (processes by business unit) in place and updated periodically – you are operating at the required industry standard. Your challenge will be to present this in a way to your stakeholders that they can take in. You are now ready to implement the assurance heat map which will help you become more proactive in a measured way.

Level 4 and above

Risk assurance map – you are probably in the upper quartile of organisations and your peers would benefit from hearing about what you’re doing and how it works. We suggest also maintaining the audit universe type map so you don’t inadvertently stray too far from your core areas and some sort of assurance heat map to make sure your view of audit risk is up to date.

Assurance heat map (Custard chart) – you are leading practice. Your audit plan probably changes quarterly and your stakeholders are delighted at how you’re able to anticipate their needs before they even realise they need help. Again, your peers would benefit from hearing about what you’re doing and how.

About TDA

Todd Davies & Associates is a boutique firm specialising in leading practices in internal audit, risk and assurance. We work with organisations to help them define and achieve leading practice. What could you achieve with TDA on your team?

A look back, top 10 risks for 2010

Mon, 31 Jan 2011 13:00:00 GMT

About 12 months ago I wrote the feature article for the Institute of Internal Auditors’ global e-zine on the top 10 risks for 2010.

I received an email this week about the article which prompted me to have a look back at what I’d said, and also some of the comments which had been made in response.

My focus at the time was on ‘strategic risks’ a risk category which is often not focused on because they are hard to pin down. These risks tend to move from inconceivable to possible and probable moving quickly on your risk matrix over time and with increasing consequence. And as these things are often unprecedented, its often not clear how these will manifest themselves. As such, some of my top themes tended to be underlying drivers rather than specific risks which can be put in clear focus.

I’ve been talking and writing about this area – strategic risk, black swans, emerging risk, risk foresight and unknown unknowns for a few years now. This has led me down a range of paths including working with futurists, former futurists, board members, CRO’s, CAE’s, and even being on a debating team with people from the WEF’s global risk team. The results of this work can be confronting, particularly as it often challenges fundamentals and norms that we’ve taken for granted during the latter phases of industrialisation.

The human response

What has become more interesting and evident to me over time hasn’t just been the risks specifically but the usual responses I normally get when pointing out some of the big strategic risks as I see them:

These risks are not present today, and I’ve got bigger things to deal with in the near term, so please don’t waste my time with this lala land stuff (fair enough, but risk is a business of uncertainty rather than certainty)
I don’t believe these risks are going to manifest during my tenure, and they’re not in my role description or KPIs, so they’re not my problem (fair enough, this is not easy stuff to deal with, but raises some issues)
You’re right, there are some blind spots, and thanks for pointing some new ones out so I can find out more. (Ureka!)
Yes, I agree, and here’s some YOU’VE missed. (Very exciting, let’s talk)

My work is deliberately focused working with people in category 4 and sharing what I learn with those in category 3. In my view, these are the people who will avert massive destruction in shareholder value and create competitive advantage and possibly even market strength as a by product.

Where does strategic risk capability lie? Where should it lie?

Thematically with some notable exceptions, the greatest capability in being across strategic risks seems to lie at the board. Management, risk management and internal audit are mostly focused in the day to day. Their tenures often don’t align with the unfolding nature of these risks over time, whereas ultimately these will come home to roost with the board. This means a good board, and a diverse and well networked board with varied experiences and world views is key, and has been the basis of my arguments for board diversity including but beyond gender.

The challenge is when risks emerge which are not within the experience of the board, possibly because these risks are unprecedented. This is when risk forecasting capabilities are essential to avoid blind spots, which has been the crux of my argument since the GFC. Simply if organisations don’t have this capability in house, boards need to get someone in occasionally to challenge the organisation’s thinking on strategic risks and risks which will manifest themselves beyond the CEO’s tenure.

So how did the crystal ball go?

It is worth looking back to see how the top 5 themes list fared 12 months later with the benefit of hindsight, some of which were refuted by some who commented on the article. Here’s a few thoughts.

Energy prices. Forecasters are saying we’re still 12 months away from $100/barrel, but this week world leaders are leaning on OPEC to increase supply to try and postpone the rise. Coal prices are increasing quickly. Governments are strategically positioning around energy security as they understand the consequences to be catastrophic. This continues to be one to watch.
Industrialised world atrophies while the emerging economies grow. There are clear signs of this. Have a look at the Europe vs China story.
Population pressures and constraints on commodities. Notice that the resource companies are the ones driving economic growth in the developed world over the past 12 months? Seen what’s happening with food prices lately, and why Canada and Australia are now economies and currencies of preference in the developed world?
Structural currency rebalancing? Yes, many were in denial on this one, but I’m very happy that I advised my clients to unwind their exposures to certain currencies. The consequences for them would have been more than material and in some cases catastrophic leading to a crisis of confidence in management and the board, with potential knock on effects into the broader community.
Climate change. Sure, I’ll agree, not a risk in itself, but on at least half of the boards and audit and risk committees I sit on, it’s a key driver which those organisations will need to deal with creatively if they are to keep achieving at the rate they’re used to. And although not yet mainstream, there are some disruptive innovators doing some things in carbon markets which previously were unheard of.

So in some of these risks resulted in a material impact for some organisations, industries and countries. Some did not. But it’s fair to say that all five themes did drive changes in the risk profile, and are increasing in likelihood and impact.

Final thoughts

I guess all of this raises a philosophical question about who should be responsible for keeping an eye on strategic risk. In my experience the board and independent risk committee tends to do okay at it, but management is very much immersed in delivering this year’s plan. Taking your eye off these can be devastating. We’ve seen too much of this as I’ve written and spoken about many times.

At the time of the article, the internal audit profession was positioning itself to provide assurance over the risk frameworks and risk reporting of organisations. This article introduced a few ideas on what this actually means, including the provisions of Principle 7 of the ASX Corporate Governance Principles in relation to material business risk. For me, internal audit’s role is to see whether this emerging risk capability is in place and working well. If it isn’t internal audit has an obligation to let the most senior people in their organisation know, including the board.

I hope this has stimulated debate, including people who don’t agree with me, and if it has, then this has been very worthwhile. I’d love to to rekindle the debate, including from those who believe these risks are right, and those who still think it’s all a bit fluffy.

The original article and space for comment can be found IIA's Global website.

For those who are keen to find out more, I’d also welcome people to trawl my archives of articles, papers, presentations and video on the topic and join the mailing list for future updates. Where available, these are on this site free of charge.

Black Swans, Turkeys, Ostriches and other Christmas Poultry – a tale of Strategic Risk

Mon, 29 Nov 2010 13:00:00 GMT

A festive story about a quest to find the elusive black swans

As the global financial crisis (GFC) was starting to stabilise in Australia I talked to some of my peers to find out what was going through the minds of Australia’s prominent directors and what questions were coming up in their audit and risk committees. Thematically and consistently, directors at the big end of town were asking about black swans.

A black swan is a euphemism coined by Nicholas Taleb for a significant disruptive event that wasn’t foreseen at the time. The GFC was the most prominent example cited in the book.

Since the GFC there have been many significant disruptions causing material downgrades in company balance sheets and their earnings forecasts. And while many of these adjustments related to the GFC, many also did not.

Across the board adjustments to earnings forecasts were accompanied by a public statement that “no one could have reasonably foreseen these circumstances”. This always seemed to me to be an odd statement to make.

As I watched the value of my Australian shares plummet in some of these companies I wondered if this was because they don’t have good foresight capabilities? Some of these risks were highlighted in the top 10 risks by the World Economic Forum years ago, and indeed I’d been covering these on the speaking circuit for some time.

So clearly someone in these companies should have seen these coming. Or were they trying to use the plausible deniability defence? Cause for great concern. I have put a lot of stocks on my “avoid list” never to return as the “didn’t see it coming” excuse rings alarm bells. Very big ones. The good news is my portfolio is now skewed to companies who seek out black swans rather than those which blandly tell me that “stuff happens”. Well, as far as I know anyway.

What has happened to all the investment in risk management?

This situation does beg the question about all of this investment in risk management and whether there is an endemic problem in the way we try assess and manage risk. Indeed, prior to the GFC, the Australian Securities Exchange Corporate Governance Council was concerned that boards were swamped by process, being pulled into the minutia of things within business units and aggregation of data rather than having their most material business risks firmly understood and in focus.

It seems that in a post-GFC world, The Corporate Governance Council’s concerns were proved right. Many of these companies declared in their annual reports that they were in compliance with the updated version of Principle 7 (which requires management to brief the board on the material risks facing the organisation). But if there was compliance with this statement then the “reasonably foreseeable” defence (about not anticipating a change in conditions) should no longer be required, or indeed, available in most cases.

There is a huge disconnect between going through the motions and what Principle 7 declarations actually say and I’m surprised that there hasn’t been a class action in this area. Indeed, as I saw a lot of my retirement funds evaporate with the “didn’t see it coming” excuse, I was tempted to turn expert witness or launch a class action myself. Fortunately, a savvy class action lawyer from New York encouraged me to be part of the solution rather than amplifying the problem, so I’ve got back to my quest to find out more about black swans.

So let’s get back to black swans. Actually most of whom these are actually black (unforseen), as they’re usually a whitish-grey (reasonably foreseeable).

My journey to find the black swans, and what I found along the way.

Cast your mind back to late 2002. The American economy had bounced back from the September 11 attacks. In late 2001 US companies had used the attacks as an excuse to do write offs and lay off staff. Although the reasons for the write offs and layoffs had little to do with the attacks it was a convenient excuse to remove some of the padding in the balance sheet and set a new baseline. A new cycle of growth was starting and we were getting back to business as usual. Life was starting to look pretty good.

Around the time I was chatting with a colleague who was working in the United States. I’ll call him ‘The Futurist’ because he emphatically denies being one.

Our conversation at the time went a little like this.

Todd : What are you working on?

The Futurist: Community workshops on how to prepare for sub-prime.

Todd: What’s sub-prime?

The Futurist: Something, complexity, something, predatory lending at scale, something, systems effects, something, CDOs, something community resilience, something, economic meltdown, something, hitting the poorest hardest, people really need to pay attention, this will have systemic effects.

Todd: Fair enough. How’s that working out for you?

The Futurist: People tend to tune out and change the subject.

Todd: Uh huh, how’s your wife?

And hence, I found myself guilty of ostrich behaviour. I tuned out something I wasn’t able to process at the time and stuck my head in the sand. In the process, I ignored an important signal of an emerging change in the status quo. And of course, like most of us, this was not the first time I had done this.

Why a lot of what we do in risk management misses the point

This highlights the essence of what’s wrong with risk management, and why a lot of what we do in risk management misses the point.

Our risk assessment processes have an incredibly strong bias towards what we already know and have experienced in our lifetimes, rather than having a strong eye on the future.

And even worse, we have a bias towards what’s happened in recent memory, which are the often things which are already top of mind and being managed in some way outside a formal risk management system. As Al Gore said when he was last in town, “We have a habit of confusing the unprecedented with the unlikely”, which I suspect is also the point that Taleb was trying to make when he coined the “black swans” phrase.
Rob Kay pointed out in Risk Management Today (Issues 2 & 3, June–July 2010) that risk management is the business of dealing with uncertainty, but we often focus on things that are certain rather than those things that are fuzzy. This is of course where the black swans spend most of their time.

As part of my journey to go looking for black swans, I’ve spent much of the last few years trying to understand some of the models used by futurists (and people who deny they are futurists, but seem to be more insightful than futurists). I’ve explored systems theory, systemic risk, complex adaptive system, ecosystems resilience, systems limits and complexity theory. And all of a sudden, there they were — black swans as far as the eye could see.

I’m not sure I’d recommend the path I’ve taken to find these black swans. The dangers of immersing in systems thinking is that perverse things happen, like quitting your day job, getting wrapped up in community resilience projects, doing a permaculture course, ending up on the board of a conservation organisation or an environmental markets company and changing your views what to go long on. But I now understand why this work reminds me of a Douglas Adams character, Dirk Gently’s Holistic Detective Agency.

Other strange things happen as end up on a speaking tour in the United States to highlight “The seven things bigger than sub-prime” and all the three newspapers in the room report is “In Australia they have black swans.” Sigh, yes, I think all they heard was “something something, black swans, something something”. I think I now know how The Futurist feels.

Anyway enough about the journey. More importantly, what are these black swans, and where are they? And do you have great big gaps in your risk profile?

The problem with most risk assessment at the operational, financial and compliance level is that starts with an inherent premise — all things remaining more or less equal, what are our risks?

Well of course, the biggest risks — the strategic risks, are that all things don’t remain equal ie, underlying conditions change. If you look for the changes in underlying commissions at a global, regional and local scale, the black swans become easier to see.

Some black swans to think about

Here are a few changes on the horizon to think about, which in turn generate new strategic risks.

peak oil:
peak soil:
climatic temperature limits:
peak debt:
peak workforce:
biodiversity loss:
food and water scarcity:
peak phosphorous:
reverse globalisation:
industrialisation of China to the point of economic self-reliance: and
the end of the commodities boom before the end of the decade.

Have you ever wondered

Why sovereign wealth funds are rapidly buying up agricultural land, water and energy resources around the world, but not necessarily hard commodities?
Why are they doing this at accelerated rates and prices?
Why does Australia’s national security strategy focus on food security and climate refugees instead of traditional warfare methods in areas of existing conflict?
Why are large oil spills off our coast and in the Gulf of Mexico are increasing in frequency and severity?
Why does the peak body on global risks rate food security and biodiversity loss among its greatest risks to global economic growth?
Why is China investing in cleantech and greentech faster than most of the developed world (especially Australia).

The clues to these questions lie in the changes in conditions set out above. The strategic landscape is changing, and along with it your strategic risk profile.

Put simply, if your risk profile isn’t considering these sort of effects, there’s a good chance there’s a big black swan sitting in your organisation, industry, country, economy or world view. The same applies if your strategy and risk processes aren’t talking to each other, or you’re using a 1990’s strategy process at your organisation. Red flags indeed.

What’s the best way to deal with black swans?

At this time of year a good bit of contemplation and reflection is in order. I’d recommend getting up to speed on these issues with an enjoyable read or two over the festive season.

Read anything by Ian Lowe, particularly if it talks about cricket. Or anything by Kurt Vonnegut for that matter. Or if you really want some fun, Dirk Gently’s Holistic Detective Agency is also great stocking filler. All will prepare you for well for strategic risk thinking and some of our articles in the New Year.

So with that its time for some good wishes for the festive season.

May we all be less like ostriches.
May our turkeys end up on our dinner tables and stop gambling with our retirement funds.
And may your black swans become visible to all so we can come together to face the challenges of our times.

Have a safe and festive holiday season and I look forward to taking you through some specific strategic risks in the New Year.

This article first appeared in the December 2010 issue of Risk Management Today.

Is your risk framework adequate? Questions Directors, Investors and the C-Suite should ask.

Sun, 30 May 2010 14:00:00 GMT

Key points

Despite significant investment in risk management, it still falls short in dealing with disruptive change
Regulatory changes seem unlikely to get to the heart of what really matters in avoiding significant destruction of shareholder value in the future
In looking through the standard disclosures on risk management, there are seven areas investors, boards and the C-Suite should be looking for

In the months leading up to the global financial crisis I was having a casual conversation with the head of audit and risk for a large listed organisation about life, the universe and everything. We discussed the usual topics – Were we making a difference? Were we fulfilling our duties and responsibilities? Were our organisations engaged?

Every now and again there’s a pregnant pause, and someone says something that needs to be said. This conversation had one of these. “I know this sounds terrible but... sometimes I find myself hoping for a near miss or a minor catastrophe. There’s some complacency setting in at all levels of the organisation, nothing short of a shock will snap them out of it.”

Well as the old saying goes, be careful what you wish for. Twelve months on from the collapse of Lehman and the global credit crunch, we’re through our darkest hours, back to business as usual and investing in risk management again. The newspapers tell us that “risk is the new black”, and at the same time we’re bracing ourselves for the next wave of regulatory reforms, and trying to anticipate what they might be.

I’ve been lucky enough to participate in some of the discussions and consultations in Australia and abroad on what could and should be done in the regulatory reform process, particularly with regard to risk management and the lessons out of the GFC.

On the one hand, increasingly there’s an understanding that overly specific regulatory responses can create bigger problems than those they are attempting to solve This is particularly the case when different jurisdictions put different solutions in place as it can create needless complexity or encourage “regulatory arbitrage” between jurisdictions. As a result, deep thinking is required, and meaningful progress is slow, particularly when multiple jurisdictions are involved.

On the other hand, there is a need to move forward, take action and deal with the local political environment. And we have seen some activity in this space in Australia and abroad. Unfortunately, what we’ve seen so far looks more like tinkering at the edges and dealing with peripheral issues rather than getting to the heart of things. My personal view is that most of these solutions would have done little to prevent the enormous value destruction we’ve just experienced, let alone the next round.

Let’s be frank, around the world organisations had invested in risk management, had assured investors and stakeholders that their risk management systems were effective, only to make significant earnings downgrades or discover more significant issues which shot to the core of their future viability. When quizzed on this, the standard line from Chairmen and CEOs was that “no one could have reasonably foreseen these circumstances”. A sad indictment indeed – damning of their investment in risk management and a response which is unacceptable to stakeholders and shareholders. It’s no coincidence that we’ve just been through an abnormally high turnover in CEO ranks.

A number of taskforces I’ve been involved with are asking the question – how do we know that a company’s risk framework is delivering the right outcomes, and is not just bureaucracy gone mad? Here’s some views drawing on the collective wisdom of institutional investors, directors, internal auditors and professional advisors on what directors, managers and investors should be looking for to move beyond compliance and deliver risk approaches that we can really rely on.

1. Wood for the trees

Do you ever get the feeling that despite being assured that best practices are being implemented, the risk reporting you are receiving is missing the point? Chances are you’re right.

Risk management approaches are often an aggregation of data from individual business units, with the aim of providing overall picture of the whole. If you’ve invested in a risk system or enterprise risk management, and implemented the latest standards, there’s a good chance you are swimming in “aggregated minutia”.

While there is enormous and often untapped power in “wisdom of crowds”, the reality is that if people don’t understand the big picture, they don’t have the context to comment on it. You could be getting great information on what’s happening with the deckchairs on the ship, but not know whether the ship is heading for any icebergs.

As the ASX Corporate Governance Council rightly said, the focus must be on understanding the material business risks rather than an enterprise-wide risk management approach which is bottom-up only.

2. Foresight

When Al Gore was last in Australia he made the following statement, “We have a habit of confusing the unprecedented with the unlikely.”

This statement is particularly relevant in risk management and points out one of the big challenges for risk management.

Risk process and risk participants tend to be very good at hindsight. If something is happening now, or has happened in recent history there’s a good chance it will feature prominently in your risk profile. If it’s been a while since something has happened, corporate memory should hopefully also pick things up.

Where risk processes and participants tend to fall down is in identifying situations that haven’t been experienced before. And while staff retention and drawing on experience can help us reflect back over multiple economic cycles to give us greater hindsight over a longer period, if events are unprecedented, or manifest themselves in new ways, they’re unlikely to be flagged or considered seriously.

Life evolves. Conditions change. The risks we face today are different from those in the past. Similarly, the risks we face in the future will be different and will manifest themselves in different ways from those faced in the past. If your risk processes are not informed by a range of sources including futurists, whole-systems thinkers and emerging conditions to give you true foresight, at worst you’ve driving forwards through the rear view mirror, and at best you’ve probably got material blind spots.

3. Understanding disruptive change

Strategic risk is a specific class of risk which ultimately results in not being able to continue the current business or operating model.

Human nature is to operate within a business as usual mindset. In mature organisations, budgets and targets are usually set up to deliver single digit performance growth year on year. Success is predicated on narrow ranges of variability and people don’t dare think about disruptions which could change the fundamental assumptions in their business models. True strategic risk is thinking about exactly that.

While many are quick to add the word “strategic” in front of “risk management” to make their work sound more interesting, the reality is that strategic risk as a class is not well addressed. While there are notable exceptions, most risk assessments I see are well and truly grounded in business as usual, even when disruptive change is very foreseeable.

Look out for organisations who anticipate, understand and seek out disruptive change. Watch out for organisations who are consistently on the back foot and claiming the “reasonably foreseeable” defence. No one actually believes that one anyway.

4. Beware of projections using historical data

The great thing about historical data is that if all things remaining equal, it’s a great predictor of the future. The downside of course is that few things actually do remain equal.

Think about the major changes you’ve experienced in recent years. Were these predictable based on past trends? Perhaps, but the reality is that change often happens in an exponential rather than linear fashion. The GFC, climate change, resource and technology changes mean that a 1 in 100 year event yesterday might be a 1 in 5 year event today. Of course this poses real challenges for actuarial and financial models which draw on historical data to project forward with some sense of certainty.

Data models are incredibly useful, but we need to be careful about relying on projections without testing if the underlying assumptions have changed or understanding the environment which these assumptions actually operate in.

5. CEO driven and learning from risk events and near misses

My personal view is that accountability for risk management has to lie with the Chief Executive, and there is no realistic alternative to this.

While the notion of a Chief Risk Officer is gaining prominence particularly in Europe and in financial services, ultimately the CEO has to drive risk in the organisation. If the CEO isn’t driving it personally, get out of the stock.

Risk events and near misses provide real test of the risk framework and to ask some fundamental questions.

Were these risks previously identified and considered at the right level in the organisation? And if not, why not?

A steely gaze from the CEO asking “Is this because you were attempting to keep things from me, or because you don’t understand your business?” is not easily brushed away, and is a great way to sharpen the minds of executives.

Similarly in testing why response plans didn’t stand up, was it because the executive didn’t take risk management seriously, or were the plans half-baked?An annual signoff from the CEO to the board that the risk management system is effective and that the status of all material risks have been reported certainly sharpens the mind.

6. Beware of a good news culture

Any risk system and process is only as good as the information which flows.

In a large proportion of cases where the board was blindsided by risks to the point of organisation failure or a “near death experience”, there was a “good news culture” whereby good news flowed up the line and bad news was spun into good news or didn’t flow at all.

While a dominant CEO or board can drive results, a culture where people are afraid to communicate bad news is a dangerous place to be.

Reward people for telling it as it is, and taking actions to respond. And again, look out if you see a CEO who’s dominant to the point of creating a good news (yes men) culture. Again, a signoff that all material risks have been considered at an appropriate level in the organisation is a great way to drive focus, and face up to reality.

7. Independent review / assurance

If you’re on the board or in the C-suite and not a specialist in risk management, how do you know whether risk management is working well in your organisation?

The ASX Corporate Governance Council suggests that boards should get independent assurance over the risk management framework in a holistic sense, and that one of the best functions to provide this is internal audit. For mine, this is great advice, and a smart move by any board.

Of course, to make sure that internal audit is truly independent and not “in the pocket”, you’d do well to make sure you’re covering all the points in the IIA’s policy agenda (covered elsewhere in this edition).

In summary, it’s possible for organisations to invest heavily in risk management, tick all the boxes and produce all the standard verbiage in the annual report. But risk management has to drive into the organisation’s culture – it needs to just be part of how they do business.

This article first appeared in the inaugural issue of Risk Management Today in May 2010.

Governance Risk and Compliance (GRC) – The Great Risk Con

Fri, 30 May 2008 14:00:00 GMT

Key points:

GRC is a software category, not a way of life. We need to get strategy to the table.
Make sure you understand what software you’re buying and why - some niche needs are best served by niche products.
Emerging risk analysis is vital to understanding your material risks and developing good strategy.
Bottom-up analysis won’t necessarily identify your most material business risks or allow you to sign off on the revised ASX Corporate Governance Council Principles & Recommendations.

What is this GRC thing? Where did it come from? Why should I care?

GRC as a term is popping up everywhere. It seems that all companies that used to sell audit software are now “GRC companies”, recruiting firms that used to hire auditors and company secretaries now have a “GRC practice” and GRC conferences are popping up all over the place. So what is GRC? Is it something new that we need to be across? Or is it the latest bit of marketing spin used by software companies to lure new buyers?

I've spent most of my working life trying to move the internal audit profession up the food chain - from being perceived as low value compliance checkers to trusted Board advisors. After a decade of upskilling and embracing risk-based techniques, this goal has been largely achieved. Seasoned Directors now know that internal audit is about much more than ticking and flicking. But all of a sudden this term GRC popped up confusing the market. What happened? What’s this GRC thing? Who put compliance in my brand? Who’s driving this GRC agenda?

GRC is closely tied to the introduction of Sarbanes-Oxley (SOX). SOX was big news and the IT analysts needed a category to put audit and compliance software in. And so the term GRC was coined. It has been pushed by this group ever since. It’s no surprise that the Wikipedia article on GRC is dominated by IT analysts and software companies. Interestingly Wikipedia warns that the article on GRC lacks credibility possibly for this reason.

GRC is a consolidation play

The number of software offerings in this space has increased, making decisions increasingly difficult for buyers. The offerings, user base and support groups are fragmented, so on face value a bit of industry consolidation could be a good thing.

Having said that there are a number of really nice niche products that perform specialised tasks at a reasonable price and it would be a great shame to lose this diversity. What will these GRC modules do anyway? Continuous control monitoring? Computer-assisted audit techniques? Control self-assessment? SOX compliance? Risk registers? Legislative compliance? Legislative training? A little bit of each?

Make no mistake, ERP players see this as an opportunity to own the GRC space and everything in it. They want to own SOX and have their eyes on ERM. As buyers it is important we think strategically about this. If we let things run their course, these systems could shape our professions instead of us shaping them. Remember that these are US-led developments in SOX and ERM are not necessarily considered best practice internationally.

The next phase - Strategy, Risk, Governance and Assurance (SRGA)

It is any wonder our boards are complaining about spending too much time on compliance and not enough on strategy?

These are turbulent times. Even if climate change doesn’t hit us badly, permanent shifts in the prices of energy, water, fuel, food and carbon will feed into each other creating opportunities for some, and value destruction for others.

No matter what organisation you are in, you need to think beyond compliance and business as usual style risk assessments. Your business model is changing and focus solely on GRC as defined by the IT companies is akin to shifting deck chairs on the Titanic.

Risk, governance and assurance are already connected but strategy is notably absent from the table. I contend that these secular emerging risks are the burning platform to bring us together. It is time to invite strategy to the discussion and develop a common understanding of these material shifts. Will your company be the next horse and cart company that didn’t become Ford Motor Company? Will your efforts be focused on compliance with equine regulations when it happens?

Through strategic risk intelligence our boards and executives will be better informed and better able to govern during turbulent times. And our organisations will do more than manage risk and compliance, they will prosper.

This article first appeared in Risk Management Magazine in May 2008.

For information on how we can assist, please go to our Understanding GRC Software page.

A subsequent article, The Great Risk Con Revisited is also available which reflects back on three years since the article was first written and what's changed since then.