Time for a Change in Our Attitude Around Risk

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


This morning, I read a piece in ComputerWeekly that made me cheer.

Risk and audit professionals, as a rule, have never seen an (adverse) risk* they didn’t want to stamp on and kill.

When is the last time you saw an audit report that said management had too many controls or was not taking sufficient risk? When did you last hear a risk officer urging planners to move into a new market more quickly?

The same thing applies to information security personnel, so I was pleased when I read an article on “How the CISO must evolve to balance risk and business.”

Here are some excerpts that appeal:

“Business success increasingly depends on the ability to balance the demands of cyber threats and regulatory compliance with innovation and growth.”

“... communicate with the board and managers in various parts of the business; … run security as a business; … eliminate redundant controls; and … work with the business to enable innovation and growth”.

“More specifically, the CISO needs to evolve from an isolated subject matter expert and analyst to a trusted advisor on how technology can improve business; to an integrated business thinker, facilitator, leader, evangelist and educator.”

“The CISO must move from being a technical risk expert who focuses on the risk of loss, to include risk as a more central part of the role by understanding business priorities while continuing to maintain the corporate moral fibre [sic].”

“This involves taking risks to meet business objectives, but this can only be done successfully with a thorough understanding of the risk appetite of the business involved.”

“… identify where the business is missing opportunities — either by being too risk-averse or through worrying too much about risks that were a real threat once, but can now be mitigated with relative ease.”

It’s this balance in thinking about risk, the recognition that a business that takes no risk will fail, that is missing for too many audit, risk, and security professionals.

I don’t believe it is acceptable to take the attitude that “our job is to identify a risk; it is management’s job to determine what to do about it,” and then complain when management decides to accept the risk.

Let’s take a risk and accept that some risks should be allowed to live.




*I define risk as the effect of uncertainty on objectives (ISO 31000:2009).


Posted on Feb 3, 2012 by Norman Marks


  1.  Let us take these two groups separately: internal audit and risk. I agree with you on your comment essentially on internal auditors. But you and I both know this quite well, do we not? The question for you is not that the situation exists, but why, my friend? Might I suggest that this situation exists because internal auditors by and large do not understand risk management, and that is a reflection of a complete absence of training in this subject matter. Yes? If they did understand it and their internal audit plans were properly linked to the company's risk assessment, we would not have such a nonsensical approach.

    As far as risk professionals are concerned, that is a different matter and I will discuss it separately.


  2.  Absolutely, but maybe not in the way I think you mean?

    I see my *risk* practitioners as simply reporting a frequency estimate and a magnitude estimate. *Perhaps* that’s tied to a scale somewhere, but that’s not as important as doing a good job with the formalization and communication of the F&M estimate.

    So there is no “attitude”: the discussion is as bias-free as possible, and the control decision is left simply to the business itself.

    I know this is a stretch for some of the RiskIT crowd and the audit-centric traditional view of risk, but the modern approach to risk management nullifies the issues you raise, and makes the risk group purely consultative to the business owner.

  3.  Alex, thanks for sharing - and I agree that risk officers should be advising or consultative to the business owner. But do even the best risk managers give enough attention to the upside, assessing both the positive and negative possible outcomes (and their likelihood) for a single decision? Some yes, but too few see and advise managers on the basket of outcomes from a single decision.

  4.  I agree with Norman on this last remark.

  5.  I've been an internal auditor for a number of companies over the last 15 years, and in my experience we've always accepted management's response that the risk is acceptable without mitigation. You're absolutely right that some risk is needed for a business to grow -- what's important for the risk practitioner (whether the auditor, risk manager, CISO or outside consultant) is to ensure management knows what those risks are. Only then can an informed decision be made. Too many times, the decision is made without sufficient information, and as an auditor I feel it is my responsibility to verify that, for the significant risks anyway, the decision to accept it as-is remains valid over time.

  6.  Is it a problem with risk attitude or an understanding of the true basics? Do you understand the direction and business, or are you starting with generic low-level risks and controls?

    If you want to kill a risk, it's a sure sign you're starting at too low a level of detail.

    Objectives drive strategy; strategy and the risks thereon drive policies to meet the objectives and mitigate strategic risk; we then have our procedures, which then drive risks of non-compliance, which need to be then controlled.

    The problem I have seen numerous times is that generic risks and controls get thrown into the mix, without considering the key inputs from other macro processes beforehand. What then happens is control after control is thrown into the mix as a recommendation, and creates additional bureaucracy and, a lot of the time, something that is not fit for purpose.

    Imagine a local swimming pool: the objective is to ensure that the customers are safe and that the employees (lifeguards) are safe. Taking the lifeguards, the policies in place: we train them, ensure that they are able to swim for x miles, can tread water for x hours, have been properly trained in lifesaving by a very reputable body, and there is periodic retesting to ensure they are up to the job. Ensuring we perform and retest on a periodic basis and monitoring this means that, for safety in the water, we have brought this risk to an acceptable level.

    If you started with a generic risk that an employee or customer could drown, the simplest solution is to mandate that all of your lifeguards and customers wear both arm bands and a rubber buoyancy ring. The problem: you haven't understood or reviewed the fact that the guys have been trained and are retested.

    How many times has the arm band and rubber buoyancy ring solution been recommended and implemented?

  7.  @norm

    That's kind of my point. As long as you have an audit-based "where is the risk" view, you cannot change your mindset. You'll be enslaved by your deliverables, the outputs of your traditional risk and controls assessment.
