Marks on Governance http://www.theiia.org/ | Sat, 18 May 2013 21:29:46 GMT

Phil House
I hear what you are saying and agree, but the question still remains: when only 20% of boards are hiring and 45% are not spending enough time on the subject, then you would say we still have a long way to go. I believe that when the new generation moves to board level, movement will happen fast; the current management are still held back by fear of outdated staff who are very entrenched in their ways.

Phil

http://www.theiia.org/blogs/marks/index.cfm?postid=419 | Thu, 09 May 2013 23:27:37 GMT
Doug Hileman
http://www.theiia.org/blogs/marks/index.cfm?postid=422 | Wed, 08 May 2013 19:02:47 GMT

Tim Leech
Norman;

Thanks for the reference to the Deloitte white paper.  I think as a general statement it makes many excellent points. I don't share your concerns noted above regarding "mistakes", but do see another area where the white paper is silent and could/should be improved.


What I find interesting is the report sees very little role for internal audit helping boards discharge the responsibilities they list in the guidance, including the ability of traditional direct report internal audit methods that provide subjective opinions on control "effectiveness" to help boards oversee risk appetite and tolerance. Deloitte, like all of the major public accounting firms, is still required by U.S. SEC regulation as external auditors to provide subjective opinions on whether they believe controls over financial reporting are, or are not, "effective" in accordance with COSO 1992. Soon they will have to form views on whether the company manifests enough of the control criteria in COSO 2013 to get a binary "effective" rating. In cases where Deloitte provides contract Internal Audit services I suspect they still take a fairly traditional approach and opine whether they think controls are "effective". They certainly took this approach in a client I am currently working for. This doesn't provide what it could to help boards better understand the areas of the financial disclosures that have the highest composite uncertainty and the other areas, including key strategic objectives, that have high residual/retained risk positions.

http://www.theiia.org/blogs/marks/index.cfm?postid=422 | Mon, 06 May 2013 14:05:02 GMT
David Newsum
It surely is a great list, and I can't argue with it. I love lists. So what it needs now is the preventative action points or 'golden rules'. I might suggest 5 for each point, so that then becomes 50 top tips!!! Who is going to write it first?

http://www.theiia.org/blogs/marks/index.cfm?postid=420 | Thu, 02 May 2013 17:21:57 GMT
frank engelbert
http://www.theiia.org/blogs/marks/index.cfm?postid=420 | Sun, 28 Apr 2013 07:36:38 GMT

Todd Davies
Hi Norman

The thing I like about your list is it transcends time and trend. Glad to see #2 in there, it's a biggie, particularly for anyone doing work as a CRMA.

My analysis of Australian companies experiencing double-digit percentage share price decline is that most arose from strategic risk (#2). How I interpret this is that organisations are better at managing operational risk than they are at managing or adapting to strategic risk.

I've attached a link to a 2010 article I wrote for IA Magazine which looked at a number of top 10 lists.  Just click on my name at the top of this post.

@todddavies

http://www.theiia.org/blogs/marks/index.cfm?postid=420 | Sat, 27 Apr 2013 11:41:56 GMT
Greg Suddards
Hi Norman. I cannot dispute the list of items above which you have been able to compile based on your considerable experience. They would seem to reduce to the following:

   poor skills of board members / poor knowledge of their roles (failure to use info, no consideration of risk, ineffectiveness)

   poor skills of executives (no use of info, no consideration of risk, no communication of strategy, no risk monitoring)

   culture of short term focus (costs rule, conflicts of interest)

   deficient systems and processes.

I would prefer not to class these as risks, however, but as drivers of risk. Risks result from these, such as the risks of fines and damages or loss of reputation or claims for aggressive selling practices or defective products, pursuing inappropriate market segments, relying on obsolete delivery structures etc.

In a word, they are not events of loss or the quantums of such losses, but they are very definitely the sources of loss events. In fact, drivers of risk are far more important to understand than the loss events themselves because it is by manipulating the drivers that risks are controlled. Only if one is unable to influence the drivers or react to them does one resort to treating the ailment (i.e. acquire insurance or provide a capital reserve).

http://www.theiia.org/blogs/marks/index.cfm?postid=420 | Fri, 26 Apr 2013 08:00:38 GMT
Ken Xu
Hi Everyone,

I'm an auditor from China and I'm really glad to come across this insightful post with its thought-provoking discussions.

If I may share my view here, it appears to me firstly that there is a lack of consensus regarding the definition of the key term, 'value added'. If we go back to the original meaning of the term, it might probably blow the mist away in the most efficient manner:

Wikipedia definition: Outside of economics, value added refers to "extra" feature(s) of an item of interest (product, service, person etc.) that go beyond the standard expectations and provide something "more" while adding little or nothing to its cost. See http://en.wikipedia.org/wiki/Value_added

So there is an obvious difference between the "primary value" and the 'value added', or in other words, a difference between standard expectations and extra features. Also, maybe one thing we should agree on is, 'value added' is wider than just a monetary concept.
http://www.theiia.org/blogs/marks/index.cfm?postid=280 | Thu, 25 Apr 2013 05:27:40 GMT
Gerard Blokdijk
Recently The Art of Service released the IT Governance Complete Certification Kit here:

http://store.theartofservice.com/it-governance-complete-certification-kit.html

http://www.theiia.org/blogs/marks/index.cfm?postid=308 | Sat, 20 Apr 2013 00:24:41 GMT
Rose (student)
http://www.theiia.org/blogs/marks/index.cfm?postid=184 | Thu, 18 Apr 2013 17:39:50 GMT

free insurance quotes
http://www.theiia.org/blogs/marks/index.cfm?postid=406 | Wed, 17 Apr 2013 10:02:20 GMT

Tim O'Brien
Norman, thank you for introducing some common sense into the debate. Most of the time GRC is defined in such a broad way that it amounts to "everything that management does" (this includes the OCEG definition; I defy anyone to object to the sentiments it expresses).

You list a number of business process problems to illustrate the breadth that people try to assign to GRC, including strategy, communications, performance management, business information and communications as well as specific bullets on risk and compliance.  We might add ethics too.  None of this need be wrong, but at the end of the day, is it not only semantics?  

The bottom line is that a well-run enterprise needs to do all of this (and other things) well. However, unless one is setting up an organisation from scratch, many elements of GRC are already in place, even if not clumped together under that sobriquet. An integrated offering therefore represents a major challenge for any business to contemplate adopting, and the value proposition for dropping existing piecemeal systems and processes and replacing them with a different, integrated, all-singing-all-dancing one is very hard to demonstrate. So in reality I totally agree that the piecemeal approach, of upgrading capability in specific areas where the business sees greatest risk, is the only practical way forward.

http://www.theiia.org/blogs/marks/index.cfm?postid=418 | Mon, 15 Apr 2013 14:40:05 GMT
João Revés
In Portuguese we have a saying which we can translate as "put the finger right into the wound". It's something close to "hit the nail on the head" but adding that you are touching a no-comfort zone.

And I think that is exactly what you did.

I agree the GRC concept is great and surely is what any organization should aim to achieve. But as you said, most organizations are far from being that mature. So, the pragmatic way things happen in real life is to address any of the big GRC areas (risk, compliance and governance) or even any GRC flavor by itself, when the opportunity arises and the organization is ready to do it. And, if you do it right, hopefully you would have the opportunity to add some additional flavors/projects towards the ultimate all-processes/areas integrated GRC "nirvana".

http://www.theiia.org/blogs/marks/index.cfm?postid=418 | Mon, 15 Apr 2013 14:04:32 GMT
Todd Davies
Great conversation starter as always.

I find a lot of the labels in maturity models to be benign, and reinforce a culture of mediocrity (going through the motions, looking good on paper, no real results).

I've been toying with a scale of good, bad, ugly & great to focus the mind, with distinct differences between each.

My definition of bad is controversial. For me, bad is when an organisation is compliant with all the relevant standards, and able to pass an audit against ISO 31000 etc., but you have a strong feeling in your bones that you're not getting to the crux of matters. In many models, my "bad" would be labeled as mature.

Also in the model, good is the opposite of great and all that usual good stuff.

http://www.theiia.org/blogs/marks/index.cfm?postid=245 | Fri, 12 Apr 2013 04:31:46 GMT
Tim Leech
Norman: I have been calling on the IIA to advocate Internal Audit reporting on management's risk management processes since the early 90s. I was clearly blazing a path back then and it was a fairly lonely one at the time. I am not "blazing a separate path" now, since my first calls for internal audit to play a key role in CSA/CRSA in the early 90s were picked up by the IIA in the mid to late 90s by picking up the CSA Conference (now GRC Conference) and launching the CCSA certification. I have been calling on IA to report on the effectiveness of risk management processes since 1990. This was made a "should do" requirement in 2000 by the IIA IPPF standards and a "must do" requirement in 2010. It would appear to me I am more "breaking trail", as cross country skiers say, not blazing a separate path.

I'm not sure why you keep focusing on a few slides in my IIA presentation and papers while ignoring the other points being made. I am advocating that IA's main role should be to report to the board whether they are getting reliable information on the effectiveness of management's risk management processes AND the reliability of the information they get on the organization's true retained/residual risk status. You need to embrace the "AND" in the sentence to understand our vision. Both parts of the sentence are important.


http://www.theiia.org/blogs/marks/index.cfm?postid=417 | Tue, 09 Apr 2013 20:55:46 GMT
Norman Marks
Tim, you saw through my very thin disguise!

You draw importance to the idea of "reporting on key value creation and potentially value eroding objectives real time, not point in time, that are deemed outside of risk appetite/tolerance". I agree that this can be important, but even more important is reporting on whether management has the capability to manage risks within tolerance! There is some, but little, value in reporting that the risk is outside tolerance when management knows that perfectly well and is taking appropriate actions in response.

You also state "In many organizations management doesn't report on risk to the board hence internal audit must continue to function as the primary risk/control analysts". I disagree with this assertion, as being outside the scope of internal audit and in violation of IIA Standards and their Position Paper on the role of internal audit in risk management. Instead, internal audit should report to the board that management does not have effective risk management in place.

We do agree that internal audit should not report on control effectiveness, but instead focus on whether management has the processes in place and operating effectively to manage risks. 

My fondest wish is that you would join the call, with which I believe you agree, instead of blazing a separate path.

http://www.theiia.org/blogs/marks/index.cfm?postid=417 | Mon, 08 Apr 2013 22:47:26 GMT
Tim Leech
Norman: Since I suspect the person you are referencing as "One provocative (and even more controversial than me) internal audit advocate" is likely me, I think it's important that you understand that what we are advocating in our presentations globally is reporting on key value creation and potentially value eroding objectives real time, not point in time, that are deemed outside of risk appetite/tolerance. You seem to only focus on the term "residual risk status" in our presentations but not the key "Residual Risk Rating" ("RRR") we advocate to simplify reporting to senior management and the board. Sometimes the "Residual Risk Rating" is assigned by an "OWNER/SPONSOR" of objectives in organizations that embrace risk self-assessment. In those organizations that are still content with Internal Audit being the primary risk/control analyst/reporter it may be Internal Audit that assigns the RRR, or other assurance specialists such as safety, environment, compliance, outside specialists, etc.

In many organizations management doesn't report on risk to the board, hence internal audit must continue to function as the primary risk/control analysts. In today's world I believe IA filling the role of primary risk/control analyst providing subjective opinions on "control effectiveness", without providing reliable information on the risk that remains after considering risk treatments or opining on the effectiveness of management's risk management processes, should be considered too high a risk.

http://www.theiia.org/blogs/marks/index.cfm?postid=417 | Mon, 08 Apr 2013 22:27:06 GMT
David Doney
http://www.theiia.org/blogs/marks/index.cfm?postid=415 | Sat, 06 Apr 2013 18:53:36 GMT

Frans Kersten
http://www.theiia.org/blogs/marks/index.cfm?postid=417 | Sat, 06 Apr 2013 13:56:00 GMT

Norman Marks
Jazinda, the auditor should identify risk not in terms of a standard, but in terms of how it could affect the business. Just because there is a theoretical risk doesn't mean action should be taken. For example, every time you breathe you are taking a risk, but you won't stop breathing! A determination has to be made as to whether the risk should be accepted or not. The auditor may have an opinion, but it remains a management decision.

If the auditor listens to management explain why the risk is acceptable and then disagrees, the auditor should escalate to more senior management. If necessary, because the risk is significant, the auditor will take it to the board. See the IIA Standards on this topic.

I hope that helps.

http://www.theiia.org/blogs/marks/index.cfm?postid=147 | Fri, 05 Apr 2013 15:00:21 GMT