Are We Focusing on the Risks That Matter?

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.

What are the risks that could cause the demise, or at least a significant drop in the share value of an enterprise?

Are those risks given significant attention by the board, executive leadership, risk management, and audit professionals?

Here are a few such risks, taken either from recent news or personal observation/experience:

  • A dysfunctional board: for example, a board that doesn’t challenge the executive team. Reasons could include: a lack of information; timid directors; insufficient independence of the board; directors who don’t allocate sufficient time to the company’s affairs or even skip meetings; or directors who don’t have an adequate understanding of the company, its strategies, and the risks to those strategies. See this earlier post on board effectiveness.
  • A bully of a CEO (as described by Lord Smith of Kelvin in his speech to the IIA International Conference last year). It is interesting that the report of the Group of Thirty observed that “a very good CEO is preferable to a ‘star’ CEO”. I worked at one multi-billion dollar company where the CEO encouraged competition among his direct reports rather than teamwork. So, instead of sharing information and working together, they hid information and schemed against each other.
  • Ineffective risk management. If risk management is immature or, even worse, the organization complacently accepts as sufficient a program that only considers risk on a quarterly basis, they are flying blind and it’s only a matter of time before they fail. A study by COSO reported that “the state of ERM appears to be relatively immature. Only 28 percent of respondents describe their current stage of ERM implementation as 'systematic, robust and repeatable' with regular reporting to the board. Almost 60 percent of respondents say their risk tracking is mostly informal and ad hoc or only tracked within individual silos."
  • Insufficient information to make decisions. For example, if executives cannot access the information they need when they need it, and in a form that is not only reliable but useful, how are they going to make quality decisions?
  • A dysfunctional executive team: for example, where the executives are working to feather their own nests rather than the long term future of the organization, or where one or more executives are ineffective. I worked at one company that, in the middle of a revenue contraction and layoffs, spent more than a million dollars refurbishing the top executive offices. They later gave each other millions of stock options — during a period where the company slipped from #1 in the market to #3. You can only imagine what this did for employee morale and trust.
  • Another example or version of the dysfunctional executive team is where the CEO is unable to lead. I worked under one CEO who was ignored by his COO, to the point that the COO called him "stupid" in front of the other executives. The CEO proved that the COO was right by refusing to fire the COO when requested to do so by the board! (They were both fired, but the company failed within a few years anyway.)
  • A CEO who does not have the trust of the board. Experience shows that the CEO can start behaving irrationally to prove his or her worth.
  • A poor strategic planning process. In a report from last year, McKinsey reported that “only 21 percent of directors surveyed claim a complete understanding of their companies’ current strategy.” If the directors are unable to work with management to define effective strategies, what hope is there for success?
  • Aging products, with a poor record and capability for delivering cost-effective and exciting products or services on time. Just consider the plight of RIM. Tie to this the related risk of disruptive competition that renders the company’s products obsolete. Consider Nokia’s experience: They had a 40 percent mobile phone market share — until the iPhone.
  • A poor corporate culture. There are many varieties of this, such as one that is either too cautious and risk averse or takes on a reckless amount of risk. Other varieties include: the organization does not pay sufficient attention to employee safety, disregards regulatory compliance obligations, does not pay attention to ethics, or fails to oversee its extended enterprise (and suffers significant reputation loss when incidents hit the news — such as with Apple and Levi’s).

Each of us could probably add to this list from our own experience or reading of the news.

But the question remains. Are the risks that could sink the ship given sufficient attention? Are the risk levels understood, and have sufficient actions been taken to address them?


Posted on Apr 29, 2012 by Norman Marks


  1. Norman:
    The risks you list above are relevant and have killed more than a few good companies, but I believe that a key step to focusing in on "risks that matter" is to ensure there is a universe of prioritized end result business objectives that include the organization's key strategic objectives, as well as core/foundation objectives including obeying laws and reliable financial disclosures. Internal auditors need to focus far more time on assessing their organization's strategic planning and monitoring processes. Unfortunately COSO 1992 does not see defining and communicating objectives as an element of an integrated control framework. This was reaffirmed in COSO 2012 ED.

    Identification and evaluation of risks should be about determining a composite estimate of the uncertainty of achieving the objectives being assessed. Attempts should be made to determine the "impact" of not achieving the objective(s) being assessed in whole or in part, not just fixate on individual risks without linkage to related end result business objectives. Objectives with high negative impact if not achieved that also have high composite uncertainty/residual risk should receive the most attention from senior executives and internal auditors.

    The dangers of "risk-centric" ERM approaches that divorce risks from end result business objectives are outlined in my white paper THE HIGH COST OF ERM HERD MENTALITY at

  1. Tim, thank you for sharing your views.

    You talk about achieving objectives, but in some of the situations I discuss above, the board and top management may not set optimal objectives for the long-term creation of value by the organization. Are you saying that we should make sure effective governance processes are in place as a priority?

    Also, you talk about high risk areas (residual risk is always the measure). But should we not be looking more at areas where the risk exceeds organizational criteria? There are some risks that may have a high potential impact but are accepted as part of doing business. In other words, the level of risk is less important than whether the risk is not at an acceptable level (and that can include when the risk is too low for an overly cautious company).

  1. Norman:

    Yes, I do believe internal auditors should assess and report on the effectiveness of the organization's process to define and communicate objectives. This is one of four categories in the Canadian CoCo integrated control framework. In some companies they haven't even communicated and assigned accountability for specific reliability objectives related to financial accounting statements and note disclosures. Under COSO 92 this would not be considered a control deficiency.

    Under the RiskStatusline system we promote, any Residual Risk Status rating greater than 0 indicates unacceptable residual risk status. There also may be situations where residual risk status is rated as 0 but still constitutes a high level of residual risk. These situations should be consensus agreed with senior management and the organization's board of directors to ensure it is within the organization's risk appetite/tolerance.

  1. I agree Norman but one of the challenges for internal auditors is how to audit behaviours and attitudes as distinct from structures and processes.
  1. Risk as a concept and as an issue of practical risk management is implicitly linked to objectives. These need to be clearly articulated and communicated throughout the firm. If not, there is no context in which risk management can take place.

    Norman is right that the really big risk issues are concerned with governance, behaviours and culture. However, as I think more about risk (in my case operational risk in its broadest sense), I wonder whether we should also use risk connectedness maps to identify truly important risks. That way you get back to cause, which is the fundamental thing we are managing.

    But back to culture. The key is to define precisely what you mean by excellent and, for that matter, inappropriate behaviours and the grades in between. A number of firms are doing this across the spectrum of their 'people' related risks. That way you can seriously and objectively link pay with behavioural performance as well as financial performance.

    In a speech to the IIA in Scotland last year, I picked up on Lord Young's speech and his theme that audit could be the 'canary in the mineshaft'. I happen to be fairly hard-line about confining audit to process, but if behaviours were properly identified by the firm, then I wonder whether it might be a legitimate role for audit to ensure that the behavioural assessment process is fair and consistent? It's a theme I'm going to put to a seminar I'm running for the Institute in Oslo later this month.

  1. Norman 

    Good central question: Are the risks that could sink the ship given sufficient attention? 

    Probably not, by either the Board or Senior Management or IA. 

    The paradox here is that so many of the key risks relate to strategic risks or board level effectiveness, yet stakeholders will hope they have done their best to select "the best" in terms of experience and organisational insight.

    The problem is that no one is perfect (weak CEO a problem, overly strong CEO a problem ~ need one that has just the right balance!) and often it's their own views / blindspots about risks and issues that will lead to problems. Often these issues are right under the nose of the CEO or unthinkable (the 9/11 "failure of imagination" problem).

    Likewise the board and senior executive teams have a tricky balance to maintain ~ need a positive collaborative mindset, yet the right amount of challenge as well.

    So much is about behaviours in relation to key decisions and activities, and paying close attention to these is one important way in (being careful not to get false assurance from generic cultural things that are going well).

    The very best boards and executives ask for facilitation from time to time, to help them with their behavioural biases, but this is still the exception.

    In terms of IA's role ~ keep paying attention to the time being spent on strategic risks and governance related concerns when doing the plan. In addition I recommend developing a deeper appreciation of behavioural risks, but recognise the challenges of being allowed to observe and comment at the highest levels.

  1. I share your opinion about these risks that reflect the reality of many corporates, but generally we don't identify such risks because it is a matter of the top management that must be the role model in ethics, trust, accuracy, integrity, etc., and it is the most important component of internal control: the "control environment" that is directed by the Board of Directors.

  1. Yes, Safae, I agree we don't usually identify these risks. But shouldn't we?

  1. In my opinion, there are risks which an audit can identify as they are measurable, whilst others can only be "sensed". These are risks to be identified by e.g. market research following an impact assessment request to the relevant managers asking for comprehensive and clear response strategies. In general, managing risk appropriately requires a clearly defined governance structure that forces workflows to be triggered (risks or issues identified) across the organization's departments, regardless of the matter, finalizing with a response paper that has been completed by all departments including a cross-functional impact assessment. In order to address your executive management operational risk identification there are many ways of enforcing processes, whilst asking your employees of all levels to submit their thoughts and ideas about any possible element of risk (e.g. as a Sharepoint dropdown workflow addressing risks like "how is the company seen by your friends" or "what would you change here"), and sending these to a central team of experts to analyse input and possible impact, providing solution proposals (via their teams). It will show interesting results, as the tickets coming in will not be many in number, but the content will be, and that will enable a better definition of new strategies to be launched. The other problem you already addressed is malfunctioning executives for various reasons. That can only be resolved with a direct conversation and immediate decision taking of re-arrangement of responsibilities if needed. In summary, yes, such risks have to be identified and addressed. How you do it best according to your company's profile is the question, and that most probably needs someone from the outside to identify the weaknesses an insider might overlook. It is a matter of making the company one team.
