<?xml version="1.0"?>
<rss version="2.0">
<channel>
<!-- Generated by HotBanana --><title>Managing the Complexity of Risk</title><link>http://www.theiia.org/intAuditor/feature-articles/2011/april/managing-the-complexity-of-risk/</link>
<description>Blog</description><language>en-us</language>
<pubDate>Tue, 17 Jul 2012 10:08:12 AM</pubDate><lastBuildDate>Tue, 17 Jul 2012 10:08:12 AM</lastBuildDate>
<item><link>http://www.theiia.org/intAuditor/feature-articles/2011/april/managing-the-complexity-of-risk/</link><pubDate>2011-07-09</pubDate><title>Complexity?</title><description>ISO 31000 (and COSO for that matter) has absolutely nothing to do with complexity.  “Complexity” has become something of a buzzword in today’s business culture, becoming more vague and imprecise than many of us attempting to understand complexity would like.  The misappropriation of the concept is always done with the best of intentions.  Well, Neil, any author savvy enough to introduce Mandelbrot and fractal geometry into the mix doesn’t get a free pass. 

I am not so much worried about “new” risks – there is not much new under the sun.  I am, however, worried about certain types of risks that may become “enriched” due to the increasing complexity and uncertainty in the environment.  Here’s an allegory of sorts to illustrate...
Amanda was an ERM professional looking forward to a vacation at the seaside community of Amity. She performed a comprehensive ISO 31000-based risk assessment and was promptly eaten by Bruce-The-Shark on the first evening of her arrival as she went for an evening swim.  

Retrospective: Well, shark attacks are not Talebian Black Swans, even though popular wisdom suggests they are relatively rare.  Predictive analytics were of no use to Amanda because we did not have any data suggesting a history of shark attacks at or around Amity (that may suggest crummy data, that sharks seldom if ever frequented the Atlantic waters around Amity, a change in the environment, etc.).  Perhaps global warming irritated Bruce and he sought cooler water for hunting? 

The paradigm the “late” Amanda used, however, was retrospective.  It was based on the notion that yesterday is pretty much like today and will be pretty much like tomorrow.  It was also based on a Gaussian distribution (an artifact from systems assumed to be in equilibrium).  

I am not a complete nihilist when it comes to quant.  Had Mike Nichols asked me to write the dialogue for the classic movie The Graduate, I would have said “thresholds” to Benjamin, rather than “plastics.”  If you have no idea of what I speak, stop reading this silly article and go rent the movie! 

•  We need to get an idea about when our environments (yes, the plural) change.  
•  We need a more robust picture of our operating environments
•  We need to challenge, not embrace, goofy 20th century predictive models
•  We need to think about resilience-based risk strategies &amp; complexity science; and forget about holistic solutions between silos and other goofy Human Resources voodoo

Remember, if you’re going to swim with the sharks, don’t ask the Mayor of Amity for a self-assessment of the risk. 
</description></item>
<item><link>http://www.theiia.org/intAuditor/feature-articles/2011/april/managing-the-complexity-of-risk/</link><pubDate>2011-05-18</pubDate><title>Managing the complexity of risk</title><description>Worth reading and very helpful to internal auditors. Keep it up.</description></item>
<item><link>http://www.theiia.org/intAuditor/feature-articles/2011/april/managing-the-complexity-of-risk/</link><pubDate>2011-05-12</pubDate><title>Contradiction about IIA role in ERM</title><description>The Institute of Internal Auditors (IIA), in coordination with its institute The IIA-UK and Ireland, has issued a position statement on The Role of Internal Audit in Enterprise-wide Risk Management 
http://www.theiia.org/guidance/additional-resources/coso-related-resources/the-iia-takes-a-stand-on-erm/ 
It is indeed strange to read that they consider the following activities legitimate:
• Coordinating ERM activities.
• Maintaining and developing the ERM framework.
• Championing establishment of ERM.
• Developing risk management strategy for board approval.
These activities seem to be in contradiction with the role of internal audit according to IIA-USA and IIA-Australia 
 (see http://www.iia.org.au/aboutIIA/whatIsInternalAudit.aspx)
 (see http://www.theiia.org/guidance/additional-resources/coso-related-resources/the-iia-takes-a-stand-on-erm/)
I think the IIA-USA and the IIA-UK have got themselves confused, whereas the IIA-Australia has clearly endorsed ISO 31000 and its role as auditors:
See: http://www.theiia.org/intAuditor/feature-articles/2011/april/managing-the-complexity-of-risk/ 
Here is an ongoing discussion on this subject:
http://www.linkedin.com/groups/Legitimate-Internal-Audit-Roles-Safeguards-1834592.S.53904876?qid=b4b41047-ab72-4a16-b15b-7c778507d62f&amp;goback=.gmp_1834592 
</description></item>
<item><link>http://www.theiia.org/intAuditor/feature-articles/2011/april/managing-the-complexity-of-risk/</link><pubDate>2011-05-10</pubDate><title>Managing the Complexities of Risk</title><description>MANAGING THE COMPLEXITIES OF RISK
The organization’s goal to achieve a maximum risk-free environment in the business should not be biased upon. As the entrepreneur can feel, it is not a single man’s affair to manage the organization. The entrepreneur should give his time and money to each area of responsibility he employs in the organization.

The entrepreneur must think to possess the security of services, giving weight to each individual in their capacity of responsibilities. And the entrepreneur must hold each departmental head, as himself, responsible for safeguarding the organization’s assets and keeping the organizational environment exposed to a minimum of risk, if not 100% risk free. Enterprise Risk Management should also govern the human resources management of the organization. The internal auditor cannot be responsible for a risk-free environment if all the heads of departments are left free and innocent; this situation leads the organization into multiplicities and complexities of risk. 

The internal auditor can hold things responsible within the organizational culture of risk assessment, but deliberate efforts by the other departments to expose complexities of risk do expose the organization, managing a lot of risks by rule of thumb and without documentation or legal implications.

To control risk, every act of the organization is managed through controls and governance. Enterprise Risk Management should be such that the controls are tested and the variances looked upon.

Matching ERM within different organizations is a source to study. But the entrepreneur and management of the organization are an identity for practices to the utmost enforceable sets, standards, optimality, and decisions. 

Internal auditing is to be approached so as not to divert from its due control to abide by law in administration, a check to point out, as feasible, pre-measuring the controlling standards of safeguards of the company’s assets.

Rashid Pervez
ID# 1394262
</description></item>
</channel>
</rss>