This post debates the assertions made in a 2014 piece by the consulting firm CEB that internal audit and ERM are failing.
The consulting firm CEB (now part of Gartner) published a piece in 2014, Executive Guidance: Reducing Risk Management’s Organizational Drag.
It has been used recently to support an argument by a critic that both internal audit and ERM are failing. This was said in the last few weeks on Twitter:
- “CEB survey focuses on some key failings of traditional internal audit and ERM.”
- “CEB survey report does a good job describing problems with IA/ERM but not as good with its prescription to fix the problem.”
- “CEB/Gartner report puts the spotlight on assurance silo overload.”
Leaving aside the fact that it is a 2014 product based on 2012 and 2014 analysis (and therefore should not have been used to discuss the current situation), how good is the CEB piece and what does it say about (a) internal audit, and (b) risk management? How accurate and relevant are its observations today?
Unfortunately, the critic mistakenly conflates internal audit and risk management. Both have their challenges, but they are different – different challenges for different organizations.
One is part of management and the other is independent.
Lumping them together confuses and distracts from addressing their individual challenges.
The CEB piece gets off to an awful start with this sentence:
In the present day, when those types of risks [financial and hazard risks such as the effects of a typhoon] can be transferred through hedging and insurance, they have taken a backseat to strategic, operational, and reputational risks that assurance functions and business leaders must identify and manage themselves.
First, practitioners know that you cannot really “transfer” a risk. That is dated thinking (sorry, insurers). Instead, you are sharing it more often than not. For example, there is always a possibility that the insurance claim will be denied, the insurer will fail, or not all the effects will be fully compensated.
Secondly, assurance providers do not “identify and manage” risks – that is the responsibility of operating and executive management with oversight from the board.
CEB recovers somewhat when they talk about how the increasingly extended enterprise and the growing volume of data captured by any enterprise has changed at least part of the risk landscape.
But then they start to categorize risks, saying:
With shareholder value as the barometer, the most potentially damaging types of business risks are the strategic ones, such as competitive incursions or declining demand for a core product. CEB’s analysis of significant market capitalization declines in the past decade shows that 86% of them were caused by risks that were strategic in nature—with operational risks as a distant second place.
Risk is the effect of uncertainty on objectives. That means that to properly assess any source of risk you have to consider how it could affect the achievement of specific objectives.
So, the only risks that rate as “high” would be those with a significant potential effect on the achievement of objectives.
Operational miscues can have a dramatic effect on objectives, leading to customer dissatisfaction and loss, product failure, and so on. Just think of Deepwater Horizon.
Compliance failures can similarly impact objectives when they are so severe that operations are constrained or even closed. Consider the Novartis problem in Japan.
CEB’s analysis by categorization is fallacious and misleads more than it helps.
If you say that strategic risks are those that might have a significant effect on objectives, which can include operational and compliance risks, then it is only to be expected that these are the ones that result in failures to execute and deliver on strategies.
Then there is the paragraph that has drawn the attention of the critic:
At most companies, however, assurance departments with the formal responsibility of identifying (and sometimes managing) risks—such as with Internal Audit in the following graphic—consider strategic risks to be out of their scope and instead see them as business owners’ responsibility.
This is simply a misreading of the situation.
While it is true, based on other surveys and my own observations (the CEB offers no evidence for its observation), that many internal audit functions do not include all significant risks to enterprise objectives in their audit plans, it is not because they consider them “out of scope”.
All risks are potentially auditable. CEB gets that 100% wrong.
Further, all risks are business owners’ responsibility, so the statement about strategic risks being business owners’ responsibility carries no weight.
IMHO, it’s true that many internal audit functions don’t include all significant sources of risk to strategies and objectives in the audit plan. But the reasons lie elsewhere.
It may be because:
- They don’t have the resources or ability to address them and are unwilling to ask for those resources.
- They simply didn’t think of them.
- The audit committee doesn’t support their auditing these issues.
That’s all that is said by CEB about internal audit. The rest is about risk management.
The following CEB assertion may be true (again, no evidence is offered but I believe it to be often true):
Operational executives know risk and strategy go hand in hand, but they struggle to address them together. Similar to how enterprise risk management (ERM) efforts rarely link cohesively into corporate strategy, typical strategic planning processes run by line executives do not do enough to incorporate and address risks.
I entirely agree with these excerpts:
- Too much focus on risk versus reward can encourage “risk aversion,” resulting in lost growth opportunities.
- The risk prevention activities (i.e., eliminating any chance of risk) that are appropriate for other kinds of risks can lead to avoidance or aversion of strategic risks that companies would be better off taking. When companies overemphasize the risk (not reward) of strategic decisions such as developing new products, entering new markets, or selecting merger and acquisition targets, they can inadvertently foster indecision or inaction among executives and frontline staff by making them too cautious.
- Leading companies view every decision they make as a risk decision; they explicitly link risk to overall corporate strategy and deliberately choose their risks with great calculation.
- In short, leading companies win because they empower their employees to take and manage risks, not because they do a better job preventing them.
- Incorporating multiple perspectives on both risk and opportunity removes biases in the planning process and improves confidence in strategic decisions.
- Scenario planning is a common approach that incorporates strategy and risk. Leading companies are increasingly conducting scenario analyses on hypothetical strategies to identify potential outcomes, associated risks, and alignment with corporate risk thresholds.
- Embedding risk in strategic planning, and vice versa, is most effective during planning months and for a short time afterward. But during the rest of the year, risk-comfortable executives who lack clear understanding and guidance on what is, and what is not, an acceptable level of risk will expose the company to greater risks through their day-to-day decisions.
- From our experience, leading companies that ensure a risk-based context for strategic decisions improve decision quality by as much as 42%, and companies that effectively reduce risk aversion can accelerate executive action by 34%.
- Companies’ greatest risks are their people. Instead of focusing disproportionately on risk processes, leading management teams and assurance groups anticipate and manage the root cause of most risks: human behavior and judgment.
So overall, the CEB has some good stuff. I really like much of their language, especially in the points above about risk aversion and indecision. There is more in their document that has merit, especially about human bias and how it affects judgement and risk-taking.
But does it capture all or even the more significant problems with either internal audit or ERM practices? Does it offer the right solutions?
I am not persuaded that it does on either count.
I am not going to conflate the two separate activities. Let’s take them one by one, starting with internal auditing.
First, I have to say that while there has been significant progress in internal audit practices over the last several years, problems remain. As I have written before, the majority of board members and executives report that they do not believe internal audit addresses the risks that matter to them, the more significant risks to enterprise objectives.
This is critical!
In addition, many internal audit functions:
- Only update their audit plans annually. They should instead, as recommended by Richard Chambers and me, be updated continuously – at the speed of risk.
- Do not provide assurance on the management of risks to objectives. Instead, they assess and rate controls without indicating which objectives might be affected and by how much.
- Do not provide actionable information, helping leaders know not only what might be wrong but whether strategies and even objectives might need to be changed.
- Limit the insight they provide to what is written in the audit report. It’s so much better to have a conversation.
- Make it difficult for leaders to find the nuggets of valuable information in their audit communications by burying them in a mountain of trivia in their audit report. Auditors need to communicate what leaders need to know, not what they themselves want to say, and do it clearly, concisely, and promptly. Leaders need actionable information now.
If CAEs and their teams focus on these six points, they are on the way to success.
Turning next to risk management, the CEB identifies some important points.
But there is a huge disconnect between practitioners and leaders at many if not most organizations.
Here are some of the problems, all of which I have written about before. Too many risk management functions:
- Focus on the possibility of failure instead of how to succeed.
- Think that the periodic review of a list of risks is risk management. It is not. It is enterprise list management (DeLoach). Risk needs to be managed continuously.
- Focus on risks out of context instead of the possibility and degree that an enterprise objective might or might not be achieved.
- Do not set as a goal helping decision-makers make the informed and intelligent decisions necessary for success.
- Apply their discipline only to the possibility and magnitude of potential bad things, not to both good and bad.
- Fail to recognize that an event or situation can have multiple effects, some of which are good and some not so much.
- Talk in their own technobabble (i.e., risk) instead of the language of the business. It is far better to talk about what might happen and whether that is acceptable.
- Do not understand that risk is taken or modified with every decision. A corporate-level risk appetite statement does not, by itself, guide every decision and every taking of risk.
There is more, but if risk managers address these eight points, they should be on the way to success.
I discuss both issues, internal audit and risk management effectiveness, in separate books: Auditing that Matters and World-Class Risk Management. There is more to be said and done on this topic, and hopefully both practitioners and their critics will see value in reading them.
What would you add?
I welcome your comments and perspectives.