
Adios to ‘3 Lines of Defense’ Risk Model

In this age of disruption, all those organizations that spent many years and lots of cash digging beautiful trenches for their useless Three Lines of Defense are being seriously damaged. These organizations now need even more effort to fill in their trenches and get out onto the battlefield of real business.

R.I.P., Three Lines of Defense model (the three being: operational managers; risk managers and compliance functions; and internal auditors). Your creators saw a tiny speck of light, but millions are left without defense, and the trenches are in shambles. Sadly, your ghost will haunt many for a long time. They still have three lines, but these are now so blurred that organizations must be extremely careful not to kill their own front-line fighters, a situation much worse than running around in the old trenches. 

The model turned into a story of failed backward innovation — making something useless even more useless, and that in the middle of the age of disruption.

As Michael Volkov recently said: “The IIA’s revised model [for the Three Lines of Defense] should be ignored and relegated to the ash heap of bad ideas.”

The elephant in the room is actually a grey rhino, not a black swan; it is time for risk practitioners to learn the lessons. Time to wake up to the reality that an outdated risk management process of steps to Identify, Analyze, Evaluate, Treat and Monitor the Risk, together with beautifully crafted RAG reports linked to a bunch of risk-mitigating responses, is of no use, and that following any standard or framework contributes nothing to the actual management of risk. The effective management of risk depends on the risk management skills of the front line and the decisions they make in every situation of risk they encounter.

It is time for auditors to get away from the management of risk, far away — and to stay away. By the time anything gets to their line, it is too late anyway; all they can do is to issue a finding, implying that they “found” something. I have never seen an auditor resuscitate a dead business. Lately, we see more cases where they actually contributed to the death of organizations through a lack of diligence and susceptibility to corruption.

What a pity that the hours of heated, heat map-driven debates in the risk committee meetings on whether something should have been red, amber or green at the end of last month (or, even worse, last quarter) came to nothing!

The dominant personalities glaring at risk reports created from historic data, with their thinking clouded by unconscious biases, also made the syndication of decisions in these meetings so much more difficult. The hear no evil, see no evil, do no evil committee members who were mostly dedicated to their mobile phones during these debates are still going with the flow. Just like dead fish.

We also learned that “tested” business continuity plans are of very little value; no disaster will follow your plan. Success lies in the way each and every employee will respond to the situation of risk on D-day.

It is time for risk practitioners to grab the bull by the horns and learn this elephant-size lesson that the only way forward is building an effective risk culture and teaching everyone in the company radical risk management skills.

How to Remove Fear in Risk Management

Someone is looking over your shoulder, and you know who it is. If you’re the CEO, it’s your board and shareholders. On the factory floor or in the cubicles, it’s the foreman or the supervisor. But just as often these days, the sources of anxiety and caution confronting risk managers may not be corporate employees at all. Rapidly shifting technology that is often difficult to understand and measure, unfamiliar demographics, expanding globalization, and ever more stringent regulatory compliance requirements are now part of an anxiety-producing stew that organizations’ risk managers must understand and deal with. All these forces threaten a corporation’s revenue, margins, profitability, and overall competitiveness more quickly and unpredictably than ever.

Consequently, if you are an internal auditor – the person responsible for assessing and helping improve the risk management process – your chair these days may feel more like a hot seat. Which of the decisions that barrage a modern corporation daily should be the higher priorities? And how, in a business world of frequent disruption, will you, your superiors, and those who report to you weigh and mitigate the waves of serious risks facing the company nonstop? What are the most important metrics to use for any given risk issue? Can the company rely solely on its in-house staff to analyze and resolve unforeseen and often unforeseeable problems?

Just as important, how will the enterprise as a whole handle these issues and make necessary decisions? How does company culture get in the way of using risk management effectively, to reach the decisions that will help the company grow and become more competitive, and how can sustainable risk management (SRM) assist?

Company managers often are not encouraged to exercise independent judgment, even when they are the acknowledged experts. Without transparency and effective multilevel communications in their company, managers are likely to be wary of crossing unseen boundaries, suspect that hidden agendas are controlling important decisions, or feel isolated and unsure of the enterprise objectives that should help guide their decisions. Moreover, anxiety about making important decisions is common in organizations that don’t give their decision-makers the tools and data required to make intelligent risk analyses. Without confidence that they understand the risks associated with a decision, and in a culture where the consequences of a bad outcome are punitive, managers understandably are likely to be cautious.

Behind employees’ hesitation to make and express independent judgments or to make decisions can be a corporate culture of mistrust, caution, and covering one’s backside. In other words, a culture of fear – fear of losing face, losing a contract, losing revenue, losing political advantage, losing a job.

A culture of isolation and timidity defeats collaboration, creativity, transparency, and the ability of a corporation to objectively analyze the broad range of risks it faces each day. It can render the internal audit function far less effective and useful than it should be and can be. In this environment, the internal audit function may mistakenly be seen solely as a means of uncovering errors, assigning blame, and enforcing penalties. Managers may be understandably reluctant to provide anything other than the most general and diluted information about their operations and decisions.

One need not wade through the scientific research about the impact fear has on decision-making to understand how destructive it can be. The brain has separate centers for processing fearful and rewarding experiences. As Dr. Gregory Berns, director of the Center for Neuropolicy at Emory University, has explained, “The most concrete thing neuroscience tells us is that when the fear system of the brain is active, exploratory activity and risk-taking are turned off.” Good decisions in this state are unlikely. “Fear prompts retreat. It is the antipode to progress,” said Berns. “Just when we need new ideas most, everyone is seized up in fear, trying to prevent losing what we have left.”

In this way, fear can nullify or dilute a company’s risk management processes. An effective SRM program, however, encourages and supports an environment that minimizes fear, reduces uncertainty, and increases transparency and confidence in decision-making throughout the enterprise.

Barriers to Solutions

It may seem that established tenets of good corporate governance already include rooting out the fear, indifference, lack of collaboration, and siloed decision-making that stand in the way of optimizing risk management. After all, most companies talk an excellent game when it comes to collaboration and open and honest risk analysis. Too few, however, have developed the internal mettle to tolerate it.

Starting with assessing corporate culture and change management practices, internal auditors can play an important role in transforming the boilerplate talk into sustainable programs. They can provide unbiased, to-the-point assessments, independent of internal politics. The problems they find and the solutions they recommend can be critical for a company seeking to develop the capacity for SRM. But whether from too much caution and resignation or just fear of change, many internal auditors say the structure of their jobs discourages them from alerting their companies to critical gaps in risk assessment and mitigation.

A recent global study by The Institute of Internal Auditors (IIA) Research Foundation spotlights some of the problem areas. Not even two-thirds of the surveyed chief audit executives (CAEs) said they consult with division or business heads when they develop audit plans. Only slightly more than half said they consult with audit committees. There may be many reasons for this audit-in-isolation phenomenon, but it commonly occurs in companies that do not value the risk management process and therefore do not prioritize it. The phenomenon occurs in companies where key players are not encouraged to speak up.

Just one-third of audit plans are updated three or more times a year, the study found. This means that CAEs may be overlooking important changes in the business environment. No wonder only 57 percent said that their internal audit departments were “fully aligned or almost fully aligned” with the enterprise strategic plan. This kind of exclusion signals that leadership does not embrace the people responsible for monitoring management of the company’s risk and that the audit function is not seen as a critical part of the management process.

Our experience with clients reflects these findings and shows that risk management professionals themselves may be at least partially responsible for the isolation and erosion of their programs. They could assume, for instance, that the value and relevance of SRM are obvious and not consistently sell a program that’s underway, neglecting to point out its continuing value, highlight its successes, and develop metrics that are easily understandable.

The program itself may not be as inclusive as it should be. Sometimes risk management processes are not designed to seek out and incorporate the views of front-line employees. Any effective SRM process, however, must reach into the depths of company operations. At the same time, employees at all levels often are not trained well in how to assess and evaluate risk. Employees may be able to calculate some risk in dollar terms without appreciating that they also should be looking at, for example, threats to customer satisfaction, employee safety, and regulatory and contract compliance.

Too often, as well, an unappreciated or ineffective risk management program does not account for the unique characteristics and business objectives of the corporation. Organizations sometimes employ a cookie-cutter approach to developing a risk management framework that’s not calibrated to address essential and distinctive company attributes.

Sometimes risk reporting to the board and top executive levels may be so extensive and detailed that no one reads the reports. Or risk reporting may be so superficial that its assessments and proposed solutions carry little weight. When risk management is not seen as a source of continuous improvement for the organization, risk management funding may be erratic or inadequate, its staffing just an afterthought, and its placement in the corporate hierarchy too isolated to be effective.

Working Toward a More Viable Program

An SRM program protects and advances the organization’s primary business objectives. To do their job effectively, risk management leaders must be included as members of the executive management team. Their inclusion helps to ensure that consideration of risks is incorporated into every significant strategic decision.

It is also possible that a company and its leadership simply are not prepared for the important cultural shift required to champion SRM. All too typically, executives are experts at shifting blame, pointing fingers, and covering their reputations when something goes wrong or hard decisions must be made.

SRM requires a no-blame environment, a collaborative process in which personnel work together to assess and solve problems without fear that their careers will suffer or they will lose the confidence of their peers. A frank and constructive assessment of an operational failure, for instance, is possible only when, instead of trying to find fault, the evaluation concentrates on solutions to keep the failure from happening again. This collaborative approach is not common enough in modern corporations.

Why SRM Is Worth It

The benefits of developing an open, fearless, and transparent SRM program ripple through every level of the enterprise. The program helps ensure that the company can perform with confidence and agility in the face of unpredictable events and shifting economic conditions. It supports the development of accurate, timely, and relevant metrics that reduce uncertainty in decision-making. It provides an effective process for dealing with emerging technologies, surprising moves by competitors, market uncertainties, natural disasters, and even internal scandals. When the program is working, the board, C-suite executives, and managers at all levels understand the kinds of risks the company must deal with and then use that awareness when making their decisions.

An active and embedded SRM program, visibly supported by leaders, regularly refreshes the managers’ awareness and stimulates their insights concerning the shifting market and business conditions that pose the greatest risks to the company’s operations. Employees work collaboratively with their supervisors and are asked to help solve missteps rather than being blamed or punished for them.

SRM offers continuing opportunities to save costs and improve productivity. It can reduce operational and material losses and waste and spotlight process improvements. SRM more closely aligns people, assets, processes, and technology with the organization’s business strategies. It also reassures the board and other stakeholders that compliance issues are being addressed and that company assets and reputation are being protected. The results – which we see time and again – include increased growth, improved profitability, and higher staff morale.