Tag Archives: norman marks

The Current State of Risk Management

The Ponemon Institute recently shared the results of its survey on risk management: The Imperative to Raise Enterprise Risk Intelligence: Inside the Promise & Pitfalls of Enterprise Risk Management. The results are disturbing, but unfortunately what I had anticipated.

The 641 who answered the survey were involved in risk management within their organization, so the results are skewed toward having some level of formalized risk management. In other words, the respondents are better than the general population. Most of the respondents are IT folk, and some of the questions reflect the author’s IT orientation, as opposed to a general business one.

See also: 4 Steps to Integrate Risk Management  

The report, as so many, has to define risk management in its own way. But, frankly, the definition isn’t bad. The report splits the issue into risk management and risk intelligence.

In the context of this research we define enterprise risk management as the application of rigorous and systematic analysis techniques to the evaluation of risks that impact the whole organization including information assets and IT infrastructure. Cyber risk management is considered a component of enterprise risk management.

We define enterprise risk intelligence as the insight necessary to drive actionable business decisions related to governance, risk and compliance. It is the organization’s ability to think holistically about risk and uncertainty, speak a common risk language and effectively use real-time information and forward-looking risk concepts and tools to maximize business performance.

Ponemon tells us that only 24% of respondents said they have a risk management strategy that is clearly defined and pertains to the entire enterprise. Ponemon doesn’t define what it means by a risk management strategy, so I can’t comment further.

But this is key:

“…only 43 percent of respondents say enterprise risk intelligence integrates well with the way our business leaders make decisions.”

I have to wonder whether the business leaders would agree with that assessment by the risk practitioners!

This adds fuel to that fire:

“A lack of collaboration among organizational functions is a barrier to an effective enterprise risk management program. 53% of respondents say their finance, operations, compliance, legal and IT functions do not collaborate on enterprise risk management activities. Only 8% of respondents say these functions fully collaborate in enterprise risk management activities.”

A lack of resources and an inadequate budget are identified as barriers.

But here is the key question. If the leaders of the organization are not persuaded that risk management is adding value by enabling success, and believe that there are better ways to invest scarce resources, why should we surprised that the risk management activity is under-funded?

This is demonstrable when “30% of respondents say no one person has overall responsibility to ensure the risk management program is well executed.”

See also: A Revolution in Risk Management  

The appendix contains some valuable pieces of information. Here are two:

  • Only 32% say their organization has a very significant commitment to enterprise risk management.
  • On a scale or 1 (low) to 10 (high), just 14% of the respondents rated the effectiveness of their risk management activity as a 9 or 10.

So what do we make of this?

Let’s start with some unpleasant facts!

  1. Our business leaders are not idiots. If they have not invested in risk management, there’s a reason! They are not convinced it will help them succeed. They see it as a compliance activity that costs time and money, checks the box for the board and regulators, but doesn’t help them be successful.
  2. If they saw risk management as helping them make better decisions, you can bet they would invest in it!
  3. They can be persuaded, not by words but by action.
  4. Risk practitioners too often are focused on managing risks instead of achieving business objectives. There’s a huge difference.
  5. Risk practitioners don’t connect with business executives because they talk technobabble instead of the language of the business. A discussion of risk appetite or a risk appetite framework is not something that any executive focused on results will want to attend.
  6. The traditional approach to risk management, a list of top risks, is not going to work. It hasn’t worked for decades so why should it now?
  7. Satisfying the board but not top management is not a recipe for long-term success.
  8. The risk practitioner has to think out of the box. Understand what the company’s leaders need to be successful and make intelligent and informed decisions, then deliver it.

I welcome your comments.

New Guidance on Operational Risk

The Risk Management Association has published Key Principles of Operational Risk Management. Designed by practitioners at financial services organizations, the document makes a number of good points. But let me start with what is missing: guidance on when to take risks.

When an organization is focused on avoiding failure, it is very hard to be successful.

Operational risk is basically about the things that can go wrong in day-to-day processes that can trip you up. It is impossible to eliminate such risk. The best you can hope for is to take a level of risk that is appropriate given the business and what it takes to be successful.

The issue is not even about “balancing” risk and reward. The potential for reward should always be higher than the potential for loss – but the key is to use the same assessment methods to understand the potential range of positive effects or outcomes as is used to assess the potential harms.

See also: A Revolution in Risk Management  

Recognize that it’s not either/or, reward or loss. It is highly likely that both will occur!

Anyway, the guidance makes some good points:

  • Risk management is an integral part of business management and should be incorporated into overall business and financial planning.
  • Business culture within institutions must embrace the value of risk escalation and welcome independent challenge of risk decisions. Soliciting multiple points of view and engaging in debate result in better, more informed decisions.
  • Senior management should provide direct oversight of current and emerging exposures. Meanwhile, risk management should be part of the normal management process and governance, not be made a separate, adjunct function.
  • Risk teams should be established with qualified, high-performing professionals who are closely integrated with business operations and the decision-making processes.
  • Effective risk management is a basic responsibility of business leaders and managers.
  • Risk management activities dictated solely by remote oversight functions lacking detailed execution experience are highly prone to error and inefficiency.

But I have a problem with the traditional perspective in this section:

As part of sound business and strategic decision-making, operational risk implications must be assessed and considered to determine whether to

  • Manage the risk.
  • Tolerate the risk.
  • Transfer the risk (for example, by insuring against the risk).
  • Decline the risk.

To be successful, sometimes you need to take the risk, even to embrace the risk because of the potential for reward.

See also: Risk Management, in Plain English

The attitude of tolerating or even accepting the risk is simply wrong. Take it happily!

If financial services organizations fail to take the right level of the right risks, they will fail and fade away.

I welcome your comments.

A Revolution in Risk Management

The management of risk, whether you call it enterprise risk management, strategic risk management or something else, is about helping an organization achieve its objectives. All the standards, frameworks and guidelines talk about risk in terms of its ability to affect the achievement of the organization’s objectives.

Typically, reporting to the management team and the board has been in terms of risks, focusing only on the things that might happen (collected together in categories that reflect where those risks might arise) that would be harmful. This allows the consideration of risks but not really how they might affect the achievement of objectives and which objectives might be “at risk.”

See also: How to ‘Gamify’ Risk Management  

Why not turn the information around and use it to indicate the likelihood that the organization will achieve each of its objectives. For each initiative, what is the likelihood of success?

Then we can answer these questions.

  • Considering all the things that we have identified that might happen, how confident are we that we will meet the objective (within an acceptable level of variation)?
  • What is the possibility that we can exceed it?
  • What is the possibility that we will fall short?

The assessment will not only provide valuable insight but will enable decisions to be made that will increase the likelihood and extent of success.

The report might look something like this.

Screen Shot 2016-11-11 at 11.56.30 AM

What this tells us is that so far we are exceeding our target. However, when we consider all the things that might happen over the rest of the period, there is a 15% possibility that we will fall short of the target. (This should be the judgment of the people responsible for running that part of the business and achieving the objective. It is not intended to be the result of a precise calculation.)

Leadership can consider whether this is acceptable. Should action be taken to improve the likelihood of success?

Leadership can also see that there is a small possibility that the target can be exceeded. What can be done to improve that likelihood without increasing the possibility of falling short?

A report like this moves the conversation from focusing on failure to focusing on success.

See also: Can Risk Management Even Be Effective?  

Such a report changes the discussion to one that resonates with the executive management team, helping them understand how the management of risk can help them achieve their objectives.

This is a revolution in a couple of ways:

  • It turns the discussion of risk to objectives around 180 degrees to focus on objectives, and
  • It demonstrates how the management of risk is of huge value to the organization.

I welcome your comments.

Is this an approach that COSO and ISO should adopt as they upgrade their guidance?

How to Respond to Wells Fargo Fraud

I hope the Wells Fargo scam is causing boards, executives and practitioners everywhere to pause and reflect: Could something like this happen to us?

If it can happen at a great institution like Wells Fargo, it can probably happen anywhere.

In a couple of posts, I have shared questions that should have been asked and that should drive similar questions at other companies. For instance, why did management set incentive goals that didn’t appear to be aligned with driving revenue or earnings? What led to the failure of the controls that were designed to ensure that customers approved the opening of accounts in their name? Why didn’t customer complaints lead to identification of the problem? Why was the problem allowed to continue for at least five years? Did management have any idea that the culture of the organization would permit such a pervasive scheme? What was the role of internal audit, of the compliance officer, of whistleblower provisions and of risk management?

In a podcast with MIS Training Institute (which I recommend), I made another point. I think this is critical for everybody to understand.

I said that when people feel they are able to get away with a minor fraud, they will do something else. The level of fraud may start small, but it almost always increases.

I asked what else has been happening at Wells Fargo.


The public reaction by the Wells Fargo CEO, John Stumpf, included an observation that the scam only involved at any time about 1,000 people of the 100,000 in the branch network.

Let’s set aside the fact that 5,300 people were fired over a period of five years and that this number does not count anybody who was less severely disciplined or not caught.

Let’s set aside the fact that 1,000 people fired in each of the last five years reflects a continuing failure and, to me, indicates a breakdown rather than a one-time failure in controls.

The point is that he seems to believe that this is a small level of incidence, almost (in my words) an acceptable level of risk.

See also: Bridezilla and Workers’ Comp Fraud  

I am drawn to agree that this is a low level of failure. I’m not sure it is so low that it would be acceptable.

Let’s talk reality.

While it looks and sounds good to say that an organization has zero tolerance for fraud, corruption and a failure to comply with laws and regulations, that zero level is just about impossible to achieve.

You would need somebody looking over everybody’s shoulder all the time to ensure that no inappropriate activity was happening, and somebody looking over that person’s shoulder to make sure they were watching properly.

All you can do is have what a prudent person would believe is a reasonable level of control, given the risk of fraud.

According to studies by the Association of Certified Fraud Examiners, the typical company loses about 6% of its annual revenue to fraud. That number includes theft of time, personal use of the company’s laptop and so on.

Is that an acceptable level? Maybe it is; maybe it isn’t. You decide for your company — and consider the cost of reducing the fraud risk. Is the cost greater than any reduction in fraud risk?

The same goes for compliance issues or the activity reported at Wells Fargo. Was a reasonable level of control in place? Could controls have been improved to reduce the risk without incurring substantial cost? I suspect the answer is yes, but we don’t know enough of the facts yet.


Let’s also consider other forms of fraud, abuse and corruption.

Are these acceptable practices, or are they another form of fraud?

  • The CEO of a multibillion-dollar company approves the funding of a charity of which his wife is the chair. There is no clear benefit to the company, no link to its operations.
  • In response to falling revenue and profits, the CEO of another company lays off about 10% of the workforce. The board awards him a $1 million bonus for completing the reduction in force. At the same time, the CEO spends $1 million to renovate the executive suite of offices.
  • A senior manager in IT refuses to provide support for the implementation of a disaster recovery plan because it is not included in his personal objectives.
  • The vice president of procurement for Malaysia refuses to follow instructions from the executive vice president (EVP) of procurement (to whom she does not report) and adhere to global contracts with major vendors negotiated by that EVP. Instead, she negotiates successfully with the local subsidiaries of those vendors. While she obtains better prices for Malaysia (for which she and her boss, the president of that region, are rewarded) she puts the corporate contract in serious jeopardy.
  • A senior executive decides to hire a friend.
  • The chairman puts pressure on the company to select as a director an individual whom he knows will vote his way rather than searching for a director who will add critical expertise.

All of these are situations where, in my view, individuals put their personal interests ahead of those of the enterprise as a whole.

They act in a way that brings them rewards but that hurts the company as a whole.

See also: How Bad Is Insurance Fraud Really?

While technically they have not stolen and have not broken any laws, they have acted inappropriately. I will let you decide what to call their behavior.

But let’s be honest: Self-dealing is ripe around the world. Very few are selfless, putting the interests of others ahead of their own.


So what does this all mean? Where am I going?

  1. What we have seen at Wells Fargo (based on the few facts we know) is, in some ways, normal human behavior. When people believe that the behavior is encouraged or at least not discouraged and that they will not be caught, they will “game” the system.
  2. While we focus on fraud, we might be better off focusing on behavior and actions. There are many forms of behavior that will harm the organization.
  3. We cannot prevent or even detect all actions that result in a loss to the organization. We need to understand all of its forms, the impact and likelihood of each, and ensure that we have the controls in place that provide a reasonable level of assurance that risk is at acceptable levels.
  4. Management must take ownership of the design and operation of those controls.
  5. Internal audit should provide assurance on the management of the more significant risks.
  6. When the level of risk that the controls are failing rises, the root causes must be investigated.
  7. A low level of fraud, if left alone, will normally grow until it is unacceptable.

I welcome your views.

Risk Management, in Plain English

For a while, I have been saying that one of the reasons for the disconnect between senior executives and risk practitioners is the latter’s language.

Leaders of the organization speak in plain English about the achievement of corporate objectives such as earnings, profits and projects.

Leaders of the risk management function talk about risks, impact or consequences and sometimes talk in technobabble about terms that only risk practitioners and statisticians understand, such as “risk capacity,” “alpha” and “residual risk.”

See also: How to Remove Fear in Risk Management

The traditional way of explaining the risk management process is (per ISO 31000):

  • Establish the context
  • Identify risks
  • Analyze risks
  • Evaluate risks
  • Treat risks
  • Communicate and consult (throughout the above)
  • Monitor and review (continuously)

Can this be translated into plain English?

How about this:

  • Anticipate what might happen
  • Analyze the possibilities
  • Ask: Is there a problem? Can we do better?
  • What are the options? Can we improve them?
  • Which is best?
  • Decide
  • Act
  • Review/monitor/learn

I especially like the work anticipate. It’s better than talking about “uncertainty,” another word that risk practitioners understand (I hope) but that executives find difficult.

See also: How Risk Management Drives Up Profits

Isn’t risk management all about anticipating what might happen between where we are and where we want to be?

I welcome your thoughts.

Can we practice risk management in plain English and help leaders make intelligent and informed decisions without even knowing that this is “risk management”?