Now imagine that we are going to provide an opinion about the risk of anything in your company. The approach would differ slightly depending on the department; as per the IIA, the different risk functions and reporting lines are the following:
Source: IIA UK
The principle is that the further you are from the fire, the more independent you are. It’s not exactly a skin-in-the-game efficient approach, but it’s the common and current best practice (I’m not going to challenge it in this post). Big companies (> 5K employees), especially if they trade on public stock markets, usually have this structure with little variance. We may enrich the previous picture with a fourth line of defence including external auditors or QA IA departments, but it’s ok. These big companies usually publish annual reports including many risks that shareholders shall consider. For instance, in the USA they are the famous 10-K reports required by the SEC. Let’s check, for example, the one from Microsoft, available here:
It is absolutely clear that this report should tell us what the company did in the last year and what it is going to do in the future, so current and potential shareholders know what they have. However, if we check the content, we can see that most of the information is about risks. The (regulated) structure of this report is more or less the same for companies trading on the USA stock markets. You can compare Microsoft with BofA, and even wonder about the differences:
- What company describes more risks?
- What company is more impacted by COVID?
- What company has more risk categories?
You can check the answers at the end of this post.
Managing a business in big companies is a complex activity with millions of activities and interactions, dependencies, etc. We can imagine that the organization chart of Microsoft or Bank of America has hundreds of pages, while the number of processes shall be (if they aim to be an efficient, platform-based business) much shorter. No matter whether your company is one of these, all of them have risks, people organised in different ways, assets and processes, many processes. Risks are an intrinsic component of any business; long story short: what you sell today to your customers may have 0 value tomorrow, so you are out of business.
Resource allocation for an effective (and efficient) risk assessment
What does the theory say? If we are internal auditors and we stick to the standards, this is what the IIA says:
“1220.A3 – Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.”
“2010.A1 – The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.”
“2010 – To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.”
That’s generic enough to allow doing many things, including the wrong ones, like the following:
Error 1 → The organization chart focus.
Microsoft or your favourite company may have a completely different organization; let’s see some examples with the help of Forbes and McKinsey:
Which one is yours? None? The creativity of HR and the advisory services of the Big4 can be quite high 😊 That said, risk functions sometimes pay excessive attention to the organisation and forget about the process. Actually, changes in the management team or in the way people are organised are attention points, red flags, that auditors and others usually consider potential sources of risk. That could be right: if there is change, there is risk. However, the opposite is also true. Lack of leadership may come in the form of ‘new’ managers that are ‘landing’ or ‘old’ managers that look at changes with resistance. An organization change is a weak argument to trigger an audit, that is, to allocate your risk resources, unless we focus on the processes. Excessive attention to the organization (resources) may reduce the value of the engagement if it’s not correlated with the operation. Business objectives are achieved through the operations, and the operations are (or shall be) organized in processes. Therefore, process-oriented audits will more likely address the significant risks of the organization.
Error 2 → The tech focus.
Sometimes new technologies come to make our lives easier, and that is a red flag in the mind of IT security functions, internal control or audit departments. If there is a new technology there is usually a new risk; for this reason we sometimes see audits, pentests or internal control sampling related to “Red Hat” systems, “Mainframe upgrade” or “CISCO networking”. This ‘technology-focused’ approach usually arrives at conclusions such as:
- Lack of hardening / default configuration / lack of patches.
- Excessive permissions granted and/or developers with access to production.
- Non-functional requirements missing.
- Project cost overruns and/or delays.
- Etc.
These are not technology-related problems but project / change management issues; so technology audits also have process-related issues.
The process approach
Spoiler: yes, this is the most efficient approach, the one that raises more risk for the organization per hour of auditor / tester. Since I’m specialised in IT, I will explain it using IT processes:
The first column describes some of the usual processes that IT departments (so, under the CIO) have to run in order to deliver service. The names shall ring a bell (not an exhaustive list) since they are common in ITIL / COBIT processes and other standards & best practices of reference. When the CIO looks at his people, he looks at the organization chart, the portfolio of services, the IT KPIs, etc. When an auditor looks at the CIO, he shall look at all of that, but also at the list of processes that the CIO has or should have. If there are no processes there is no structure; where there is no structure the maturity of the organization is low, and therefore people improvise or follow ‘professional judgment’ to keep the business running.
Note: ‘Professional judgment’ is the worst enemy of risk functions. But I will explain that another day.
So, if I am the head of an internal audit department and I plan considering:
- Organizational changes.
- Technology changes.
Chances are high that I don’t have the right focus or that I am missing ‘strategic’ or ‘key controls’ in my assessments. But these are not all the errors in this phase; others that we may see are the following:
- Input from senior management → Don’t get me wrong, this input is important to plan, schedule, align, understand business priorities, etc. But if this is the key reason, that is not a risk-based decision; actually, it can be a bias in the decision-making process.
- Audit cycle → Doing an audit just because time flies and we haven’t paid a visit to some people for three or five years is also a very weak argument. We need other red flags.
- Team / peer proposals → Sometimes we receive these ideas and they are absolutely necessary, sometimes quite good, but we need to be sure that they are risk- and data-driven and not hunch-driven, and also whether they fit within our Audit Universe or would be one-off, and why that matters.
- Etc.
So, how do we decide? How do we plan?
Taking a risk-based decision in order to plan your engagements is a complex decision, which means that you need to have the right information (key factors) in order to maximize the risk reported where and when it matters. Here you may say: wait a minute! We already have that information in the 10-K report of any publicly trading company; those are the priorities! That would be a good point, and if you ask the army of risk-function managers (starting from the CISO, Head of IRM/ORM/ERM / Compliance / Internal Audit, etc.) they will be able to map 99% of their plans, projects and testing to the strategy and key risks. The reason is that those risks are usually so generic and vague that almost ‘anything’ can fit inside (we may have some fun challenging the risk categories and the list of risks). So I am afraid that there is no easy answer; however, I will try to help you with some suggestions of relevant inputs, from the most relevant to the least relevant, for your resource allocation:
Note: Most of the icons have been downloaded from flaticon; the rights belong to the icon creators (like Chattapatk).
One last comment here. It is important that when you define what you are going to audit, test, check, whatever, you also define what you are not going to talk about. So, if a risk materialises with a high impact in the next sprint, quarter, year, etc., and it was not on your radar, it could be that you didn’t have the right priorities. For example, business continuity audits / projects after March 2020.
And that’s all about high-level risks and risk-function resource allocation. This topic is long to explain, but I tried to summarise the key concepts with the example of audit plans. In the next post of this series we will go deeper into the fieldwork and check how we analyse and test, and the many biases that we face in that process.
Microsoft vs BofA risk profile
* 10-K reports are always interesting to read, even if you are not an investor; they contain a lot of business and risk information that lets you know many details. I always recommend reading this report of your current employer (if that is possible). To the questions described before, here are the answers according to the information that these companies publish:
- What company describes more risks? Microsoft wins with 32, while Bank of America has 31.
- What company is more impacted by COVID? This is risk nº 1 for BofA, while it is part of another risk within the category of ‘general risks’ of Microsoft, almost at the end of the list.
- What company has more risk categories? Here the winner is BofA with 9 risk domains, while Microsoft has 7.
You can see the risk categories and risk titles (each one has a very long description) in the following table:
It is interesting to see that the weight of IT risk is ‘quite low’ for a bank that holds all its money in IT systems (…), while for Microsoft having liquidity does not look like a big deal even though their cash is more or less the same as their current debt (they are confident that BofA will lend to them 😊). Also, Microsoft does not report here the vulnerabilities of any of its products, even though the trend is to have more every year:
I guess that something big happened between 2013 and 2015. You can place your bet (new CEO, new software products, IaaS / PaaS / SaaS, digitalization, the migration from waterfall to agile methodology, or probably all of them), but as per the stock performance, it seems that no shareholder is concerned about that.
https://todoesseguro.blogspot.com/2022/01/the-metarisk-series-i-can-we-agree-on.html
https://todoesseguro.blogspot.com/2022/01/the-metarisk-series-ii-risk-bad.html
https://todoesseguro.blogspot.com/2022/01/the-metarisk-series-iii-company-risk.html