10 de enero de 2022

The metarisk series (III), company risk profile and risk-functions resources allocation.

 Now imagine that we are going to provide an opinion about risk about anything in your company. The approach would be slightly different depending on the department, as per the IIA the different risk functions and reporting lines are the following:

Source, IIA UK

The principal is that, the further you are from the fire, the more independent you are. It’s not exactly a skin in the game efficient approach, but it’s the common and current best practice (I’m not going to challenge it in this post). Big companies (> 5K employees), specially if they trade on public stock markets, usually have this structure with little variance. We may enrich the previous picture with a fourth line of defense including external auditors or QA IA departments, but it’s ok. These big companies usually public annual reports including many risks that shareholders shall consider. For instance in the USA they are the famous 10K required by the SEC. Let’s check for example the one from Microsoft available here:

It is absolutely clear that this report should talk us about what the company did in the last year and what it is going to do in the future, so current and potential shareholders know about what do they have. However, if we check the content, we can see that most of the information is about risks. The (regulated) structure of this report is more or less the same for companies trading in the USA stock markets. You can compare Microsoft with BOFA, even wonder about the differences:

-          What company describes more risks?

-          What company is more impacted by COVID?

-          What company has more risk categories?

You can check the answers at the end of this post.

Managing a business in big companies is a complex activity with millions of activities and interactions, dependencies, etc.. We can imagine that the organization chart of Microsoft or the Bank of America has hundreds of pages, while the number of processes shall be (if they aim to be an efficient, platforms based, business) much shorter. No matter if your company is any of these, all of them have risks, people organised in different ways, assets and processes, many processes. Risks are an intrinsic component of any business , long history short: What you sell today to your customers may have 0 value tomorrow. So you are out of business.

Resource allocation for an effective (and efficient) risk assessment 

What does the theory says? If we are internal auditors and we tick to the standards, this is that the IIA says:

1220.A3 –Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

2010.A1 – “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process”.

2010 – To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls”.

That’s generic enough to allow to do many things, also the wrong ones, like the following:

Error 1 à The organization chart focus.


Microsoft or your favourite company may have a completely different organization, let’s see some examples with the help of Forbes and Mckensey:


Which one is yours? No one? The creativity of HHRR and advisory services of the BIG4 may be quite high 😊 Saying this, risk functions sometimes may pay excessive attention to the organisation and forget about the process. Actually, changes in the management team or the way people are organised are attention points, red flags, that usually auditors or others consider as potential sources of risk. That could be right, if there is change there is risk. However, the opposite is also true. Lack of leadership may come in the form of ‘new’ Managers that are ‘landing’ or ‘old’ Managers that look at changes with resistance. An organization change is a weak argument to trigger an audit, that is to allocate your risk resources, unless we focus on the processes.

Excessive attention to the organization (resources) may reduce value of the engagement If it’s not correlated with the operation. Business objectives are achieved through the Operations and the operations are (or shall be) organized in processes. Therefore, process oriented audits will more likely address the significant risks of the organization.

Error 2 à The tech focus.

Sometimes new technologies are coming to make our lives easier and that is a red flag in the mind of IT Security functions, internal control or audit departments. If there is a new technology usually there is a new risk, for this reason sometimes we see audits, pentests or internal control sampling related with “Red Hat” systems, “Mainframe upgrade” or “CISCO networking”. This ‘technology-focused’ approach usually arrives to conclusions such as:

-          Lack of hardening / default configuration / lack of patches.

-          Excessive permissions granted and/or developers with access to production.

-          Non-functional requirements missing.

-          Project cost overruns and/or delays.

-          Etc.

Which are not technology related problems but project / change management issues so, technology audits also have process related issues.

The process approach

Spoiler: Yes, this is the most efficient approach. The one that raises more risk for the organization per hour of auditor / tester. Since I’m specialised in IT I will explain that using IT processes:

First column describes some of the usual processes that IT departments (so, under the CIO) have to run in order to deliver service. Names shall ring a bell (not exhaustive list) to you since they are common in ITIL / COBIT processes and other standards & best practices of reference. When the CIO looks to his people it looks to the organization chart, to the portfolio of services, to the IT KPIs, etc. When an auditor looks to the CIO he shall look to all of that, but also to the list of processes that the CIO has or should have. If there aren’t processes there is no structure, where there is no structure the maturity of the organization is low and therefore people improvise or follows ‘professional judgment’ to keep the business running

Note: ‘Professional judgment’ is the worst enemy of risk functions.

But I will explain that another day.

So, if I am the head of an internal audit department and I plan considering:

-          Organizational changes.

-          Technology changes.

Chances are high that I don’t have the right focus or that I am missing ‘strategic’ or ‘key controls’ in my assessments. But these are not all the errors in this phase, others that we may see are the following:

- Input Senior Management à Don’t get me wrong, this input is important to plan, schedule, align, understand business priorities, etc. But if this is the key reason that is not a risk-based decision, actually can be a bias in the decision-making process.

- Audit cycle à Doing an audit just because times flies and we don’t pay a visit to some people since three or five years ago is also a very weak argument. We need other red flags.

- Team / peer proposals à Sometimes we receive these ideas and they are absolutely necessary, some times quite good, but we need to be sure that are risk&data driven and not hunch-driven, also if they fit within our Audit Universe or they would be one-off and why that matters.

- Etc.

So, how do we decide? How do we plan?

To take a risk-based decision in order to plan your engagements is a complex decision, which means that you need to have the right information (key factors) in order to maximize the risk reported where and when it matters. Here you may say, wait a minute! We already have that information in the 10K report of any publicly trading company, those are the priorities!

That would be a good point and if you ask to the army of risk-functions managers (starting from the CISO, Head of IRM/ORM/ERM / Compliance / Internal Audit, etc.) they will be able to map 99% of their plans, projects and testing with the strategy and key risks. The reason is that those risks are usually so generic and vague that almost ‘anything’ can fit inside (we may have some fun challenging the risk categories and the list of risks). So I am afraid that there is no easy answer, however I will try to help you with some suggestions of relevant inputs from the most relevant to the less relevant for your resource allocation:








Note: Most of the icons have been downloaded from flaticon, rights are from the icon creators (like Chattapatk).

One last comment here. It is important that when you define what are you going to audit, test, check, whatever, defines what you are not going to talk about. So, if a risk materialises with a high impact in the next sprint, quarter, year, etc. And it was not in your radar, could be that you didn’t have the right priorities. For example, business continuity audits / projects after March 2020.

And that’s all about high-level risks and risk-functions resources allocation. This topic is long to explain but I tried to summarise the key concepts with the example of audit plans. In the next post of this series we will go deeper into the fieldwork and check how do we analyse, test and the many bias that we face in that process.

Microsoft vs BofA risk profile

* 10K reports are always interesting to read, even if you are not an investor, they contain a lot of business and risk information that allows to know many details. I recommend always to read this report of your current employer (if that is possible). To the questions described before, here the answers according to the information that these companies publish:

- What company describes more risks? Microsoft wins with 32, while the Bank of America has 31.

- What company is more impacted by COVID? This is the risk nº1 for BofA while it is part of another risk within the category of ‘general risks’ of Microsoft. Almost at the end of the list.

- What company has more risk categories? Here the winner is BofA with 9 risk domains, while Microsoft has 7.

You can see the risk categories and risk titles (each one has a very long description) in the following table:

It is interesting to see that the weight of IT risk is ‘quite low’ for a bank who holds all his money in IT systems (…), while for Microsoft having liquidity does not look a big deal even though their cash is more or less the same than their current debt (they are confident that BofA will lend them 😊 ). Also Microsoft does not report here the vulnerabilities of any of its products even though the trend is to have more every year:

I guess that something big-happened between 2013 and 2015. You can place your bet (new CEO, new software products, Iaas / PaaS, SaaS, digitalization, the migration from waterfall to agile methodology or probably all of them), but as per the stock performance, it seems that no shareholder is concerned about that.

https://todoesseguro.blogspot.com/2022/01/the-metarisk-series-i-can-we-agree-on.html

https://todoesseguro.blogspot.com/2022/01/the-metarisk-series-ii-risk-bad.html

https://todoesseguro.blogspot.com/2022/01/the-metarisk-series-iii-company-risk.html

0 comentarios: