This series of articles is an irreverent, tongue-in-cheek look at the serious business of risk management and compliance and the lack of scientific rigor dressed up in charts and graphs, which have an appearance of legitimacy, but tell us little about risks.
First of all, let me say that risk management and compliance are important functions and deserve to be taken as seriously as any other discipline in business and government to ensure efficient operational outcomes. My point in these articles is to point out where many firms diverge from serious risk management into the realm of mystery cloaked as rigor.
Victim #2: Internal Controls vs. Risk Management
If you work in risk management, you may be familiar with the “nerd debate” between audit and compliance about the importance of risk management and internal controls. At one point in my career, I was responsible for both risk and compliance, so I won the argument with myself but continued to debate with audit over the risks in internal controls.
Here is a typical scenario: Audit performs a review of internal controls, policies and procedures, or monitoring processes designed to prevent, correct and/or detect weaknesses. Depending on the audit department’s designated range of severity (e.g., significant, moderate or minor), a final audit report is sent to management for corrective action and a debate ensues regarding the significance of the finding.
The audit process is an important part of the control environment at all firms and is frequently cited as a key “line of defense” function in the Three Lines of Defense mantra in internal controls design. Audit’s review with management is oftentimes a very frustrating experience from both the auditor’s and management’s perspective.
However, any pushback by management is often viewed by auditors as resistance to the findings. On the other hand, management frequently feels that auditors do not understand or have not taken into account secondary or tertiary mitigating controls in the event primary controls fail. Inevitably, the following questions may be asked of auditors:
- “What is the risk?”
- “May I accept the risk?”
Another option (my favorite) is “I disagree with the risk, and here are my counterpoints.” This often leads to a stalemate that may never get a complete resolution. Sound familiar?
As everyone knows, auditors have some leverage in the argument, as these findings are part of the reports to senior management and are selectively presented to directors on the Board’s audit committee. Management, on the other hand, does have a valid point in arguing for context from a risk perspective and does not want to be perceived as uncooperative or, worse, deficient in managing their operations. These debates happen in many organizations at all levels of the firm, yet the process for fully addressing internal controls design has not changed in decades. What is the problem?
Several factors contribute to poor internal control design, resulting in a perpetual nerd debate that is never fully resolved. Needless to say, there is a lot to unpack on this topic, but I will offer a few relevant observations. To fully understand the problem, we should look at the opportunities from the auditor’s perspective first, then take on management.
Each year, auditors develop an audit plan based on current issues, the past year’s findings and new regulatory mandates determined to be most relevant. The audit plan is packed with initiatives, some driven by management, the Board or external auditor collaboration. Many internal audit functions are so busy that much of the work must be subbed out to external audit or consultants who subsidize the audit work, not the costs.
Busy audit functions appear to add value from this work, but in truth, it’s hard to quantify the cost benefit and the real reductions in the total cost of risk or compliance (hereinafter TCoR and TCoC). The TCoR/TCoC is a concept from the insurance industry, but it is equally relevant for all risk professionals to understand and measure their work against. The TCoR/TCoC is a measurable calculation that should be the yardstick for improvement of any risk management program. How you measure TCoR or TCoC is up to you, but there should be a number associated with risk and compliance. Otherwise, how do you evaluate the ever-increasing costs of audit, risk and compliance functions?
Next, auditors should create two tiers of audits:
Tier I should focus on internal control design primarily. Rarely will you find a core focus on internal control design at the level I am describing. Basically, auditors should “recommend” opportunities to automate internal controls to relieve operations personnel of the expanding cognitive load that comes with “yet another policy or procedure” requiring a manual process.[i]
Firms spend the bulk of their capital on customer-facing technology while short-changing operations to work out the details on the back end. In my unscientific research I have determined that 98 percent of operational risk is the result of cognitive load, or what is known as decision risk. The vast majority of operational risk, fraud and other internal control failures come from human decision making, intentional or otherwise.
If you could save 50 to 80 percent of operational losses simply by automating key internal controls over a five-year period, real benefits could be realized to the bottom line. I am convinced that auditors, compliance and risk professionals’ focus on high-frequency/low-impact risks is to the detriment of addressing the true risks hidden beneath the surface.
Tier II audits should focus on a risk-based approach. Not the version used today by audit firms in which they decide what the risks are. I am talking about a truly risk-based approach driven by a quantitative analysis of events. With few exceptions, auditors do not have a robust database of losses, events or IT issues to identify high-risk exposures, so they rely solely on qualitative determinations of risk, which is the major cause of nerd debates.
If you don’t believe me, the next time you are presented with a significant or material finding in an audit report, ask the auditor to explain the distribution of probabilities of expected failure that led to the audit finding. This will be a short conversation if you tell the auditor that you need this information so that senior management can prioritize this finding with the other initiatives they have on their plate.
Audit opinions are an important part of the oversight process and should not be taken lightly. However, I am suggesting that a risk-based approach should not be opinion-based; it should be measurable. The TCoR/TCoC will continue to rise unless a better approach is taken to measure risk reduction.
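The quantitative, event-driven approach described above, and the TCoR yardstick introduced earlier, can be shown concretely. The following is an added example, not code from the article's author: it takes a small loss-event log (the events, control ids, dollar amounts and control costs are all constructed for illustration) and produces the figures a finding should carry, namely annual frequency, mean severity, expected annual loss per failed control, the empirical probability that a year's aggregate loss exceeds a threshold, and a simple TCoR-style total of expected losses plus control operating cost.

```python
"""Quantify audit findings from a loss-event log instead of opinion.

All data below is constructed sample data with hypothetical control ids;
none of it comes from the article or from any real firm.
"""

OBSERVATION_YEARS = [2019, 2020, 2021, 2022, 2023]

# Constructed loss-event log: (year, id of the control that failed, loss in USD).
# CTRL-A is a high-frequency/low-impact manual control, CTRL-B is a
# low-frequency/high-impact one, CTRL-C sits in between.
EVENTS = [
    (2019, "CTRL-A", 500), (2019, "CTRL-A", 700),
    (2020, "CTRL-A", 650), (2020, "CTRL-B", 250_000),
    (2021, "CTRL-A", 800), (2021, "CTRL-A", 450), (2021, "CTRL-A", 600),
    (2021, "CTRL-C", 12_000),
    (2022, "CTRL-A", 550), (2022, "CTRL-C", 8_000), (2022, "CTRL-C", 9_500),
    (2023, "CTRL-A", 900), (2023, "CTRL-A", 400), (2023, "CTRL-B", 180_000),
]

# Constructed annual cost of operating each control (staff time, tooling), USD.
CONTROL_COST = {"CTRL-A": 20_000, "CTRL-B": 15_000, "CTRL-C": 5_000}


def aggregate_by_year(events, control, years):
    """Total loss per observation year for one control (zero for quiet years)."""
    totals = {year: 0 for year in years}
    for year, ctrl, loss in events:
        if ctrl == control and year in totals:
            totals[year] += loss
    return totals


def control_profile(events, control, years):
    """Frequency, mean severity and expected annual loss (EAL) for one control."""
    losses = [loss for _, ctrl, loss in events if ctrl == control]
    frequency = len(losses) / len(years)                     # events per year
    severity = sum(losses) / len(losses) if losses else 0.0  # mean loss per event
    return {
        "frequency_per_year": frequency,
        "mean_severity": severity,
        "expected_annual_loss": frequency * severity,
    }


def exceedance_probability(events, control, threshold, years):
    """Empirical probability that a year's aggregate loss for the control exceeds threshold."""
    totals = aggregate_by_year(events, control, years)
    return sum(1 for total in totals.values() if total > threshold) / len(years)


def rank_findings(events, years):
    """Order controls by EAL: the prioritisation an audit report should carry."""
    controls = sorted({ctrl for _, ctrl, _ in events})
    profiles = {ctrl: control_profile(events, ctrl, years) for ctrl in controls}
    return sorted(profiles.items(),
                  key=lambda item: item[1]["expected_annual_loss"], reverse=True)


def total_cost_of_risk(events, control_cost, years):
    """TCoR-style yardstick: expected losses plus the cost of running the controls."""
    expected_losses = sum(control_profile(events, ctrl, years)["expected_annual_loss"]
                          for ctrl in control_cost)
    return expected_losses + sum(control_cost.values())


if __name__ == "__main__":
    for ctrl, profile in rank_findings(EVENTS, OBSERVATION_YEARS):
        p_big_year = exceedance_probability(EVENTS, ctrl, 100_000, OBSERVATION_YEARS)
        print(f"{ctrl}: {profile['frequency_per_year']:.1f} events/yr, "
              f"mean severity {profile['mean_severity']:,.0f}, "
              f"EAL {profile['expected_annual_loss']:,.0f}, "
              f"P(year > 100k) = {p_big_year:.2f}, "
              f"control cost {CONTROL_COST[ctrl]:,}")
    print(f"TCoR: {total_cost_of_risk(EVENTS, CONTROL_COST, OBSERVATION_YEARS):,.0f}")
```

Run as-is, the ranking puts CTRL-B first even though it fails far less often than CTRL-A, and it shows that the constructed control cost of CTRL-A is many times its expected annual loss. Those are exactly the two numbers that turn "what is the risk?" into a short conversation: the finding's position relative to other initiatives, and whether the control is worth what it costs to run. A real loss database would of course be larger, and five observation years is a thin basis for low-frequency events, which is why the exceedance figure is reported alongside the point estimate rather than instead of it.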
Management should work closely with audit to understand internal control design. The car industry, aerospace, NASA and other industries have become safer and reduced risks by minimizing the cognitive load on humans who perform complex tasks and maintain high levels of quality performance. We all get tired, and when we do, things slip. We are asking entry-level Millennials to perform at high levels while we allow them access to their social media accounts to keep up with sports news and the latest Kardashian Instagram posts! Something will break in the balance.
The insider threat and operational risks have been perennial problems. Why not simply incorporate internal controls into operating systems and allow operations staff to focus on customers’ needs most efficiently? If you look at the majority of cyber risk events, the primary vulnerability is not security defense posture but human behavior – including the inability of security personnel to keep up with manual processing and updates to internal control maintenance.
In order for this transformation to work most effectively, management must have data to understand why high-frequency/low-impact risks exist! Is it because of complex policies and procedures? Manual workarounds? A lack of straight-through processing? Or other factors? Automating poorly designed controls saves money and reduces risks.
It also helps to reduce the debate about what risk and good internal controls design are.