Shostack + Friends Blog Archive


Discussing Norm Marks' GRC Wishlist for 2012

Norm Marks of the famous Marks On Governance blog has posted his 2012 wishlist.  His blog limits the characters you can leave in a reply, so I thought I’d post mine here.

1.  Norm Wishes for “A globally-accepted organizational governance code, encompassing both risk management and internal control”

Norm, if you mean encompassing both so that they are tightly coupled, I respectfully disagree.  Ethically, philosophically, these should be separate entities and ne’er the twain should meet.  Plus, accountants & auditors make poor actuaries.  See the SoA condemnation of RCSA.

Second, the problem with a globally accepted something is that it limits innovation.  We already have enough of this “we can’t do things right because we’ll have to justify doing things differently than the global priesthood says we have to” problem to deal with now.  Such documentation will only exacerbate the issue.

2.  Norm wishes for: “The convergence of the COSO ERM Framework and the global ISO 31000:2009 risk management standard.”

See #1, part 2 above.

3.  Norm wishes for:  “An update of the COSO Internal Control Framework that recognizes that internal controls are the organization’s response to uncertainty (i.e., risk), and you need the controls to ensure the likelihood and effects of uncertainty are within organizational tolerances.”

First, risk only equals uncertainty if you’re one of those stuck in the early 20th century Knightians.  For those that aren’t, and especially actuaries and Bayesians alike, uncertainty is a factor in risk analysis – not the existence of risk.

Second, this wish seems to be beholden to the fundamental flaw of the Accounting Consultancy Industrial Complex – that Residual Risk = Inherent Risk – Controls.  Let me ask you, what controls do you personally have against an asteroid slamming into your house?  But is that “high” risk?  Do you operate daily as if it’s “high” risk?  Why not?  Certainly you have weak controls, and most people would argue that their house and families are of high value…

The reason it’s not “high risk” is because of frequency.  Yes, frequency matters in risk – and your RCSA process doesn’t (usually, formally) account for that.
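To make the asteroid argument concrete, here is an added example (not from the post) that scores the same two constructed scenarios with the ordinal "inherent minus controls" model the post criticises and with a frequency-aware expected-loss view; the scenario values and the rating thresholds are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed scenarios: magnitudes in currency units, frequencies in events/year.
@dataclass
class Scenario:
    name: str
    magnitude: float        # loss if the event occurs
    annual_frequency: float # expected occurrences per year
    control_strength: int   # 0..5 ordinal score, as an RCSA would record it

def rcsa_residual(s: Scenario) -> str:
    """RCSA-style rating: ordinal inherent score minus control score.
    Frequency never enters the calculation (assumed thresholds)."""
    inherent = 5 if s.magnitude >= 100_000 else 3 if s.magnitude >= 10_000 else 1
    residual = max(inherent - s.control_strength, 0)
    return "high" if residual >= 4 else "medium" if residual >= 2 else "low"

def annualised_loss(s: Scenario) -> float:
    """Expected annual loss: frequency times magnitude."""
    return s.annual_frequency * s.magnitude

def frequency_aware_rating(s: Scenario, tolerance: float) -> str:
    """Rate against an organisational tolerance (assumed: a single currency threshold)."""
    return "high" if annualised_loss(s) > tolerance else "low"

def rank_by_expected_loss(scenarios: list[Scenario]) -> list[str]:
    """Order scenarios the way a frequency-aware risk manager would prioritise them."""
    return [s.name for s in sorted(scenarios, key=annualised_loss, reverse=True)]

# Constructed inputs: a house-destroying asteroid (no controls, vanishingly rare)
# versus routine phishing losses (decent controls, happens a couple of times a year).
ASTEROID = Scenario("asteroid", magnitude=500_000, annual_frequency=1e-7, control_strength=0)
PHISHING = Scenario("phishing", magnitude=20_000, annual_frequency=2.0, control_strength=3)

if __name__ == "__main__":
    for s in (ASTEROID, PHISHING):
        print(f"{s.name:9} RCSA={rcsa_residual(s):6} "
              f"ALE={annualised_loss(s):>10.2f} "
              f"rated={frequency_aware_rating(s, tolerance=10_000)}")
    print("priority:", rank_by_expected_loss([ASTEROID, PHISHING]))
```

The RCSA column calls the asteroid "high" and phishing "low"; the expected-loss column inverts that ordering, which is the post's point that frequency has to be in the model.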

4.  Norm wants “guidance that explains how you can set guidance on risk-taking that works not only for (a) the board and top management (who want to set overall limits), but also for (b) the people on the front lines who are the ones actually making decisions, accepting risks, and taking actions to manage the risks. The guidance also has to explain the need to measure and report on whether the actions taken on the front lines aggregate to levels within organizational tolerances.”

Great idea, but for this one to work, you’d have to establish guidance around reward-taking, tolerance, etc., too.

5.  Norm wants “A change to the opinion provided by the external auditors, from one focusing on compliance with GAAP to one focusing on whether the financial reports filed with the regulators provide a true and fair view of the results of operations, the condition of the organization, and the outlook for the future.”

I’m going with “bad idea” on this one.  Accountants != entrepreneurs.  Despite all their longing for control, power, and self-importance.

6.  For Norm, regulators should receive “An opinion by management on the effectiveness of the enterprise-wide risk management program. This could be based on the assessment of the internal audit function”

I’m confused, how is the internal audit function in any way at all related to the quality of decision making?  Assurance is *an* evidence, a confidence value for specific risk factors.  It seems that Norm is saying that assurance is *the* evidence in total.

Frankly, very few accountants have training or exposure to probability theory, decision theory, or complexity theory.  Until they *do*, my wish for 2012 is that CPAs reserve judgement on people trying to use real methods to solve real problems.

7.  Norm wants: “A change in attitude of investor groups, focusing on longer-term value instead of short-term results.”

AGREED and +1 to you Norm!

In 10a, Norm desires that “audit engagements should be prioritized based on the risk to the organization and the value provided by an internal audit project.”

ABSOLUTELY NOT.  Unless audit engagements are to be prioritized by the faulty idea of “Inherent Risk”.

Example, as a risk manager – I may have relatively stable frequency and magnitude of operational losses.  They may fall into a “low” tolerance range established by an ERMC or something.  But even though I am doing a good job (or really lucky) I may really be concerned about the process enough to warrant a high frequency of audit.  There are just so many concerns about this sort of approach by an auditor (from a risk/actuary standpoint) that I can’t disagree more.

In point 11 Norm’s wish is “An improved understanding by the board and top management of the value of internal audit as a provider of assurance relative to governance, risk management”

Me too, but I don’t think Norm and I agree on that “value.”

Again, for a mature risk management group, the value of assurance is simply the establishment of confidence values for certain inputs.  And frankly, if the board and top management understood that, I’m not sure Norm would really want them to, because many times the assurance is really a reinforcement of confidence/certainty, and frankly is a job that can easily be done with a risk model that reduces SME bias.

Finally, Norm “would like to see the term “GRC” disappear”

AMEN.  To use the ISACA/Audit terminology, Compliance is just “a risk.”  To use risk terminology, Compliance is a factor that contributes to secondary or indirect losses.

So, I’m with you – I’d like to see GRC taken out behind the shed.  Where I differ is that’s not because it becomes coupled with risk management, but rather because for me compliance aligns better with the authoritarian world of audit rather than a discipline like risk whose goal is to reduce subjectivity, or a discipline like governance whose role is to optimize resource expenditures.

2 comments on "Discussing Norm Marks' GRC Wishlist for 2012"

  • Norman Marks says:

    Thank you for your comments on my blog post.

    I think we have a disagreement on the definitions of risk and risk management. I ascribe the definitions in the global ISO 31000:2008 standard, with the COSO ERM framework a second-best alternative.

  • Alex says:

    And that’s kind of my point in a couple of those. If I were to adopt those definitions of risk management, I’d actually be doing a *worse* job, or forced to do a worse job of running my group and reporting to my various executives (as a holding company, I get to report to literally dozens).
