Joint risk assessment and single audit, sitting in a tree ...

Loss of added value

Internal audit and external audit both present their findings during the same audit committee meeting. It turns out that both structures independently audited the same entity which is part of the wider organisation. A lot of their findings align. They actually turn out to be comparable to some of the issues raised by the production quality people which were discussed during the last meeting between management and the directors of the organisation. Is that really adding value? I think not.

Different manifestations, same root cause

These type of occurrences are more common than we believe. Talking to members of boards and audit committees, we learn that different stakeholders across and even outside organisational often identify “problems” at around the same time period. These problems appear, at first sight, to be very different. The different stakeholders then each ask their “audit capability” (their quality person, their internal auditor, their external auditor, their process consultant …) to look at the problem. After investigation it turns out there is just one or at the most a very limited number of underlying causes.

Either no one notices, except for the auditees who wonder why everyone is asking them about the same problem, independently. Sometimes, it even turns ugly, with different audit entities fighting over 'jurisdiction' of this problem. Visibility and internal political power will likely take precedence over competence.

Wasting oversight resources

What a waste of time and resources. It is highly frustrating for the audit committee members who, in a reality of constrained resources, look at optimizing their available means or even using means beyond their direct control. However, confronted with the trump card of independence of for example the external auditor, their ability to plan to the advantage of their own organization, the organization that is ultimately paying for these services, gets severely hampered.

Overlapping areas of responsibility

Few supervising structures are willing to let go of or share assessment responsibility of areas they believe to be in their area of responsibility. The problem becomes markedly complex when the areas of responsibility overlap. Given the number of roles currently playing on the GRC (the governance, risk and compliance) field, the risks for suboptimalisation of oversight become very clear.

Just today, Marie-Hélène Laimay, senior Vice President, audit and internal control assessment for Sanofi shared an interesting example during the yearly European Commission IAS conference. Quality problems in pharmaceuticals production will have impacts on quality, revenue and the patients. They will touch quality auditors, internal and external auditors and the clients, the patients. But who takes charge of analyzing the issue?

Single audit, multiple areas of expertise

Only a single audit approach with at least a shared and ideally a common risk assessment can optimize the use of the available oversight resources within an organisation. It makes little to no sense to have multiple oversight structures reviewing the same underlying problem. However, we need to recognize the differing needs of external auditors, internal auditors, quality auditors and the like.

A single audit solely managed and executed by one of the oversight structures is therefore likely not to provide an adequate answer to each of these problem stakeholders. Single audits are not necessarily executed by an audit team coming from one single source. Ideally, for those relevant risks which appear in the audit programs of all oversight structures, joint teams would be brought together to allow a response to all relevant questions asked.

Risk assessment and audit, sitting in a tree …

The reality of limited resources available to audit committees require some time of joint risk assessment and, where overlaps exist, a single audit approach executed by a mixed audit team.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

On teaching

This stray but very powerful thought just hit me:

Teaching is, to me, still the most compelling reason to learn something new, either by exploring new horizons or, more importantly, by critically reexamining those areas I thought I knew.

Something that just came to me and that I wanted to share.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

TextExpander: support with a smile

I'm a heavy TextExpander user and I love the application. Taking the time of setting up the text expansion "snippets" once and using them multiple times across different machines saves me time every single day.

Losing my snippets

But I had an issue. For some reason, after acquiring my MacBook Pro a couple of months ago, my beloved TextExpander started to behave, well, badly. It dropped the synchronisation with my Dropbox folder, requiring me to relink to the synchronisation file again and again. Now, I'm a slow learner, so it took me a while to concede that this was not something I was going to solve myself, just by thinking about it.

Delightful support

So I made the support call, to Smile Software, the company that distributes TextExpander. Remember my discussion on delightful processes, based on Shawn Blanc's "Delight is in the details"? Well, Smile most certainly earns the accolade of a delightful support experience. They were quick in reacting to my query, especially considering they were at the other end of the world - kind of.

Guided self-assessment

In non-threathening wording they guided me through a self assessment of my system, and after a couple of exchanges they gave me clear instructions on how to log the events on my system for further analysis. Once I sent that information, they returned very quickly to me with an answer, to which the solution was so obvious that I managed to solve it myself. So, thanks Smile for a wonderful service experience.

A simple problem

Now, what went wrong, or what did I do wrong? Well, my MacBook has an SSD of 256 GB, and I wanted to avoid putting too much information on it. So I installed a 64 GB TinyDrive in the appropriate bay on which I put my Dropbox folder. What I did not know was that it takes some time for the system to mount the drive, during which time TextExpander was desperately seeking Dropbox, in the end deciding it was not there and reverting to factory settings, hence no snippets. An entirely logical thing to do.

A simple solution

So what did I do? The answer was very simple. I switched off startup at login for TextExpander and wrote a very short Keyboard Maestro macro that activates when I login, waits for 60 seconds, then starts up TextExpander. Problem solved.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

The "why" of storytelling

Maria Popova hits one out of the ballpark again with this "animated essay" on the importance of storytelling.

Two essential quotes from a great article.

In the first one, she describes in a very clear and concise manner the difference and the interrelation between information, knowledge and wisdom:

At its base is a piece of information, which simply tells us some basic fact about the world. Above that is knowledge — the understanding of how different bits of information fit together to reveal some truth about the world. Knowledge hinges on an act of correlation and interpretation. At the top is wisdom, which has a moral component — it is the application of information worth remembering and knowledge that matters to understanding not only how the world works, but also how it should work.

She then goes on to define what the contribution of a great storyteller should be:

A great storyteller — whether a journalist or editor or filmmaker or curator — helps people figure out not only what matters in the world, but also why it matters. A great storyteller dances up the ladder of understanding, from information to knowledge to wisdom. Through symbol, metaphor, and association, the storyteller helps us interpret information, integrate it with our existing knowledge, and transmute that into wisdom.

Spot on. I would extend this to anyone who is responsible for translating the amazing amounts of information available today into wisdom, such as data analysts or anyone who stands up in front of a group to assist them in making sense of "the data".

Go ahead, watch the video and read the transcript. It's excellent.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

A last comment on time budgeting

Throughout the articles on time budgeting, I was looking for a good wording for what I intuitively felt was a relevant and value added approach. Then I read this article on brainpickings.org, which words it in the most excellent and eloquent manner possible. In the words of Annie Dillard in her book "The Writing Life":

How we spend our days is, of course, how we spend our lives. What we do with this hour, and that one, is what we are doing. A schedule defends from chaos and whim. It is a net for catching days. It is a scaffolding on which a worker can stand and labor with both hands at sections of time. A schedule is a mock-up of reason and order—willed, faked, and so brought into being; it is a peace and a haven set into the wreck of time; it is a lifeboat on which you find yourself, decades later, still living. Each day is the same, so you remember the series afterward as a blurred and powerful pattern.

The original article can be found here, at the brainpickings.org website, an excellent analysis by Maria Popova. Do look at that site for other publications as well. Mrs. Popova writes great articles.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

How my areas of responsibility contaminated my contexts

My struggles with contexts

I don't know about you, but I have suffered through long years of struggle with contexts. I adore the idea that David Allen proposed in his work "Getting things done", but it took me a very long time to get them to work appropriately for me.

I scoured the internet looking for suggestions on how to best organize contexts. There are quite a few interesting articles out there. Nevertheless, I always ended up with a context structure that was way too complex and distracted from my work instead of making it easier.

An epiphany!

Fast forward a couple of years, where I had this epiphany. Now, the way I write it, it must read as if this was a sudden "Aha!" moment. To be more accurate, it was more like a glacial movement in my brain. Now, what did I realize? In order to explain that, I need to go back to the way I used to organize my context. To give you a quick and incomplete taste (just to show the issue ...):

  • Places / Work
  • Places / Home
  • Places / University
  • Places / Errands
  • Tools / Tools @work / Work phone
  • Tools / Tools @work / Intranet
  • Tools / Tools @work / Servers
  • Tools / Tools @home / iMac
  • Tools / Tools @home / Home phone
  • Tools / Tools @home / Internet
  • Tools / Tools on the move / MacBook
  • Tools / Tools on the move / iPhone
  • People / Family / Wife
  • People / Family / Kids
  • People / Friends / Friend 1
  • People / Colleagues / Colleagues @work / ...
  • People / Colleagues / Colleagues @university / ...

Now, looking at it, I see immediately what the significant issue was that caused my problems. Can you see it?

Identifying my mistake

In my effort to properly segregate my contexts, I made the mistake of mixing contexts and areas of responsibility. This led to a significant overcomplication of my contexts.

Now, someone like for example Sven Fechner goes all in when he defines his contexts as a set of physical and psychological boundary conditions. Depending on the location and/or state of mind he can select what he will be doing. That is not an approach that would work for me, but I can see how that would work.

A simple mix of contexts

I currently use a very simple mix of contexts, where I focused on tool changes. After all, one of the key advantages of working in a certain context during a period of time is that I do not need to step outside of that context. I can keep my "tool set" active throughout my work in that context. And that will optimize my use of time. Now, you will see that there are certainly overlaps, but the overlaps to me are less important that the fact that I can really stay in that one context and work my way through what I need to be doing.

I've opted not to introduce hierarchies, although I could. I want to avoid confusing myself, so I kept it very, very simple. Let's explore my contexts for a bit ...

Location specific contexts

I use the following contexts:

  • @BTC: my employer
  • @Antwerp Management School: a university management school where I teach
  • @Solvay Brussels School: another university management school where I teach
  • @home
  • @errands

These are physical locations. When I am physically there, these contexts pop up on my OmniFocus screen thanks to my iPhone's location based capabilities. That is actually the only reason why I created them.

Menial tasks contexts

I use the following menial task contexts:

  • @calls: whenever I have a couple of minutes and my phone with me, I can do calls
  • @emails: I have access to all my email accounts from wherever I am, so this context allows me to send out some emails whenever I have the opportunity
  • @agenda/planning: when I am doing my daily and weekly planning, I look at this context to make sure there is nothing in there that I need to make sure to put in my schedule somewhere.
  • @administration: a catch-all for other menial tasks that need to get done

For these, all I need is a computer or an iDevice and access to the internet.

Shipping contexts

I use the following shipping contexts:

  • @research
  • @thinking/brainstorming
  • @reading/reviewing
  • @writing/analysis

These contexts are where I earn my money. This is where I add my value. What I do here will ultimately lead to some kind of shipping of a "deliverable" which is what I do. You will note that there is no context @teaching. That's because my teaching is solely calendar-bound. Tasks in preparation for teaching will be part of the shipping contexts as I go through the activities that lead to slides and a document. The same with internal audit work for BTC or consulting work I do from my own small company. They all involve these shipping contexts.

Interaction context

I currently have a single interaction context:

  • @meetings/people

Whenever I meet people, either individually or during a meeting, this is the context I will open to make sure I covered everything I wanted to cover with them. Note this context will not be complete, but it will contain those subjects which I am likely to forget. It does not replace a meeting agenda, it provides me with essential input for that agenda.

Waiting for context

And then, of course, I have the waiting for context:

  • @waiting for

This one I use to trigger follow-up actions. I usually defer the action item until the moment I need to follow-up with the specific people.

Overlaps

Apart from the location contexts, which I established to use the location based triggers on my iPhone, the contexts are (largely) agnostic to my areas of responsibility, which was my biggest problem. Now, there is certainly some overlap between the contexts. If I consider for example the @meetings/people context and the location based contexts, I do meet people usually in the same place ... but not always. However, I have established the habit of checking my @meetings/people context right before the start of a meeting or at the end of a conversation, so if anything is in that context, I am quite sure it will show up.

Conclusion

And that's how I solved my context issue. I know that from very complex I have gone to very simple, but the fundamental use is there: I am able to stay in a context and avoid unnecessary tool changes. And that is what contexts are all about. And there is no longer any confusion with my areas of responsibility.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Delightful internal control processes in public sector organisations

Inspired by "Delight is in the details" by Shawn Blanc

The nascent public sector problem

Here's the problem: a lot of public sector organisations have been forced to shed a lot of what has long been considered their bloated structures. This often takes the form of personnel reductions. Some of these are retirees that do not get replaced in their functions. Some are public servants being moved around to other functions. Some are people leaving public service to try their luck in other sectors. At the same time, the tasks to be executed by the public sector remain the same or are, at best, reduced a bit. However, a government cannot immediately and radically reduce the service its citizens and private sector organizations have come to expect. The solutions are both a significant automation, mainly by means of information technology, and mainly in back-office activities, and an increase in the competency levels of the average public servant.

There is no silver bullet

Two considerations here: ICT will not solve everything, and is only as good at the software-implementor combination can make it, and the competency level of the average public servant is actually not necessarily lower than that of an average private sector collaborator.

The public's expectations only continue to increase

Meanwhile, the beneficiaries of the public sector activities, the public, expects that the core tasks of government are executed as well or better as before. This means that a core task should be executed efficiently, effectively, economically and ethically.

The road more traveled

There are two possible roads to achieve those ambitious objectives. The first one is the road more traveled by. A strong level of accountability is established, with strongly established hierarchical structures that "force" the collaborator to perform to a set of key metrics. This traditional approach imposes an order and a level of control that is wanted and required. I just wonder whether or not it is realistic, or whether it will lead to an increase in burn-out of public servants, leading to even larger problems over the long term.

From an internal control point of view, this approach asks for high degrees of internal controls, often added to existing processes. However, once those processes come under pressure, the internal controls added to them will quickly be abandonned, because performing them feels like it does not add any direct added value. And believe me, with further reductions of personnel and the usual teething issues with ICT, it is more than likely that the processes will come under pressure.

The road less traveled

There is another option, one I would like to refer to as the road less traveled by, the road not taken, referring to the poem by Robert Frost.

Qualitative performance is more important than quantitative performance

We can choose to optimize the processes not just from the point of view of quantitative performance, but also in terms of qualitative performance. The public wants a quality service, also from its government. Burden reduction initiatives are essential here. But it's not just the public we should target in this optimization exercise.

Engaging the process owner

The process owner should be able to execute his assigned tasks in the most logical, pragmatic way possible for him or her. This means stepping away from the production optimization mentality that has ruled pretty much any large scale organization since Ford's production chain. There is value in that, but we have likely exhausted that value years ago.

Tasks should not be executed for the benefit of executing a task, they should be executed for the benefit of the public. In addition, we need to establish ownership of the process related risks at the level of the process users themselves. That means that these people need to be allowed to manage their own risks, in the way most appropriate to them. Controls can be validated and optimized, but controls need to be adapted not only to the process and the context, but also to the process user as well.

The question then remains as to how we will monitor this. Nothing in the above excludes the measured use of metrics. Ideally, public sector can introduce some measure of performance based compensation, which should not necessarily be monetary at all.

It is okay to like your work

Ideally, process owners need to "like" doing the work they are asked to be doing. Now, like is of course a very subjective concept. I believe we can go a long way by translating a "liked" process as a process that is as simple as possible (but not simpler), logical, with tangible and measurable results, and ownership complemented by an accountability which is established not at the level of the individual metric, but at the level of the overall personal performance. Ideally, the end user of the public service, the public, has a say in how they appreciate what their public servants are doing.

This counterbalances a move which I often see for the establishment of traditional internal controls, attached to a process which are likely to be ignored under pressure.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Time budgeting: a thousand no's

Brian's question

Brian made the excellent point in this question that it wasn't clear to him whether putting in the time to time-budget was not more of a waste of time than a benefit.

His question is highly relevant. It would make no sense if I would do this exercise without it bringing me some benefit. But how do I know that the significant effort I put into my time budget development will pay off in better used time? How do I know that time budgeting pays itself back? I don't have a 100% certain reply to that ... but as an internal control practitioner, I know from experience that increased accountability generates increased awareness and increased care. Just like developing and following up a financial budget makes me aware how money flows into and from the hands of my family and my business, a time budget increases my awareness and my care for my time.

Lying to ourselves

That whole awareness also works at the level of self-accountability. And this is important as I know I am very good at lying to myself, usually without me being aware of it myself. Let me give you an example:

5 minutes for me are usually between 7 to 10 minutes long. That may seem laughable, or bizarre, but how accurate are you yourself in predicting use of your time? If I tell my wife I'm writing an article which will take me about 30 minutes, she knows we'll be leaving the house in 45 to 60 minutes.

Front and back

I'm constantly kidding myself about my use of my time and I often fail to properly account for its use at all. Put that together with the above, that means I have an issue at both the front- and the back-end of my process. Another example to clarify:

I started my career working for a Big 4 (then still Big 6) accounting and consulting firm. We billed our hours, and I remember the struggle the first time reports were when I had to remember what I had exactly done the previous week. I learned in the first few weeks that the only way to properly account for my time was to keep timely and detailed records of my use of time.

Increased awareness

What time budgeting adds to this for me is the awareness of the available time, the intended use I give to it and the conscious choices I make to either follow the budget or deviate from it, with all the consequences. I know how much time I have available to me and I know what I would prefer doing in that available time. I give my available minutes and hours a purpose.

A thousand no's

When I am "doing" (GTD parlance), when I am living my life, alternative choices will come up. The fact I have to make a choice is not something that I feel as a constraint. Rather, it allows me to not fill the available time with the first type of "relevant use" that comes by. I am not getting sucked into a use of time before I even consider all the alternatives. Rather, I make a conscious choice to either do as I planned to do or to deviate from that intention, to do the planned activity later or even never at all.

Note that I don't feel this is about rigidity at all, no, it is about me making a conscious choice because I have an intended use before any opportunity presents itself. It's like this Apple commercial: "There are a thousand no's for every yes."

A quick side note

To close, a quick side note: as to spending my time with my wonderful wife and kids, I hear you say that that should be evident, at it should not be planned. And perhaps you are right ... but consider this: explicitly marking that time in my time budget as "their" time helps me to say no to other tasks and activities or opportunities whenever they present themselves. It is a conscious choice on my part to spend that time with them and not on other things ... unless I pay them the respect they deserve and discuss with them the fact that there are opportunities that may benefit us all.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Working papers: it's not about you ...

It seems obvious, but it isn't

One of the key requirements of quality working papers is that they contain neither irrelevant information nor personal, subjective statements or opinions. It seems obvious, but during a recent external file review I was taken aback by what I found: personal observations, none too flattering, of an auditor on an auditee, right there, in the middle of the working paper.

Irrelevant storage is money wasted

There are a couple of reasons why this is so important. First, there is the most obvious reason. Whether kept physically or electronically, storage costs money. Irrelevant storage then is money wasted. The more clean and shed of irrelevant documentation your working papers are, the leaner they will be, the less they will cost to store over their intended lifespan.

Now, there is another side to this particular coin. Paraphrasing Einstein: "Keep it as simple as possible, but not simpler." Relevant information, which is information supportive of and essential to arrive at the conclusion of the working paper, needs to remain in the working paper. Only when we are absolutely certain the underlying information cannot be altered and will be retrievable over the intended lifespan of the working papers can we accept it is stored outside of the working papers, for example in an ERP system. Yet, I would err on the side of caution.

Do not waste time of your hierarchical superior

Second, think about your audience when writing too much or putting irrelevant information in your working paper. Your hierarchical superior will need to review and sign off on the working papers. In order to be able to do that, he or she will need to read through what you have written and review what you have gathered in terms of information. If you make them read through irrelevant information, you will waste their time, which costs money, and you will most certainly negatively influence their opinion of your as a professional.

Show respect, always, even if there is no direct liability

Speaking about being responsible, third, think about respect. Any subjective, personal observation, especially when it is irrelevant for the intended purpose of the working paper, shows a lack of respect for both the auditee and your hierarchical superior. Now, I'm making abstraction of potential liabilities that may result if such working papers would ever become public. Fundamentally, it is all about having a correct, respectful attitude towards your auditees. After all, you do expect them to be correct and courteous to you too, right? Well, you need to extend them that same favor, including keeping your subjective, personal ideas about them to yourself. You are participating as a professional member of an audit team in an audit, not as a contestant or a judge in a reality show.

A general rule

Now, there is a general, rather obvious rule I once heard which stuck for me: "Do not ever write anything in a working paper which would negatively reflect on you if that working paper became public."

Some working paper review ideas

A good exercise is to go through your working papers and look for indications of subjective writing. Indicators could be the use of verbs such as "feel", "believe", "think" as they indicate a certain leap of sorts, taken from objective, verifiable information to a position without adequate supportive evidence.

Also, you will want to look at the adjectives you use in your writing. Adjectives qualify, while the only subjective opinion an auditor should express in a working paper should be his conclusion on that specific working paper.

In conclusion

When writing working papers, make sure no irrelevant information or personal opinion creeps in. To avoid that:

  • don't overdocument: it costs money to store, it costs time (hence money) to review and it does not add value. But make sure you retain adequate basis for your conclusion in those working papers;
  • be respectful: your personal opinions on people or situations have no place in working papers. Actually, as a general rule, they don not have any place, period. Don't even share them with your colleagues. Keep it to yourself;
  • be sparse in your writing: do not embellish your working papers with unnecessary words or words that express subjective positions. You are not wring a work of literary fiction. You are creating a basis for an opinion or an as objective as possible report.

And that's why personal opinions and irrelevant information have no place in working papers.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Concluding on working papers

So what?

I sometimes review a working paper and think by myself: "So what?" Not in a derogatory, dismissive manner, rather in a silent sigh about an unfulfilled expectation.

A well written working paper without a good conclusion is like a good short story without a proper ending. It leaves me wanting more but not in a good way, and that's a pity. Worse, it's not very effective as I will need to develop the conclusions myself, immersing me more in the work than is strictly necessary during a review.

Four components to good conclusions

A good conclusion should tell me what I need to know in the most concise manner possible. A good conclusion needs the following four components to it:

  • An adequate basis for conclusion: "Based on ..." followed by a concise description of the basis of the conclusion is what I expect to find here. Essential is adequacy of the basis. The question to be answerd by this part of the conclusion is whether the conclusion is based on adequate evidence, analysis or testing work.
  • A competent person concluding: often forgotten, I need to read who is concluding on this evidence, this analysis or this testing. "We" does not do it. The reason is simple: as I reviewer, I am looking for assurance the person who drew the conclusion has adequate competency to come to the specific conclusion. If it is a conclusion on a highly technical matter, I don't want a staff assistant with a couple of weeks of experience to draw the conclusion. That is not credible.
  • A relevant conclusion: the wording can be highly diverse, but a conclusion itself needs to show clear relevance as to the purpose of the working paper itself. It needs to be clear that the conclusion can be reasonably reached based on the work done, given the basis and the competence of the person concluding.
  • Clear next steps: what needs to be done next needs to be clear as well. Most often, in case of conformity, this would be a phrase such as: "We pass further work." In case on non-conformity, it needs to be clear what will happen next, because that part will likely not be part of the work program.

An example

So, a good conclusion would, for example, be:

Based on the reconciliation testing done on the ERP/SAP ledgers and the sales system data for two months selected at random, the IT auditor concludes there are no material discrepancies between the ERP system information and the sales system information. We pass further work.

As your audience is the senior auditor, the manager and the Chief Audit Executive or the audit partner, you need to ensure each of them at their level can glean the relevant information from your conclusion as quickly and as completely as relevant and possible.

And that's why it's important to properly conclude on working papers.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Time budgeting: more follow-up

A reader made an excellent observation in this reaction on LinkedIn ... Time budget not used today will expire.

I fully agree, which actually cements me in my conviction that the only way I'm going to relevantly and usefully spend my time is by ensure that I have, in advance, a clearly defined use for that time. If I fail to do that consciously and appropriately, I will lose that time, never to see it again.

Let's illustrate that with a very concrete example:

I have a weekend day where I have let's say 12 real available hours. 8 out of 24 hours I sleep, 4 are spent eating, preparing to eat, showering and doing general maintenance work around the house.

Now, I have a couple of areas of focus I want to spend time in during the weekend, for example on Saturday, when I have other stuff to do. These are:

  • Home owner
  • Father
  • Husband
  • Writer/blogger

Each of these have typical activities related to them. Home owner for example has a recurring task which is "mow the lawn". Father has "play with kids" and Husband has "talk about past week with wife" and "go shopping for groceries", next to other tasks. Writer/blogger will have "brainstorm article on working papers" and "brainstorm article on the use of contexts in Omnifocus". I know that mowing the lawn, including set-up and clean-up, will take me about 2 hours (yes, my lawn is too large). I know that shopping for groceries, including putting everything away, will take me about 2 hours as well (what can I say, I'm picky) ... Brainstorming an article takes me anything between 20 minutes and one hour, while playing with the kids gets at least 3 hours, and I adore talking to my wife, hence we take 2 hours for that at least.

Now I have:

  • Home owner - Cut lawn: 2 hours
  • Father - Play with kids: 3 hours
  • Husband - Shopping for groceries: 2 hours
  • Husband - Talk to wife: 2 hours
  • Writer/blogger - brainstorm 2 articles: 2 hours
  • Tool switching and other 'loss' of time: 1 hour

Does this seem OCD? It most certainly does, but it is not. Why not? Let's look at the alternative ...

If I don't explicitly, proactively define what I am going to do with those 12 hours, I am likely to let my subconscious, lazy, procrastinating self dictate what I will be doing. Likely that will involve slacking off in front of the TV for a couple of hours of mindless (as compared to mindfull) procrastination.

Now, imagine my wife calls me to tell me her parents will be visiting us this weekend. They'll be arriving around noon and will likely leave at around 6PM. These are hours we will be spending with them, which means that some of the intended, budgeted time slots will drop. I make the choice to drop the writing and the lawn as well as the "talking to wife" because that gets replaced with "talking to wife and parents".

Completely different from a reactive scenario, this is an active choice of rebudgeting my time usage. It has, as any budget decision has, consequences, as it means I will have to cut the lawn another time, and make some time another day to do the writing if I want to keep up my publishing planning on my blog.

Active versus passive. Proactive versus reactive. Considered versus sprung-upon-you. What do you chose?

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Time budgeting: a follow-up

Using Timeful for a couple of hours

Based on the feedback from some readers with respect to this article, I've been playing around a bit with Timeful, an interesting iOS application developed with the support of Prof. Dr. Dan Ariely. Some of you suggested it may provide some answers to my issues with time budgeting and linking available time to to-do's.

First, I need to say I like the approach the application takes. It shows you all the competing time interests and suggests what can be done when, based on a number of underlying algorithms. This app looks like it takes an available time focused approach.

Still not a 'conscious' budget approach

That said, it does not fully answer the point that I have: it does not ask for a conscious available time assessment, it rather shows you what you have left. And that's where the issue lies, as far as I'm concerned. A budget approach such as YNAB first makes you very aware of what you have available to you, in money, and then asks you to divide that money over budget categories.

What I would like to see is an application, or a method, or a solution that would allow you to first make a clear overview of your available time for a certain context, for a certain area of focus, and then to confront you with your identified categories (call them projects in an area of focus, to stay within GTD parlance) and ask you to make the choices that need to be made.

Conscious choices focus on the "important, not urgent" quadrant first

I cannot stress enough the need to go about it this way: first identify what is available to us and then to give that time that you have committed to a job, every single minute of it. This is not about mechanically or even OCD like attributing time to projects: this is about making very conscious choices to first allocate time to an area of focus and then detailing how to use that time in that area of focus.

This is making very conscious choices for certain projects and activities and not for others. Whenever there is a conflict in your head, like with a spending decision, the fact that you have already made a choice beforehand, usually within a larger picture of reaching certain objectives will make that decision easier. It does not mean you will only focus on longer term goals, but rather than any choice not for a longer term goal means you are confronted with the impact of that decision on your longer term goal then and there.

It should, in my opinion and perception, lead to spending more time in the "important, not that urgent" quadrant rather than in the "Really urgent now, not very important, but yikes, it burns" quadrant.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Clearly written working papers

A quick stroll down memory lane

Let me take you on a quick stroll down my memory lane. I was a young auditor, fresh out of university, working on my second or third audit. I was a high potential, as I had already achieved mastery of those skills essential to a young staff assistant: I knew how to make one mean pot of coffee and I had decyphered the hidden workings of the mainstream copying machines. Real auditing I had not yet done, but I was ready and eager to take that next, defining step in my career.

I was asked to perform a reconciliation on cash balances, one of the most basic of external audit assignments. And I had every intention to audit these balances the way they had never been audited before. I was going to make a mark as the best staff assistant they had ever seen.

Before I go on, you need to know a bit of logistical context: we used to work with big yellow 14-column working papers in those days. I know this dates me a bit. The 14-columns, which folded in three to make a neat "letter" or "A4" sized "booklet" were ideal for documentation purposes. You attached the evidence, usually copies of relevant documents, to the left side of the paper and documented on the two right "sides".

There was some minor issue with the reconciliation, but as a first year staff assistant intent on immediate fame, it did not seem that minor to me. So I documented and documented, I wrote and wrote ... ending up attaching two more 14-columns to that already large initial one. As one side of one single 14-column covered about 3 standard "letter" or "A4" pages, that made for about 8 pages of documentation plus one page with evidence attached.

I very proudly showed up at the desk my senior was sitting at. If I would have been a dog, there would have been tail wagging involved. A lot of it. My senior looked at the working paper, in amazement and disbelied which I, for a second there, mistook for admiration, then uttered something I - to this day - refuse to believe was anything else than: "You have got to be kiddin' me ..." pulled off the evidence and shredded the entire working paper. Needless to say it took a bit of time, because there was a lot of paper. He then sent me away with a simple: "Again, and to the point."

Six considerations for better working papers

I was heart broken. There went all my good work. That evening, he took the time to show me what was wrong with my well-intentioned approach. That one evening has taught me what it really means to write clear and concise working papers. He told me that:

  • my main audience was him, the audit manager and the audit partner when they were reviewing the working papers. Each of them was under significant time and budget pressure and had a lot of other, more important work to do. They needed to be able to glance at the working paper and see immediately whether or not there was an issue and if so, what that issue was.
  • my working paper was not a work of literary art, nor should it be. Write what needs to be written, but nothing more. Be concise. Be clear, use often used words that can only be interpreted in the way they were intended to be. That was also intended for the secondary audience, third parties reviewing the working papers in case of issues.
  • If there was no issue or even a minor issue, I need to state that clearly. I did not have the obligation to recount, in detail, what my testing approach was if that was already documented in the work program. And if it wasn't, I first needed to explain why I adopted an alternative approach than the one well established over years of auditing that specific client. In case of no or minor issues, I need to sign off on the work program indicating the work had been performed and I needed to conclude on the working paper.
  • If there was a material issue, I needed to explain what the issue was, what its potential impact could be, what my sources of information were and how I validated these sources of information in as far as that had not yet been described in the work program.
  • The cut-off on whether or not something was important was the materiality established by the manager and the senior prior to the audit. Materiality was not based on my opinion, it was based on an objective, reproduceable calculation. Nothing more, nothing less. Materiality is a risk acceptance threshold.
  • writing in pencil instead of a pen may feel very junior high, but it allows for comments and calculations on working papers to be erased and rewritten with ease. That's an efficiency point, both for writing and reviewing. Most managers and partners don't like to review working papers with visible and confusing corrections, as these again ask for time to review and understand.

It is essential to be as concise and as clear as possible when writing working paper documentation. The purpose of the documentation is to ensure your analysis can be reviewed and if necessary reperformed based on the available data, leading to the same conclusions you had.

Good documentation is essential, especially using CAAT

Ensuring your working papers are written as clearly and as transparantly as possible becomes even more essential when you are performing computer aided testing. While likely the least exciting part of the analysis, documentation is a must-do considering that this type of testing can quickly take you down the proverbial data rabbit hole, following interesting data threads. If you do not clearly document what you are doing in every step of that process, understanding and reperforming your analysis will become difficult if not impossible, even for yourself. It is therefore important to be as concise and as clear as possible.

If ..., then ...

If you fail to produce clearly written working papers, there are two possibilities:

  • in the best case, your audit senior and manager will give you the benefit of the doubt but will not be able to adequately judge the relevance of your work. This reflects poorly on you, and if you have made a mistake, you will be responsible for the consequences;
  • in the worst case, you will be asked to reperform the work and the documentation, which is a waste of precious time and money for your audit organization.

And that is why audit working papers need to be written clearly.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Productivity budgeting: the missing personal productivity component

Limitatons of personal productivity tools

Modern productivity methods and tools go a long way towards optimizing our focus on areas and things that really matter to us. GTD, for example, provides us with an elaborate basis for identifying what we need to do next, depending on our context but also on our overall priorities, expressed in projects in areas of focus which roll up to an overall vision of what we want to be or do.

But there is a nagging gap in all productivity approaches I've read and used so far ... each of them, if not used with due care, will devolve into a to do list of mythical proportions, creating unreasonable expectations on what can be done by us. Remember, we are mere humans.

Confrontation with an unplanned expense

Whenever I do my weekly review, especially the part where I go through my projects list and look at all the intended tasks I have yet to execute, I am always amazed and honestly a bit terrified at how much there is left for me to do. I often feel like a person who is being confronted with a significant unplanned expense. The feeling is dread. I'm observing myself developing a resistance to my weekly review to avoid being confronted with that feeling every single week.

And it's not just that. The effectiveness of the "incompletion trigger list" leads to a situation where I find my creative mind generating at least two additional actions for every action I have cleared the week before. My sense of accomplishment tends to suffer. For everything I do, more remains to be done.

Balancing what we want and can get done

Some of you may call this life, but in my mind, life should not just be about what remains to be done. Productivity and its cousins effectiveness and efficiency are - to me at least - all about the balance between what can be done and what is being done. What can be done is not just limited by our imagination and our ability to stick it on a to-do-list, it is also, in a major way, limited by our available capacity, by our real availability ... by our available time.

The time budget problem

I can see the broad strokes of what is missing in my understanding of current productivity methods. I fail to approach productivity as the fundamental budget problem it is. Not a money budget problem, but a time budget problem. Let me explain with a parallel to budget approaches:

Wanting things or experiences without having either unlimited funds or a structured approach which maps out how we will use our available funds to accumulate to get to the amounts necessary to acquire these things or experiences will get us exactly nowhere. The approach where we label money we have available for expected future expenditure is called budgeting.

Now, in money matters, there are two important aspects to budgeting, expertly described by YNAB and quickly and incompletely recapped here:

  • You can only budget what you are sure to have available to you. If you budget dollars or euros you don't have available to you, you are creating an illusion. You cannot spend what you don't have available to you. Not understanding that simple rule has led a lot of people into credit card debt.
  • Once you are sure about what you have available to you, you need to give each dollar or euro a job. If you do not, it is sure to get wasted on something irrelevant, and it does not honor the idea that a lot of small savings can really lead up to overall important savings.

The challenges of time budgeting

Now, the same goes with time. I can only really spend the time I am sure to have available to me. Anything that I put on my to-do list is an implicit commitment to my time. Overcommitting is easy when I don't know what I can reasonably commit to. Overcommitment, or not being able to do what I expected to do leads to disappointment with myself and with my approach, over time leading to abandoning an otherwise excellent way of identifying what I need to work on to remain focused.

The flip side of this is that I need to give all my available time a purpose, even if that purpose is relaxing. If I don't, those unassigned hours are likely to be spent in a zombie-like stupor in front of the TV, watching yet another reality series or even a good show, not really being here, being somewhere and somewhen else. That is not participating in life, that is wasting time.

Components of a time budget approach and link to GTD

So, what I am looking for is a budget approach to life. I need to:

  • truly know what I will have available in terms of time ... getting to really know what I can do with available time is likely to be an iterative process, and;
  • assign that time to realistic purposes, for which my GTD-established task list will be a great starting point.

This is one way to make sure that the to-do list does not create undue stress and lead to unfulfilled expectations it intended to alleviate.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

The relation between audit reports and working papers

Audit reports tend to be overly long

I've mentioned before I don't like overly long audit reports. The length usually does not add relevant information for the audit committee and only aims to prove to the audience how much time and effort the internal auditor put in that specific audit. While commendable this is not something I should read in an audit report. It's understood that you do your very best. If you sign off in accordance with IIA standards, you say as much. Only a lot shorter.

I know plenty of internal auditors that feel they need to show the work they've done. They reaction is understandable, because the only work the audit committee will ever see is the audit report. The need to be accountable is entirely normal for someone who checks on accountability all the time.

Make sure to adequately document your work

"Make sure you adequately document your work," is something the beginning auditor hears from day one of their career and it tends to stick, as much as the use of most copiers and how to make a good cup of coffee. Often, it sticks too hard, and the need to document is reflected in the audit reports.

Am I saying you should not adequately document? No, not at all, but documentation and evidence should be in your working papers and not in your audit reports. Your main audit report audience is your audit committee member, who has no added value in reading how you performed test X of Y. They hired you for your competence, and it is your professional judgment as to how you execute your testing.

To compare, while it's interesting to find some information on the bridge you're about to drive across with your car, such as how high it is, when it was built and how much it cost, you will not stop to contemplate the redundancy data and the calculations the engineer made when building the bridge. You assume that engineer knew his or her job. It's the same with an audit report.

Auditees can get additional information based on good working papers

But what about that other audience, my auditees? What if they want additional information? Well, that's where working papers come in, and that's where working paper documentation becomes so very important. It is entirely acceptable to allow an auditee access to copies of carefully selected parts of the working papers. Of course you will need to clear it with the audit committee, but in essence there is nothing wrong with it.

Working papers need to be "in order"

Now, this imposes requirements on the working papers as well, an often neglected area of our work. In order to ensure that working papers can adequately be presented to auditees or even third parties, where relevant, they need to be "in order". I'll blog more about working papers later, but let's define "in order" now.

For working papers, I would define "in order" as:

  • Organized
  • Clearly written
  • Documenting interviews and test performed
  • Concluded on
  • Supportive of the conclusions of the audit report, including complete evidence
  • Empty of all documentation that does not directly offer support for a test, a position during the interview or a conclusion
  • Empty of all personal opinions or inappropriate comments or remarks
  • Reconciled to the final version of the audit report
  • Signed off on by the CAE or the responsible for that audit

In the next week, we'll discuss each of these elements more in detail.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Quick tip - learn to use your tools

I've recently taken a close look at the application folder on my Mac. If you sort your applications by "date last opened", you may be in for a surprise. More than 70% of the applications I have installed had not been opened in the past 30 days. Including some applications I consider essential and would not ever want to remove from my computer.

That simple fact led me to consider why I actually acquired the 70% that had not been used in the past month. With very few exceptions, I've downloaded or purchased them to solve a single problem. This is not unlike buying the most extensive Swiss Army knife in order to clip your nails, because it has - of course - a nail clipper. I'm using only a very limited part of the capabilities of the tools I have. And that's a problem on several levels. Let's examine this a bit further:

I don't know what I've got

Because I acquire these tools for a single purpose and I never take the time to learn what else they can do, means that I have really no idea what these tools can do for me other than what I wanted to use them for.

Take Name Mangler, for example. I acquired the tool because I had to rename a bunch of JPEG files with duplicate names, as JPEG files that come from cameras tend to have. Little did I know that this was one of the prime applications for automatic renaming available on the Mac.

If I don't know what I have, I'm likely to go looking for another application to do a job I need doing, but that one of my current applications can handle if I only know about it. If I read the manual, or get to know the tool by using it in different configurations, I will not go looking for a new solution, saving myself significant research time in the process.

I've been wondering whether this is the result of a couple of years of iOS use, where single purpose tools are often the norm more than the exception.

I have multiple tools that serve the same purpose

That leads to situations where I keep similar data in the same type of tool. If the data is accessible and in a format that is shared by multiple tools, this may appear less of a problem. Markdown formatted plain text files, for example, can be read by quite a few applications, some of which I have installed. However, the problem lies elsewhere. The time I invest in getting to know the basic functionality of each of these tools could have been better and likely more productively been invested in getting to know one of these tools a lot better.

Instead of focusing my effort at one tool and really getting to know it, I diffused my effort over several tools. In text editors, I am a jack of all trades, but a master of none. And that is only due to the fact I felt the need to download and use a number of them.

My current text editor set-up has been reduced from a mix of Ulysses, FoldingText, Sublime Text 3, Byword and nvAlt to just Byword and nvAlt. Byword is for writing, nvAlt is for looking up information across my library of text files.

Imagine for just a moment the time spent in getting to know even the basics of these tools.

What do I suggest to resolve this?

Well, I've learned the hard way, so you perhaps shouldn't. There is really only one solution I consider as an adequate answer to this problem: you need to invest in your tools. Get to know them. Be aware what you can do with them. If you have a problem, check whether there is anything in your current toolbox that my solve the issue. It perhaps will not be the most elegant of solutions, but you will have mastered more of your existing tools.

As Kourosh Dini so eloquently states: "Mastery is mastery of the basics."

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

The real relevance of internal controls and their development

Mutual exclusivity?

I'm hearing a lot of comments about the relevance and the redundancy of internal controls and especially internal controls development and internal controls training. A number of new management philosophies such as this one - pretty much unknown outside of the French speaking world, but mirrorred in philosophies such as the one of Ricardo Semler - talk about ownership and responsibility of the collaborators. I've written about this most recently here.

What surprises me is that these approaches are seen as mutually exclusive. As if internal controls are something bad, or something redundant or even limiting in a context where collaborators are given individual freedom. First, what any given responsibility comes the ability to respond, but also the obligation to explain what was done and how means (both budgets and people) were used. Well designed internal controls increase the likelihood the use was appropriate, effective and efficient.

More than a response to a single issue

But we should not see internal controls as just a procedure or a procedural aspect. We need to see it as a training for eventualities which will most certainly occur. The real value of using and learning about internal controls is that it teaches people to handle those unexpected occurrences which we will be confronted with, whether we like it or not. The best internal controls teach our collaborators to handle eventualities, even outside of the reach of those controls, because the habits of working with the controls have become so engrained that they become second nature in any type of situation.

Think about budget usage controls which are used at work and find their way into the home, leading to better budgetary control and a better life for a family. Or consider solvability checks required at the start of a contract being executed at regular intervals, ensuring the organisation doing the work remains capable of executing that work well. These are but a few examples.

Developing muscle memory

More than just considering the narrow scope of internal controls, consider the use, the training and the development of internal controls as the exercise leading to muscle memory, to a direct response when faced with a control deficiency stimulus.

And let's remain aware that the untrained will never be able to decently dance the tango of work and life. Even if we encourage them to take their responsibilities, we have an obligation to provide them with tools that allow them to appropriately take these responsibilities. Internal controls are one of these tools.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

So what do you do when you don't do what you're usually doing?

A strange question

Okay, I admit, that may be a rather strange question. But think about it for a second ... do you have other projects than professional ones?

Yes, I know you have your family and friends, but do you have objectives, very specific aims you want to achieve with or for them? And if you are alone, do you have hobbies? Are you very clear on what you want to achieve in those?

Look, this is far from a plea to quantify every single thing you do in your life. Life should most certainly not always be about performance, about results. But perhaps being here and now is partly about clearly understanding why you are here, now instead of somewhere else.

Now only has limited meaning without a clear sense of purpose

Without a clear sense of purpose, now only has limited meaning. Now becomes the moment between what was and what will be. Not to be lived, but to be ensured, to be bridged. Those around you at that moment will experience you bridging that moment, not living it, because you will not be there. At those moments you are either living in the past, going over what has happened, or you live in the future, preparing for what will be.

You are only this moment

The point is, you are not here, now. While you are just and only here and now. You are not different from this moment ... and this one ... and this one. It's important that as many of these small moments make sense and are lived to the fullest. As Annie Dillard said: "How we spend our days is, of course, how we spend our lives."

Because it is so easy to drop into bridging behavior, it makes sense to formulate a clear purpose and sense of objectives in each area of responsibility in your life. Your significant other, your kids, your friends deserve to be part of one of your projects. They have the right to figure in your life, more so than any job related person or entity has that right.

If you fail to identify the relevant areas of responsibility in your life, you will not give yourself and those around you the authorisation to experience you and your presence in all areas of your life. And whomever you are, that would be a loss, not just for those around you, but for yourself most of all.

So, what do you do when you don't do what you're usually doing?

Here are four steps that will at least get you on the way

Step 1 - Get out of limbo

That waiting area that some of us spend quite a lot of our lives in has a name. It's called limbo. It's that place where you are in between other things. We all spend too much of our lives in limbo.

The best way to get out of limbo is by identifying our areas of focus, as David Allen refers to it in his GTD book. This Simple Dollar post describes more in detail what areas of focus are.

Ideally, you identify all the areas of focus you cover when consciously awake. Not just those areas you deem important, but also those areas you may not be really aware of. Using a time and activity tracker, such as RescueTime for example, is a good first step to understand what - on your computer at least - you are up to. I believe you may actually be surprised. After a couple of days, you will at least be aware of what you are actually spending time on.

One of my key areas of focus which does not get enough attention is 'being a father to my children'. Note this is not being an adult around smaller people. No, this is about being a dad.

Step 2 - Define objectives for each area of focus

Take your time and define at least one objective, something you want to realize in each of the areas of focus you identified in the previous step. This objective can be a simple answer to the question: what do I want to do for the people which I interact with in this area of focus.

In my area of focus 'being a father to my children', I have the objective to "make my children laugh".

Step 3 - Identify projects that allow you to achieve those objectives

Once it is clear to you what you are trying to achieve in the chosen area of focus, it becomes a lot easier to define a project that will lead to the achievement of those objectives. It proves the point that asking the right question is often the most difficult part in approaches such as GTD.

I had a couple of days off last week, and one of my projects was to visit entertaining statues in Brussels, such as this one and this one. I concede Belgium can be a confusing places. My kids did laugh once the initial surprise and shock wore off.

Step 4 - Make a conscious choice to commit and then be there, then

You are but this moment. Each moment, you have the choice to be here, or not to be here. We often forget we have that choice. But remember, as David Foster Wallace said, "this is water". If you chose to be here, now, you will be here in a mindful manner.

I'm sure there were a myriad of more productive ways I could have spent my day off. None of them would have been as good fun as that day in Brussels turned out to be. I choose to be there, not somewhere else. I was in the middle of the water.

GTD as an approach provides you with the essential tools to be mindfully present in the moment. We just have to use them the right way in all the areas of our lives.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Brett's courage

Much respect to Brett Terpstra for opening up about his past in this extremely personal post. I've never struggled with substance abuse myself, but I was a very, very heavy smoker from 1988 until late 2007. I'm defining heavy smoker as ranging from one pack to two packs of Camels per day. I had gone through numerous attempts to kick the habit before finally being able to quit in October 2007, thanks to good advice from a couple of colleagues.

I find it simply amazing that a strong and focused person can turn around his life in such an inspiring way. Each and every day something Brett made touches my life when I work on my computer. Whenever I work on texts, Marked 2 is one service call away. I use Searchlink for each blog post I write. I arrived at my editor of choice, Byword, after consulting Brett's crowd sourced list of text editors for Mac.

So Brett, thanks for sticking around and making a difference for a lot of us, Mac users. And happy belated birthday!

And for those not yet supporting Brett, he has an open support model running which allows you to support his work. You may consider doing that.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Risk management maturity - moving beyond risk registers?

An interesting article on risk register obsolescence

I recently read this article by Michael Werneburg which was subsequently updated here. The article deals with the evolution of risk management in organisations beyond the use of risk registers into a risk mature organisation. It restates and reiterates a number of points that have been made by Matthew Leitch in the past on his blog Working in Uncertainty. The basic gist of the argument put forward is that risk mature organisations no longer need risk registers or any kind of specific risk management procedure because they have embedded the risk (management) dimension into their daily management practices.

Well, I can tell you that I am torn by that position. On the one hand, I do believe that the authors have a point as far as risk mature organisations are concerned. A well established risk management practice will lead to risk thinking becoming embedded in management's mind and integrating in management's agenda.

Risk maturity requires an evolution

However, I do not agree at all with the assumption that is being put forward which states that because this is the case, we can take the training wheels of any organisation, abandoning a formal, procedural approach to risk management and evolve straight into risk maturity without passing through a risk learning process. I think that position is fundamentally wrong. Werneburg describes in his update how risk maturity came about, and while details are limited, it appears the organisation underwent a significant evolution to come to a risk mature structure.

Organisations do not self-mature. People don't either (not really)

Now, why do I react so vehemently to this type of thinking? I am very much aware that this thinking fits into the self-maturing organisation thinking some management philosophies currently embrace. They imply that if you leave your collaborators alone, they will make mistakes but will learn from them and evolve based on that learning to a mature state.

First, this is an assumption that is based on scant evidence at best. For every maverick like Ricardo Semler that succeeds in implementing such a change in an organisation, there are tens of organisations that fail to appropriately implement this kind of self-rule. If this would work, the banking crisis would have been avoided all together. However, individuals are often selfish rather than selfless operators.

Gambling with tax payers' money

Second, especially in a public sector context, this type of laissez-faire attitude is a gamble with tax payers' money. As public sector transparancy is already much under scrutiny, consciously risking budgets for a 'learning experience in risk' while very hard budget choices need to be made with very real effects on very real people, can hardly be considered as mature behavior.

Public sector organisations need their risk training wheels

As far as managing risk exposure is concerned, a lot of public sector organisations still need their risk training wheels. They also need a strong, directive management, especially in light of the significant personnel cuts which are not always in line with the real needs in the different departments.

Establishing a common language by means of a risk model, ensuring that appropriate risk identification is timely and consistently performed and using the risk model as an aggregating structure to bring together solutions that actually work in specific situations is an approach that organisations that have not yet reached risk maturity need.

Falling on their proverbial faces

Any management team that fails to put in place these essential systems and practices cannot expect to escape the confrontation with reality unscathed. They will fall on their proverbial faces. Much to my regret, experience and common sense cannot be transferred through osmosis. It's not by standing next to greatness or experience that you will become more experienced. Unless someone clearly explains the dynamic or organisations and their management teams auto-magically becoming risk mature without doing the work and the learning, my cynical internal auditor's heart will have to assume it is not happening.

Trust, but verify

Let us not forget the Russian proverb "doveryai no proveryai", which translates to English as "trust, but verify", which became Ronald Reagan's signature phrase in the US-Soviet Union relations of the mid and late 1980's. A risk model based risk management system for a young or maturing organisation as contained in a written and applied risk management process, combined with a well functioning internal audit department provides a decent basis for this verification component. You may trust, but internal audit will make sure it gets verified.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx