Risk acceptance requires hard work

Rereading the title of this post, my first reaction is that it states the blindingly obvious. The problem is that, in reality, it is far from obvious. More than once I've been confronted with situations in which risk acceptance by a manager turned into risk ignorance. And risk ignorance is just another way of saying that someone no longer feels responsible for dealing with the risk.

This may come as a shock: any identified risk in your area of responsibility falls under your responsibility, whatever your preferred risk treatment will be. Sadly, that is quite often not the case.

Accepting a risk is not the end of management responsibility

Some managers believe that accepting risks, whether related to issues raised in an internal audit report or identified based on appropriate risk management, is the end of it. By accepting risks, they often feel they can make the demon of having to solve a problem go away. They feel they can sleep soundly ... at least for a while.

Of course, nothing is further from the truth. As I stated above, all identified risks need to be properly managed. Risk acceptance is a risk management option, but choosing to accept a risk does not imply that the risk has gone away or no longer matters to you.

On the contrary, it puts the burden of making sure the organization is adequately prepared to deal with that risk squarely with the responsible manager. After all, as a manager, if you have been informed of an issue and you have accepted the risks related to the issue, you need to be ready to deal with that risk if and when it occurs. That's called contingency planning, and it may actually involve quite a lot more work than you believe it does. Let's examine why this is so very important.

Accepting the risk is not ignoring its potential consequences

Let's illustrate the issue with a concrete example most of us can associate with:

Imagine you are driving a car faster than you are allowed to drive it. Your risk of having an accident will increase. You accept that risk by making the decision to drive faster as well as by the actual act of driving faster. Hence, you have accepted that risk.

Now, does that attitude of risk acceptance allow you to ignore any required contingencies you would normally take, such as having a fire extinguisher in the car and making sure your airbags are functioning correctly? Let's be clear ... it does not.

Whether we are talking about driving a car or managing an organisation, the same principles apply. The fact that you consciously decide to accept an exposure does not free you from the burden of managing the organisation, the entity or the process you are responsible for. To make it crystal clear, risk acceptance assumes that the responsible manager is fully aware of the potential yet very concrete consequences a risk occurrence may have as well as what needs to be done to deal with that contingency. You cannot avoid that responsibility. At all.

In essence, each manager is responsible for exercising due diligent behavior with respect to the responsibilities that have been delegated to him or her. Correct behavior is then not ignoring a risk you have "accepted", but preparing your organisation for the eventual possibility that the risk may occur. Rather than working on reducing the likelihood of occurrence of a risk, you focus on reducing the impact if it were to occur.

Let's revisit our speeding example. Your car is, or should be, equipped with minimum safety measures, such as a fire extinguisher or airbags. If the risk of an accident were to occur, you will be bruised, but hopefully safer than you would have been without those measures. You will still face a loss, in this case the car or the convenience of driving your own car for a while, but the loss will ideally not be of a completely disruptive nature.

Lack of due diligent behavior requires removal

In the same vein, all managers should regularly review the risks they have accepted and assess whether or not there are measures in place to deal with the potential impact of a mishap. If these measures do not exist, I firmly state that the manager has not shown due diligent behavior. In that case, the board should take all appropriate actions to remove this manager from his or her position.

The external specialization fallacy

You can't outsource your core tasks

There are a couple of essential tasks you cannot outsource:

  • If you're about to execute a coup d'état, you can't bring in mercenaries in key roles or positions and assume you will remain in control;
  • If you want to rule a market, you cannot have key product development and innovation done solely by third parties;
  • If you want to fundamentally change the way your organization functions, you cannot have a full successful reengineering done by an outside consultant;
  • If you want assurances your business is run with due diligence, you cannot outsource your internal audit function.

Why? Because the people you outsource this function to don't care as much or are not as informed as people on the inside. After all, they are but guns for hire. When the job is done, their work is done, and they move to another role or responsibility. Even worse, who do you believe defines when the job is done? You, the client? Don't bet on it. The job usually is done just about when the money runs out.

Providing assurance on due diligent behaviour is a core task

Your organization is likely to be about a very specific set of services, products or solutions. That's what makes your organization special. That's what clients come to experience or purchase. Some organizations are more specific than others, but the way they function internally is usually very specific and requires both a deep knowledge of the processes themselves as well as a thorough understanding on how these processes came to be what they are.

Now, in order to provide assurance on due diligent behaviour by all people involved, you need people who understand what is going on in the organization and why it is going on. Your assurance providers need to be specialized, not only in your business, but in your organization. In order to provide your organization with the most relevant value for money findings and recommendations, the internal auditor needs to be able to take the time and develop a deep understanding of your functioning.

The specialization fallacy

Most internal audit service providers will try to convince you of their uniqueness (let's be real here, they really aren't that special) and the skill set of their advisors. A couple of issues:

  • The leverage model dictates a 1 to 3 (1:3) hierarchical structure to make a project profitable. Remember the mercenaries above who leave when the money runs out? A typical service provider aims at providing you with three juniors for every senior, three seniors for every manager, and three managers for every director or partner. Given that deep expertise on average requires 10.000 hours of hard work, and that real chargeability will run at around 60% for seniors or above, which is where the real learning happens, you can make the calculation yourself. The more experienced the advisors are, the less likely you are to find one of them on the team being proposed to you;
  • Service providers often claim sectoral experience. At the same time, they claim firewalls between their teams. To me, this just doesn't add up. In a competitive environment, either you have sectoral knowledge gained at a competitor, in which case you should not be on the team, or you have no knowledge of the sector that is relevant to me;
  • If not sectoral experience, they can bring technical experience. I agree that under certain, very strict conditions, it makes sense to outsource a very technical aspect of a job because you don't have adequate knowledge of the area. However, the number of cases in which this is applicable is limited, mainly to specific ICT areas. And even then ...

Bottom line: the specialization you need access to the most should not be available, precisely because of the firewalls in place between teams within a sector. And it's unlikely someone will have invested significantly in your organization ... because the return usually isn't there, except for really large organizations. And if this is the case, if a consultant has invested so much in your organization, where is his independence? How independent can you remain if your goal is to be paid by this organization?

But what about experts? Experts working for a service provider are most often no longer actively involved in the practice. They have an expiration date.

Even the best technical auditors cannot make up for a lack of knowledge about the specifics of the business and the organization.

What works

For internal audit to be relevant, and to be able to provide adequate assurance on due diligent behaviour by the collaborators of an organization, it requires deep expertise in the business or the possibility to develop this expertise. An external party often has neither the means nor the intention to invest adequately in building this expertise.

Deep expertise needs to lead to good risk assessments and the development of efficient, effective and economic audit activities focused on relevant audit objectives and audit areas.

When using external support at all, this external support can at the earliest be asked to assist in developing audit work programs. Their aim should be to optimize the audit approach, not the objectives nor areas.

The actual audit execution should, where possible, remain with the internal auditors, supported where required by ad hoc expertise which can then be acquired at the best market value.

Final reporting should always remain with those responsible for internal audit.

Providing assurance on due diligent behaviour is a core responsibility of internal audit. The audit committee needs to have adequate assurances that the work done is not determined by the available budget for outsourcing, but rather by a deep understanding of the need of the organization to function at the best possible level, an understanding most efficiently developed from the inside.

The Three Laws of Due Diligence

The emptiness of due diligence

Looking around in current day-to-day business, I see less and less evidence of due diligence in its core meaning, at least the core meaning I learned, but mainly understood, based on practical experience. The idea of due diligence has been replaced by a number of elaborate governance frameworks which did not necessarily add to the practice of due diligence. On the contrary, these frameworks often created an escape mechanism for culprits aiming at formally complying with the concepts while at the same time ensuring their direct responsibility was as limited as possible. We could have a long discussion on due diligence, but this being New Year's Eve, I wanted to give you my interpretation of it. For me, due diligence is inextricably linked with a set of core "beliefs" from my youth: the three laws of robotics as defined by Isaac Asimov.

My definition of due diligence

To convey what I mean when referring to due diligence, I'll try to define it. In order to arrive at a good, applicable and pragmatic definition, let's first look at the two words individually:

  • Due: owed or owing as a debt, either as a natural or moral right or according to accepted notions or procedures.
  • Diligence: persevering application, or the attention and care legally expected or required of a person. The adjective related to diligence is "diligent", which Merriam-Webster defines as "characterized by steady, earnest and energetic effort, painstaking".

And what does due diligence mean according to Merriam-Webster?

  • Due diligence: the care that a reasonable person exercises to avoid harm to other persons or their property

A Dutch translation

In Dutch, we translate "due diligence" as "goed huisvaderschap", which can be loosely translated as "behavior equal to that of a prudent family man". I like this translation at an emotional level because it links behavior in the context of a firm to a subjective but intuitively well understood moral high ground in the personal context. It's a lot closer to home, a lot more concrete. Most of us understand what being a prudent family man entails. However, let's return to due diligence.

Interpreting the definition

Based on the Merriam-Webster provided definitions above, due diligence as a key requirement in the context of good governance is the persevering application of care and attention owed as a result of the responsibility entrusted upon a group of individuals. When you are bestowed with that responsibility, you immediately owe a very high level of care and attention to those who bestow this responsibility on you.

I'll go further than that. Those who bestow this responsibility upon you are not only your shareholders, who come in with means and ask for a return. No, it's all of your stakeholders: your collaborators, your clients, your environment and, in a wider sense, society. But how could you, as the responsible person, manage this? You need to exhibit, on a continuous basis, behavior equal to that of a prudent family man. But what does that mean? What are stakeholders, for that matter? They remain so abstract. Here I want to make a very long stride and perhaps risk injury in the leap ... let's look at science fiction literature ...

Using Asimov’s “Three laws of robotics” to provide a baseline for due diligence

When I was young, I voraciously read science fiction. One of my favorite authors was Isaac Asimov, and of his work I adored his novels and short stories dealing with robots. In his 1942 short story "Runaround", Isaac Asimov introduced a set of laws which were to provide a framework for the behavior of autonomous machines. By rephrasing these, we can have a guiding framework which serves as a baseline for due diligent behavior of a company. I'll always start with Asimov's original law and then rephrase it for the due diligence baseline. After this definition, we'll explore how these baseline rules, if applied, could have influenced organizational behaviour. Again, this comparison may not work for you, but it works for me:

  1. First law of robotics: A robot may not injure a human being or, through inaction, allow a human being to come to harm - First law of due diligence: An organization or its management may not injure human beings or, through inaction, allow human beings to come to harm.
  2. Second law of robotics: A robot must obey the orders given to it by human beings, except where such orders would conflict with the first law. - Second law of due diligence: An organization or its management needs to account for its actions to real human beings representing stakeholders, not other organizations, and needs to respond to these human beings, except where such response would conflict with the first law.
  3. Third law of robotics: A robot must protect its own existence as long as such protection does not conflict with the first or second laws. - Third law of due diligence: An organization or its management must protect the existence of its purpose as long as such protection does not conflict with the first or second laws.

Applying the laws

How would the application of these simple, yet at the same time accessible and complete, laws have influenced recent socio-economic events?

Law 1 would have prevented a number of precursors to the 2008 financial crisis. It would not have allowed the selling of derivatives of subprime loans to other parties. That would be a clear violation which would have resulted in the harming of human beings. Pushing up a market for one's own profit until it starts to default in massive numbers, chasing millions of people out of their homes? A clear violation of the first law.

Law 2 would have reshaped current power concentrations in certain markets, would ensure appropriate levels of quality in delivery and production, and would have influenced environmental impacts as well, insofar as these are not covered by the first law. If management, charged with continuous behavior consistent with that of a prudent family man, had to explain on a regular basis what they had engaged in and how this contributed to their purpose, to a group of people who were a true representation of all of their stakeholders, I dare to assume the critical questioning would have been more stringent and more relevant, potentially leading to early changes in organizational behaviour.

Law 3 would ensure a focus on continuity and shareholder value as well as long term contribution to a wider group of stakeholders, but only after the conditions under laws 1 and 2 are met.

In absence of these laws

I believe internal auditors need to dare to ask the hard questions. They are, after all, currently the prime guardians of due diligent behaviour by the organizations they audit.