Patrick Rhone's beautiful article "The Farmer"

Too long it had been waiting on my reading list, but I just rediscovered this pearl by Patrick Rhone, who again shows why he is such a great writer. A quote, among many quotes:

This farmer realizes that the relationship with her work, like any good relationship is, and should be, reciprocal. That the work, the land, would not be as good without her commitment to it. And, in turn, it returns that commitment to her. And, because of her intimacy with it, it returns that much more.

Go read the whole post here now. Really.

Via Patrick Rhone

The Linked-In title inflation

Just an observation

I was just browsing through Linked-In, looking at what my peers and dears were up to in their professional lives, when it struck me that there’s quite some title inflation going on. But hey, who am I to speak, I’ve been at times senior manager, director, client principal, with really no fundamental job change other than that the pressure to sell-sell-sell increased with the title increases and the size of the car.

I eventually returned to the real fold where I belong, internal audit, and I drive a Mini now. And funnily enough, my title is the title that my function has carried for years: Chief Audit Executive. Sometimes referred to as the Head of Internal Audit. Not necessarily the brain, but that’s an entirely different post.

Do titles convey meaning?

I wonder. I quickly scanned through a couple of Linked-In pages and ended up with this interesting list. I then used that list to add my interpretation of the title and finally compared it to the actual function. Quite an interesting difference:

  • Administrator: I thought this person would be an administrative responsible. Far from it, this appears to be a high level function within a corporate environment;
  • Advisor: Based on my background, this would have been a junior profile. Imagine my surprise when I actually saw this was a person with 25+ years of experience in a specific field;
  • Supervisor: Here I thought this would be a coördinating function, but it turns out this is almost an entry position in a well-known consulting environment. You become a supervisor after only 2 years of experience. I wonder who you get to supervise;
  • Manager: Here I was in the money: this is a position which translates to between 4 and 6 years of experience in a consulting environment. The person took a first responsibility in managing a limited client portfolio;
  • Expert: I was off on this one, in a bad way: where I thought this was a function where you needed 20 to 30 years of experience, it turns out this person has 3 years of experience, none of them actually relevant for the proclaimed area of expertise;
  • Senior Manager: A function I know well, I’ve been it. It appears, however, that there is a title competition going on between the Big 4 (which is where I plucked this title from) … whereas I required 8 years of experience at the time, you can now qualify after not even 6 years. Interesting;
  • Managing director: The big boss, the head honcho … and it’s true, but of a one person business. It’s not misrepresentation per se, but it does confuse the issue. On the other hand, I’ve had business owners profile themselves as senior consultant as well, which perhaps balances out …
  • Business Plan owner: I had no clue when I read this, and I still have no clue after having read the job description.
  • Specialist: Again, before I would call someone a specialist, they would need to prove some measure of specialization to me. This is apparently a title given in certain consulting environments to people with 3 years of experience.
  • Account manager: He who manages accounts, or at least one account. The key client contact, although he can be easily put aside if the manager, the senior manager, the director or the partner (see also owner) chooses to do so. It appears this profile is the buffer between an organization and its clients, charged with selling everything without any control over the delivery but all responsibility for maintaining the client relationship. Ouch!
  • Owner: The boss, the partner, the head honcho, even higher than the managing director. Turns out this is one of 140 owners in this specific consulting environment. They are commonly known as partners, but what is in a name.
  • Front Office Officer: I loved the repetition in this one. An office officer. Wow! Quite a difference from the plain old receptionist. Probably not a significant pay difference, however.
  • Seasoned Human Resources Manager: This is where it got too much for me. I was wondering what they seasoned him in, and whether he was able to speak to someone afterwards.

This is where I had to quit, because I could not take it any more. I don’t want to insult anyone, but let’s look at this from a distance: I cannot make out the forest for the trees.

The quest for clarity

Trying to make my way through the nomenclature of different providers of services, I fail to see what those names actually contribute to my understanding of their competencies. Tell me what you do, and I will tell you what you are. Don’t make it more complicated or more scientific than it is. Don’t overinflate your title. If you call yourself liquefaction engineer, you are still a plumber. And that’s a good thing. Be proud.

What we need, more than ever, is less talk and more pride. So I’ll just shut up now.

P.S. And I know I’ve been guilty of this myself. Let’s be honest, people, it takes one to know one.

Bursting the "truth" bubble

Perception versus reality

I’ve recently become more and more aware of situations in which people, any people, are trying to interpret the truth to get their way. This may be that they want to be proven right, that they want a larger/smaller share of something, or they just want to save face. No doubt this has been going on for centuries, but it appears to become more blatant than ever. It just might be I’m a big naïve idiot. Who knows?

My beef is with people who are confidently predicting a certain outcome, are confronted with another outcome, and they spin their way out of the situation (best case) or force the final outcome to be different from how it would have been (worse). The worst among them load the dice to begin with.

It’s frustrating for a straight-forward person like myself because it becomes very difficult to anticipate outcomes.

And it’s all about perception versus reality. People create a perception, then force reality one way or another to align with perception. Or they manipulate perception in such a way that it appears for all intents and purposes as if they are right.

Let’s be clear, I have no particular axe to grind here. I’m just very aware of a number of significant risks that are being introduced by this way of reporting reality in the corporate context. Let’s look at an example.

When technically right is not right at all

Take a typical form over substance discussion in any organization required to report their financial statements. Especially quoted organizations will interpret the applicable rules as much as possible to their advantage. This is, of course, technically correct. But some of these positions will significantly misrepresent the reality of the organization. Any well executed due diligence exercise would require additional information to be provided to people considering a purchase of the organization. Ask yourself the question: is such reporting right?

The truth, the whole truth and nothing but the truth

Don’t embellish. Don’t willfully forget. Don’t lie. And don’t try to get your way if what is real is not what you want it to be. Because that is the sure way to getting people hurt. No one in his right mind would tell another person about to jump into a pool that the water is more than 10 feet deep if they know it barely goes down 1 foot. That is no longer misrepresentation, that’s murder. However, both corporates and quite often politicians get away with murder because they manage to spin the tale in just the right direction.

You don’t find spin doctors on Main Street

The current economic reality for the US and Europe is one of survival. While we may not formally be in a recession, we are not seeing job growth as required. News bulletins regularly inform us of plant closings and people made redundant. It’s very difficult out there, right now, for a lot of people. Most of them don’t have degrees, although some of them have. None of them has a spin doctor at the ready to spin the situation to their advantage.

An appeal for transparency

Given that, perhaps it’s time to aim for more transparency and less complexity. While I fully understand the drivers which make organizations do what they do in their continuous combat for access to funding and resources, this behaviour of denial of reality creates a bubble of its own. It inflates perception of organizations or of political reality in such a way that is sure to lead to collapse. If that is the road you, as a person, choose to take, be aware of the consequences. When the bubble bursts, it’s likely the proverbial soap suds will spill on us all.

Fear is good - continuing the Kaplan conversation

Fear is Good

Remember the Gordon Gekko character in Oliver Stone’s landmark “Wall Street”? His credo was “Greed is Good”.
I want to offer that “Fear is Good”. Fear has helped us survive as humans, and fear - or its relevant equivalent - can make a survival difference for organizations as well, if we get it to function correctly.

Fear is an important survival mechanism

It’s how we as humans got here, where we are today, on top of the food chain. Let’s be clear, we did not get to be where we are by being heroic and standing up to a hunting lion or tiger as a small ape-like being. That would have gotten us eaten.

On the contrary, our entire human system has been geared towards survival, avoiding the fast(er) predators with sharp teeth on the savannah. What guided us then is still guiding us now, even though most of us have moved away from the savannah. These are our evolutionarily retained, successful reactions, which through the mechanism of evolution were programmed into our very being. The most important part of our brain involved in those reactions is the amygdala, one of the older parts of our brain.

The amygdala has recently been put in a bad light as it is often blamed for preventing us from exhibiting risk taking behaviour. And risk taking behaviour is often linked to innovation. So, according to some great thinkers, amongst which Steven Pressfield, this built-in reaction prevents us from achieving greatness. That’s the result from hundreds of thousands of years keeping our heads lower than the surrounding tall grass.

Now, in cases where the amygdala fails to function properly, imagination appears dysfunctional and fear is often notably absent. But that fear is what prevents us from getting killed. Hence, this part of our brains is a very effective risk management engine, continuously identifying, assessing, prioritizing and treating risk. And it errs on the side of caution. And it never needed reading ISO 31000 or COSO-ERM. Risk averse behavior has evolved and has aided our survival.

The fear dynamic

Fear uses our imagination and our emotions, and emotions are, at least partly, governed by the amygdala. Fear provides our imagination with cues as to possible consequences of certain risks. We can visualize them, but in case of strong emotional links to fear experiences, we do more, we “live” them.

The link between emotion, fear and risk aversion is often very hard and very confrontational. Hence the intensely emotional reactions to 9-11, or to the recent bus accident in Sierre, Switzerland, in which 22 children lost their lives. It’s a combination of proximity and direct relevance for us which creates a deeply emotional reaction, leading to fear. To illustrate, I know quite a few people who no longer felt safe in tall buildings. I also did not feel happy about putting my own children on a bus days after the Sierre accident.

The possible consequences of this imagined risk manifest themselves in imagined pain or loss which in turn leads to an overall activation of all key survival systems and the related de-prioritization of all other activities. Again, this is not a considered reaction. No, it’s an automatic, intuitive reaction, powered mainly by the amygdala but rationalized ex post by our brain on the basis of fear. It’s not perfect risk management either, as you get the tendency to prioritize the recent and close risks over the more distant risks in time and space. But that’s a subject for another post.

Organizations lack brains and imagination

All of this puts us in a bit of a hard place. Organizations do not have brains, so they don’t have an amygdala. In addition, they don’t have imagination. So pretty much all requirements for effective risk management are not present in organizations. Hence organizations have no inherently present systems for risk identification, assessment, prioritization and treatment.
Organizations exhibit no fear. But is that entirely true?

Organizations have lots of brains and imagination

While organizations themselves have no brains, nor imagination, they are made up of - and actually by - people. Lots of people bring lots of brains and imagination to organizations. They also bring lots of fear. But this is not enough to make organizations act like good risk managing environments. What is required is the deep identification, a deep link between the individuals and the organization. And that, exactly that, is what we are moving away from. And that’s a problem.

Long term self preservation

Let’s look at mechanisms of basic self-preservation and their scope. Our survival reflex extends beyond our own body, our own life. It also extends to our children and to our children’s children. After all, they are a genetic mix of ourselves and our significant other. Our genes literally live on in our children. Self-protection and structural preservation of our (genetic) heritage result in risk averse behavior.

This is all good, but there is no (longer) such self-identification with the organizations we work for. Rather, people tend to treat work more and more as an obligation, and no longer own, care for and manage the risks inherent in their responsibilities. Because of this lack of identification, fear does not enter into consideration when executing a responsibility. And that is problematic.

I’m wondering whether an important part of this disassociation with the employer has not been the latest result of the permanent reengineering and down-sizing or right-sizing drive of the ’90s and early ’00s.

Fewer and fewer people are willing to truly commit to the organizations they work for. Because their organizations do not commit to them.

The parent-child relationship between employer and employee is broken

The parent-child relationship is not a wrong way of illustrating the employer-employee relationship. Employees often come to an organization with the full engagement and commitment to really make a difference. Some organizations allow and even support that. A beautiful example is this welcome message new Apple employees get on their first day.

However, more and more organizations, due to free rider behaviour of some shareholders and some members of management, fail to honor that commitment of their collaborators. Which leads to loss of engagement, loss of identification and loss of true risk management capability.

Organizational fear lives with those accountable

Because, and this is essential to understand, any fear reaction exhibited by an organization is the manifestation of a risk averse reaction by its accountable collaborators. Hence, any lack thereof means there is no risk averse reaction by its accountable collaborators.

The accountable collaborators may have lost their link, their identification with the organization. They may no longer consider themselves accountable. Worse, they may start to exhibit free rider behavior themselves, often a corruption and fraud indicator or precursor. Rather than protecting the organization from exposure, they may point it on a road to higher and higher exposures which result in big upside risks for themselves and long term, almost certain downside risks for the rest of the organization.

So what’s next

I hope I’ve gotten everyone depressed enough.
The key question then is, is it worth considering risk management in organizations? I believe it is, I believe it is essential for long term survival, but I believe it will require a significant adaptation to traditional organizational structures.
I don’t think it needs to be the end of large corporations, but it will require a decentralization of power and management structures to make organizations more nimble and, let’s face it, more personal. People need to be able to identify with their organization to be able to exhibit good and relevant risk responses. So how do we do that? That’s fodder for another blog post.

A reaction to "Kaplan's heresy"

I just found this very interesting blog post on the blog of Peter Bonisch. You can find the post here and I suggest you read the post in full.

I’ve reacted to this post with my own thoughts on the subject matter. You can find my reply below.


Hi Peter, Mike, Matthew,

Just wanted to jump into this quite interesting discussion. First, when I read heresy, I hear “against dogma”. Now, let’s be clear that dogmatic behaviour is not good under most circumstances. Especially in developing areas such as risk management, which Matthew called the new Wild West only a few years ago (Matthew, I’m paraphrasing, but I really liked the snake oil salesmen reference you made ;-)) we need to make sure that we don’t hold on to dogmas that are unproven.

However, and this is important as well, what I feel that Kaplan fails to address is the error in expectations we all appear to have with respect to risk management. While not by far the perfect risk management approach, we need to look beyond the limitations of ISO 31000 and look at what it does bring to the table. However, it’s easy to dismiss an approach based on the problems perceived by the experts, while within certain limitations COSO ERM, ISO 31000, AS/NZS 4360 assist in developing a better and better view on what good risk management should be.

Compare this to physics, for example. Any theory which explains even part of what we see and internally and externally shows consistency is considered as a valuable addition to the overall body of knowledge. It explains perhaps only part of the issue, but at least it does that. It may be wrong but it will give us a basis to sharpen our insights. The steady state theory, for example, even while mainly wrong, has significantly contributed to our understanding of how elements were created in the early universe.

This being said, I believe that COSO ERM, ISO 31000 and other risk management approaches will gradually make way for newer approaches that build on the lessons learned from these approaches. Pretty much like Sarbanes-Oxley showed us what not to do to avoid future Enrons or Worldcoms.

Just kicking them to the curb as irrelevant is an easy and even cheap trick which is unworthy of an academic heavyweight such as Kaplan. He certainly has a number of points where he makes a case, but he should look at how each of the current frameworks contributes and how it can be adapted, amended or even completely turned around to be used for the better of risk management.

For the record, I am a reformed list-maker. I don’t agree that ISO 31000 is all about making lists. For me, and how I teach it, it is more about an awareness that there are issues we know, issues we are aware of and issues we are completely unaware of. And that communication and consultation, in whichever form is relevant for your organization (cfr. some of Matthew’s excellent surveys, by the way) is a key factor in truly treating risk.

That said, we still like to use our little checklists to make sure we have not forgotten anything. They are no longer risk models, they are just simple risk checklists. By ‘relegating’ them from model to checklist we aim to clarify to the users they are merely one of a set of tools we use to assist them in thinking about and discussing risk on a regular basis.

[…]

Where to put your internal auditors?

Imagine the following theoretical scenario: you have an organization which has a significant number of different activities. It looks a lot like a typical Japanese supercompany, with diverse activities across the entire activity spectrum, not necessarily related to one another. You have one audit committee you need to report to. Where do you put your auditors and how do you ensure they remain as objective and as relevant as possible?

Physical localization of the audit team

Your team or part of your team needs to be as close as possible to the actual operations. Audit teams that merely visit are not really enough to develop a thorough understanding of the activities if the breadth of activities is very large. Being there makes sense for two reasons:

  • First, your auditors will have their finger on the pulse of the management team responsible for that activity. They need to be able to interact, both formally and informally, on a regular basis, with the accountable people in the organization;
  • But not only that … just being able to tap into the discussions on the work floor allows an auditor to quickly pick up on important issues. Note, this is not being the Gestapo at all. After all, our role is to provide reasonable assurance and advice.

Local team sizes

It really doesn’t pay to have just one person present, who interacts with the organization and calls in semi-external support when audits need to be done. That would be like getting married and having your friend taking your wife out for date night. While ad hoc support in specialized aspects is important, note that the trust which is so essential in tapping into the vein of an organization is quickly lost if responsibilities of auditing are outsourced. And while you may argue that calling in support from a central team is not outsourcing, trust me, it is in the eyes of the auditee. If it is not their trusted team, it’s “someone else”.

Loading the team members and cross-training

Of course, it does not make sense to have full teams with overlapping competencies and too much time on their hands present at all locations. Rather, on the contrary, it makes sense to have specialized people available within the organization to ensure that all specific audit issues can be dealt with. There are two models here:

  • Model 1 proposes a centralized audit service where specialized competencies, such as IT audit skills or governance audit skills or multiple use skills such as public sector budget skills are present. While this may make sense from a theoretical point of view, I don’t believe this is the best possible solution. After all, you get resources which are in essence idle unless they are being called in for specific assignments. The usage of these resources will traditionally be lower than the usage of other, dedicated resources. Their depth of knowledge will be traditionally lower as well;
  • Model 2 proposes embedding expertise, specialized competencies, in the teams themselves. While available for a specific audit, these auditors are planned and used as traditional auditors if not required to exercise their traditional skills. If the planning system is developed well, this should allow for better planning.

Honestly, I’ve seen a number of “expertise” cells in different organizations. As long as they are not actively deployed in the field to engage in work and develop their understanding, their advice remains theoretical. It may be well written, but it makes little to no sense.

What should be centralized?

Ideally, planning of the specialized resources should be dealt with at a central level. Exchange of approaches and methodology is relevant as well. People can be rotated between teams during the early years of their employment as internal auditors, to develop a broad view, but need to be dedicated to one organization at one time. This creates an engagement and a responsibility which will be lacking if you are one step removed. Appointment and rotation of audit directors can be centralized as well. However, audit execution responsibility needs to remain decentralized.

In conclusion

Where to put your auditors is an important decision which, if not well considered, may cost you a lot more than just idle resources. Failing to properly position your people can lead to loss of confidence in your capability to execute an audit and jeopardize the timely execution of the audit plan.

Stakeholder consultation in risk management

One of the elements COSO-ERM does not thoroughly address is stakeholder consultation in risk management. Sure, there is the required communication capping stone on top of the COSO pyramid, but the activities described therein fail to adequately address the needs and complexity of interacting with your stakeholders on a regular basis in the context of risk management.
ISO 31000, born out of the ISO practices of frequent consultations, does not fail to address it. Consultation is a part of the quality cycles. Inspired by AS/NZS 4360, it gives consultation and communication a key position in the entire process. Just look at this visualization.

But how would you go about consulting your stakeholders in the risk management process? And more importantly, what can they contribute to your risk management?

Stakeholders as sources for the unknown unknowns

As Donald Rumsfeld put it, the most challenging elements in any situation are the so-called unknown unknowns. The problems we aren’t even aware we have. The exposures we don’t know exist. It was an unknown unknown that made Challenger explode, that sank the Titanic … And it’s likely to be an unknown unknown which will result in you failing to reach your objectives. More on that in another post.
However, stakeholders are great sources for unknown unknowns. Because they look at our activities, operations, actions from a different vantage point, because they come to the table with different objectives, they often see issues where we see none.

Any organization which fails to recognize that it needs to comply with or at least listen to and validate concerns of an important stakeholder, fails to understand that this stakeholder, through his actions or inactions, can revoke its license to operate, killing any chance of the organization reaching its objectives. For those familiar with history, the initial “hearts and minds” strategy the United States followed in Vietnam was a recognition of this essential element. Without support from the villages and villagers, the conflict was bound to go against the US. The abandonment of this strategy influenced the outcome, as there was no longer an implicit license to operate. (The matter is more complex, but this was an important contributing factor.)

Gathering the information

Gathering the information is as simple as asking the question. Asking the question is however not the challenge. What is the challenge is creating an initial environment of trust where stakeholders do not feel exploited or used for the greater good of the organization which may adversely affect their lives. So you will need to establish real trust. And establishing real trust takes time. You cannot buy that trust, you need to earn it. Which basically means that you can throw any ideas of window dressing out of the, well, window.
I believe that an important step to building real trust can be achieved by transparent information sharing. Communication needs to precede consultation, as it builds rapport and it shows the intent to share. You want the information, you need to initiate, you need to cross the bridge first.
What I would not share upfront is the risk analysis conducted inside of the organization. Not because you don’t want to share that information, but rather to avoid influencing the risks identified by the stakeholders. After all, just like you, they can be influenced in their view on the subject matter. Better to get their information without prior contamination.

First open, then closed questions

The stakeholder risk identification needs to be as broad as possible. Remember, we’re mainly looking for the unknown unknowns.
I would start off with interviews which aim to identify their objectives with respect to the organization (remember, no risks without objectives) and the threats they see to these objectives, as well as the current confidence they have in the organization’s ability to deal with these issues and achieve the objectives.
A number of risks will likely be similar. Another set of risks will be new. As in a traditional ISO 31000 approach, you need to not only identify, but analyze and then assess these newly identified risks. During the first or if necessary a second open interview, each of the risks needs to be revisited for further clarification. We try to ensure we clearly understand how the stakeholder perceives the risk. In a second or third interview, or by means of an online voting approach, the risks are then evaluated (current level of risk management, probability of occurrence, consequences).

Visualization, interpretation and treatment

As to visualization, a good visual representation of an analysis, if it is done in an objective manner, provides a good basis for discussion. I would use different colors to look at different scoring of the same risk. This will take some time to develop (although you could probably automate it) but discussing a clean visualization brings a lot more to the conversation than a cluttered whole.

First, you are likely to find risks whose score can be compared to the scoring by the organization. This can be interpreted as a validation of the internal risk assessment.
Second, you will find risks which were not identified in the internal assessment. These risks need to be reassessed by those responsible internally. If they turn out to be considered to be a real risk, they need to be included in the risk assessment (risk update) and treated.
Third, in case their scores are significantly different from the internal assessments, there is at least an interpretation difference, which needs to be managed.

Let’s imagine for a minute a situation in which the organization fails to deal with a risk it considers minor, but the stakeholder considers very important. If the stakeholder is not adequately recognized in his concerns and no time is invested in explaining why the risk treatment is done the way it is, this may lead to stakeholder protests and eventually the revocation of the license to operate.

Throughout the entire risk analysis there needs to be a continuous communication with the relevant stakeholders. Failing to do this properly may create the most significant threat to the achievement of organizational objectives ever.