Is goal management in a public sector environment relevant?

Just finished a discussion with a friend on whether it's possible to do goal management in a public sector environment. But before we go into that, perhaps I need to define a goal first.

Defining a goal

A goal in a public sector context is, in my book, the object of your efforts, the aim, the desired result. A public organisation strives towards goals which are an operational translation of either the laws and regulations they are bound to uphold or of a strategic intent a minister has defined in a formal or informal set of policy objectives.

Managing goals

Hence, can you manage goals? I don't think so. You define goals at the start of your journey. You may re-evaluate the feasibility of your goals during your journey, when you become more aware of the capabilities of the team aiming to achieve these goals. What you should not do is "manage" these goals.

What management entails

When you are managing something, such as for example a risk, you are "using" your resources to optimize your exposure to risk. You are in effect changing the way in which you behave towards that risk in order to allow you to reach your objectives.

Herein lies the difference: your attitude towards risk changes throughout your journey towards your goals. You adapt your organisation (your people, your processes, your systems) to make sure the organisation reaches these goals.

Goals of a public sector organisation are not dynamic

The goals, on the contrary, are not dynamic. They are clearly defined at the outset. Imagine for a moment that we had the liberty to change goals. Reaching a goal which can be adapted becomes very easy, because you are in charge of what is defined as the goal. Flying to the moon becomes flying around the earth becomes reaching orbit becomes reaching space becomes building a functional prototype of a rocket ...

A concrete and SMART goal should be cast in stone for a public sector organisation. If it is not, it means it was either a bad translation of a law, a regulation or a policy objective or it was not adequately concrete to begin with.

The relevance of the strategic cells

Either way, the lack of specificity means that a lot of public means were lost in the process of making sure the administration is doing the right thing.

This is why the concept of the strategic cells under the Belgian federal Copernicus restructuring were so right: the strategic cells were charged with making sure the administration was doing the right thing. The administration needed to take care it was doing the things it was doing in the best possible way. And the ideal tool for that mission is risk management.

Just managing your risk impacts is rarely a good idea

Risk impact management complements risk exposure management

Managing risk impacts is a common practice among risk practitioners. It is a recognized approach which, if used well, complements actions aimed at reducing the likelihood of occurrence of a risk. What is more disconcerting is finding out that risk impact management is all that is being done to manage risks.

Managing impacts is often easier than predicting occurrences

Quite often, managing impacts is the easier of the approaches. After all, managing the likelihood of occurrence requires us to consider, identify and establish controls related to risk root causes, in order to avoid risk occurrences to the best of our abilities. It truly requires the organisation to develop an in-depth understanding of the underlying dynamics of a risk. Given that risk management is not an easy subject to begin with, an upfront investment in deep risk analysis is quite often a hard sell in a lot of organisations.
To make the comparison to a common household situation: It's far easier to have a band-aid ready than to take the time and educate your kids on the dangers of running around with scissors.

The erroneous assumption of risk impact management

There is, however, an erroneous and potentially quite lethal assumption underlying this relaxed primary focus on risk impact management. That assumption is that the anticipated impact will likely fall within a manageable bracket.

When we are managing the impact of a risk, the implicit assumption is that the management of the risk impact will immediately avoid any knock-on effects. Such an approach assumes you can predict the range of outcomes of the risk event occurrence as well as the speed and depth of knock-on effects with reasonable certainty.

Risks are the consequences of the assumptions we make

By this definition, your reliance on what may be faulty assumptions is inherently risky, and should be managed as well. You should take into account that you need to manage not only the risk you want to manage, but all potential downstream risks as well. Let's examine in a bit more detail why this is relevant.

  1. You may not be able to predict the impact of the event on downstream risks accurately: imagine you are managing the impact of a risk. Unless you can reduce the impact to a low enough level, the risk event may cause downstream, related risks to occur, hence creating a cascading effect. If you have no controls in place for those downstream risks, you may have a significant problem even with your risk impact mitigation controls in place;
  2. You may not be able to predict the onset of the impact accurately: your risk mitigation actions are likely to be slightly delayed. Take a fire, for example. Before the smoke detectors go off, you already have a fire. Even if the fire extinguishers will go off, you will have some damage. This may be less relevant if the damage is to some replaceable asset, but it may be a disaster if for example you are protecting art;
  3. You may not have thought through the entire set of risks impacted downstream: your risk impact mitigation strategy should ideally extend to the risks directly downstream from the risk you are trying to manage. But what if you are not quite sure which risks will be impacted? What if you fail to identify a downstream risk that sets in motion a catastrophic set of events?

Conclusion

Sole reliance on risk impact mitigation activities may create a feeling of security that is not at all warranted. It pays to invest in carefully examining the interrelationships existing between the different risks in your risk universe, how they influence one another as well as the speed with which they can influence each other. In the back of your mind should be what is most mission critical to you, as this is what you would mainly be aiming to protect. Developing risk occurrence mitigation strategies for all risks impacting your mission critical elements is a wise decision for any risk manager.

Conducting a multi-location risk analysis for audit planning purposes in a small audit shop

The baseline

As CAE of a small audit shop in a complex environment, I have to comply with the IIA standards like any other CAE. The performance standard for planning purposes is of course "2010 - Planning", which states that "The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals."

The context

Now, our internal audit department of two people is responsible for an audit universe consisting of a main office, country offices in 18 different countries and about 200 active projects per year, with give or take about 250 million euro in spend in these projects on a yearly basis. These projects are very wide ranging, from building roads to assisting foreign governments in developing strategic plans in certain sectors. As we work mainly in fragile states, the risk profile of our projects is often quite high. This is a significant challenge for planning the slightly more than 400 mandays per year I have available to me.

So we had to come up with an efficient as well as effective way of complying with the IIA standard 2010 and ensuring our assessment was as relevant as possible as well, to make sure our focus is where it should be.

This is what we did ...

Phase I - Open online questionnaire

While my initial intention was to ask both project managers, country responsibles (equivalent to middle management) and headquarters based middle management for their opinion, we quickly determined this was not feasible from a practical point of view. Why? I decided to work with open questions, allowing all participants to voice their opinion on top five risks ahead of them in the coming two years. If we had to integrate all these open questions for more than 200 participants, it would have been too time consuming. In the end, we queried about 50 people in total, using the forms function of Google Docs as our system.

For each of the five most important risks, we asked the participants to evaluate the following three elements:

  • the likelihood of the risk occurring in the next two years
  • the impact the risk would have on the area under their responsibility if it were to occur
  • the current level of risk mitigation based on existing procedures and controls with respect to the risk

We provided only limited guidance on the quantification of these evaluations. The evaluation was done on a qualitative rather than a purely quantitative basis, using statements such as 'very high' or 'very likely' rather than numerical values.

As was to be expected, the results were quite varied. Some respondents looked at risks from a very high level, with a significant focus on external threats, while others approached it from a very detailed position.

Lessons learned from phase I

We learned the following two important lessons from phase I:

  • Although difficult to reconcile, this exercise brought us a lot of different points of view which were highly complementary. This information has become an important input in customizing the risk model which we will be using next year for the risk based audit planning.
  • We shied away from using a comprehensive risk model as the basis for questioning in our initial open online questionnaire. However, in order to involve more people in this initial assessment, we will be using a structured, closed questionnaire next year.

Phase II - Team meetings per department

After processing the information gathered in phase I, we followed up with meetings in which all middle managers were invited to participate. Some of them declined because they had already shared their considerations in the open online questionnaire. Others felt they wanted to further detail their considerations.

In the meetings, we steered the discussion towards the following three elements:

  • We started discussing risks related to processes in their area of responsibility;
  • we then moved to discussing the risks related to people;
  • and finally we discussed systems at their disposal and risks related to these.

Based on these meetings, which we conducted with each of the departments of our organization, we arrived at an enhanced list of 'risks' related to each of the departments.

Lessons learned from phase II

We learned the following important lessons from phase II:

  • We again used an open format. While this is valuable in the context of such meetings, providing the participants with some information on the structure we intended to follow may have focused the discussion more.
  • It remains a trade-off between focusing the group, at the risk of losing essential information on less clearly perceived risks, and letting the group be as broad in its scope and discussion as possible, at the risk of losing focus on some of the key challenges facing them.

Phase III - Delphi analysis within the internal audit department

Based on phase I and II, we now had quite some information on risk exposures of our departments. Now we needed to translate this to a comprehensive, internal audit owned risk analysis.

We developed a spreadsheet in which, for each of the departments and functions in our audit universe, we were to assess independently, as internal audit experts, based on the information gathered, the impact and likelihood of the risk and the perceived current risk management level. With respect to impact, we defined different types of impact, i.e. impact on finances, impact on reputation ...

We compared the results of our independent assessments, focusing mainly on those assessments that were significantly different, looking at the underlying scores we each attributed to the different departments and functions. In a very open exchange, we agreed on a final score for each of the departments and functions.

Lessons learned from phase III

The results were quite nuanced. The independent internal audit risk assessment is but one input in the overall planning, which we will detail in a later post. We will continue to own the final assessment ourselves, as this is required if we want to remain entirely independent and objective.

Overall conclusions

In short, we will be using a more structured approach for the first two phases, in order to both involve more people in the exercise in phase I and provide better guidance for the discussions in phase II. However, the two step approach will remain in force.

Using the information gathered to develop an independent audit centric risk analysis, in which we use a Delphi technique, has proven to work very well. It aligned with the risk profile the external auditors estimated for our organization, which was an additional validation for us.

The advantages of risk and evidence based reengineering

I've expanded on a post I wrote for my old reengineering blog in 2010. Enjoy!

I’ve seen a lot of failed reengineering attempts. There are a lot of reasons why reengineering exercises fail and it’s not the purpose of this blog post to evaluate all possible reasons. What I do want to discuss, briefly, is why evidence based reengineering is a relevant, different and I believe more successful approach.

Reengineering 101

Traditionally, the top line activities in reengineering are executed according to the following pattern:

  1. the assessment of the current, or as-is situation
  2. the establishment of a wanted, future, or to-be situation
  3. the analysis of the differences between what is now and where we want to be, or the gap analysis
  4. the development and execution of an action plan to change the current into the wanted, future situation.

For anyone who has ever looked in awe at a consultant, well, this is pretty much what reengineering experts do. They’ll tell you it’s much more complex than this, but in essence, this is what it really boils down to.

Reengineering failures

Among the reasons why a project potentially goes awry is the very blatant one of starting from the wrong assessment of the as-is.

How is that possible? Lack of validation is likely to be one, but a more likely one is a situation where the findings were validated by the management, but ultimately proved to be wrong anyway, because management did not have all information or was not aware of certain issues. After all, management is not a deity (although behaviorally, this tends to be assumed in some cases) and therefore management can fail.

This is exactly where evidence enters the picture.

What is reengineering evidence and how do you use it?

Evidence is most certainly not interviews, especially not internal interviews. Most as is assessments are based on interviews with management and close collaborators of management. Consultants often assume that this information is complete, accurate, relevant and timely, but often this is anything but. Especially interviews with internal collaborators tend to confirm whatever it is that the collaborator thinks his management thinks or wants to hear.

Now, any auditor can tell you that internal evidence is the weakest of all evidence material, and reengineering interviews confirm this. Therefore, if interviews are the only information source, execute interviews with multiple independent sources with a clear view on the actual situation of the enterprise. Think clients, suppliers … even competition.

Oh, by the way, interviewing competitors to learn better practices under the guise of "research" is a common practice among some of the better known consulting organisations.

Relevant evidence

Better yet, start gathering hard data. Payroll data, other direct and indirect cost data, information from internal systems but also information gathered from banks, other lenders or financiers when it concerns financial information.

Go outside to clients and suppliers. A supplier will tell you if there are payment delays. A client will inform you of quality issues with products or services, of delay in delivery, of issues with execution … former clients are often a source of highly relevant information.

I remember a reengineering project I was involved in a couple of years ago where, in response to a simple request for information on payment terms and reasons for late payment by the specific client, we received an envelope full of evidence on very operational and quality issues. Following up with this third party, we finally understood what management was reluctant to share with us: significant quality control issues after a production line moved to a new location with lower labor cost and more manual interaction in the production process. None of the managers, afraid for the resulting backlash, was willing to share this.

Risk models as a basis for evidence gathering

A good means to structure the work is around risk models. I am a very big fan of risk based reengineering, and using risk models as a basis for reengineering is a good way to approach this exercise. Risk models allow for structuring of potential exposures in an organization, and will result in targeted exercises where the cost of reengineering is balanced as compared to the added benefit it entails.

Why sum formulas better reflect the risk appetite in calculating risk levels

How to determine a risk profile and calculate a level of risk?

Introduction

This is a significant rewrite and a first time write-up in English of an article I published in Dutch in May of 2009. I'm revisiting it because I had an interesting exchange with my ERM class at Solvay Brussels School last week, where we discussed the issues related to risk calculations.

As is always the case in this area of risk management, there will be both proponents of the approach and people contesting it. For me, a large part of the value of these posts is in the discussion that follows. For that, I refer to the ERM group on Linked-In, where I will post a link to this post.

Finally, I understand that the number of readers of a post halves with each formula you put into an article. This may actually mean I will be the only one reading this one to the end.

The controversy

Risk analysis tasks you with "measuring" risks. To date, we most often use qualitative information. There are a couple of reasons for that.

First, quantitative information is most often not readily available in sectors other than banking or insurance. Even if it were available, it can cloud rather than clarify the issue. Look for example at risk management failures in the banking sector over the past years.

So, we start with qualitative information. My implicit assumption here is that definitions of scales are agreed upon with all evaluators and are consistently applied in the evaluations. Everyone evaluating should be very clear about what "high", "medium" or "low" risk actually means.

In some cases, simple scoring along the axes of probability of occurrence and impact on objectives is not enough. Some analysis requires a roll-up from these "traditional" scores for impact and probability of occurrence to a single dimension, which we will refer to here as the "risk level".

Now, most of us, risk management nerds, agree that the risk level is a function of impact and probability. However, the controversy starts right after. Traditional risk management usually uses a product formula to calculate the level of risk:

Level of risk = I(mpact) x P(robability) = I x P

The problem with this approach becomes apparent pretty quickly. Risk related events with a high impact and low probability are scored in a similar manner to risk related events with a low impact and a high probability. The assumption that these events are comparable in "risk level weight" is unfounded. Let me give you a concrete example:

The likely low impact event of a fly hitting your vehicle has an overall lesser level of risk than the luckily unlikely high impact event of a deer hitting your vehicle.

However, traditional risk management will yield the same risk level for an event with P=6/6 and I=1/6 as for an event with P=1/6 and I=6/6. Both are valued at 6.

See the problem? Right. Now, what can we do about it?

Alternatives to the product formula

Using a sum formula rather than a product formula allows us to attach a numeric weight to the dimensions impact on objectives (which we'll call impact or I) and probability of occurrence within a certain time frame (which I will refer to as probability or P). This weight is a function of the relative importance of impact and probability to the organisation where we are performing the risk analysis.

How does that work? Well, depending on your risk appetite as an organisation, you can give more weight to one dimension over another, which allows you to tweak the risk analysis to the risk profile of your organisation. This is where product formulas fall short. They cannot be used to integrate this aspect:

W x (I x P) = (W x I) x P. However, W x (I+P) does NOT equal (W x I) + P

You could rightly remark that weighting in the product formula can be realised when applying exponential values to the dimensions. However, it's exactly that exponential nature that will quickly reduce the relevance and weight of the non-weighted dimension to virtually nothing as compared to the weighted dimension. Hence, it makes little sense to take the non-weighted parameter into account. But as it is valued, we do need to take into account the scores that have been attributed to that dimension for the different risks evaluated.

In short, applying a sum formula to calculate the risk level ensures a more transparent calculation which allows the management to better reflect their risk appetite … provided the dimensions are weighted in a manner that reflects the risk appetite of the organisation.

But what do these weights mean?

Weights are applied to a dimension to give that dimension more importance in the calculation of the risk level of the specific risk. If the risk appetite calls for the avoidance of high impact events, impact will be weighted heavier than probability. If we want to reduce the probability of event occurrence, we will put more weight on probability.

There is some, but not a perfect, correlation between impact preferences and organisations with a preference for proactively managing the consequences of risks and probability preferences and organisations with a preference for proactively managing the sources of risks. That however is the subject of another blog post.

If we let W be the weight factor, we can distinguish three different profiles, which depending on the value of W can be more or less extreme.

impact oriented profile

This profile weighs impact as more important than probability of occurrence. This organisation will prefer to work on high impact risks with less attention given to the probability factor. Coverage of frequently occurring, low impact risks, such as clerical errors, is less important.

The risk level calculation is RL = ((W x I) + P) / (W + 1)

probability oriented profile

This profile weighs probability of occurrence as more important than impact. The organisation wants to avoid the frequently occurring risks, but sacrifices coverage of high impact, lower probability risks.

The risk level calculation is RL = (I + (W x P)) / (W + 1)

indifferent profile

This profile does not weight probability or impact. Risks with high impact and low probability are treated in the same manner as risks with low impact and high probability.

The risk level calculation is RL = (I + P) / 2

Who gets to determine these weights?

Well, management does. It's their responsibility to determine weights as these represent the risk profile of the organisation. They need to translate the mission and vision into a strategy which is supported by a risk profile. That decision is theirs and theirs alone.

An example

Let's assume we have two situations for which the impact and probability of occurrence have been established. Let's further assume that the impact score for the first situation equals the probability score for the second, and the probability score for the first situation equals the impact score for the second. The traditional calculations using the product formulas will of course show these risks to be at an equal risk level to one another.

Let's further assume that the weighting factor applied will be W = 2. In essence, the parameter it will be applied to will be considered twice as important as the other parameter. In this case, we chose an environment which values impact more than probability of occurrence, as expressed by a factor of 2.

Let's finally assume that the evaluation of each dimension is done on a five point scale and that the final risk level score needs to be normalised to a five point scale.

  • Situation 1 is a collusion between a responsible and a supplier to perpetrate a fraud damaging the organisation.
  • Situation 2 is a clerical error in the administrative registration of a demand for a service of that same organisation.

We first perform the calculations to get a non-normalised result, which then needs to be brought back to a score on an axis from 1 to 5 by normalising to a five point scale.

Evaluation of situation 1

The weighted product formula yields: (2 x I) x P = (2 x 5) x 1 = 10

The non-weighted product formula yields: I x P = 5 x 1 = 5

The weighted sum formula yields: (2 x I) + P = (2 x 5) + 1 = 11

The non-weighted sum formula yields: I + P = 5 + 1 = 6

Evaluation of situation 2

The weighted product formula yields: (2 x I) x P = (2 x 1) x 5 = 10

The non-weighted product formula yields: I x P = 1 x 5 = 5

The weighted sum formula yields: (2 x I) + P = (2 x 1) + 5 = 7

The non-weighted sum formula yields: I + P = 1 + 5 = 6

Normalisation

As all risk scores need to be brought back to a five point scale, we need to perform a "normalisation", which is just a fancy way of saying we are bringing the score back to a reference scale. Depending on the formula used, the normalization calculation is different.

For the product formula, we divide by the maximum possible score (normalisation to 1) which we then multiply by the maximum value on the scale, in this case 5. This leads to:

2 x Imax x Pmax / 5 = 2 x 5 x 5 / 5 = 50 / 5 = 10

In other words, the normalized risk level for situation 1 becomes:

  • for the weighted calculation: 10 / 10 = 1
  • for the non-weighted calculation: 5 / 10 = 0.5

The normalized risk level for situation 2 becomes:

  • for the weighted calculation: 10 / 10 = 1
  • for the non-weighted calculation: 5 / 10 = 0.5

For the sum formula, we divide by (W + 1), where W is the weight given to the dominant dimension. This yields the following normalized results for situation 1:

  • for the weighted calculation: 11 / 3 = 3.66
  • for the non-weighted calculation: 6 / 3 = 2

For situation 2, this becomes:

  • for the weighted calculation: 7 / 3 = 2.33
  • for the non-weighted calculation: 6 / 3 = 2

In other words, where the product formula fails to distinguish the two very different risk events, the sum formula distinguishes the risk events and considers the risk with the higher impact as of a higher priority.

The example demonstrates that the sum formula better answers the needs of management to reflect its risk appetite in the calculated risk level of individual risks.
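The calculation above, carried through in code as an added example that is not part of the original post: it implements the product formula and the three sum-formula profiles as defined in this post, normalises every result to the same five point scale, and applies them to the two constructed situations (W = 2, impact oriented). For the product formula it follows the stated procedure literally (divide by the maximum possible score, multiply by the scale maximum), which makes visible that the weight W cancels out of a product and can never change a ranking; the `Risk` class, `rank` helper and function names are my own.

```python
"""Product vs. weighted-sum risk level calculation, normalised to a 5-point scale."""
from dataclasses import dataclass
from typing import Literal

SCALE_MAX = 5  # both I (impact) and P (probability) are scored 1..5

Profile = Literal["impact", "probability", "indifferent"]


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int       # I, 1..SCALE_MAX
    probability: int  # P, 1..SCALE_MAX

    def __post_init__(self) -> None:
        for value in (self.impact, self.probability):
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"scores must lie in 1..{SCALE_MAX}, got {value}")


def product_level(risk: Risk, weight: float = 1.0) -> float:
    """Traditional formula RL = (W x I) x P, normalised by dividing by the
    maximum possible score and multiplying by the scale maximum.
    Because W multiplies the whole product, it cancels out: the normalised
    value is the same for every W, so the weight cannot express appetite."""
    raw = (weight * risk.impact) * risk.probability
    max_raw = (weight * SCALE_MAX) * SCALE_MAX
    return raw / max_raw * SCALE_MAX


def sum_level(risk: Risk, weight: float = 1.0, profile: Profile = "indifferent") -> float:
    """Sum formulas from the post:
       impact oriented:      RL = ((W x I) + P) / (W + 1)
       probability oriented: RL = (I + (W x P)) / (W + 1)
       indifferent:          RL = (I + P) / 2
    Dividing by (W + 1) already places the result on the 1..SCALE_MAX axis."""
    if profile == "impact":
        return (weight * risk.impact + risk.probability) / (weight + 1)
    if profile == "probability":
        return (risk.impact + weight * risk.probability) / (weight + 1)
    return (risk.impact + risk.probability) / 2


def rank(risks, level_fn, **kwargs):
    """Order risks by descending risk level; ties keep their input order."""
    return sorted(risks, key=lambda r: level_fn(r, **kwargs), reverse=True)


# Constructed inputs mirroring the post's two situations: I and P are swapped.
SITUATION_1 = Risk("collusion fraud (responsible + supplier)", impact=5, probability=1)
SITUATION_2 = Risk("clerical error in service registration", impact=1, probability=5)


def compare(weight: float = 2.0) -> dict:
    """Return the normalised level of both situations under each formula."""
    out = {}
    for risk in (SITUATION_1, SITUATION_2):
        out[risk.name] = {
            "product_weighted": round(product_level(risk, weight), 2),
            "product_plain": round(product_level(risk), 2),
            "sum_impact_weighted": round(sum_level(risk, weight, "impact"), 2),
            "sum_probability_weighted": round(sum_level(risk, weight, "probability"), 2),
            "sum_indifferent": round(sum_level(risk), 2),
        }
    return out


if __name__ == "__main__":
    for name, levels in compare().items():
        print(name)
        for formula, value in levels.items():
            print(f"  {formula:26s} {value}")
    top = rank([SITUATION_2, SITUATION_1], sum_level, weight=2.0, profile="impact")[0]
    print("highest priority under the impact oriented profile:", top.name)
```

Switching the profile to "probability" with the same W = 2 inverts the ranking, which is the point of letting management choose the weights.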

Reducing the effort of risk based internal audit planning

Risk based internal audit planning

The IIA's standards require us to prepare a risk based internal audit planning. However, if risk assessment and management is not (yet) embedded in your organization, it requires a concerted effort from the auditees to provide you with the relevant information. Given this is not necessarily a priority to them, are there more efficient ways to gather more relevant information you need for risk based planning without overburdening your auditees?

Defining the auditable space

In the end, our assurance role as internal auditor is to provide assurances to the audit committee, the board and management. We developed the risk control matrix to properly segregate the responsibilities of management and the responsibilities of internal audit:

  • internal audit is responsible for providing assurance in the high risk areas where management considers the risk management measures to be adequate;
  • internal audit is responsible for assessing the relevance, appropriateness and effectiveness of measures in the low risk areas where management may have provided too many risk management measures;
  • management is responsible for developing action plans for high risk areas where risk management measures are considered inadequate;
  • management is responsible for monitoring issues in low risk areas where risk management measures are low, to ensure timely identification and management of emerging risks.

The risk control matrix is a good concept, but how do we ensure completeness of identification of all elements that need to be included in the matrix? In talking with both the current and the ad-interim head of internal audit at the Belgian federal government service Mobility & Transportation, we came up with the following ideas.

Identifying risks related to action plans

Action plans are developed when management deems specific risk management measures inadequate. Action plans are prioritized, ideally as a function of the risks they aim to cover. Hence, the identification of risks in quadrant I comes down to the identification of which risks the current action plans aim to cover. A good approach would therefore be to either ask management which risks they aim to cover with a specific action plan, or to read the action plan and identify the risk, which should at least be referred to in that action plan.

I am aware completeness of identification is not assured if the budgets are not adequate to fund all required action plans. I would at least expect management to have developed a list of future actions to be taken, which can be traced back to the risk we need to identify.

The assurance function of internal audit in this risk control matrix quadrant is limited. We can assess the relevance and adequacy of action plans, however, given it is the discretion of management to manage the business, and given they know there are issues, our assurance contribution would be limited. We can act in an advisory capacity, as long as this does not influence our independence and objectivity now and in the future.

Risk Control matrix

Identifying risk related to measures deemed adequate by management

Quadrants II and III of the risk control matrix are where the core assurance function of internal audit is situated. Again the question arises how we can best (as completely as possible, with minimal disruption of day-to-day activities) identify the relevant risks. A suggested solution to bring the questioning out of the theoretical realm of risk to the level of day-to-day operations is to ask management to provide us with a list of risk management measures they deem adequate. The measures need to be linked to processes (elements of the audit universe) in order to allow for development of risk based, process related audit programs. We would identify risk by asking management to explain why they have taken these measures. The why is often the relevant response to which risk a control aims at covering.

Our assurance function then needs to focus on both assessing the adequacy of the risk management measure as it relates to the risk as well as the completeness of risk coverage. But how can we be sure that all relevant risks under the responsibility of the different members of management have been appropriately identified, assessed and covered?

Closing the risk gap

Based on the above, we now know which risks management covers with its action plans. These are reactions to risks they consider inadequately covered. We also know which risks they consider relevant and adequately covered, as they offer these to us for auditing. But what about the risks not identified?

Here, we need to revert to the risk identification model, not as a full-blown identification tool, but rather as a trigger list. A trigger list is a list which a manager reviews on a regular basis to jog his memory on exposures known but not formally identified. If, by going through the risk trigger list, a manager discovers a risk not formally identified in the prior assessment, there are a couple of possible outcomes:

  1. The risk is known, managed, but not formally identified. This is an issue linked to formalization which does not necessarily lead to a specific exposure.
  2. The risk is known, not formally identified and not managed. This could indicate an exposure to be managed. Risk severity will impact the urgency.

Conclusion

Rather than having management and their collaborators go through a theoretical exercise each year, we can use information generated by them in the course of their day-to-day activities as a good basis for risk identification and prioritization. This would allow us to reduce the effort required from management in risk identification as well as reducing the effort we need to put in risk assessment for audit purposes.

This approach does not allow for identification of the so-called Black Swans. I am a taker for any good solution that would not influence the efficiency of my audit planning process.

Working with inherent and residual risk

The internal audit perspective

To an internal auditor, a risk analysis is relevant because it provides information on the priorities within an audit universe. The auditor will look at all he has the right to audit (the audit universe) and ask himself where his task, providing assurance, is best executed. You need to think this through: it's not in the areas where management knows they have issues. If he audits there, he will get in the way and management will respond with a resounding "So what, we knew that already", hence no added value through reasonable assurance. What the auditor should focus on are those areas where the risk is high but, according to management, appropriately mitigated. A residual risk overview will do him no good, because management will score adequately mitigated risk as a low residual risk. There it gets confused with non-essential risks or risks with a naturally low residual value. So, the internal auditor wants an inherent risk overview.

The risk management perspective

Residual risk is very relevant for the risk manager. He needs to focus on what remains to be managed. His area of attention is not (necessarily) the inherent risks. He wants and needs to take into account what has already been done, otherwise he will be focusing his attention on those issues already under control, which is not an economic use of time and means.

How to combine both needs?

People in the organization are not willing to spend the significant amount of time a risk assessment exercise takes twice over, once for the risk manager, once for the internal auditor. Both need the information, also because it is required by the applicable standards, such as the IIA standards on internal auditing. Can we create an assessment which answers the questions of both the risk manager and the internal auditor? I believe it's possible, but in order to better explain I first need to clarify the traditional definitions of residual and inherent risk.

What is residual risk?

Residual risk is most often defined as the risk that remains in an organization taking into account all mitigating actions that have been taken - within budget constraints - in order to optimally manage the risk. It consists of a number of composing factors. Like any risk definition, residual risk is defined as a function of the factor impact and the factor likelihood.

These are well known concepts. But, let’s focus a bit on them.

Impact is a rather generic notion. Impact on what? I often define impact relative to the mission, vision, objectives and goals an organization has. In case an event impacts an organization in a way that hinders the organization in achieving its objectives, the risk of that event is a significant risk, and needs to be taken into account in a risk management exercise. Impact is also relative to the organization. The organization defines its objectives, and a risk will be more or less significant depending on the influence it has on the objectives and the importance of those objectives for the entire organization.

Let’s look at likelihood for a moment. I often read that likelihood is a function of how likely it is a risk will occur. But the problem is that that definition does not truly define likelihood. You just use other words to say the same thing. What influences likelihood? I follow Bill Sewall when he states that likelihood is a function of two other aspects. I call these vulnerability and (situational) exposure (Sewall uses vulnerability and threat). Let’s make that more concrete.

Defining vulnerability

In any situation, your organization, your department, your process or you, yourself, can be vulnerable. If the risk would occur, there will be damage. Vulnerability reflects how significant that damage would be. Sitting under a tree during a thunderstorm: very vulnerable. The point is that, while sitting under a tree is indeed very dangerous, that kind of vulnerability only gains relevance during a thunderstorm. The vulnerability itself is there all the time: you are human, lightning can hurt you. But lightning can only hurt you if you expose yourself to a situation where lightning is present.

About situational exposure

Hence, the situational exposure is important as well. Let’s take another example. Imagine you are driving a car while blindfolded. Not necessarily a good idea, because you can hit something. You are vulnerable. However, if the situation is such that you are driving a car blindfolded in the middle of a salt flat with kilometers and kilometers of space on all sides, you are less exposed than if you were to be doing this in the middle of a densely wooded area or a city.

Likelihood of occurrence is therefore not only a function of the inherent vulnerability but also of the exposure, which depends on the situation. When assessing likelihood, you need to assess both vulnerability as well as exposure.

Inherent risk

But what then is inherent risk? Let’s reverse traditional definitions and look at it starting from the definition of residual risk. Residual risk is a function of the vulnerability, the situation and the impact of the risk. Now imagine that if the risk event would occur, no mitigating factors would be in place. What would that mean for the definition? In essence, the vulnerability would be total. The impact would be there under all conditions, without the mitigating effect of a reduced vulnerability.

To illustrate: a car drives through a pitted landscape. Some cars have been built to be less vulnerable to the shocks and jolts of the holes in the ground. Their residual risk is lower than that of other cars, which still provide some mitigation by means of their shock absorbers. However, in the extreme case there is nothing, just an engine, a chassis and wheels. The first pit you encounter will be the last, and the impact will be total.

Inherent risk can be defined as a function of exposure and impact, not taking into account the aspect of vulnerability.

Relevant risk questions

What then are the relevant questions that should be asked during a risk assessment to provide both internal audit and the risk manager with relevant input? I distinguish four different questions.

  1. How vulnerable are you now to a certain risk? (Factor A) Considering the risk would occur, how vulnerable are you, here and now, to this risk? In an extreme situation, you are entirely exposed to a risk. If it occurs, the full impact will be felt. At this point, the inherent risk equals the residual risk. At the other end of the spectrum is a situation where you are completely covered. You are untouchable, invulnerable, you have almost Superman-like protection.
  2. How exposed are you (here and now)? (Factor B) The second question assesses the situation in which you, the process, the department or the organization as a whole is with respect to this risk. How often do risk events happen, here and now? It's the question assessing whether or not you are in dangerous territory. Not knowing how to swim is a vulnerability, but if you are not exposed to water, you need not break a sweat. If you are in the middle of the ocean in a small boat, that is a very different story. The answer can be highly exposed on the one end and not or barely exposed on the other.
  3. How much effort do you put in mitigation? (Factor C) This is an essential question for risk management. It queries the investment to date in the mitigation of a specific risk. Imagine you are still driving the car, blindfolded, in the middle of the woods. As a mitigating strategy, the organization decided to let you be assisted by an - also blindfolded, of course - psychic. They have found the most expensive psychic in the world, with the best reputation ever. They throw everything but the proverbial kitchen sink at it. They put a lot of effort in the mitigation. Likely, it will not really work, and the effort will not have yielded the desired effects. For a risk manager, this is an indication to start doing something different. The scale can range from a high level of effort to no effort at all.
  4. If the risk occurs and mitigation fails, what will be the impact? (Factor D) What happens when disaster strikes? What happens when all defenses are breached? What if all controls, all systems fail? What will be the worst possible outcome? This is the final question asked. The answer can be catastrophic, or may be - at the other side of the spectrum - immaterial.

The question NOT to ask: How effective is your mitigation? (Factor A’)

Mitigation effectiveness is a relevant question from the point of view of internal audit. I call it factor A’, or A inverse, because it is the exact inverse of factor A. Vulnerability is a function of mitigation effectiveness. We can use the inverse of vulnerability as an indicator of the effectiveness of the risk mitigators. A low to non-existent vulnerability matches a high mitigation effectiveness, whereas a high degree of vulnerability indicates a low level of mitigation effectiveness.

Using matrices

The question then remains: based on these four questions and five parameters, of which one is a derived parameter, which matrices can be generated?

  • Residual Risk Effort matrix (Risk Management) - From a risk management point of view, we have all required information to generate a residual risk effort matrix, the matrix used by risk managers to focus their activities on mitigating the risk areas with the highest exposures. On the vertical axis, we show the residual risk level. This residual risk level is a function of vulnerability, exposure and impact, or factors A, B and D. On the horizontal axis we show effort, factor C.
  • Inherent Risk Control matrix (Internal Audit) - The information gathered also allows us to present an inherent risk control matrix, such as the ones used for internal auditing. On the vertical axis, we show the level of inherent risk. We calculate this based on exposure and impact, again assuming the vulnerability is total (i.e. there are no mitigations). For this, we use factors B and D. On the horizontal axis, we show the level of current risk management, which can be presented by the mitigation effectiveness, or factor A' or A inverse.
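As an added worked example (my own illustration, not the author's tool), here are the four factors scored and folded into both matrices, assuming 1-5 scales, a multiplicative likelihood-times-impact rule, a mid-scale high/low cut-off and a constructed sample register:

```python
"""Scoring the four questions (factors A..D) into the two matrices above.
Added example, not the author's tool: the 1-5 scales, the multiplicative
combination rule, the high/low cut-off and the sample register are assumed."""
from dataclasses import dataclass

SCALE_MAX = 5  # assumed: every factor is scored from 1 (low) to 5 (high)

@dataclass(frozen=True)
class RiskScore:
    name: str
    vulnerability: int  # factor A: how vulnerable are you now?
    exposure: int       # factor B: how exposed are you, here and now?
    effort: int         # factor C: how much effort goes into mitigation?
    impact: int         # factor D: impact if the risk occurs and mitigation fails

    def __post_init__(self):
        for f in (self.vulnerability, self.exposure, self.effort, self.impact):
            if not 1 <= f <= SCALE_MAX:
                raise ValueError(f"{self.name}: scores must be 1..{SCALE_MAX}")

def mitigation_effectiveness(r):
    """Factor A', the inverse of A: low vulnerability means effective mitigation."""
    return SCALE_MAX + 1 - r.vulnerability

def residual_risk(r):
    """f(A, B, D): likelihood (vulnerability x exposure) times impact."""
    return r.vulnerability * r.exposure * r.impact

def inherent_risk(r):
    """f(B, D): the same formula with vulnerability assumed total (no mitigation)."""
    return SCALE_MAX * r.exposure * r.impact

def level(value, max_value):
    """Assumed cut-off: above half of the scale's maximum counts as high."""
    return "high" if value > max_value / 2 else "low"

def residual_risk_effort_matrix(register):
    """Risk manager's view: cells keyed by (residual risk level, effort level)."""
    cells = {}
    for r in register:
        key = (level(residual_risk(r), SCALE_MAX ** 3), level(r.effort, SCALE_MAX))
        cells.setdefault(key, []).append(r.name)
    return cells

def inherent_risk_control_matrix(register):
    """Internal auditor's view: cells keyed by (inherent risk level, A' level)."""
    cells = {}
    for r in register:
        key = (level(inherent_risk(r), SCALE_MAX ** 3),
               level(mitigation_effectiveness(r), SCALE_MAX))
        cells.setdefault(key, []).append(r.name)
    return cells

# Constructed sample register, reusing the article's blindfolded-driver example.
REGISTER = [
    RiskScore("blindfolded driving in the woods", 5, 5, 5, 5),  # costly psychic, no effect
    RiskScore("payment approval", 1, 4, 3, 5),  # high inherent risk, well mitigated
    RiskScore("office plant watering", 3, 2, 1, 1),
]
```

The ("high", "high") cell of the inherent risk control matrix is where the auditor adds value (high inherent risk that management reports as well mitigated), while the ("high", "high") cell of the residual risk effort matrix is the risk manager's signal to try something different.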

The impact of simplification on residual risk

Red tape increases risks

Red tape is likely to lead to increases in the residual risk profiles of organizations. These organizations are overburdening their external and internal customers with the increasing number of rules and regulations they need to comply with. Contrary to their expectations, this will not lead to more care: the more rules exist, the less care there will be. Less care will reduce the risk awareness of the customer-facing employees, because they too are jumping through the hoops. The reduction in risk awareness will result in a higher residual risk profile because assumptions are neither checked nor questioned and may turn out to be false.

Past relevance of red tape

Introducing red tape in organizations was initially done to ensure that operations ran smoothly. A lot of the operations in larger organizations in the industrial era were 'standardized' to reduce costs. This approach was copied in service organizations and public sector entities as well. This led to productivity increases, which were a good thing from a cost side. However, the more you standardize a process, the more difficult it will be to provide deviations from the standard product. As Ford (presumably) has said: "You can have any color of car, as long as it's black." The choice in the Model T was limited. You had the choice of black, black or black. In addition, people on the work floor were discouraged from showing initiative and thus did not take ownership of the process. This part was also mirrored in different organizations.

Asymmetrical information availability influences risk

A risk profile of an organization is a view on the risks to which an organization is exposed. A risk profile is specific to a company but heavily influenced by the industry in which it operates as well as the overall business environment in which the organization lives. A lot of different elements can influence a risk profile. First, there are risks external to the company. These risks in the organization's environment will influence its risk profile. The organization can do little about these risks, which can include the business environment, demographic evolutions, weather, disasters such as the Deepwater Horizon ... but they will impact it, and may impact it severely. A risk profile also consists of operational risks. These risks occur in the everyday operations of the organization. One of the possible risks which can influence or worsen other risks is red tape. More on that later. Finally, we see decision-making risks. Information out of the external and operational environment is reported to the decision-making levels, which are not necessarily intimately aware of the situation on the ground. They rely on decision information. Any errors in the assembly and presentation of this information can lead to faulty decisions. Therefore, these risks influence the risk profile as well. These risks in turn can be significantly influenced by the red tape risks.

What happens if you leave red tape unchecked?

Imagine a situation in which an organization continues to develop red tape procedures beyond the point of marginal returns, i.e. the point where the procedure stops making sense. Compliance, if reached at all, will be reached with minimal care as the users do not see the relevance or the benefit of the additional requirements. More rules lead to less care.

Now, imagine a situation in which an organization is run based on rules and only rules, with any remarks or dissenting opinion ignored or punished because they are deviant behavior. New hires will very quickly stop caring. This is exactly what is witnessed in this type of organization, often hierarchical organizations. Now, if your collaborators no longer care, they will not be aware of, or will not mention, elements influencing risk profiles. In essence, their risk awareness will be significantly reduced.

And when the risk awareness in an organization reduces, the likelihood that risk exposures are identified, flagged, assessed and managed reduces. What happens is that the real residual risk profile of the organization will become higher. Now, every increase in risk has an associated cost, all other elements remaining equal. So, either the organization accepts the higher cost of the risk management, therefore losing the assumed benefits of red tape increases, or the organization will be exposed to more risk.

The simpler the process, the lesser the risk

Introducing simplification projects which aim to reduce red tape will likely bring terror to the corporate identity. They are not used to these exercises, and they are counter-intuitive to much of what they have learned. However, think about the following: you will introduce more care in the execution of the activities of your organization, which will be appreciated by your customers. The increase in care will lead to an increase in risk awareness, which should lead to a reduction in the residual risk profile of the organization.