Archive for December, 2011

Published by Todd Davies on 23 Dec 2011

End of year wrap

2011 was an amazing year for us and for our clients as we helped them get the most out of their risk and assurance functions.

We gave advice to leading companies on their governance practices. We helped them make the case for an approach to integrated assurance. We saw through a category strategy for internal audit services for a major listed company which ultimately led to one of the world’s largest tenders for internal audit services. We spent time with executive teams scanning for material business risks and the elusive black swans. We helped a leading company transition to an in-house internal audit team. We advised on audit, risk, self assessment and issues tracking software. We gave advice on how to structure audit & risk functions. We went through a full year’s cycle with five audit & risk committees.

It was an amazing year for the TDA team. Ralph Crook, Timothy Ong, James Quick, Matthew Ralph, Anthony Holland and Marissa Zamora joined the team at our offices in Kent Street in Sydney. We worked with amazing people from our expert panel – Tim Leech, Michael Rasmussen, Michael Fogel, Larry Quick as well as the teams from Emergination and Emergent Form. Our pool of alliance partners continues to grow.

And while doing all of this we managed to continue to give back professionally with a regular column and cover stories in Risk Management Magazine, on the editorial panels of Risk Management Today and IIA Australia’s Technical Newsletter, as well as giving talks with Telesis, Lexis Nexis, and squeezing in the occasional blog for good measure on our website and also with the Institute of Internal Auditors’ global flagship publication.

With a solid team now in place in Sydney and our Melbourne-based work continuing to grow, Todd and family will be moving to Melbourne early in 2012. He will continue to service our clients nationally with particular focus on Sydney and Melbourne.

2012 will also see a new website and expanded thought leadership publications and media available for our clients and subscribers.

We’re proud to be associated with some amazing people – our clients, associates, staff, suppliers, supporters and followers.

On behalf of the entire TDA team, we give our deepest thanks for your support during 2011 and look forward to working closely with you next year.

We wish you and your families a safe and happy festive season.

Festive greetings,

Todd, Sue, Dominic, Ralph, Tim, Matt, Anthony, Marissa and the extended TDA team

Published by Todd Davies on 23 Dec 2011

GRC – The Great Risk Con revisited

“Use caution with Forrester Waves and Gartner Magic Quadrants.” Leading GRC Analyst.

In 2008 I wrote a piece for Risk Management Magazine called GRC – The Great Risk Con.

Much to the chagrin of many readers, my article went on to make a number of inflammatory comments ranging from an inference which suggested that anyone who uses the GRC term doesn’t know what they’re talking about, through to GRC being a term created by the major IT players in order to create and capture a new market segment.

I painted the term as unhelpful and mischievous and in the process I’m pleased to say that this caused great debate in this magazine.

Three years later, little has changed. The GRC software market remains immature. Like other immature markets it’s characterised by small and medium-sized IT vendors rapidly acquiring each other while the major players wait for this to settle down so they can pick the winners and buy them. The Great Risk Con has become the Great Risk Consolidation. It’s been this way for years.

My main contention with the GRC category is it lumps things together which don’t necessarily belong together. Risk assessment with compliance; issue tracking with audit work papers; continuous control monitoring with continuous transaction monitoring, with audit work papers, e-rooms and collaboration tools, CAATs 2.0, knowledge management, control self-assessment and anything else you can think of thrown in for good measure.

The lines have been blurred, and the research analysts seem to like the tools that do a bit of everything. Good for them.

The reality is there is no one size fits all solution. The field is too dispersed and the segment is still characterised by a number of niche players who are good at what they do.

One leading GRC analyst estimates that there are over 400 GRC vendors, spanning 19 categories. And this is before considering our local batch from Australia, many of which are quite good. He concludes that in most cases it is more important to ensure your specific needs are met rather than trying to boil the ocean or buy a one-size-fits-all fully integrated solution.

At this stage we’d concur. The market is still immature. There still is innovation happening, some new niches being created and some interesting developments being made. This is why the user bases are still fragmented. It’s why systems are still being bought and junked regularly. It also explains why so many systems continue to be built in-house.

When embarking on a decision to buy, replace, build or configure, time spent up-front on being really clear on your user needs and requirements and nailing those in the first instance is the key to getting this right.

For now, best of breed trumps best in class. I suspect it will be this way for many years.

Todd Davies & Associates assists organisations with GRC systems strategy, design and selection. This article first appeared in the final edition for 2011 of Risk Management Magazine.

Published by Todd Davies on 06 Dec 2011

2012 Prophecy – The death of that great ponzi scheme — the industrial age

2012 is a year which comes up in a range of mythology as a period of great change. It seems everyone from the Mayans to the Mesoamericans and even Vishnu herself alludes to a period of transition and renewal.

Given my comments on black swans in the 2010 Christmas edition of this bulletin, I figured I’d better make a prophecy of my own about 2012 before it arrives. So here it is.

I hereby pronounce 2012 as the death of the industrial age.

Let’s face it, it’s time to recognise that the industrial age was the greatest ponzi scheme of all time.

It was an age where resources and growth were abundant and limitless. It was an age powered by fossil fuels, which helped us tap into the earth’s natural capital.

It was an amazing era, where average human beings could do things which the gods themselves would have been amazed by. We could eat strawberries in winter. We could control the climates of our homes. We could heal the sick and travel from Sydney to Melbourne in just over an hour.

We could do this all by digging up old dinosaur remains and converting them into fuel. These are all nifty tricks. The gods, magicians and alchemists would have all been impressed.

Of course, all good things come to an end, and we are now hitting natural limits.

In the early industrial days the planet could heal itself quicker than we could damage it, and damage was localised rather than systemic.

This is no longer the case.

In 2012, the world’s population will be seven billion and climbing.

Peak oil will have arrived.

Ocean, ecosystem and atmospheric governance are fractured and ineffective. By a series of measures, we currently need 1.4 planet earths to sustain us all. And that’s before economic growth or the industrialisation of developing countries is factored in.

All good ponzi schemes pay great dividends to those who get in early. It’s a pea and thimble trick which distributes future capital within that system and pretends it is income.

And this is what the industrial age was. Economic growth was driven by consumption of the planet’s resources and our reserves of natural capital, consuming capital faster than it could be replenished. Clearly, this can’t go on and the myriad of emerging risks is enormous.

Converting risk into opportunity

Having said that, I never met a risk that wasn’t someone else’s opportunity. The trick will be getting in early enough to make those opportunities yours.

There are many weak and strong signals on what the post-industrial era will look like, and there’s still time to get on the ground floor.

I like the idea of renewal. It sounds so much better than change or Armageddon. I look forward to joining you for a bit of renewal in 2012.

This article first appeared in the December 2011 edition of Risk Management Today.

Published by Todd Davies on 06 Dec 2011

Failing to keep pace with change — the biggest risk of all

If you compare today’s stock exchange list with the same list from 10 years ago, you’ll see some big players missing. Some collapsed. Some lost relevance. Some lost value, and were gobbled up before their market value could be regained.

The single thread in nearly all of these cases is simple — the conditions changed and the organisation failed to keep pace with that change.

When thinking about the most significant business risks facing an organisation, failing to keep pace with change is the biggest. It outstrips anything on your risk register. It is a death sentence waiting to happen.

In some cases the decline will be rapid, but in many cases, without a big intervention it will be slow and painful. Other risks will hurt; they may cause embarrassment, legal recourse, short-term financial loss, or the loss of a few executives, but they probably won’t kill the organisation.

The most recent analysis from the ASX Corporate Governance Council tells us that 95% of the ASX 200 companies believe they have the systems in place for their boards and management to be across their most material business risks.

In reviewing the risk reports from a range of organisations, we see that the most material business risks — the risks arising from external change — are often not explicitly stated or well understood.

In part, this is due to narrow time horizons used in framing their risk assessments. In part, this arises from being unable to distinguish weak from strong signals. In many cases, it’s an inability to think beyond business as usual.

Often, the only way to tackle a strategic risk is to take a big risk and change course. Many organisations shy away from this and, in doing so, will end up on the scrap heap.

While it is risky to change and adapt, not hedging your bets is even riskier.

Ironically, for many organisations, a conservative approach to risk in the short term is likely to be the greatest risk of all.

Three questions you should ask:

  • What could cause our business model to be defunct or unviable?
  • What weak signals do we need to be paying attention to today?
  • What risks are apparent now which could take several years to unfold?

This article first appeared in the December 2011 edition of Risk Management Today. Part two of this article is linked below.

2012 Prophecy – The End of the Industrial Age