Thanks to Lexis Nexis for making my most recent article available from the current issue of Risk Management Today to my clients and readers.

The article reviews the latest benchmarking study from IIA and Protiviti of 160 heads of internal audit from around Australia and draws out three key themes of interest to those charged with oversight of internal audit and risk management.

Key points

• It is now the norm for internal audit to be independent from management. If you are not in line with the IIA’s Policy Agenda, you may be an outlier.  Given that these are simple mechanical mechanisms, we recommend benchmarking your function against these areas and taking action accordingly.
• Internal audit still struggles to demonstrate compliance with professional standards.  Given that these matters are relatively straight forward, organisations should insist that their internal audit functions and outsourced providers comply with the IIA’s International Professional Practices Framework.
• Quite rightly, strategic risk has entered the top 5 priorities for heads of internal audit, however the reality is that capabilities in this area are embryonic at best. Organisations should assess whether have this capability in-house, and if not take steps to develop it, or periodically engage professional assistance to fill this gap. The first step is to understand what strategic risk is, and this article takes some initial steps towards defining this.

Please feel free to download the article and pass it on. (Download, pdf, 3 pages, 113kB)

For more information on this publication can be found here.

Todd

Related links

Strategic risk and emerging risk capability assessment

The good folks at Lexis-Nexis have been kind enough to invite me to be on the editorial panel of their new magazine Risk Management Today, and to have the lead article in the inaugural edition.  They’ve also been kind enough to make this article available free of charge to my clients and readers for a limited time.

The article aims to get beyond the literature and standards, and give insights on some of the key things to look for when assessing the adequacy of an organisation’s risk framework.  It is pitched at those who are not necessarily experts in risk management per se, but rely heavily on an organisation’s risk management framework.

Key points

• Despite organisations making significant investments in risk management, they still fall short in dealing with disruptive change.
• Regulatory changes seem unlikely to get to the heart of what really matters in avoiding significant destruction of shareholder value in the future.
• Seven key areas of risk management areas are discussed that investors, boards and the C-suite should be looking for.

Please feel free to download the article and pass it on.

Download the article (pdf, 3 pages, 86kB)

Also this publication is shaping up to be a very good one, and I’d encourage you to have download the inaugural issue and have a look (free download for a limited time).

Todd

As the developed world pulls itself away from the abyss of the global financial crisis, many around the globe are breathing a sigh of relief. Having dodged a major bullet, organizations are now returning to business as usual. But if the crisis was a wake-up-call for the world, did business leaders and internal auditors pay attention or just hit the snooze alarm? What’s the next “black swan,” or significant unforeseen risk, and what should internal auditors be doing about it?

In this free feature from IIA’s global magazine, Todd summarises several key areas should be on all company watch lists for 2010 and beyond.

http://www.theiia.org/intAuditor/free-feature/2010/february/a-look-ahead-top-risks-for-2010/

This week I was fortunate enough to join with some of the leading minds on governance at a joint meeting of the International Corporate Governance Network (ICGN), World Economic Forum (WEF) and the UN Principles of Responsible Investment (PRI) to discuss a range of issues on where governance needs change in order to avoid another Global Financial Crisis (GFC)… or worse.

The length and extent of debate was extensive ranging from the structure of the financial system, through to regulatory structuring, regulatory arbitrage, global regulatory frameworks, rules vs principles vs supervision and enforcement, Australia’s twin peaks and quadruple peaks model, ESG and a range of other useful debate, as well as the old chestnuts of shareholder input into executive remuneration.

I was encouraged by comments early in the meeting by Jules Muis, former Vice President and Controller of the World Bank saying that there are really only two key issues which need attention – strategic risk and systemic risk, and if we can get accountability for assessing and managing these at different scales, then we will be set for success in the future.

Lindsay Tanner, Federal Minister for Finance explained that conditions had changed and global markets can only be regulated through global coordination, while Anne Simpson, from CalPERS representing one of the largest pension funds in the world told us simply, that “we needed more joined up thinking”, eluding to the need for a wholistic, multi-faceted approach to systems thinking.

Al Gore reminded us that “we often confuse the unprecedented with the unlikely”, and Professor Mervyn King SC reminded us that “companies do not operate in a vacuum.”

Despite this sage counsel that we need an approach which allows us to think properly about strategic and systemic risk, and predict the “unprecedented but increasingly likely”, unfortunately these threads were not actively picked up, perhaps because this is an area which is not yet well understood.

In the area of risk management, boards are concerned about false comfort in risk systems – whereby companies hire a small army of risk experts who go away and implement risk frameworks such as COSO ERM, A/NZS 4360 or ISO 31000, and assure them that everything is okay, that their risk systems are sound, and the board and management can sign off.

The problem of course is that while routine bottom-up approaches to compliance, operational and reporting risk are good at managing the bread and butter of businesses, it’s rarely these areas which cause the material problems. Despite strategic risk and systemic risk now starting to be recognised globally by policy setters as the daddy of them all, people don’t have the capabilities in place to understand what these are, let alone manage them. Intuitively, boards know this.

The result is that a significant proportion of companies which experienced significant value destruction and earnings surprises in the last 18 months came out with the standard rhetoric “no one could have seen this coming”, leading to an inference that either the risk systems are not as we’ve been told (deceptive conduct) or the boards were incompetent (negligence).

I’ve been giving briefings and training on these areas internationally, including in public fora around Australia and the United States in order to help companies govern responsibly. In my mind, strategic and systemic risk are the elephants in the room which are still being overlooked and not understood.

I asserted in a public session at the meeting in front of some of Australia’s leading directors and experts that it might take someone to launch a class action in a move to get traction on this issue. After the session, one of the leading shareholder class action lawyers from New York suggested to me that being his expert witness could be very lucrative in the short term as long as I had no intention of ever being employed again, and perhaps I should stick to helping companies rather than suing them.

In Australia, internal auditors are being asked to give advice to boards on whether their company’s risk management framework is effective, and whether the risk profiles prepared by management give a true and complete picture. The advice I’m giving my clients is that if the organisation doesn’t have good capabilities around strategic and systemic risk, then the answer has got to be no, and therefore their public statements on this issue have to be qualified.

In an effort to raise awareness of strategic risk internationally, I’ve been speaking in public fora around Australia and the United States as well as through the Resilient Futures Network (RFN). The good news is that I’ve been getting traction with industry associations, community groups, pension funds, boards and large companies… and we’re beginning to prove that strategic risk doesn’t have to be difficult as long as you’ve got a good model and a diversity of perspectives (thanks to the RFN for their involvement with that).

If you’re an internal auditor trying to get your head around this, the Institute of Internal Auditors in Australia is running half-day training workshops on this topic nationally, which means you can get your head around this and bank some CPE credits at the same time. If they aren’t running near you, or if you want to run a session in-house, get a group together and The IIA will be happy to organise these.

If you’re a non-executive director and want to find out about the strategic risks which aren’t on your radar and should be, I’d be happy to give you a briefing. Please feel free to watch this primer and get in touch.

Todd

Todd Davies & Associates
Specialists in strategy, governance and step change

Web: www.todddavies.com.au
Email: todd@todddavies.com.au
Tel: +61 (0) 422 000 913

It seems that my piece in the June edition of Risk Management Magazine caused some contraversy, and even drew a letter to the editor from the President of the Risk Management Institution of Australia.  This is all healthy debate as it forces us to assess whether learned approaches are still relevant, or whether we’re just keeping a wary eye on the deckchairs (while forgetting to look out for icebergs).

To see the rebuttal, have a look at page 3 of the July edition of Risk Management Magazine here.  And to see the original article which caused the contraversy, click here for page 3 fo the June edition.  (Now locked down, here’s the web version).

For more information on how strategy, risk, governance and assurance come together, please click here.

Governance Risk and Compliance – The Great Risk Con, Todd Davies, Risk Management Magazine, June 2008

GRC as a term is popping up everywhere. It seems that all companies that used to sell audit software are now “GRC companies”, recruiting firms that used to hire auditors and company secretaries now have a “GRC practice” and GRC conferences are popping up all over the place.

So what is GRC? Is it something new that we need to be across? Or is it the latest bit of marketing spin used by software companies to lure new buyers?

Read the full article on Risk Management Magazine’s website here.

Key points

• GRC is an amalgam of a range of different disciplines and functions which don’t always sit nicely together.
• The term seems to stem from “big software” who are keen to create, consolidate and capture new markets.  It blurs lines and does little to aid understanding of the various segments and providers in this space.
• When selecting GRC software it is important to understand exactly what you want to achieve before looking at GRC solutions.  One size does not yet fit all.
• Compliance is only a subset of risk and governance.  By lumping GR&C together there is an increased chance that compliance will dominate, and that strategic risk will continue to be overlooked
• An alternative construct could be to link risk, governance and assurance together with strategy.  This aligns with the intent of ASX Principle 7 and broader shareholder and stakeholder interests.

Related links

• Navigating the GRC Maze – Understanding GRC Solutions and Software Selection
• SRGA – Strategy, Risk, Governance and Assurance
• Enterprise Governance – bringing strategy, risk, governance and assurance functions together

I’m really pleased to announce that the Resilient Futures website went live today.

Resilient Futures was formed in April 2008 as a result of a number of practitioners in various fields believing that the current thinking in their respective professions was inadequate in dealing with the problems of tomorrow, and that resilience thinking and the concepts underpinning it provide much needed clarity in a rapidly changing interconnected world.

The Resilient Futures partnership consists of a divergent practitioners in strategy, risk, urban planning, leadership development and networked systems.  There is a range of innovative but practial thinking coming out of this one and I encourage you to have a look around, read a few articles, download a whitepaper or two, and subscribe to the RSS feed.

I particularly encourage you to have a look at my recent article Are you being a reckless leader without realising it? which gives a feel for where some of the thinking is heading, or our offering on emerging risk analysis here.

Resilient Futures can be found at www.resilientfutures.org.

There have been several articles recently indicating that agricultural practices are not going to be able to keep up with demand for a range of reasons including climate change, less predictable weather patterns and now the use of crops for fuel instead of as food.  There was an excellent article in this in this week’s Financial Review and this has also been a lead story on the ABC tonight: http://www.abc.net.au/news/stories/2008/01/17/2140619.htm?section=world.

I’ve been working with a client on a business which rejuvenates landscapes and implements sustainable agricultural techniques to dramatically increase the productivity and drought resistance of land.  While it’s gratifying that a lot of the assumptions in his business plan are proving to be highly accurate, it’s alarming also.

If you have an interest in investing in degraded land and seeing it recover and prosper, feel free to get in touch or read more here: http://www.agricominvestments.com.au/.  The concept is an exciting one.

If you are looking for our futurecasting presentation on global trends, please click here.