We gave advice to leading companies on their governance practices. We helped them make the case for an approach to integrated assurance. We saw through a category strategy for internal audit services for a major listed company which ultimately led to one of world’s largest tenders for internal audit services. We spent time with executive teams scanning for material business risks and the elusive black swans. We helped a leading company transition to an in-house internal audit team. We advised on audit, risk, self assessment and issues tracking software. We gave advice on how to structure audit & risk functions. We went through a full year’s cycle with five audit & risk committees.

It was an amazing year for the TDA team. Ralph Crook, Timothy Ong, James Quick, Matthew Ralph, Anthony Holland and Marissa Zamora joined the team at our offices in Kent Street in Sydney. We worked with amazing people from our expert panel – Tim Leech, Michael Rasmussen, Michael Fogel, Larry Quick as well as the teams from Emergination and Emergent Form. Our pool of alliance partners continues to grow.

And while doing all of this we managed to continue to give back professionally with a regular column and cover stories in Risk Management Magazine, on the editorial panels of Risk Management Today and IIA Australia’s Technical Newsletter, as well as giving talks with Telesis, Lexis Nexis, and squeezing in the occasional blog for good measure on our website and also with the Institute of Internal Auditor’s global flagship publication.

With a solid team now in place in Sydney and our Melbourne-based work continuing to grow, Todd and family will be moving to Melbourne early in 2012. He will continue to service our clients nationally with particular focus on Sydney and Melbourne.

2012 will also see a new website and expanded thought leadership publications and media available for our clients and subscribers.

We’re proud to be associated with some amazing people – our clients, associates, staff, suppliers, supporters and followers.

On behalf of the entire TDA team, we give our deepest thanks for your support during 2011 and look forward to working closely with you next year.

We wish you a safe and happy festive season for you and your families.

Festive greetings,

Todd, Sue, Dominic, Ralph, Tim, Matt, Anthony, Marissa and the extended TDA team

To subscribe to this series of occasional articles and case studies, please click here.

In 2008 I wrote a piece for Risk Management Magazine called GRC –TheGreat Risk Con.

Much to the chagrin of many readers, my article went on to make a number of inflammatory comments ranging from an inference which suggested that anyone who uses the GRC term doesn’t know what they’re talking about, through to GRC being a term created by the major IT players in order to create and capture a new market segment.

I painted the term as unhelpful and mischievous and in the process I’m pleased to say that this caused great debate in this magazine.

Three years later, little has changed. The GRC software market remains immature. Like other immature markets it’s characterised by small and medium-sized IT vendors rapidly acquiring each other while the major players wait for this to settle down so they can pick the winners and buy them. The Great Risk Con has become the Great Risk Consolidation. It’s been this way for years.

My main contention with the GRC category is it lumps things together which don’t necessarily belong together. Risk assessment with compliance; issue tracking with audit work papers; continuous control monitoring with continuous transaction monitoring, with audit work papers, e-rooms and collaboration tools, CAATs 2.0, knowledge management, control-self assessment and anything else you can think of thrown in for good measure.

The lines have been blurred, and the research analysts seem to like the tools that do a bit of everything. Good for them.

The reality is there is no one size fits all solution. The field is too dispersed and the segment is still characterised by a number of niche players who are good at what they do.

One leading GRC analyst estimates that there are over 400 GRC vendors, spanning 19 categories. And this is before considering our local batch from Australia, many of which are quite good. He concludes that in most cases it is more important to ensure your specific needs are met rather than trying to boil the ocean or buy a one-size-fits-all fully integrated solution.

At this stage we’d concur. The market is still immature. There still is innovation happening, some new niches being created and some interesting developments being made. This is why the user bases are still fragmented. It’s why systems are still being bought and junked regularly.It also explains why so many systems continue to be built in-house.

When embarking on a decision to buy, replace, build or configure, time spent up-front on being really clear on your user needs and requirements and nailing those in the first instance is the key to getting this right.

For now, best of breed trumps best in class. I suspect it will be this way for many years.

Todd Davies & Associates assists organisations with GRC systems strategy, design and selection.  This article first appeared in the final edition for 2011 of Risk Management Magazine.

To subscribe to this series of occasional articles and case studies, please click here.

Given my comments on black swans in the 2010 Christmas edition of this bulletin, I figured I’d better make a prophecy of my own about 2012 before it arrives. So here it is.

I hereby pronounce 2012 as the death of the industrial age.

Lets face it, it’s time to recognise that the industrial age was the greatest ponzi scheme of all time.

It was an age where resources and growth were abundant and limitless. It was an age powered by fossil fuels, which helped us tap into the earth’s natural capital.

It was an amazing era, where average human beings could do things which the gods themselves would have been amazed by. We could eat strawberries in winter. We could control the climates of our homes. We could heal the sick and travel from Sydney to Melbourne in just over an hour.

We could do this all by digging up old dinosaur remains and converting them into fuel. These are all nifty tricks. The gods, magicians and alchemists would have all been impressed.

Of course, all good things come to an end, and we are now hitting natural limits.

In the early industrial days the planet could heal itself quicker than we could damage it, and damage was localised rather than systemic.

This is no longer the case.

In 2012, the world’s population will be seven billion and climbing.

Peak oil will have arrived.

Ocean, ecosystem and atmospheric governance are fractured and ineffective. By a series of measures, we currently need 1.4 planet earths to sustain us all. And that’s before economic growth or the industrialisation of developing countries if factored in.

All good ponzi schemes pay great dividends to those who get in early. It’s a pea and thimble trick which distributes future capital within that system and pretends it is income.

And this is what the industrial age was. Economic growth was driven by consumption of the planet’s resources and our reserves of natural capital, consuming capital faster than it could be replenished. Clearly, this can’t go on and the myriad of emerging risks is enormous.

Converting risk into opportunity

Having said that, I never met a risk that wasn’t someone else’s opportunity. The trick will be getting in early enough to make those opportunities yours.

There are many weak and strong signals on what the post-industrial era will look like, and there’s still time to get on the ground floor.

I like the idea of renewal. It sounds so much better than change or Armageddon. I look forward to joining you for a bit of renewal in 2012.

This article first appeared in the December 2011 edition of Risk Management Today.

To subscribe to this series of occasional articles and case studies, please click here.

The single thread in nearly all of these cases is simple — the conditions changed and the organisation failed to keep pace with that change.

When thinking about the most significant business risks facing an organisation, failing to keep pace with change is the biggest. It outstrips anything on your risk register. It is a death sentence waiting to happen.
In some cases the decline will be rapid, but in many cases, without a big intervention it will be slow and painful. Other risks will hurt; they may cause embarrassment, legal recourse, short-term financial loss, or the loss of a few executives, but they probably won’t kill the organisation.

The most recent analysis from the ASX Corporate Governance Council tells us that 95% of the ASX 200 companies believe they have the systems in place for their boards and management to be across their most material business risks.

In reviewing the risk reports from of a range of organisations, we see that the most material business risks — the risks arising from external change — are often not explicitly stated or well understood.

In part, this is due to narrow time horizons used in framing their risk assessments. In part, this arises from being unable to distinguish weak from strong signals. In many cases, it’s an inability to think beyond business as usual.

Often, the only way to tackle a strategic risk is to take a big risk and change course. Many organisations shy away from this and, in doing so, will end up on the scrap heap.

While it is risky to change and adapt, not hedging your bets is even riskier.

Ironically, for many organisations, a conservative approach to risk in the short term is likely to be the greatest risk of all.

Three questions you should ask:

• What could cause our business model to be defunct or unviable?
• What weak signals do we need to be paying attention to today?
• What risks are apparent now which could take several years to unfold?

This article first appeared in the December 2011 edition of Risk Management Today.   Part two of this article is linked below.

2012 Prophecy – The End of the Industrial Age

To subscribe to this series of occasional articles and case studies, please click here.

 
Todd Davies asks if a changing environment is a new norm – and explains how risk professionals can cope

Change is happening at a greater scale than ever before. We see it every day. This creates great uncertainty for the organisations that we serve, and should be a boon for us as risk professionals. After all, we’re in the business of managing uncertainty, or at least that’s what ISO 31000 tells us.

But the reality is that most people in the audit, risk and compliance fields aren’t dealing with uncertainties at all. We know that most of the risks that we anticipate are going to happen at some point in some sort of predicable manner. The only thing we don’t know is when or on what scale.

So as we merrily trundle along addressing these known-risks with known methods we add checks and balances. We add layers of approval. We write policies and procedures.

This is all great stuff in a steady-state environment. The only problem is that a steady-state environment isn’t the norm any more. In fact it hasn’t been for some time. Maybe you’ve noticed.

And in a non-steady state environment, the best risk response is the ability to adapt at short notice. This means scaling up capability quickly and dismantling it even faster. It also means the ability to innovate, scale and adapt could become more important sources of competitive advantage than existing assets and infrastructure.A truly frightening idea for most of us.

Heresy you may say. But have a look at the top 50 list from any stock exchange from 20 years ago and compare it to today. You won’t recognise much. A lot of change can happen in a very short time.

So back to today. With all of this change this in mind, does adding checks and balances add agility, or reduce it? How about layers of approval, or layers of policies and procedures? Or are we calcifying our organisations and making them less able to adapt?

Risk management is about allowing for success under multiple scenarios. In everything we do we must remember that steady-state is only one scenario, and possibly an unlikely one at that.

Charles Darwin said ‘It is not the strongest of the species that survive, nor the most interesting, but the ones most responsive to change’.

When we can manage risk by creating greater agility then risk management will stop being part of the problem and start becoming part of the solution.

This article appeared as a cover story in the inaugural web-based version of Risk Management Magazine.

To subscribe to this series of occasional articles and case studies, please click here.

Could the internal audit team at News Corp have identified and clamped down on the illegal activities of their journalists?  Todd Davies doesn’t think so.

The News of the World scandal is causing ripple effects around the world, with commentators in Australia and abroad beginning to ask questions about News Corp’s corporate governance. They are also starting to ask questions on the role of independent directors, audit committees, risk management and internal audit which could have broader implications outside the media sector.

Challenges with News Corp’s corporate governance

It’s no secret in Australia that News Corp’s governance has been controversial for some time, although usually for the likes of poison pills rather than risk and assurance.

However, now in light of the phone hacking scandal, international commentators are beginning to ask about News Corp’s audit committee, the composition of it and whether internal audit was truly independent of management. While these are all important issues for any director to consider, in our view, the focus needs to be on the newsroom itself.

How do you audit a newsroom?

People might be surprised to hear this – in fact, I’m surprised to hear myself saying it – but I’m standing behind News Corp on this. Well, I’m standing behind their internal audit team anyway. I’ve met many of their people. I like them all. I trust them and respect them and a lot of what they do. Many of their practices are upper quartile and are an exemplar of modern practice. So the reality is, if they’ve got problems, we’ve probably all got problems.

The bigger issue is how you audit a newsroom. It’s very different to the usual audit procedures. We can audit back office functions – accounts payable, accounts receivable, treasury. We can chase the money trails and see where they lead. We can audit logistics, distribution and supply chain. We can audit IT systems, business continuity and the like. But auditing a newsroom is hard.

The challenge with newsrooms is that journalists need to protect their sources, in the same way that auditors need to protect their whistle blowers. They have a long-established culture, a code of ethics that looks very much like the code of ethics of an accountant – and a barrage of case law to support it.

There’s been no shortage of controversial cases on this in Australia where media companies have stood side by side to allow journalists to protect their sources. It’s a place where confidentiality is everything. As such, it’s really hard to get to the heart of the matter as an outsider. Or even as the editor.

You may be able to get a sense of the culture by spending time in the newsrooms. Some titles are methodical and measured. Some are like lunatic asylums with people hanging from the rafters. You might be able to let the people upstairs know that you don’t like the culture in the lunatic asylum and that the editor of a certain title may need some coaching in management 101. We’ve all done this.

The reality is that in a newsroom you end up auditing their payroll, overtime and contributors. You also go through their expenses so that they know someone is watching.  You check a sample of them, ask a few probing questions, make sure they were authorised by the right people.  The reality however this is about as effective as having the occasional patrol car drive down a troubled street. It’s a deterrent at best, but unlikely to find much.

In other words you do the normal stuff and if there was a scandal like this happening, it’s almost impossible to know unless you already suspect something and go looking for it specifically.  No doubt all media companies will go looking for this specific circumstance now, but it will be after the fact. If anything was an issue you can almost guarantee it’s now been shut down.

How do you audit your newsroom?

So, the big issue in a lot of organisations is that while internal audit capabilities keep on evolving, their capabilities are still focused on back office functions. While they understand the core business, they struggle to get at the heart of it.

Internal audit functions in news organisations spend a lot of time auditing in the newsrooms, but they don’t always get to the heart of what’s happening in those newsrooms. Internal audit functions in health organisations spend a lot of time auditing in hospitals and wards, but they don’t get to the heart of what’s happening in clinical governance, in patient care or the culture in those wards. Internal audit functions in manufacturing companies spend a lot of time auditing at mine sites, but it’s hard to get to the heart of what’s happening in the culture of what’s happening on the shop floor.  In short, even being on the floor most of the time, things pass right by us.

These are not isolated examples.  Every company has it’s equivalent of a newsroom – something we audit, but only scratch the surface. From my perspective the big question for audit committees and heads of internal audit coming out of the News Corp scandal is around the scope and capabilities of the internal audit activity and whether they’re getting to the heart of matters or just doing a superficial patrol.

This article first appeared in Issue 87 of Risk Magazine, August  2011.  Todd Davies was formerly head of audit and risk of Fairfax Media – Newscorp’s main newspaper rival in Australia – and a member of the ASX Corporate Governance Council.  A summary of the News Corp scandal can be found here.

To subscribe to this series of occasional articles and case studies, please click here.

I’ve been deleting the word strategic from a lot of documents lately.

And it’s assisting immensely.

You see I’ve got this idea that the more times a person uses the word strategic, the more likely it is that the person is puffing or bluffing.

In the risk and assurance space using the word strategic usually does little to aid understanding.  In most cases it’s just misleading.

Take the term ‘strategic risk management’ (SRM) which is cropping up everywhere these days.

Somehow SRM has ended up in the accountabilities template for NSW Government agencies.  Apparently they’re now supposed to be responsible for strategic risk management as rather than good old fashioned risk management.  Now this would be fine if anyone knows what SRM is.

I know what risk management is, I even know what enterprise risk management is, but strategic risk management?  Is it the management of strategic risks perhaps?  Or something other than tactical risk management?

The Risk Management Society in New York had a go recently at defining SRM.  They’ve got a discussion document out on it in fact.  The discussion document is useful.  It says that SRM is an evolving discipline – in other words, they don’t know what it is either.

And then take the term ‘strategic audit plan’ which I still see regularly.

These documents are usually a standard audit universe spread over three years.  They tend to ignore external conditions or do other things that strategic documents tend to do. But because their focus is on more than this financial year, the documents must be strategic.  The reality is that it’s often anything but.

So when I see the term strategic appear in a charter, article, brochure or job title I get wary.

So the simple solution, delete the work strategic.  I do.  It adds amazing clarity.

Better still add the letters ‘un’ to the front – ‘unstrategic’, or delete and put ‘tactical, but with a time horizon of slightly longer than 12 months but not longer than my current tenure or bonus timeframe’ in front of it.

I think you’ll find this clarifies many things immensely.

This opinion piece was one of the cover stories in Issue 86 of Risk Magazine, July 2011.  Todd Davies has been championing a better understanding on strategic risk for many years and taught the IIA’s first courses on this topic.

He contends that strategic risk is a class of risk in it’s own right and needs a dedicated identification process involving external viewpoints.  TDA’s other articles on this topic can be found here.

To subscribe to this series of occasional articles and case studies, please click here.

The transitory nature of the internal audit profession means capabilities in practices are always on a slippery slope, taking two steps forward, one step back.

In this month’s column in Risk Management Magazine I tease this out a little with some views on what needs to be done.

Please click on the image above to read the article (no registration required).

To subscribe to this series of occasional articles and case studies, please click here.

Starting this month I’ll be doing a regular column in Risk Magazine on leading practices and recent developments in internal audit, risk and assurance.

In this month’s edition, I endeavour to make the case for why we need regulatory change in Australia.  It’s amazing how a 400 word limit forces you to be concise.

To read the full article click on the image above (no registration required).

To subscribe to this series of occasional articles and case studies, please click here.

Thanks again to Lexis Nexis for making my most recent article available from the latest issue of Risk Management Today.

As the ASX Corporate Governance Council gears up for its next round of review, the IIA has got on the front foot with their list of demands.  This brief article gives Risk Management Today readers a brief sense of what’s happening, where practices are lagging and the importance of risk assurance.

Key points

• The 2007 revisions to ASX Corporate Governance Council Principle 7 (in particular) Recommendation 7.2 shifted the emphasis from process to content
• This requires management to provide a full and frank view of the group’s material business risks to the board
• Material business risks at the group level tend to be strategic in nature and wouldn’t normally be expected to be identified through a bottom-up process
• IIA suspects that practices in this area are lagging outside the ASX/S&P top 50 listed companies (a view I agree with)
• Providing a comprehensive view on material business risks is a challenge for most companies, it is outside normal skill sets
• Internal auditors will also need to up-skill to fulfill their role in this

Material business risk (in particular strategic risk) is a complex topic and one which I’ve touched on many times on at todddavies.com.au.  Articles and presentations are tagged for those who are interested and can be found here.

Please feel free to download the current RMT article. (Download, pdf, 1 page, 100kB).  More information on this publication can be found here.

And of course, if you need assistance on determining where your company is at, feel free to call.

To subscribe to this series of occasional articles and case studies, please click here.