Performance Risk Management for Auditors

This article was published in Thomson Reuters’ Internal Auditing in May/June, 2013 …


Charles D. Schrock, CPA, CIA CRMA
Senior Vice President
Inland Bank and Trust, Oak Brook, IL

Daniel J. Gaffney, CPA, CFF, CIA, CISA
Daniel Gaffney & Associates LLC, Chicago, IL

Auditors understand the fundamental value of risk management. Although ‘formal’ risk management may not be our day-to-day job, it’s always a part of what we do. That’s probably true for your executive management team also. We know that Audit Committees are vitally interested in risk management, even if they don’t know precisely what it is.

According to the 2011 Annual Corporate Director Survey issued by PricewaterhouseCoopers, LLP, risk management remains at the top of the list of stakeholder concerns. Only 19% of directors measured their board as very effective at monitoring a risk management plan that mitigates corporate exposure. In an effort to enhance this performance, 57% of respondents reported they would like to increase their focus on risk.

Survey findings from our latest KPMG Roundtable Series in more than 25 cities are telling: Only 39 percent of the 1,200-plus directors and senior management polled during the series said they are satisfied that their company’s governance activities are appropriately focused on the greatest risks to the company’s reputation and brand. Less than a quarter said they are satisfied that key governance activities are aligned with the company’s risk hot spots, and that the company’s governance activities are integrated into the strategy and add “real value” beyond simple compliance.

As highlighted by the conference dialogue, internal audit can be most effective when focused on the critical risks to the business, including operational risks and related controls. Among the keys to fully leveraging internal audit:

  1. Challenging internal audit to take the lead in coordinating with other governance, risk, and compliance functions within the organization to limit duplication in coverage and, more importantly, to prevent gaps
  2. Maintaining a direct, open line of communication between internal audit and the audit committee
  3. Ensuring that internal audit has the resources, skills, and stature within the organization to succeed

Organizations want to manage risks. They want internal audit to be a part of the risk management process. The most common sources of guidance for risk management come from COSO and ISO. While both of these sources are strong on theory, they tend to fall short on practical guidance for implementing risk management. They provide even less guidance to us, as auditors, as we try to use risk management as a tool for our own purposes.

Performance Risk Management (PRM) is a new approach to risk management. It was developed in order to bridge the gap between theory and implementation. PRM is based on the sound fundamental ideas within the COSO and ISO models. PRM brings ERM into the real world. It aligns ERM with the way that organizations truly function.

Performance Risk Management is a process for addressing risk in a straightforward and practical way that works for both management and auditors. As auditors, we can use Performance Risk Management to develop the audit plan, the audit program, and the audit steps. By using risk management as a foundation for our own activities, we can help our organizations start to develop the risk management emphasis that our boards of directors want. Additionally, we can serve as a force for change within our organizations, acting as the expert advisors who help implement practical risk management more broadly.

Performance Risk Management was developed as a tool for management. However, it also helps auditors in three ways:

  1. It helps auditors discuss objectives and risks in ways that are relevant to auditees, executives, and Audit Committee members;
  2. It helps auditors set high level audit plans and budgets by identifying what’s important to the organization and, accordingly, what areas most need assurance from internal audit; and
  3. It helps auditors design better low-level tests because it requires auditors to focus on specific risks within a particular process.

Before going further, it’s important to identify the three foundational ideas that make Performance Risk Management unique. It will then be easier to discuss in greater detail how it helps us as auditors.

  1. Objectives, not risks, are the most fundamental component of PRM.
  2. Each person in the organization ‘owns’ one or more of these objectives.
  3. Risks exist within the context of people trying to accomplish their objectives.

These foundational ideas help us, as auditors, in the following ways:

First, PRM provides a very straightforward entry point for incorporating risk management into your audit activities. Without PRM, simply getting started with risk management can require a large top-down project to brainstorm and identify risks. PRM, on the other hand, does not require a global organizational initiative. It can be used in a focused way to understand the risks within a specific area. Because PRM focuses on objectives that are owned by a specific individual, you can choose which individual (and his/her objectives) you want to address. If, for example, you want to perform an audit of your Regional Accounts Payable function, you can begin by using PRM to focus on the objectives of the Regional Accounts Payable Manager.

Second, as auditors we want to assure that we are spending our time (and our audit budget) in the best possible ways. PRM supports this. As the Regional Accounts Payable Manager’s objectives are identified, PRM incorporates the idea of assigning an impact level (i.e., a rating) to each objective. In our example, after a little prompting, the Regional Accounts Payable Manager might tell you that her objectives are: i) paying the right vendors, ii) paying the right amount, iii) posting expenses to the right general ledger account, iv) paying within the right time frames, v) preparing management summary reports of accounts payable operations, and, because she recently received a memo from HR as a reminder to all managers, vi) assuring that all human resource policies are fairly applied to her employees.

Each of these objectives may not be equally critical to the Regional Accounts Payable Manager, or the organization overall. The assignment of an impact level can help. PRM suggests assigning a factor (1 to 10, with 10 as most critical) to each objective. Together, the auditor and the AP manager might assign the following tentative values:

i) paying the right vendors – 6 (if you pay the wrong vendor, the money may be gone forever; however, the amounts involved won’t break the company)

ii) paying the right amount – 5 (not so critical – the company can typically make adjustments with a vendor later)

iii) posting to the right general ledger account – 4 (again, not so critical; the AP clerk can only post to a certain subset of general ledger accounts)

iv) paying in the right time frames – 6 (if not done in the right time frames, there may be a minor impact on either cash flow or discounts taken)

v) preparing management summary reports – ?? (as auditors, we may not be sure – how is this report used by senior management?)

vi) application of human resource policies – ?? (we know it’s important, but how important is it among this manager’s responsibilities?)

Understanding this relative ranking of the auditee’s objectives can help the auditor focus the audit on the more critical activities. What’s interesting is that this specific exercise yields two initial uncertainties that may need to be discussed with more senior people. Let’s consider the management summary reports. Unless we go through an exercise like this, the management summary reports may seem like an insignificant component of this person’s day-to-day activities. And that may be true. But, after discussing this with more senior executives, the auditor may learn that these reports are forming the basis for a major strategic vendor pricing initiative. Incorrect data could cost the organization millions of dollars. If the auditor fails to specifically consider each task or objective owned by this Regional Accounts Payable Manager, he might miss the single most important activity that he needs to review. And, perhaps even more important, the Regional Accounts Payable Manager will now have a better understanding of the importance of this task.

Third, as auditors we need to design and execute audit tests. PRM helps with this as well. From the prior step, we can determine what general areas should be the focus of our audit testing. Now, we can formulate specific tests. Part of the PRM process is to identify specific real-world risks that may be associated with these objectives. We can do this through several techniques.

First, we should simply ask the manager “what can go wrong when you are determining who to pay?” We typically get very solid answers like “The approved invoice copy that I receive is sometimes unclear on the ultimate payee.” Of course, as auditors, we follow up with the question “if you’re uncertain, or if there is an error in the named payee, how would you catch that?” and “how often does that occur?” The goal is to understand what the risks might be and how likely they are to occur.

The second way that we can identify risks is to use standard frameworks, if such frameworks exist for the area under review. Examples of a framework might be the COBIT or ITIL frameworks within the information technology realm. Another helpful source of information might be existing internal control questionnaires. As auditors, we should not use these documents to simply take someone else’s list of risks. Instead, we use these frameworks and questionnaires to help assure that we remember to discuss major areas where risks might lurk.

Finally, the third way to identify risks is to simply consider the typical high-level categories. We should ask our auditees “are there any risks that might impact financial reporting? compliance? the company’s reputation? what about internal or external fraud? etc.” Again, the goal is to assure that we haven’t inadvertently skipped over entire categories of risk.

Once we have a reasonable list of real-world risks and identified their likelihood of impacting the success of the associated objective, we can determine how best to test. As auditors, we have training, experience and professional guidance to help us design tests. What PRM provides is a clearly documented rationale behind which risks are worthy of our testing.

In Summary

This article begins to touch on the value that Performance Risk Management can bring to an organization and, more specifically, to internal auditors. The main benefits to us, as internal auditors, are:

  1. We are speaking with the auditees in ways that are relevant to their day-to-day activities. We build rapport when we can step away from “auditor-speak” and talk about what is really happening in their department.
  2. We have a systematic process (and associated documentation) to support our audit program and specific audit tests.
  3. Audit recommendations are linked to specific risks which, in turn, are tied to specific (and agreed upon) objectives that exist within the audited area.

But there is one more benefit that demonstrates the value that internal audit can provide. You can become a model for organizational improvement. Through your use of PRM you are demonstrating the value that a straightforward implementation of risk management can bring. Through your experience, you can help articulate the benefits of risk management as part of the organization’s overall risk management environment.

This article has described only some of the benefits of PRM. Additional benefits accrue when you add other well-integrated concepts such as Key Performance Indicators (KPI), Key Risk Indicators (KRI), risk assessments, and clear linking of individual objectives to higher level strategies. You can read more about Performance Risk Management at

© 2013 Thomson Reuters/RIA. All rights reserved.


A practical approach to reputation risk

Every organization has some desirable public image. Does it want to be perceived as environmentally sound? Family friendly? Political activist? A ‘high roller’? Cutting edge? Traditional? Or, perhaps it simply wants anonymity in the public eye. Reputation risk results from strategies or actions that conflict with the desired public image.

Rather than wait for reputation risk issues to arise, it is important to be proactive. Let’s take a step back. Organizations are constantly developing strategies at all levels. Whenever someone is assigned a new task or objective, a strategy needs to be developed to accomplish it. The process of selecting or creating a new strategy can include the evaluation of whether that strategy is consistent with the organization’s public image.

In risk management, I use the term “risk attitude” to describe which strategies management would, or would not, feel comfortable with. A “low risk” attitude indicates that management expects assurance that the proper results will be achieved. A “high risk” attitude indicates that management is willing to take its chances and would be comfortable with a strategy that might deliver results ranging anywhere from wild success to total failure. Neither is necessarily good or bad and can vary not only from one objective to the next, but also with different components of a single objective. It’s possible, for instance, to develop a desirable strategy that is high risk in some areas (e.g. financial returns) while low risk in others (e.g. worker safety). But nearly every organization wants very low risk when it comes to protecting its public image. If that’s the case, then it’s reasonable to have a specific question that needs to be answered as part of every new strategy — is it consistent with our public image?

Of course, this assumes one very critical component. The organization needs to define and be able to describe its preferred public image. If that’s not the case, then reputation risk is increased simply because it may be unclear what to embrace or avoid during strategy development. If employees don’t know that the organization is cultivating a worker-friendly image, then a cost reduction initiative may include a strategy that includes massive worker layoffs.

That’s the first part — making sure that the organization understands how to develop appropriate strategies that will, at least initially, be consistent with your public image.

There is another part. An organization needs to be generally perceived as trustworthy and competent. For example, while an organization may not be explicitly cultivating a public reputation for good customer service, excessively poor customer service will still create a public image problem. The same would be true for any normal business activity if it is executed poorly to the level where the public perceives the organization as being incompetent. Even something as mundane as an inability to pay its bills accurately could grow to the extent that it creates a public perception of incompetence.

To avoid this, an organization also needs a general performance and risk management environment where expected performance levels are defined. Performance levels that don’t meet reasonable expectations need to be elevated to management long before such “incompetence” becomes a subject of public discussion.

Please share some stories about how your organization is addressing reputation risk.

Performance Risk Management – the practical approach

Performance Risk Management is my new and immensely practical approach to integrating performance management and risk management. This is the breakthrough that finally allows the “good ideas” behind enterprise risk management to shine through.

I have written about many aspects of risk management in the past. I find the topic fascinating because it offers such great promise to help organizations of all types accomplish their goals better, faster, and more completely. Unfortunately, for years, I was frustrated by all of the static surrounding risk management. This static has made it virtually impossible to convey a clear picture of the benefits of risk management.

The static

I have spent many years thinking this through. I have always known that the core message of risk management is profound. It just seemed that there was so much static surrounding risk management that the message was always hidden in irrelevancies. I needed to understand which pieces of risk management theory were creating this static. What did I need to strip away for this message to come through loud and clear? I have come to the realization that much of this static resulted from two fallacies:

  • An improper primary focus on risks, themselves
  • Useless attempts to categorize risks; focusing on the artificial differences between risks rather than finding the universal similarities

As I started recognizing these two ‘static generators’, I was able to develop an approach to risk management that suddenly accomplished two things.

First, risk management could be intuitively aligned with an organization’s performance objectives. More than that – risk management works only if it is aligned with performance objectives. It suddenly started making obvious, practical sense to executive leadership. It’s not just a “nice theory”; it can help achieve bottom line results in a real and practical way.

Second, it became clearer why so many organizations have prematurely abandoned their risk management implementation projects. I understood that the mind numbing real-world complications that these organizations experienced were, actually, irrelevant.

Eliminating the static

The first clear realization was that risk management starts with objectives, not risks. It’s always about accomplishing objectives. Managing associated risks is simply an additional technique to help accomplish your goals. Everyone knows this intuitively. The problem was that risk management theory made, at most, a passing reference to objectives. That’s why risk management never felt right. It never actually aligned with what we knew to be true. An organization doesn’t want to expend efforts to “manage risks”. It will, however, expend effort on better techniques that help it accomplish its objectives better, faster, and more completely.

The second clear realization came to me when I recognized the waste in categorizing risks among “Strategic Risk”, “Compliance Risk”, “Legal Risk”, “Financial Reporting Risk”, etc., etc., etc. Risk management theory loves to focus on these categories. This disguises a lack of deeper understanding – the similarity among all risks. This similarity flowed from the first clear realization – a focus on objectives, not risks. While there may be many types of objectives, there is only one type of risk – an inability to effectively execute.

When you logically extend these two clear realizations, the results are profound. Once you do away with the process of classifying risks, you can focus on actually identifying the risks. Not only that, you actually have a practical framework to identify those risks – real world things that could go wrong relative to a specific objective. Useless theory melts away and practical understanding takes its place. It has allowed me to better communicate how an organization benefits from risk management, and it has also allowed me to develop a practical way to (i) initially implement risk management within an organization, and (ii) enhance management processes to deliver results better, faster, and more completely.

These are the two basic components of Performance Risk Management. Many benefits flow as a result which I will continue to address in subsequent posts.



Risks have attributes, not categories

People like to categorize, as I wrote in my prior post. But a question was left hanging — are there categories of risk? That depends on what we mean when we talk about categories.

One way of thinking about categories is to envision a number of “buckets” into which every risk must fall. This is where people think about whether a risk is a “Strategic Risk”, “Compliance Risk”, “Reputational Risk”, “Financial Reporting Risk”, etc. The problem with this approach is the underlying assumption that each risk must exist in only one category. Unfortunately, no matter how many buckets you come up with, sooner or later you’ll come up with a new item that doesn’t fit neatly into one of the buckets. So you create a new bucket. But then you discover that a risk that you earlier dropped into a different bucket now fits better in this new bucket. In short, this is an approach that simply doesn’t work very well because it is very difficult, probably impossible, to create a complete and mutually exclusive system of categorizing risks in any meaningful way.

A better way of thinking about risks is through “attributes”. Rather than going through a mental process of depositing each risk into a specific bucket (which requires a sense of mutual exclusivity), consider instead what practical questions you might want to answer about your risks. What “knowledge” do you want to create?

Perhaps you will, in the future, want to know which risks occur simply because a computer is used as part of the process (e.g. “garbage in / garbage out”). Or perhaps, you want to know which risks occur simply because you choose to outsource a process to a third party (e.g. “insecure storage of sensitive data”). Or perhaps you want to know which risks might occur because of internal fraud (e.g. “expense reimbursement for the wrong amount”).

Notice that one or more of these attributes might apply to any particular risk. So, you can’t simply drop the risk into the “third party risk” bucket. It also needs to exist in the “IT risk” and “internal fraud” buckets. This is where it becomes necessary to eliminate the idea of “buckets” and think of “attributes” instead. Attributes are like standard sticky notes that you can attach to any risk, or perhaps to many risks.

Then, when you want to understand your risks better, this approach allows you to see those risks that have the “internal fraud” attribute attached. Or, you can see those risks that have an “IT” attribute. Some risks will be in both lists.

This approach provides much more flexibility than going with an exclusive bucket approach.

If you don’t agree, I would love to hear your views.

Are there “categories” of risk?

People love to categorize — to group things together. I think it’s one of our deepest psychological activities. I’m sure it helps us make sense of a very complex world.

Risk management is certainly prone to categorization. It’s a good idea, when you do it correctly. When you do it wrong, it simply confuses some of the essential concepts. Allow me to explain.

When I talk with business people about risk management, categories are often the first thing that jumps to their minds. They don’t do it intentionally; it’s just the way we are often urged to consider risk management. For instance, when I asked a colleague (a finance and accounting professional — smart guy) about his view of the major risks to a company, he stated quickly “liquidity, credit, reputation”.

This caused me to take a mental step back. This isn’t how I identify risks. I’m sure it’s because I operate down in the trenches, but I identify risks much more distinctly. To me, a risk isn’t “liquidity”, it’s “insufficient or unreliable credit relationships to assure short term funding needs”. Are they the same thing? More or less — sure. But “liquidity” is a general concept while the other is more easily understandable and actionable. In my mind, liquidity is (one of many) potential categories … but not a risk, itself.

However, I suggest going one step further. In my approach to risk management, liquidity isn’t even a category of risks. Instead, it’s a category of objectives. Let me explain.

To “do” risk management, you should start by identifying what you’re trying to accomplish. These are the objectives of the organization and, more distinctly, of each individual person within that organization. Organizations can surely have “liquidity” objectives and “credit” objectives. They also have “strategic”, “operational”, “financial reporting”, “compliance”, “legal”, “reputational”, and potentially dozens of other types of objectives. This is where the categories come in handy. They serve as a road map when brainstorming and identifying objectives. This road map helps the process by forcing the question “Hey, don’t we have compliance objectives? We haven’t identified those yet.”

You should use whatever tools are helpful, including these categories, to help you identify real and practical objectives. Once the objectives are identified, the risks are relatively easy to identify. The only question you need to ask in order to identify the risks is “For this objective, what could reasonably go wrong?” Now you’re discussing real risks, not pseudo-categories.

Here’s a very simple example of why it’s more practical to work with risks within the context of specific objectives. If you’re considering the risks for an upcoming party that you’re planning, is it easier to brainstorm “operational risks”, “financial reporting risks”, etc.? Or, is it easier to come up with the risks if you consider what can go wrong relative to “invitations”, “entertainment”, “food”, etc.? Once these objectives are identified, real risks come more readily to mind, right?

My advice: use categories as a framework to help you brainstorm objectives, not risks. Identifying and understanding objectives must always be the first step in managing risks. Then, once real objectives are identified, the risks flow readily to mind. This is efficient and productive. My experience confirms, for me, that any other approach simply doesn’t work in the real world.

But this advice doesn’t really answer the question … are there categories of risk? I’ll address that in my next post.

Defining risk appetite – a major stumbling block

Others are recognizing, to various levels, what I’ve been writing about for a while. Risk management as a stand-alone activity has much less value compared to what it can provide when it’s properly integrated into an organization’s performance management activities.

I just read a paper from Professor Regine Slagmulder and Maria Boicova from the Vlerick Leuven Gent Management School. Its title is Integrating Risk Into Performance (1) with copyright by the Chartered Institute of Management Accountants.

This paper addresses their research into risk reporting to the board at a number of European companies. Many of their findings and observations are common sense; what you might expect if you’re at all involved in risk management or working with a managing board.

There are, however, a few findings that I thought were interesting and want to address. These findings are, I believe, absolutely right but they go against the flow a bit.

The establishment of formal Risk Appetite

Risk appetite is a formal concept within risk management. The idea behind it is that the level of risk in any endeavor is neither too high nor too low by a purely objective assessment. It is only too high or too low when compared to the level of risk that management believes is appropriate. This appropriate level of risk is often referred to as “risk appetite.”

This study found that most companies are “at the lower end of the spectrum” when it comes to formally defining risk appetite. In other words, they found that companies do not necessarily make a big effort to formally define an all-encompassing level of risk that is appropriate for the organization. Certainly my experience indicates that this is true. The issue, though, is the reason behind this. Often, this situation is bemoaned as a failing of organizations to step up and address risk management correctly. I’ve always disagreed on the grounds that risk appetite, while it may be a foundational concept, is far from the starting point when an organization actually implements risk management. In fact, early in a project, it often is an unnecessary stumbling block.

This study indicated that in “those companies that favoured a more integrated view on risk, the attitude towards formalisation of risk appetite remained fairly reserved.” The key, here, is the reference to an integrated view of risk. The report goes on to say “One potential reason could be that companies might prefer to stay flexible and adjust their risk appetite based on the particular project and/or strategic initiative at hand …”.

Since flexibility is extremely valuable when starting up any new and unfamiliar endeavor, it follows that formal establishment of a risk appetite at the early stages of risk management implementation may be detrimental to success. It simply adds too much rigidity to the project at a point when not only are the unknown variables too great, but the process itself is often poorly understood.

To be clear, risk appetite is not irrelevant. But the term, itself, implies rigidity. I like ISO’s phrase “risk attitude” better. I believe that it more correctly references the real need – to align human action with certain ideals.

There are some other good points in this study that I’ll address in my next post.


Risk management is a performance tool.

Risk management, when done correctly, creates a more effective performance management environment. Let’s look at one example of how it can help.

Our example – Strategy setting

When setting a strategy, there are always several strategies that could deliver the needed results. One very common approach is to accept the first strategy that seems reasonable. In fact, people do that very regularly. That’s typically a very cost-effective approach.

However, sometimes the stakes are big enough that you need to do more. You must move beyond simply selecting the first strategy that could deliver the results. You need to know which is most likely to actually deliver the results. It’s important to understand the often-hidden assumptions that may exist within a particular recommended strategy.

You are now stepping into the practical world of risk management.

How risk management helps support strategy setting

Risk management is primarily an exercise in comparison. It helps focus the decision on which strategy is the best one. That implies that you need multiple alternatives … always a good first step.

Let’s take an example of a new sales expansion strategy. Your goal is to increase sales by 35% through expansion. One strategy (Strategy A) could be to ask half of the existing sales team to relocate to a new territory in order to move into that market. Another strategy (Strategy B) could be to hire a small number of sales staff who already reside in the new territory and train them on your products.

The first step is to examine the range of possible results from each strategy.

Strategy A might deliver results that range from:

WORST:  -50% (net sales will decline because the sales people relocate from existing territory)
BEST:  +75% (sales team will hit the ground running with great success)

Strategy B might deliver results that range from:

WORST:  0% (newly hired sales team is totally ineffective)
BEST:  +40% (this is the best that anyone can reasonably imagine)

So, you have now developed a reasonable belief that either strategy could deliver the needed results.

Now let’s move beyond that. Risk management helps identify specific issues that could affect each strategy’s ability to deliver results that actually meet the goal (35% growth).

Risks for Strategy A

Sufficient sales people will refuse to relocate (your team believes this has a 25% likelihood)

The challenge of developing a new territory will cause sales people to leave the company (25% likelihood)

And so on …

Risks for Strategy B

Unable to find sufficient qualified sales people within required time frames (50% likelihood)

Unproven new hires will fail to execute sales strategies (30% likelihood)

And so on …

This process helps on several levels. This might point out to management that some combination of strategies eliminates the weaknesses found in each one individually. Perhaps one strategy has a potential catastrophic risk that the other does not possess … and you need to avoid at all costs. Perhaps it becomes clearer that several strategies could deliver good results, but none of the strategies is actually likely to deliver the required results; this implies the need to come up with a more realistic goal.


This shows one example of how risk management helps an organization become more effective. I’ll explore this further in my next post.