Norman Marks on Governance, Risk Management, and Internal Audit

If you have been reading this blog or my books, you know I have significant reservations about the concept of “an amount of risk” that would be acceptable in pursuit of objectives.

However, I recognize the need for limits and policies when it comes to risk-taking. They help guide decision-makers on what risks and outcomes are desirable to leaders of the organization. We could call them ‘risk criteria’ (ISO), while some refer to them as ‘risk appetites’ or ‘risk tolerances’ (COSO). I prefer to avoid those terms as they focus on ‘risk’ with the inevitable negative connotation (i.e., we must manage or mitigate risk) instead of guiding people to take the right level of the right risks in the circumstances (such as the potential for reward). Let’s use ordinary business language instead of risk technobabble.

For example, these are useful:

• Spending approval authorities
• Credit limits
• Policies on the level of credit that can be given to customers, with escalation to more senior individuals or even the board as needed
• Approval levels for capital expenditures, including reserving certain expenditures to the CEO or the board
• Policies of who can approve journal entries, purchase orders, inventory write-offs, etc.
• Policies with limits on the use of derivative instruments
• Policies on commodity or currency hedging
• …and so on

My point today is that all of these, whatever you call them, need to be “agile”.

The environment within which organizations function is volatile – as or more volatile than any prior period.

There is uncertainty about:

• Local and global economies
• The supply of raw materials and components
• The speed of the supply chain
• The availability of personnel, both in specialist positions and minimum wage jobs
• Disruption caused by sanctions
• Consumer confidence
• …and more

In these times, organizations need to be agile. They need to be able to adapt intelligently and at speed, without sacrificing the long term at the altar of the short.

If policies and limits, etc. don’t change as business needs change, you are highly unlikely to be taking the right level of the right risks.

I am reminded of a real-life situation that I wrote about in World-Class Internal Auditing.

The Treasurer at Tosco was a senior member of the Finance team, highly respected by company leadership. He had been a key member of the management team during the lean years at Tosco; shortly before I joined when the company was “leaking cash”, he had led twice-daily meetings of the financial team to ensure there was sufficient cash to make it to the next day!

So it was important that we make a good impression when we performed our first audit of his area.

At the same time, he was a gruff curmudgeon (he reminded me of the late, great Alastair Sim as Scrooge in “A Christmas Carol”) that scowled every time I saw him – and other executives told me that he shared that disposition with everybody except the CFO.

So, I set the auditor, Laura Morton (now Nathlich), two tasks: the first was to perform an audit and provide an objective assessment of whether the Treasury function was meeting the needs of the corporation; the second was to get the Treasurer (Craig Deasy) to smile!

Laura exceeded my expectations (something she went on to do regularly).

As I had expected, Craig’s area was in very good shape. It reflected his personality as a disciplined, careful individual that had a deep understanding of the business and its needs.

But, Laura identified one issue that only deepened Craig’s frown.

She pointed out that the company’s investment policy limited overnight investment of cash to the safest of all investments, which had the lowest of all rates of return. While this was the policy that had been approved by the board, the level of risk being taken (clearly a very conservative one) was inconsistent with the general attitude of the company to taking risk!

The company was a significant “player” in the commodity derivatives market, not only to hedge the price it would pay for its raw materials (crude oil) and the price it would obtain for its refined products (gasoline, diesel, jet fuel, and so on), but it also had a truly speculative position. (The manager in charge of our derivatives trading desk was permitted to make speculative trades of several million dollars, subject to supervision by Pete Sutton, a Vice President. Over the years, he was consistently profitable.)

So it was taking millions of dollars of risk in the commodities market but unwilling to take any risk in its overnight investments?

Laura recommended that the investment policy be reconsidered. That was a wise move. Only management can decide how much risk it is willing to take, but we (as the independent and objective internal audit team) can challenge them when appropriate.

Craig reluctantly agreed that Laura had a point – not on technical controls philosophy but on business grounds. He discussed it with the CFO and they agreed to change the policy.

I met with Craig and Laura to review the final report before it went to the audit committee. He gave Laura a reluctant smile and acknowledged that it was a professional audit.

Since then, when I talk to groups of internal auditors about ‘world-class internal auditing’ and ‘how internal audit can add value’, I ask “Do your audit customers smile?”

But the other lesson for me was that internal auditors should not try to eliminate every risk they see.

In my early years, we would identify “findings” and assess the level of risk they presented. The level of risk (high, medium, or low was the typical scale) would drive the sense of urgency when we reported the issues and recommended corrective action by management.

This audit was one of the first where I applied the lessons I had learned in line management, that it is not about eliminating risk – it is about taking the right risk, based on understanding the potential downside, the potential upside, and the cost of any actions.

When the policy was developed, it was the right policy for those times. But times had changed, without the policy being updated.

Some will tell you that policies and other guidance should be reviewed on a regular basis. They will suggest an annual review.

That’s fine, but is it fast enough in these turbulent times?

Are we being agile if we only update policies and practices annually (if that)?

Let’s recognize that agility requires being flexible, with appropriate reviews and approvals, with our risk criteria and other guidance.

Let’s encourage everybody to challenge existing policies and procedures, drawing the attention of management to guidance that used to be but is no longer best for our business.

Don’t accept “we can’t do that because of our firm’s policy” if that is holding us back from success.

I welcome your thoughts.