More Italian risk management

My Italian holiday was a cornucopia of risk management material. On Sunday morning I was woken up by the bed, whole hotel and indeed city, shaking violently, in what I instantly recognised was an earthquake (at this point I want to express my concern, condolences and thoughts for those more badly affected by the quake). I instantly recognised it, because as a child I went to the Natural History Museum in London and experienced their earthquake simulator.

I want to draw a parallel between this event, my response and organisational risk management. Whilst I recognised the risk and the issue, my response was not to run under the table, but more to freeze and wonder if it was really happening. So, relating this to organisational risk management, it was an understood, but unplanned for, risk with no contingency plan. I had not modelled the risk or prepared any specific response or series of response options.

Events such as earthquakes are, therefore, in the category of high impact, low likelihood events. As such, they are the type least likely to be managed in most organisations, and the one most often dealt with by insurance only. Most organisations, though, fail to undertake disaster recovery or business continuity risk management actions, much like me for the earthquake. To be fair to me, earthquakes are rare in the UK and in areas where they are more likely, like Japan and California, training and plans are in place for the general populace and embedded within building controls.

There is, however, in my view a point here. It is that these categories of risk are difficult to get adequate audit and management focus on. They are risks that can be managed though, through scenario modelling, contingency planning and, where appropriate and no other alternative exists, insurance.

These risks are things that can be managed and can also be audited. It is something that internal audit in particular can make a contribution to putting on the board and management agenda. So look to the bottom right hand corner of your risk map and consider whether insurance is playing a disproportionate role. Is there a business ‘earthquake’ in your clients’ risk maps?


Filed under Auditing, risk management

Branding and money


In another post from my holiday I have been struck in both Florence and Venice about the importance of brands. Whilst all of the brands are in London, they are in the context of a large city with lots of, sadly, less fashionable Londoners surrounding them. In Florence and Venice both cities are achingly fashionable with an intense glitterati of the highly sophisticated European jet set.

It has struck me in both places that the real big purchasers of the designer bags and clothes are not European elites but Chinese and Indian tourists. This shows, for me, where the real global wealth is. It also shows the importance of brands to the far east which in some ways is counter cultural to their strong societal identities.

The Europeans meanwhile, whilst still wealthy, seem to be more savvy and less brand hungry than the far eastern fast growth economies. As an example, the free boat taking me to my hotel was delayed by 40 minutes. Not a single European was willing to pay additionally for a water taxi to take them to the hotel. Yet the Chinese guests were straight to the adjacent taxi rank.

Perhaps these are anecdotal observations but I think they show an important risk that organisations need to consider: if your brand is reliant on far east customers, how well is the risk in that market, as their economy slows, being identified, assessed and managed? What would a fall (or at least a slowdown) in Chinese economic fortunes do to your business? How well risk managed is the response? Worth adding to the audit plan perhaps?


Filed under Auditing, Branding, General, Internal Auditing

Italian risk management

I have had the pleasure of being in Italy for a short break. Now anyone who has been to Italy can only marvel at the miracle of luck that is Italian driving. A driving culture with seemingly no rules, yet one that also seemingly does not lead to excessive accidents and trauma to pedestrians, cars and mopeds, is something that I, as an English person, can only marvel at.

This got me thinking about risk management. Italy does have a rules based culture. The ban on irons in hotel rooms seems to be rigidly enforced for example. Whenever you approach a historical monument there are reams of rules to follow. Yet Italians seem to be pragmatic about rules. No photos? Well, if no harm, why not? Dangerous steps at the top of a leaning tower? Well just take care. Steep steps on trains, well use common sense and be careful. Not like London’s now incessant ‘mind the gap’!

It is this pragmatic application of rules I as a risk manager and auditor like. It speaks to human nature, being meaningful in a human way. This is so counter to legalist controls and prevention. It is a cultural thing that finds a natural cultural home and balance.

I would, as an auditor, prefer this culture to be captured and documented, not in granular detail, but in principle. Principle based rules only work where the principle is established and then clear examples given. This is invaluable when fraud or other malpractice is involved. I don’t like prescriptive and proscriptive rules; the rule maker will always miss an eventuality and rules date quickly in a way principles do not.

How can auditors apply this in their work? I think through really documenting, unpacking (I hate this word but it helps to explain what I mean), and auditing culture, as well as controls.  It can, in my view, aid understanding of real control. As auditors we should point out the ‘soft’ cultural elements as they will have impact on the non usual, non routine, transactions and risk events that do go wrong at a strategic level.

Reports should not be exceptions to performance and design of actions but be a persuasive analysis and commentary of the whole control environment, including culture. Auditors as independent of the organisation are also well placed to make objective cultural views.

So when did you last audit culture?


Filed under Auditing, Fraud, General, Internal Auditing, objectivity, Risk Appetite

Marketing

Anyone who knows me will say ‘oh no, not more marketing talk!’. I’ve bored my clients to death with this topic. Well, in my defence I am undertaking study for a PhD in the subject, so I think blogging about it, thinking about it and challenging myself about it, is all legitimate and reasonable.

Why blog about marketing here? Well I think it is the biggest challenge that modern businesses, public sector bodies and not for profits face. Why is that? Well a majority of the value of businesses, the competitive position, is built up through that business’s brand. But let’s not be narrow about what that means. It does not mean a logo, a name, a type font or logo. A brand is a genuine consumer (let’s use that term – I know it’s troublesome for public sector and not for profits) loyalty.

I have worked with many clients in a non executive capacity. A particular one, it’s an educational institution, asked the board and other non executives what they thought about their planned strategy. Yes the strategy seemed sensible. It was a technical answer to a technical question, but in my view the wrong question. The questions answered were: what are we going to do? what are we going to prioritise? Yes the actions (in broad terms) seemed reasonable but there was no narrative. There was no feeling, no evocation of what this institution would represent to a human being. Now I hope regulars to my blog will not think I’ve lost my hard-nosed, can I see it, touch it or read it, audit edge, but for me how I feel about any experience as a consumer or customer matters.

When I buy a Louis Vuitton bag or a Mercedes car, a large part of it is about how that makes me feel. It is this intangible element that makes the brand above the accounting book value. Otherwise you head down the commoditised track – how does the car drive? What size is the bag? or even how much leather or metal (intrinsic) value does it have? Education, particularly higher education, seems to be commodifying around hours taught and intrinsic elements of the ‘student experience’ rather than more meaningfully about the long term gains made by students and the brand and feeling of being a graduate of X college.

So after some discussion I suggested that the institution should focus its strategy on developing a meaningful brand and market position as this is the biggest risk in a competitive education and training market. After all, the curricula for various subjects, certainly at a trainee or undergraduate level, have to, by definition, cover the basics of the subject. It is hard, therefore, to differentiate the service on intrinsic content. If you think about it in other market terms, a hoodie is a hoodie. An M&S and Topman hoodie is not, at its core, much different from a Superdry or Jack Wills hoodie. Why do people pay three, four times as much for the latter? The answer is brand.

So, therefore, I entreat auditors across the world to consider, for their clients, what I consider to be the next battle for competitive advantage, brand and brand management. How do your clients manage theirs?

Filed under Branding, Marketing, risk management, Uncategorized

Audit follow up

I’m sure I cannot be the only CAE that finds follow up to be a chore and hard work. First there is the theory. The client receives the original assurance report, then responds with a clear action plan that clearly addresses all of the risks. This plan is neatly agreed by the Audit Committee and all parties are happy. These plans are clearly ascribed to named officers and individuals and the overall senior or overseeing manager ensures that these are kept to time schedule and implemented. When it comes to periodic follow up these senior managers then present their collated plan of actions that clearly show progress. The auditor can then sample test the items and place assurance on the process of management follow up of audit actions.

Does this seem recognisable to anyone? Not to me with my clients and in the real world. First the theory fails to allow for the fact that risks change and the original response may now be far too much, too little, or just wrong. Second I am generally disappointed by clients’ ability to respond with an action plan to the risks presented rather than the auditor’s narrative in the report. If only as much effort went into problem solving as providing ‘context’ or excusing errors, poor performance, or generally arguing with reports.

I stopped making recommendations a long time ago. It is management’s responsibility to respond to the risks highlighted, not mine. I do, of course, make ‘suggestions’. I try to make reasonable appropriate solutions that break often ‘wicked’ problems into meaningful action plans and activities. This is why I believe an internal audit qualification (not a financial auditing qualification as a proxy) supported by a specialist professional qualification (perhaps accountancy, but more likely MBA, or other technical profession) is required. The ability to provide meaningful internal business consultancy advice (which is what good internal audit should be).

So if one does not make recommendations, what does one follow up? Well I would suggest that it should be a reported-risk follow up. The task is, therefore, to follow up unmitigated business risks previously reported in audit reports. This has the benefit that it allows for a number of actions to be taken rather than just the auditor’s suggested one. It allows flexibility in response, to change tack according to the nature of the risk. In today’s constantly changing business environment this seems to me to be more realistic and sensible. It also allows the overall objective of audit to move away from a myopic preoccupation with audit and focus on the overall goal of assisting in the reduction of unmitigated business risk, therefore more organisationally aligned to delivering value to the business.

This does present some practical issues though. Risks take longer to mitigate, especially strategic ones. They can take years. Thus a typical follow up list could run into 100s of reported risks to be followed up. Thus a digital, item-by-item reporting to senior management and audit committees would not be appropriate in this setting. It also means that far from being the junior staff member’s nightmare task, it becomes a senior auditor’s task with the strategic overview. It will require higher skills to re-assess the net risk arising after the actions taken have been made, a ‘re audit’ if you will. That is a big ask. The output is more ‘real’ than the follow up reporting I have seen in my career. Is it possible that any size of organisation can have an outstanding ‘tail of risk’ that numbers in the tens? Really?

Just because something is difficult should not stop it being done in my view. I suggest all CAEs really take a step back from their follow up and really make sure that it is not a myopic audit-focused activity. How do you do yours?


Filed under Auditing, Follow up, Reporting

Why external audit is not internal audit

Here’s a statement that the IIA and others need to actually understand and react to. Internal audit is not external audit. Or for my international (American) audience, financial statements audit is not either internally, or externally, provided internal audit.

Sure internal audit emerged as an internal in-year form of financial controls checking to make sure that the financial accounts and the external audit of them went well at the end of the year. Sure some elements of the skill set are similar, an appreciation of finance is needed (at least for private profit-making businesses) interview techniques, audit evidence, disciplined evaluation of control objectives and systems of control, the ability to weigh and evaluate evidence, and the capacity to report to audit committees of non-executives assurance opinions. But they are not (I emphasise again) the same.

I think it is worth considering what external audit do. Well their objective is to tell the non executives of the business that one document, the financial statements are true and fair. This is captured in the auditor’s ‘opinion’.  If we break this down, true means essentially accurate and fair means presented appropriately to the reader of the document, free from bias if you prefer. Note that ‘fairness’ of presentation has increasingly and now essentially means presented in line with accounting rules or standards (which in theory are designed to ensure fair presentation of financial results and also now increasingly the same the world over). The other task is to ensure that the members’ statement or corporate governance statement is, broadly, right. This is much less defined as these are more qualitative. This is fine though that the requirement is merely to report by exception. That is the auditor is not saying it is true or fair, merely that it is not outright ‘wrong’. One final bit is that they need to tell you about going concern, that is whether the business will go bust within 12 months of their opinion in their view.

Now let’s think about how the external auditors go about this task. Well first they find, the globe over, that businesses and organisations are all clear  about the objective of producing this one document for each period (usually a year) and that they have designed processes and staffed an entire arm of the business to produce these accounts. In fact finance functions historically and current unmodernised ones are still the ‘accounts’ department.  Modern finance departments should produce lots of financially oriented value beyond the accounts but many still just ‘account’.

So as the auditor you have a shared understanding with your client finance department about the objective, the rule and expected format of the output, the detailed best practice processes about how the finance department should go about it. The external auditor and the finance department have a shared common experience (as most FDs probably trained as an auditor or have done audit when training) and may even have come from the big four background and culture.

So the external auditor will approach the audit by identifying control systems (the detailed processes through which the accounts are produced). These are so similar the globe over that the professional services firms will have a single audit approach to all clients. This will be granular in detail and will even specify sample sizes and approach. A controls based audit will look at the design of these systems, assess whether they can be relied upon (based upon sample testing) and then enable a small sample of transaction testing to confirm that the systems will produce the correct answer for the overall document, the accounts.

Now let’s compare to internal audit. First internal audit is opining on something far more complex, business risk. Second the organisation or business is not at all set up around managing risk (most risk hits organisations and businesses horizontally across departments and structures, not vertically within them). Third businesses do not always have clear objectives. Fourth, as a consequence, processes and systems are not at all clearly designed and operated for the objective of managing business risk. Fifth the opinion given is more bespoke. Sixth there are no detailed rules about the one internationally best way of achieving a particular business objective. Seventh, an appreciation of finance may, or may not, be required to audit a business risk.

Why then are external and internal audit thought so interchangeable? Why do so many internal auditors think that they need not hold an internal audit specific qualification? Why do the firms use their financial statements audit colleagues to in-fill with work on internal audit? Even externally-provided internal audit is often imbued with all of the narrow and two-dimensional thinking of a financial statements audit.

For me the internal audit profession needs to stand up and come out as being different from external audit. Apples compared to oranges. Perhaps we should rename internal audit as business risk audit rather than continue with the now inaccurate historical anachronism of internal audit’s birth from financial statements ‘external’ audit?


Filed under Auditing, Financial reporting, Internal Auditing

Branding

I read this week a Harvard Business Review Blog entry about the ‘commoditization of scale’ (we’ll brush over the conversion of an adjective into a verb as is business academia’s wont). What this was trying to say was that even the smallest of companies can now, with modern media, the web and technology, appear ‘big’. Having scale and large assets applied in a business is itself no longer a protection in the modern competitive world. Sources of competitive advantage have to be located elsewhere.

A similar trend and argument was made in a book called The Brand Bubble. This essentially stated that although the difference between cost and sales price (the margin) and the then related difference between the book value of assets and stock value of the company as a whole is based on some notion of brand value (look at Apple’s stock value compared to book value, the difference is well over 100 times); most companies do not have a robust brand. This is the next big bubble in their view to burst globally. This is the idea that consumers trust fewer and fewer brands and that brands no longer perform the function they once did. Brands no longer guarantee quality and reliability and enable choice amongst a few oligopolistic providers. Anyone can manufacture to a level which meets most consumers’ needs. Most products are safe. Most markets have many 100s of alternatives for consumers.

Thus competitive advantage cannot be secured via size and use of barriers to entry, nor through long-standing brand awareness. In a disintermediated and atomised business world, brand, I would suggest, is a necessary element for companies to have margins above a commodity value product or service, but is also much harder to maintain and keep (though not develop, as social media can create brands very quickly and cheaply).

Yet how many internal audit plans really have brand management in them? How many really have a good hard look at the competitive position thinking and management’s assessment of that in macro, risk, terms? Very few I suggest. Why is that? Well I think many internal auditors are simply not strategic. They have spent too long looking at the operational ‘how’ to look at the strategic and theoretical ‘why’. Also the general knowledge and awareness of strategic marketing concepts and the marketing concept as a whole I have found in my career to be weak. This is true not just of internal audit but of senior management as a whole. Finally, brand management is often quite intangible and difficult to audit. Not impossible, but difficult, to audit. Actions do not always lead to related results and actions are not all equally weighted. Take as a classic example Gerald Ratner’s blunder over being critical of the quality of his jewellery product. Overnight the brand was destroyed and sunk from one single action.

But just because something is difficult does not mean it should not be done. In fact quite the opposite, because it is difficult it should be done. So will branding be in your next assurance and audit plan?


Filed under Auditing, Branding, Marketing