This is a transcription of our interview with Tim Leech, founder and Managing Director at Risk Oversight Solutions.
You can watch the original video interview here or tune in to this episode on our Risk Management Show podcast here https://globalriskcommunity.libsyn.com/tim-leech or via iTunes, Spotify and other podcast apps by searching "Risk Management Show"
Boris: Welcome to our interview with Tim Leech. Tim is a founder and Managing Director at Risk Oversight Solutions. He is one of movers and shakers in the Risk Management space, thought leader and entrepreneur, helping organizations implement strong OBJECTIVE CENTRIC RISK MANAGEMENT.
He has an outstanding career in the field of Risk Management. He was founder and CEO of CARDdecisions Inc and launched the world's first integrated risk and assurance software back in 1997 named CARDmap, took it to the cloud and offered it as a SaaS solution in 2000. Tim sold CARDdecisions to a leading GRC software vendor, Paisley/Thomson Reuters.
Since that time he has focused on building his second generation of disruptive innovation to help organizations transition from traditional strategy, risk and assurance methods to strong management driven objective centric risk and certainty management.
He has provided training and advice to major corporations around the world. Tim, Thank you for coming to our virtual interview today.
Tim: It's my pleasure, Boris I appreciate the opportunity to chat with with you and spread the word a little bit more.
Boris: You are a prolific blogger as you’ve published a lot of thought leadership content . Let us discuss one of your recent articles “Are we using weak first line risk governance?”
In this article you noticed that there is growing consensus around the globe that boards and CEOs are responsible for overseeing the ‘effectiveness’ of risk governance in organisations they oversee. Regulators, powerful institutional investors and credit rating agencies expect it. Even the courts and regulators are increasingly holding directors to account when massive risk oversight failures occur during their watch.
But, there isn’t much practical guidance available to CEOs. What is the single most important question boards and CEOs should be asking risk officers?
Tim: Well, the reality is there is lots of talk about boards being accountable for Oversight of Risk, particularly in the financial services sector and particularly after the 2008 global crisis. So we've seen a big uptick in the notion that boards are accountable. There's a fundamental problem though. Very few have agreed what the word of “effective risk management” mean. So in the absence of a widespread consensus on what the term means, It leaves you wondering how are boards overseeing it since nobody’s really.
When you ask a board, what do you mean by “effective risk management”, a lot of times they can't answer you. So they acknowledge they're responsible for it, but they can't tell you what it means. So the IIA had a couple of goes at it. It's important that people realize that in the year 2000 the IIA professional practice standards said that Chief Audit Executive should assess the effectiveness of risk management processes in their company.
So that's 20 years ago, in the year of 2010, after the 2008 crisis, they actually changed the professional practice standards. In 2020the say that internal audit must assess the effectiveness. Now I'll go back to what I said before. There's no widespread agreement what “effective” means. So the IAA has put a standard in place, they do have a little three or four sentences in the standard that says what they think of effective is what their most recent guidance in 2020, actually they refused to say what effective was.
And they said, Chief Audit Executive should evaluate the maturity of a risk management framework, risk management maturity and effective are not synonymous. So the irony is if you read the IAA guidance and unfortunately you have to buy it if you're not a member, but it was issued in 2020, they defined five levels of maturity. The approach we promote is the optimized level five in that strategy.
And I believe the whole thing effective risk management is a framework that delivers a materially reliable picture of the state of risk and certainty linked to a company's top value creation objectives, and value preservation objectives to the CEO in the board.
So that's my definition of effective. So I believe that that's a simple, straight forward definition.
And then it's a question of how well are companies delivering on that? How many boards are getting materially reliable pictures of the state of Risk certainty to all of their most important objectives that will make them successful, or if you don't achieve them, it could seriously erode value.
So that's the key. I'm not convinced yet that all boards around the world have acknowledged responsibility to oversee management's risk-taking, but it's certainly is being promoted as something they should acknowledge by regulators, powerful institutional investors are also increasingly telling boards that they expect the board to oversee strategy and the risks to strategy.
Boris: Interesting. What is the one commonly held belief as it relates to risk management and audit that you are a strongly or even passionately disagree with?
Tim: Well, I strongly disagree that the risk management profession is decided that creating a risk register and sending a risk heat map to the board constitutes Enterprise Risk Management. So I write about that at length. In many places, I actually suggest in a very strong terms that they are doing the world a disservice by convincing people that risk management means managing a list of risks.
The definition of risk is the effect of uncertainty on objectives, it's not about managing a list of risks that have been plucked in isolation, away from their objectives and have been divorced or completely removed from the performance on the objective that risk is affecting the certainty of. So there is no risk management standard that says the profession should done that.
The only people are regulators that have actually caused the world to believe that enterprise risk means creating a list of risks and discussing it and assigning risk owners and evaluating individual risk tolerance. That is not what ISO says. That's not what COSO ERM says. So I'm at a loss to wonder how did all of these Chief Risk Officers decide? Well, the only conclusion is they did it to comply with regulators who are well-intended, but misguided.
And the last part was what do I get upset about internal auditors around the world. There are five major approaches to give assurance: Compliance centric, Risk centric, process centric, control centric and objective centric. So the reality is very few internal audit departments in the world assess and report on the state of Risk certainty related to their companies most important objectives.
I have literally had hundreds and hundreds of clients. I would warrant right now, the number of internal audit departments that go anywhere near their company's top strategic objectives is less than 5% in any serious way. And yet they all claim to be Risk based. So how can they claim they're evaluating the top risk to an organization if they are not assessing the risk certainty of achieving the company's top strategic objectives?
Now I don't have a problem that they want to say we're risk-based but only related to value preservation. Fair enough. So now we're talking about financial statement, reliability, IT security, continuity of operations, compliance with the law. How many audit departments give the board a nice, concise summary of the state of certainty, of complying with the law? How many of them give a nice, concise statement on the Risk certainty of publishing reliable financial statements?
So unfortunately of the major methods, let me go through that again. So you got control centric, process centric, compliance centric, risk centric and objective centric. Now since 1985, I've been a huge advocate of objective centric. I believe that it is the methodology that boards and senior executives best relate to. It is the least used approach.
Now there's good news. The IAA three lines model issued last summer finally has said that internal auditors should be all about objectives. Now the IIA has also published, we call it Sawyer's. Sawyer was one of the founders of internal audit in the forties. So IIA’ seventh edition of Sawyer's auditing book has five generations of the internal auditing, the fifth generation, which they claim started in about 2015 is the objective faced auditor.
So there were signs of hope, unfortunately, the vast majority of internal audit departments are back in generation 1 and 2. So that started in 1940. It was the first generation as an extension of the external auditor defined internal auditing. And then it became process centric and then it became Risk centric, then it became Risk Management centric. And then the fifth generation is objective centric. The sad part is the vast majority of internal auditors have not progressed past the third generation.
So there are signs of hope, but the IIA needs to aggressively promote the idea that internal auditors should be all about helping the company to achieve the most important objectives while operating within acceptable certainty Risk levels.
Boris: Could you give us some example based on your recent engagements, where you were surprised by as a result, without dropping the names?
Tim: Oh, well, over the years you can go onto our website ar http://RiskOversightsolutions.com on the resources page, you can download a UK case study. It's a four year case study. So when I arrived there, the CEO brought me in, she has been a big advocate of objective centric, a strong first line risk management for a long, long time dated back to when Mobile brought me in the mid nineties to deploy the methodology through the world.
And when she brought me in, she showed me, there was a stack of 40 pages, we called them 11 by seventeens, but in Europe there's a slightly different, but there are a great big, large size paper. So they had brought in a big four firm and they had charged them quite a lot of money. And they developed the risk register. The risk register had been updated for three years, the board and her founded completely useless.
So what surprises me though, is how many companies are still doing that in spite of overwhelming evidence, that very few of them integrate that approach to Enterprise Risk. They don't integrate strategic planning. So, you stop and you say, okay, what are you using that 40 pages of risk register for? They said we do it for the regulators so we can get a tick on the UK governance code so we can say we comply.
UK governance code says the board supposed to oversee risks. Path of least resistance - create a list of risks and show it to the Board. The Board can now say they oversee risks. What they're not overseeing is the certainty objectives will be achieved. And the definition of risk is the effect of uncertainty on achievement of objectives. So does it surprise me? No. 95% of the world is still delivering that and don't bother with risk management at all.
They still create that risk register. They update it and they show it to the Board. The Boards are okay with it, CEOs are okay with it and regulators have actually caused it. So it's shocking to me that so large percentage of the world is actually okay with wasting a lot of shareholder money, creating things that aren't used in any serious way for important decisions.
Now on the audit side, pretty much the same situation. The audit plan is claimed to be risk-based. They're not really looking at the most important value creation objectives. So there is a miscommunication there, they should at least say risk-based except for the important value creation objectives, which we don't look at. So they should at least be clear on that. Very few are. The most recent IIA guidance on how to create an audit universe was to create a schedule with a bunch of risk categories and say, how well are we doing on risk categories?
So as long as both the Internal Audit profession and the Risk profession avoids delivering information to the C-suite or the Board, on the certainty of achieving the most important objectives, I think we're going to continue to have sub-optimal at best Risk Governance and both professions, the Institute of internal auditors and the Risk profession, which is PRMIA and GARP and RMA and IRM, they all should take stock.
They are taking their members down this Risk centric road, which is killing the profession. You ask many Boards, how much great information did you get out of this year's risk register report? What did you do after you found that out that was a material in terms of the success of the company? So the IIA and all of those Risk associations, they better seriously take stock and think about whether they need to herd their members towards objective centric Risk methods.
Boris: So if we go further, how does some one hearing this for the first time take action based on what you said? Or what is one thing that the risk managers should start doing right now, based on your theory?
Tim: I think they should first reflect. I said, my definition of Risk is that the senior executives and the Board are getting a materially reliable picture of the state of Risk certainty linked to the company's top value creation objectives, and value preservation objectives. I think first they have to say, is Tim right or is Tim wrong? Is that in fact, a very good definition of what an effective framework should accomplish as a result?
If they accept what I've just said, I would encourage them to say, okay, how well are the methods that we are using right now, delivering on the outcome of the senior executives on the Board, getting a materially reliable picture of the state of Risk certainty of achieving the company's most important objectives? And I would warn you that when they take stock about the traditional approaches to internal audit and traditional approaches to risk management, which I've already referred to, they do not deliver well on that and result outcome.
So if they disagree with my definition of effective risk management, what's their definition, go ahead. But whatever it is, and I've written LinkedIn posts, I've said to Boards demand that the Chief Audit Executive in the Chief Risk Officer tell you their definition of what is an effective risk management framework like literally chairman of the audit risk committee demand the CAE and the CRO, tell them what is your definition of effective?
And once they get that done, and quite frankly, very few boards have have asked that question, as shocking as that may be. You know, I've worked all over the world, hundreds of clients, those that are listening, has your board ever asked the question? What does the CAE and CRO believe the definition of what an effective risk management framework should accomplish as an outcome? Start with that.
So the blog post was well-received. It went out around the world, start with that. And if you disagree with my definition, fair enough. But at least tell the Board, what is it you think it means, and then measure yourself against it. But I'm going to tell you right now, once you start having these dialogues, the Boards may not be happy.
If your definition is having an audit plan and producing forty audit reports to do a scratch on the surface of the total universe and go nowhere near the top strategic objectives.
Fair enough that the Board doesn't want the internal audit going anywhere near the most important risks. Let's get that on the table. And apparently they've been okay with internal auditors not going anywhere near the most important risks. And that goes to the history way back in generation One of Internal Audit.
The job of Iinternal Audit was to act as an extension of the external auditor and focus on financial internal control. Many internal audit departments are still stuck on that. Fine. Well then let's at least say the internal auditors are only responsible for a narrow band of objectives. But they should still be delivering useful information on the state of Risk certainty of achieving those objectives, not writing reports on compliance centric audits, or process centric audits, or Risk centric audits.
Let's start writing about the Risk certainty of the company will obey laws, protect client information that's confidential, ensure continuity of operations and publish reliable financial statements.
If the Board doesn't want Internal Audit going anywhere near a strategic value creation objectives, lets have the dialogue and get that out there. But let's stop Internal Auditors saying they're covering the top risks when they don't go anywhere near the top strategic objectives.
Boris: This is a good thinking material for risk managers. Let's finalize. I’m a founder of Global Risk Community a social network that connects risk managers around the world. I wonder from your perspective, how can we contribute to a better understanding of this complex world of risk management?
Tim: I think you have to ask the members of the kind of tough questions I'm asking you right now. Have they agreed with the board of directors? What the definition of an effective risk management framework is in terms of outcomes, not in terms of activities, but in terms of what does an effective risk management framework produces as an outcome. And I think if you challenge everybody on that, that's a simple start.
You're going to find that very few have agreed what we should look for as an outcome from an effective framework. Now, of course I'm fully familiar the closest regulators have come to it is that in 2013, the Financial Stability Board published a paper on principles for effective risk appetite framework.
This is the overarching regulator of all regulators in the world. So all of the major countries are a part of the Financial Stability Board and they published principles for a fact of risk appetite frameworks. I don't agree with everything in it, but a strong message when you read through it says Board should be responsible for overseeing Management risk-taking. Now I would argue though, what we needed to say is Management Boards are responsible for overseeing how well management is monitoring the Risk certainty of achieving the most important objectives.
It's a slight nuance, but I think they actually meant to say that, but the regulators are still very Risk centric in their mindset. So if you've heard of cognitive biases, if you have decided that Risk management means managing a set of risks, it's difficult to get a broader mindset. Now that was a major wrong turn in the profession. It doesn't say it should be about managing a set of risks, COSO, ERM, doesn't say it should be managing a set of risks.
It says it should be about managing uncertainty that the company's objectives will be achieved. I prefer to save Managing certainty instead of managing uncertainty, but literally the profession's primary guidance says that's what it should be about. The profession took a serious wrong term. All of the Risk Associations went down the wrong road. The IIA has gone down in the wrong road.
So as long as the world thinks risk management means managing a list of risks, we are in a deep trouble in terms of the value proposition.
Boris: Well, this was very revealing and interesting interview. Thank you, Tim, for your time and I wish you a great success with your thinking and further enlightening our community with your approach.
Tim: Thanks a lot, Boris it's my pleasure.