Welcome to Spring (southern hemisphere)
Thanks for taking time out to read our seasonal update for Audit & Risk leaders.
As usual this time of year comes on the back of audit committee season, annual reporting and all things to do with year end wrap-up for companies with a June year end. This year’s spring update comes from the warmer climes of the Sydney basin where I’ve been enjoying the things that a Sydney winter often brings as well as working closely with a number of clients to help them up the ante on risk and assurance. More on that later.
This newsletter highlights a few of the patterns and recurring themes we’re seeing across our portfolio of committees, boards, advisory and coaching clients. In this edition we focus on two themes – fondue and custard (yes, you read that right).
We hope you enjoy the read, and as always if you’d like to understand any of these ideas more deeply or need a sounding board on what you’re doing, give us a call to schedule a time.
Deep dives and hot seats
Risk committee deep dives (also known as hot seat sessions) are very much flavour of the month in corporate Australia at the moment, and something we’re implementing, driving or assisting with at most of our current clients with particular vigour in the last six months.
The concept is fairly simple – an area is considered worthy of deeper discussion and exploration at board level (usually by the audit or risk committee). The executive and their team prepare well on this subject and the committee is satisfied that the management is completely across their brief, the risks and issues are in hand, any gaps are understood, flagged and scheduled for resolution to get them to a target level.
Of course, depending on the maturity of the organisation, management’s understanding of what’s required of these sessions and the perceived importance of getting it right, these experiences are mixed. In a worst case scenario there is poor analysis or a fuzzy presentation with nice PowerPoint slides. In the absence of a clear presentation the committee swings and misses in amongst the fog, having all of the impact of being flogged with a wet lettuce, or even worse, thanks the presenter for coming, allowing this behaviour to perpetuate and complacency to set in. Both parties misunderstand each other and soon afterwards something goes BANG.
In better cases the team is well prepared, there is meaningful discussion from both sides, the executive gets value from the exercise and the committee has an opportunity to bring their perspective and share their expertise. In well run organisations this is the norm, but is not as well done or as widespread as should be the case.
In the past six months I’ve been driving the deep dive process on all of my ARCs, and helping several organisations get “hot-seat-ready” through analysis, executive coaching, stress testing and mock Risk Committee hot seat sessions. This has been interesting and rewarding work – the fog is lifting, management capability is lifting, confidence is increasing to seek bolder ambition and there is less fondue. (Yes, you read that right, read on).
Bow ties and fondue
After spending a number of years immersed in complex adaptive systems where cause and effect is not king, it’s been really nice to dust off an old faithful tool – the risk bow tie – which is firmly grounded in the realm of cause and effect.
The theory is really simple – each headline risk area will have a number of possible causes and possible effects. Causes go on the left, effects go on the right, illustrated as a bow tie (or bow tie fighter if you’re working in cyber security) – see simplified example below.
To receive the full report, please complete the form below.
Custard revisited
Ten years ago I developed “the custard chart” – a new colour on my assurance map that illustrated that previous assurance was null and void during a period of heavy restructuring. In short, all bets were off.
Of late I’m struck by a recurring pattern that seems to be widespread in many large organisations in Australia. The pattern goes like this:
To receive the full report, please complete the form below.
Why I want inherent risk back
Don’t get me wrong, I do like risk-based internal audit. I should, after all I helped codify and spruik the idea worldwide for one of the big-4 accounting firms in the late 90’s.
It’s just that its so poorly understood.
Ask 10 audit teams if they do risk-based audit and they’ll tell you they do. Ask them what they mean by this and you’ll get about eight different answers, many of which in my view are technically flawed and way off the mark. (Most of which result in a pass mark under an external quality review, maybe even passing off as best practice).
Despite the popular (and nearly 15 years late) view that the audit plan should hang off the risk profile, this view is is often inappropriate.
To receive the full report, please complete the form below.
Risk culture and root cause analysis
Risk culture is definitely flavour of the month at the moment (or more accurately, flavour of the decade). Leading companies are now dedicating around 30-35% of their staff culture and engagement survey questions to risk culture, and with good reason.
I’ve been musing with one of my clients about Groundhog Day (or more accurately, Groundhog Decade) in the land of auditors and audit committees – the prevalence of custard, recurring audit findings and the standard response to audit findings of “oh yes, we’ll remind people.” This response is a pet peeve of mine – in effect it says “don’t do it again or I’ll write a memo at you” – not a great deterrent by any means, let alone an improvement in the system of control.
I thought I’d share a quick and dirty bow tie we did together on why this might be – why people don’t comply with rules and process.
To receive the full report, please complete the form below.
Shift in focus for TDA
In 2012 I scaled back the business to focus on setting up our two young boys for success and to be very actively involved in their formative years.
To receive the full report, please complete the form below.
**
Thanks for taking the time to read our news and occasionally provocative views. We hope that some of our ideas spur you to take a slightly different approach or increase your conviction. If they make sense or you’d like to understand them better I’d love to hear from you.
I look forward to hearing what’s happening in your world.
Best regards,
Todd Davies and the TDA team