IBM CEO Survey Insights On Customer Focus

The 2012 CEO survey conducted by IBM gives some interesting insights. Seventy-three per cent of CEOs are gearing their organizations to gain meaningful insights from customer data. This is the area of highest investment. The traditional approach of segmenting customer data to calculate statistical averages has been replaced with understanding the attitudes and tastes of individual customers.

The main aim of gathering holistic customer information is to devise services and products targeted at the customers and improve the response time. As stated in the report – “The challenge for organizations is two-fold: can they pick up on these cues, especially if the information comes from outside? And can the appropriate parts of the organization act on the insights discovered?” The graph depicts the main reasons for capturing customer information.

Further, the report mentions that though most of the CEOs focus on capturing information, out-performers excel at acting on insights. The difference is innovation and execution. A quarter of the CEOs reported that their organizations are unable to derive value from the data. Speed of action is required to capture data, analyse, prepare strategies and respond to customers. As one CEO stated, the most crucial characteristic is to “organize a major wake-up call.” The customer-obsessed CEOs are driving the organizations to more contextual customer insights. The graph below highlights the marked difference between under-performers and out-performers.

Risk managers can play a pivotal role in helping CEOs achieve these objectives. They can focus on the following.

1.     Organization Culture and Process Change

A customer-oriented organization culture is required to leverage the opportunities. Secondly, the organization needs to align the processes towards customer relationship management. Risk managers can conduct an organization culture survey to assess customer orientation. Moreover, they can review processes to determine risks and controls to mitigate risks.

2.     Security of Data

The activity requires accumulation of extensive customer personal information. Generally, companies use separate data centres to collect and analyse the data. However, the risk of loss and theft of data is huge, as in the recent case of Facebook, where 1.1 million users’ data was sold for US $5. Therefore, it is a good idea to review security policies and test data centre security.

3.     Return on Investment

Data collection requires huge investments in technology and resources. As the CEOs are saying, the failure rate is quite high. A review of projects, plans and strategy would identify the pain points and misdirected activity. Calculating return on investment on various programs might steer the investments in the right direction. Timely identification of failing projects and the reasons for failure is critical to maintaining cost effectiveness.

Closing thoughts

Technology and social media have brought customers closer to companies. The face-to-face customer interaction is gradually shifting towards social media. The companies that are able to navigate this transition successfully will outperform their peers in the industry. Hence, risk managers should support this CEO initiative to enable the organization to leverage upside risks.

What is your organization doing in this respect? How do you think risk managers should facilitate CEOs in this initiative?


Leading Through Connections – IBM CEO Survey


Is Doing Nothing A Reputation Risk?

Tim Cook, CEO of Apple, recently issued an open letter on the Apple website, publicly apologizing for the shortcomings in the Apple maps. The first paragraph reads:

“To our customers,

At Apple, we strive to make world-class products that deliver the best experience possible to our customers. With the launch of our new Maps last week, we fell short on this commitment. We are extremely sorry for the frustration this has caused our customers and we are doing everything we can to make Maps better.”

The purpose was to pacify the angry customers who found inaccuracies in the Apple maps. The words of the CEO mattered.

Now let us assume that none of the customers knew who the CEO of Apple is. They have not heard of the CEO before. The CEO visibility was zilch in media, social networks, business conferences etc. Would the words have mattered then? Wouldn’t the customers say – “Who is this guy? We never heard from him before and now he is giving excuses for horrid products?”

Managing an organization’s reputation is part of the CEO/CXO job. When reputation risks occur, their communication is part of the risk mitigation plan. Hence, the effectiveness of the risk mitigation plan is dependent on the CEO/CXO profile. Until here, I think you will agree with me.

Now let me ask you the difficult question. If the senior management of the organization does nothing to add to the brand or reputation of the organization, is it a risk?

Here is my argument. Normally, we take the following criteria for reputation risks.

Source: ICAI ERM Training Material

This measures only the negative impact. We talk about negative coverage in the media, but what about no coverage in the media? In India, most of the CEO/CXOs have no media visibility and, unlike the west, 90% do not give interviews etc. in the media. They don’t even have a social media presence and one can hardly find them directly interacting with customers. That is, except for traditional advertising of products in newspapers, magazines and television, there is no coverage of the organization and the senior management in the media.

Now let us look at it from a risk management perspective. One of the strategic objectives of the organization is to build the brand and reputation of the organization. The purpose of enterprise risk management is to give an assurance to the board that the entity is moving in the right direction to achieve its objectives. As risk managers, we focus on whether something goes wrong, but what if the company is not moving at all in any direction – positive or negative – in meeting its objectives? Should we capture that as a risk?

Closing thoughts

Negative viral messages in social media tarnish a reputation in a span of a few hours. It takes just one tweet to go viral. It will be very difficult for a company to defend itself if it does not have a Twitter account and a reputation management plan. The same applies to executives. Now the thought process is either develop a brand or get branded. Silence gives an opportunity to others to put labels and develop negative perceptions. Continuous positive messages at a personal level need to go out about the brand for customers to have a favorable opinion. Doing nothing may become a huge risk.

Industry Disruption Risks

The biggest risk of all is industry disruption risk. One fine day the competitive landscape of the industry transformed and it caught us by surprise. Ouch, the world changed while we were sleeping. It is a CEO’s recurring nightmare, and the risk managers do not focus on it much. The reason, as I mentioned in my recent posts, is that risk managers assume they do not have the right or duty to question the strategy or strategic objectives. Let us discuss this in detail.

Andrew Grove in his book “Only the Paranoid Survive” described the strategic inflection point. He said – “An inflection point occurs where the old strategic picture dissolves and gives way to the new, allowing the business to ascend to new heights. However, if you don’t navigate your way through an inflection point, you go through a peak and after the peak the business declines.” The strategic inflection point disrupts the industry completely and can wipe out old companies in a few years.

1.      The Intel Story

Fascinatingly, Intel itself missed the strategic inflection point of mobile computing. Intel controls 80% of the world’s PC chip market. It failed to make a timely dent in handheld devices. Nvidia, Texas Instruments, Qualcomm and Samsung rule the ARM chips market for smartphones and tablets. Intel is now positioning itself in this market with its x86 chips. With the PC, laptop and server market shrinking, let us see whether Intel can re-position itself as the smartphone and tablet chipmaker. iPhones and iPads disrupted the technology industry; and surprisingly the giants of the industry – Intel and Microsoft – both missed the boat.

2.      The India FDI Retail Story

Closer home, the opening up of foreign direct investment in the retail industry has shaken the complacent industry from its roots. The expected entry of Wal-Mart is causing havoc in the minds of established players. Most of the food retail sector in India comprises Mom-Pop local stores that supply at low costs. Some organized chains such as Reliance, Bharti, Nilgiri’s etc. have started catering to the upper middle class requirements; however, they have not wiped out the smaller stores. The opening of the retail sector to foreign investment is indicative of industry disruption. The industry is gearing itself to deal with the new risks to retain the competitive advantage.

3.      The ERM Perspective

COSO ERM – Integrated Framework, 2004 defines ERM as:

Enterprise Risk Management is a process, effected by an entity’s Board of Directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide a reasonable assurance regarding the achievement of entity objectives.

Going by the definition, identifying industry disruption risks comes under risk managers’ purview. However, we tend to take strategy as given and don’t challenge the strategy and strategic objectives. We need to change our perspective. Building and retaining competitive advantage is a strategic objective. The industry disruption events can wipe that out. Hence, include identifying disruption risks as part of risk assessment.

Closing thoughts

Industry disruptions occur due to external forces – regulators, competitors, suppliers, customers and society. To identify strategic inflection points, risk managers must meticulously track the external environment. Understanding the external environment is difficult and requires extensive industry knowledge. Therefore, I know, some of you would be wondering whether it is part of our job. Let us check with the readers.

Should Risk Managers Re-use Last Year’s Strategy?

Let me ask you a question. For 2013 planning, are you thinking of updating the 2012 annual audit plan or risk management plan? Alternatively, do you think major changes are required, and you need to start from scratch? While preparing the 2013 strategy or plan, you cannot afford to just tweak your previous plan and get by. You need to do the whole works and start with a plain sheet of paper.

Exactly why am I making such a bold statement? Let me explain. You must have read various surveys in which business teams state that risk managers and auditors are not addressing the business concerns. The thing is, risk management practice is changing at a much slower rate than the external and internal business environment.

Below is a simple graph. The lines in real world would not be straight; I have just used it for the sake of convenience to illustrate my point.

1.   External environment

The external environment is going through a rapid change. This includes the social, cultural, political, legal, economic, technological, financial and competitive environment. The speed of change is so high that most organizations are failing to keep up. Hence, there are numerous upside and downside risks in the external environment that organizations are clueless about.

2.    Internal environment

Organizations attempt to make sense of and adapt to the changes, however, at a slower rate than the external environment. During a year, many organizational changes take place. Changes occur in business strategy, objectives, policies, procedures, organization structure, roles and responsibilities, governance models, products, knowledge, processes, systems and technology. Due to these changes, the risks within the organization change. Numerous risks remain un-addressed when we do not consider the changes while preparing a risk management strategy.

3.    Risk management function

The risk management discipline as such is changing at a slow pace. If you recall, COSO issued “Internal Controls – Integrated Framework” in December 2011 for public comments. The internal control definition had not changed and only some areas were improved, though this was the first revision issued after 1992. COSO received so many comments that it now plans to issue the final version in 2013.

Within the organizations, the situation is the same. Risk management and audit functions are the last to change. While CEOs are demanding that they advise on strategic risks, very few are rising to the occasion. Even with five years of financial crises and slowdown of the economy, the surveys show limited improvement in the performance of risk management and audit functions. They haven’t leveraged the opportunity, leaped forward or made great strides. They are cribbing about the same old issues of lack of top management support instead of focusing on the changing business landscape.

Hence, the gap in risk managers’ and auditors’ knowledge of business risks is huge. If they are not tuned into the internal business environment, they leave some risks unaddressed. If they haven’t focused on the external environment, there are a number of unknown risks that can affect the organization at any time. Therefore, the annual risk management strategy and/or plan is ineffective if these aspects haven’t been considered.

Closing thoughts

The business environment risks can be best described in the words of Donald Rumsfeld, the former US Defence Secretary. He had stated at a press briefing relating to the increasingly unstable situation in post-invasion Afghanistan: “There are known knowns. There are things we know that we know. There are known unknowns. That is to say, there are things that we now know we don’t know. But there are also unknown unknowns. There are things we do not know we don’t know.” Risk managers and auditors are in the same situation. Hence, strategy and plans have to be devised keeping this in mind. Start from scratch for 2013 strategy.

Watch this video and share with me, will your old strategy work?

Ernst & Young Insight For Internal Audit Transformation

The last post – ‘Coal Gate Scam – Should Auditors Comment on Policy Decisions’ – ignited a thought-provoking discussion on LinkedIn. The major debate was on the role of internal auditors in evaluating strategic decisions and strategy per se. The message is – transform the internal audit department and leave behind the old thinking of verifying compliance with existing processes. Hence, I thought of sharing some great insights from the Ernst & Young report – The Future of Internal Audit is Now.

Before we discuss the details, check out the depiction of the transformation process below.

The key aspects of the transformation process are:

1.      Align with organization strategy

According to the study, 61% of the internal audit departments did not have a documented mandate aligned to business. One can question, then, exactly what they are working on. The way forward is to understand the business strategy – sales, operations, human resources, products, etc. – and identify the strategic and business risks of the same.

2.      Formulate the internal audit strategy

Based on the understanding of business strategy and strategic risks, devise an internal audit strategy. Developing an internal audit annual plan isn’t sufficient. Take the time period of the business strategy, and formulate the internal audit strategy for the same period or a three to five year period.

3.      Acquire the right talent

Execution of a strategy is as good as the people deployed to the task. Upgrading skills is a must. Besides technical and functional knowledge, auditors now need business acumen. Rotate resources from operations to get in-depth business knowledge. To highlight the importance of business skills, according to the report just 47% of the IA departments have a training plan for leadership and business management.

4.      Operate as a business function

Internal audit should stop viewing itself as a support function and take a leaf out of the line functions’ book. It should measure itself against the same standards as business functions. Have the right strategy, execute it effectively, provide value add and measure against key performance indicators. Being mostly a cost centre doesn’t mean it should let itself go.

Closing thoughts

Survival of business in this global economic crisis is hugely dependent on effective risk management. Internal audit plays a vital role in improving the financial performance of the organization. Hence, transforming the department’s functioning from the old mind-set to fit the 21st century requirements is a must.

Before closing, here is something to start your week on a good note. An old man for the first time saw moving walls. While he was standing in front of them, he saw an old woman enter the walls, and in a second a young woman came out. He said to his grandson – Son, hurry home and get your grandmother.


Coal Gate Scam – Should Auditors Comment on Policy Decisions?

The Coal Gate Scam report has squarely put the loss of Rs. 1.86 lakh crores (USD 35.097 billion) at the Prime Minister’s door. The Comptroller and Auditor General (CAG) report states that Prime Minister Manmohan Singh agreed to introduce competitive bidding for allocation of coal blocks way back in October 2004. However, his office indulged in delaying tactics in approving the revised policy. This resulted in allocation of coal blocks according to the old policy introduced in 1993. Failure to use competitive bidding resulted in a loss of Rs. 1.86 lakh crores (USD 35.097 billion).

This raises interesting questions from the corporate sector perspective. Should auditors see the validity and applicability of policies? Alternatively, should they restrict their role to the compliance of existing policies? What happens when a policy or standard operating procedure of an organization is redundant but is still being followed? If competitors are using better processes, technology and policies than the organization, what role should auditors play in it?

1.     Delaying Policies Becomes a Political Game

According to the CAG report, the Screening Committee allocated blocks and the process lacked transparency. Allegations are that private companies with political links benefited at the expense of others. However, the competitive bidding policy could have been introduced with an amendment from the administrative desk. The Prime Minister’s role becomes critical as he was also fulfilling the responsibilities of Minister of Coal. CAG says he made it into a bigger issue, that the policy should be changed for all minerals and not just coal; hence the process for making such a large-scale policy change was different. This allowed the coal ministry to follow the 1993 process.

This happens in the corporate sector too. For instance, an employee or a small group suggests a change to an existing control process that will take just one man-month of effort. Some others with vested interests do not wish for the change to occur. However, they can’t reject the suggestion for strengthening controls without looking bad. Hence, to stall the project, they add a few more suggestions which make the project a larger, 24 man-month effort. Now the change can only happen once the huge budget is approved. Since the project is not a priority, it stays at the bottom of the budget approval list. Hence, the status quo remains and subsequently someone exploits the control weakness to conduct a fraud.

In such a situation, as an internal auditor would you highlight the initial attempt to strengthen controls and put responsibility on the other group for delaying the change? Do we as internal auditors go back in such depth to find out what projects or policies were kept pending approval and they had such a huge negative impact?

2.     Auditor’s Role in Policy Review

The Supreme Court has upheld CAG’s power to comment on policies. The bench of Justices R M Lodha and A R Dave said: “Do not confuse the constitutional office of CAG with that of an auditor of a company or corporation.” This response was in respect to a petitioner’s contention that CAG should restrict itself to auditing expenditure and not comment on the government’s rationale for policy decisions. The bench had further added – “CAG is not the traditional Munimji to prepare only balance sheets. It is constitutionally mandated to examine the efficiency, effectiveness and economy of the decisions of the government in using resources. If the CAG will not do this, then who will?”

This viewpoint raises some interesting points for internal auditors in the corporate world. Should auditors be commenting on strategic or policy decisions of the company?

For instance, the company decides to use print media for advertising open job positions. However, it is much cheaper to use job portals and social media. These significantly reduce the cost of recruitment. Should an auditor restrict himself to checking that all expenditure is authentic or question the hiring policy?

Another aspect is the strategy decisions. Let us say Company A decided not to enter the emerging markets, whereas Company B, operating in the same industry, entered the emerging markets and increased its profitability tremendously. Should an auditor audit strategic decisions, and not just say that it is management’s responsibility? Where is the line of demarcation drawn in respect of corporate internal audit?

The Institute of Internal Auditors’ new standard applicable from 2013, ‘Achievement of the organization’s strategic objectives’, states that – “The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the achievement of the organization’s strategic objectives”. Hence, should we conclude that evaluating strategic decisions comes under internal audit purview?

3.     Auditor’s Role in Calculating Presumptive Loss

The CAG audit reports on 2G licenses and Coal Block allocations have raised a storm due to the calculation of presumptive loss figures. The government’s contention is that CAG should not be calculating the opportunity loss, as policy decisions are taken to benefit the public.

CAG however, contended that – “We had never commented on government policies, neither did we ever say that auction was the only route or that all natural resources should be auctioned. In both 2G spectrum licences and coal block allocations, we had only commented on the ‘effectiveness or non-implementation’ of policies. The presumptive loss or windfall gain figures are only to highlight the serious issues of an act of commission during implementation of government policies.”

In the corporate world, internal auditors make an observation and restrict their recommendations to suggesting improvements. In rare cases, a cost-benefit analysis is done on the impact of the control weakness. We generally fail to draw management attention to the seriousness of the issue, as there are no numbers given. Should corporate internal auditors change their approach to audit work to give a cost-benefit analysis for their observations? Will that garner more attention from the management and initiate action?

Closing Thoughts

These are questions worth debating and there are no easy answers. Internal auditors in the business world can learn quite a few lessons from the government auditors. They are doing a good job of raising contentious issues. Below is a poll to assess your views.


Performance Appraisal for Risk Management Functions

Think of climbing into an aircraft that doesn’t have an aircraft control system and the Air Traffic Control rooms don’t function properly. Would you be willing to go for a free ride in the plane?

If I say risk management functions play the role of Air Traffic Control rooms and provide the relevant feedback to the business, you would mostly agree. But what are the systems in place to see whether the risk management functions are fulfilling the role of Air Traffic Control rooms properly? If Air Traffic Control rooms fail, the planes crash, and the same happens in business. Isn’t performance appraisal of risk management functions critical, then?

Generally, I have seen risk management functions do an appraisal within the team and sometimes take feedback from senior management. This is despite the fact that in most surveys conducted, the business teams respond that they face challenges with risk management functions and highlight quite a few shortcomings. As the year is ending, the functions would be busy preparing annual budgets and strategies. This would be the right time to obtain feedback and do a proper evaluation.

Let us take an example of the fraud department and study the process of performance appraisal for the department.

1.     Senior Management

Get uncensored, honest feedback from the senior management, not the form-filling kind, where “meets expectations” means “hasn’t committed a big blunder to date”. Check whether senior managers are ticking the appropriate boxes to keep the risk management function out of their hair for another year or whether it is genuine support for improvement. Ask the audit committee and CXO level the probing and difficult questions:

a)     Does the risk management function help you to perform better?

b)     Did the risk management function add value to the business during the year?

c)      Were you worried during the year that some unpleasant risks would appear that had not been identified before?

d)     Does the risk management function make you feel confident that the business is running on course?

That will give out a message to senior managers that the function is geared to take up a bigger role in business and partner with them for success.

2.     Business Teams

Though the risk management functions issue reports relating to operational risks, the feedback of business teams is restricted to obtaining their replies to the observations made in the reports. Risk management functions rarely go back to business teams for an evaluation. One way is to conduct a yearly survey to obtain the business teams’ assessment of performance. The other way is to incorporate a value scorecard system. This ensures that after every assignment, the business teams’ feedback is obtained in the value scorecard. This enables the function to take corrective measures promptly to provide better service in the next assignment. Some of the questions to ask are:

a)     Did the risk management assignment offer value to your business operations?

b)     Did the risk management teams partner with you to solve your concerns? For instance, in a fraud investigation, did the report help them identify the suspect, and give a solution to prevent future frauds?

c)      Did the risk management team give you a practical solution or recommendation to mitigate the risks?

d)     Do you get prompt replies to your request for help or advice?

Build a value scorecard with 10-15 questions. A periodic assimilation of the responses will highlight the strengths and weaknesses in the performance of the risk management functions.

3.     Other Risk Management Functions

If one wishes to break down the silo approach to risk management, then each risk management team should be evaluating and giving feedback to the other teams. For instance, a fraud department should get feedback from the compliance and business ethics function.

This is the most beneficial kind of feedback, because other risk management teams actually understand the nature of the work, issues and challenges. Obtaining feedback opens doors for sharing best practices and aligning the work. With numerous functions managing business risks, there are some un-addressed risks as each department assumes that the other is fulfilling the responsibility. Hence, some relevant questions need to be asked. Here are a few examples:

a)     Do you believe we are complementing your work or are working at cross purposes?

b)     Do you get information on our work to tie up and give a joint strategy to address related risks?

c)      Do our teams collaborate well together on joint projects?

d)     Do we share our methodologies, knowledge and best practices to benefit each other?

Working in isolation isn’t going to help the function, other teams or the business. Hence, taking feedback from other functions is really important.

4.     Risk Management Team

Doing a fair and honest evaluation of team performance is of paramount importance. If possible, implement a 360 degree performance evaluation system. A top down evaluation system will not work for risk management function, as most of the interaction with business teams is done by middle and junior managers. They are aware of business team attitude towards risk management. Even the office rumour mill gives some useful information of acceptance and popularity of the risk management function. Some of the questions the team should be asking are:

a)     Are we viewed as business partners by operation teams and do they think we add value to their business?

b)     Are we doing the best possible work to mitigate the risks?

c)      Are we using standard tools, methodologies and knowledge to give the best possible service to business teams?

d)     Do we have a good talent pool that understands the business and associated risks?

Unless the risk management function does an honest self-evaluation, it is unlikely to find the gaps and improve. Hence, a good deal of time should be spent on it.

Closing thoughts

A good performance appraisal is possible after assimilating the information from all four sources and asking a lot of probing questions. Rather than shying away and getting defensive, it is best to take the feedback in a positive light. Without feedback the function is directionless. Here is a small video of HCL on performance appraisal. It brings the point home.

Re-branding Risk Management and Audit Functions

There is an old joke on the power of branding. When a man goes to a woman and says – “I am great in bed, how about it?”, it is sales. When an attractive woman goes over to a guy at a party and says – “Hi, I hear you’re great in bed, how about it?”, it is branding. Seriously speaking, how many times have the business teams come over to the risk management or audit department and said – “You are great at this, we need your help and advice”? If the business teams aren’t approaching, then we have a poor brand image. Our customers are in two minds whether they should involve us or not. Quite often the business teams think they are better off without us. So shouldn’t we be delving deeper to find out why, in the competition between various departments in an organization, we are generally at the bottom of the popularity chart?

1.     Auditors are Watchdogs

Seriously, why do we use this term? It negates the very premise of being of service to others. Think of it for a second. We say, men are dogs, women are bitches, and auditors are watchdogs. Does it connect to negative or positive emotions?

With it we wish to sell the image of trusted partners, advisers and mentors. When we use the word watchdog, do we think – as trustworthy as a dog?

Have you ever felt the urge to pet a strange German Shepherd or a Doberman? We see a couple of them coming towards us, and the bravest of us feel a tinge of fear and anxiety. Why do we expect any person interacting with an auditor to feel any different, then? Doesn’t the term watchdog make auditing sound like a blood sport? Why get stuck with an age-old expression?

2.     The Coolness Quotient

We associate with brands because of their coolness quotient. It feels good to be part of the tribe, whether it is the Facebook site, Intel machines, the Apple iPhone or a Harvard degree. We desire it because it makes us feel or look good. When does audit or risk management make the customer feel or look good?

I came across David Brier (@davidbrier), a branding expert on Twitter. In his short book titled “The Lucky Brand Book”, I was stunned by the last point. It said – give a reason to celebrate the brand.

I questioned him – how does one celebrate risk management? He gave me two answers –

a)     “Choreographed spontaneity” – all the fun and with a safety net

b)     All the gain without the pain

Both these answers send out positive messages. They definitely shatter the mind-set that risk management applies to negative aspects of business. Why not give it a try?

3.     The Independence Clause

We profess to maintain independence, and to do so we state that quite a few things are management's responsibility. At one point we express a desire to sit at the board table; at another we disassociate ourselves from management. I understand the technicalities of the requirement to maintain independence. The question is – are we using it to escape responsibility?

As part of an internal audit role we undertake to issue an audit report. In risk management we either assist or conduct a risk assessment. As risk managers we provide the second line of defense and as auditors the third line of defense.

Though we desire a more active role, we don’t wish to match the responsibility with it. For instance, we submit a report with recommendations and leave the business teams to implement the solutions, as it is not part of our job. Doesn’t that appear like sailing a person out to the middle of a deep sea and leaving them there on their own, as giving a return ride back to the shore isn’t part of the deal? Is it going to generate trust and respect to build healthy relationships? Next time round, are the business teams going to welcome us back?

Closing Thoughts

I definitely don’t have the answers to this one. Though it is clear, we need to re-brand. Maintaining the status quo isn’t helping us. At the logical level we are doing our job. At the sub-conscious level the business teams receive numerous negative messages, which dissuade them from emotionally connecting with the functions and their members. Risk managers and auditors need to figure out how to brand themselves externally and internally.

While you do so, listen to one of the everlasting brands – Elvis singing Suspicious Minds


Misunderstanding of Risks Between Business Teams and Auditors

The PWC Internal Audit survey highlighted one critical shortcoming of Chief Audit Executives and Internal Audit Departments. The risks that business teams consider critical are being ignored. I have been covering some of the risks on the blog, namely – people risks, competitive advantage, innovation and creativity, marketing, country risks, etc. According to the survey, more than 20% of the stakeholders reported that internal audit paid too little attention to these risks. Hence, the question is why internal auditors and risk managers are not looking at them. Take a look at this chart first.

PWC Internal Audit Survey 2012

From the survey results, two assumptions can be made. First, the internal audit function is still focused on auditing the processes that link to the financial numbers. Second, it does not understand the business aspects of the organization. As given below, three things need to be done.

1. Understand business requirements

The situation reminds me of an Archie-Veronica joke. Veronica is trying out a new pair of jeans in a store. She looks in the mirror and says – “The jeans are tight, I wonder what could be the problem.” Archie promptly replies – “You might have gained a few pounds”. Veronica gives one whack on Archie’s head and again makes the same statement. This time Archie replies – “The store may have marked a wrong size on the jeans”. If the internal audit reports are hard-hitting, business teams may give the internal auditors a rosy picture. They may not be sharing their true concerns with respect to various business risks. Hence, internal auditors would focus their energies on some unsubstantial risks. Improve the communication with business teams to understand the risk environment. Create an environment where truthful interactions occur.

2. Add in next year's business plan

The last quarter of the year has started today, and most organizations will prepare their 2013 plans in this quarter. This is a good time to understand the business risks and prepare the 2013 annual audit plan and budgets accordingly. Coordinate with the business teams to understand their annual plans. Identify the risks relating to the plans. Discuss with the teams how the internal audit function can help them. Attempt using collective intelligence and crowd sourcing techniques to develop your plan. Where required, take a call to provide advisory services rather than assurance services. Business managers expect much more from the internal audit function. Hence, gear yourself to meet if not exceed those expectations.

3. Develop talent and skills

In the 20th century internal auditors audited the same financial numbers as external auditors. In the 21st century, the function requires revamping. In my previous article – “New Risks and Uncertainties in 21st Century” – I had conducted a poll. I had asked respondents whether they thought present day risk managers were equipped to deal with 21st century risks. Out of 17 total votes, 15 had responded that less than 50% of the risk managers can manage the new business risks. The verdict was by the risk managers about risk managers. Don’t be a dinosaur; learn new skills to survive in the market. In another 5 years when Gen Y become middle managers, Gen X may become redundant.

Closing Thoughts

With the turmoil in various economies, the 2013 risk landscape will be drastically different. Organizations that are well geared in risk management have a higher probability of sailing through. Internal auditors and risk managers need to incorporate the impact of globalization, technology and social media in their annual plans. There is no purpose in serving stale bread and expecting business teams to swallow it. Rejuvenate in the new business age.

Wishing all my readers a Happy Gandhi Jayanti. Let us pray that each person believes a little more in non-violence and works towards a peaceful world.


