GRC Tuesdays: Ending the Whack-a-Mole Approach to GRC – The Role of the Third Line of Defense
The basic strategy of GRC professionals is similar to the old Whack-a-Mole arcade game in which players use a mallet to hit toy moles, which appear at random, back into their holes. A risk pops up? Whack it! Think a risk might pop up? Whack it with a control. Ineffective control? Whack it with an action plan! Compliance problem? Whack it with a policy! Risk-based audit universe? Think mole-based audit universe!
A Whack-a-Mole approach is perfect when moles pop up suddenly, unpredictably, randomly and spontaneously. That’s rarely true for risks in GRC, but Whack-a-Mole thinking prevails. It’s prevalent in both our business and regulatory responses to business risks and compliance failures.
Unreliable financial reporting? Whack with SOX! Problems with money laundering? Whack with AML! It’s reactive, regressive, costly and unnecessary. And then of course we complain about the resulting regulatory and GRC complexity.
Look for the Mole Nests, Not the Moles
No thought is given to the systemic issues, root causes, or the underlying conditions and human behaviors that foster moles. Just whack the moles when they pop up. Keep whacking until they go away, which of course they never do.
No successful professional or business discipline works this way.
To stop the Whack-a-Mole approach we need to find where the moles live and stop them before they start.
It’s Not a Mole Problem, It’s a People Problem
In my view, the role of the internal audit department is to report on the completeness and accuracy of the risk and control information reported by the First and Second Lines of Defense. In other words, how are they managing their moles and are they likely to succeed?
Years ago, as chief auditor of an oil and gas company, my staff and I implemented what today would be called the Three Lines of Defense approach.
Below is a mock-up of an actual report. This report is extremely simple but extremely powerful. It was used to report to senior management and the audit committee of the board. It was one of several reporting formats we used.
Whacking Moles Before They Pop Up
As a result of our self-assessment initiative, every department of the company used a methodology for identifying, documenting, and assessing their risks and controls. A copy of their assessment was sent to the internal audit department. It was usually a Word report, sometimes a couple of pages, sometimes a binder. We scored it in two ways.
- We assessed the completeness of the assessment against a control framework. We had adopted a framework that let us categorize controls. If they documented and assessed their controls across all framework categories, they were given a score of up to 5 points. We wanted to make sure they were looking everywhere for mole nests, not moles.
- We then assessed the level and candor of staff participation. Some departments involved multiple levels of staff in the self-assessment process and conducted workshops and surveys. We assigned a score from 1 to 5 depending on the level and nature of participation. We wanted to make sure everyone was looking.
Several departments scored extremely well in the barrel graph. On the other extreme, one department head sat down on a Friday afternoon near the deadline and created, on his own, a pencil list of controls he felt were in place. That department stands out clearly. We found that if business managers were unwilling or unable to size up their risks and controls, they were likely going to have a mole problem. We wanted to stop the moles before they popped up.
The Role of the Third Line of Defense
All of the information provided by the business was auditable and could be verified. Our focus was on building risk and control assessment skills in the business first and providing assurance on the reliability of the results second.
As CAE I was expected to explain and interpret the results of the self-assessments and the reliability of information reported. Management and the board now had a lens to look through. We gave them some levers to pull.
- We tested the information documented by the business.
- We consulted on best practices in control design.
- We modeled the impact of major system changes on the entity level control framework.
- We benchmarked against competitors.
At the time, the technology we have available today did not exist. Today we have the GRC tools to drive this process farther and deeper into organizations than we ever dreamed.
Our work was described in “Ripe for a Renaissance,” written by Paul Makosz and me and published in IA Magazine in December 1990. Apparently, we overstated the “ripeness” for change of the GRC professions.
Twenty years ago, Whack-a-Mole strategies were excusable. Today they’re unnecessary, inefficient, unreliable, and unacceptable.
I’ll be talking about this subject and more at SAPinsider GRC2016 in Vienna this June 20-22. I hope to see you there.