Tag Archives: Compliance

2016-03-20 by: James Bone Categories: Risk Management “Outrageous Compliance” Series

This series of articles is an irreverent, tongue-in-cheek look at the serious business of risk management and compliance, and at the lack of scientific rigor that gets dressed up in charts and graphs which have the appearance of legitimacy but tell us little about risk.
First, let me say that risk management and compliance are important functions and deserve to be taken as seriously as any other discipline in business and government, because they exist to ensure efficient operational outcomes. My aim in these articles is to show where many firms diverge from serious risk management into the realm of mystery cloaked as rigor.

My first victim – Risk & Compliance Self-Assessments!


Risk & Compliance Self-Assessments (RCSAs) have become a handy tool for communicating to management, regulators and others that an organization has analyzed its risks and understands both the severity and the likelihood of each event. Each risk category gets its own color-coded rating, produced in a "table top" exercise where subject matter experts sit in a facilitated session, list the risks they can think of, and assign Severity and Probability based on nothing more than memory!
I can't remember what I ate for dinner three weeks ago. Should I trust my memory to document the threat level of risks to an organization based on recall? Yes, experience matters, and yes, experts in their field have important contributions to make about the risks they encounter doing their jobs. But what does the resulting chart really tell us about risk? The answer is: very little!

Of course, we all understand that RCSAs are subjective, but the "risk" in risk self-assessments is the false sense of security that comes from believing these exercises really represent the risk exposures of an organization. They do not, and here is why.

Statistically speaking, risks tend to have a shape. In some cases the shape of a risk is a normal curve; in others the distribution is skewed to the right or to the left; but in an RCSA every risk is given the same shape. Each risk, with slight variation, is reduced to a single cell in a chart that looks exactly like the one above. Intuitively we understand that risks are not uniform, yet we never question charts and graphs that look like some effort went into producing them.

Secondly, these charts lack the benefit of the law of large numbers. You might be surprised to learn that risk management rests on the statistical laws that govern sampling. The RCSA is flawed because it is based on a tiny sample of data (your memory) that is inherently biased toward recent events that are easy to recall, and that sample is not representative of the frequencies found in a large stochastic database of risk events. What does stochastic mean? A stochastic process is one involving a randomly determined sequence of observations, each of which is treated as a sample of one element from a probability distribution. In other words, if you are not using a stochastic process to measure risk, you are guessing!

While sitting in a conference with professional risk managers from a range of industries, I asked a fellow participant how he managed risk and whether he used a system to facilitate the process. His answer did not surprise me. He jokingly said yes, he used a system: it's called Excel. Each year he conducts a table top exercise with senior management in which they list their top 20 risks and fill in their assessment of each one. He laughed and said he is the Wizard behind the curtain who controls the process. Once the exercise is completed, an entire year goes by before the Wizard unlocks his Excel file so that another year's list can be documented.

If your risk management program looks like this, you are practicing Outrageous Compliance! Unfortunately, many risk professionals are taught to perform this exercise because it is easy to do and it gives senior management a false sense of security. By the way, show this exercise to your board of directors, your internal or external auditors, or your regulators, and no one will challenge you or the process to understand what it actually says about your risk profile. The process appears rigorous, much like the Wizard of Oz, who fears that Toto may someday pull back the curtain and reveal the truth.

RCSAs have some value as a tool for understanding the risks subject matter experts deal with on a daily basis. They are a great starting point, not a conclusion, from which to begin developing a stochastic database of risk events. Which brings us to the last point about Outrageous Compliance: the risk repository.

A risk repository represents a third flaw in thinking about risks. Capturing risks as fixed entries in a repository produces a deterministic model. A deterministic model is one in which every set of variable states is uniquely determined by the parameters of the model and by the previous states of those variables; therefore a deterministic model always behaves the same way for a given set of initial conditions. Conversely, in a stochastic model (usually called a "statistical model") randomness is present, and variable states are described not by unique values but by probability distributions.

Why is this wrong? When you build a deterministic model (a risk repository) you predetermine the outcome. Lots of organizations make this mistake, including insurance actuaries, financial analysts on Wall Street, medical researchers and risk professionals in many organizations. The reality is that all models are wrong, but some models are useful! Understanding how to develop useful risk assessment models takes time and patience, but knowing the difference
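To make the contrast between a table top point estimate and a stochastic model concrete, here is an added example (not code from the article or from TheGRCBlueBook). It simulates one operational risk scenario with a compound model: the number of events per year is drawn from a Poisson distribution and each event's loss from a lognormal distribution. The rate, median loss and tail parameter are constructed assumptions chosen for illustration, not figures from any loss database. The script compares the single "likelihood x severity" number an RCSA session would write down against the simulated distribution of annual losses, and shows the law of large numbers at work by measuring how far the estimated mean wanders when it is based on only five remembered years versus five thousand recorded ones.

```python
import math
import random
import statistics
from typing import Dict, List

# Constructed, illustrative parameters for one risk scenario
# (say, "phishing-led account takeover"). Assumptions only.
FREQ_MEAN = 3.0          # expected events per year (Poisson rate)
LOSS_MEDIAN = 50_000.0   # median loss per event, USD (lognormal median)
LOSS_SIGMA = 1.0         # lognormal shape: larger means a fatter right tail


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of events in one year for rate lam."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_loss(rng: random.Random) -> float:
    """One year: draw how many events occur, then a lognormal loss for each."""
    n_events = sample_poisson(rng, FREQ_MEAN)
    return sum(rng.lognormvariate(math.log(LOSS_MEDIAN), LOSS_SIGMA)
               for _ in range(n_events))


def simulate_years(n_years: int, seed: int = 2016) -> List[float]:
    """Seeded so the run is reproducible; each entry is one simulated year."""
    rng = random.Random(seed)
    return [simulate_annual_loss(rng) for _ in range(n_years)]


def rcsa_point_estimate() -> float:
    """What a table top session produces: one likelihood x severity number,
    using the 'typical' (median) loss the experts remember."""
    return FREQ_MEAN * LOSS_MEDIAN


def analytic_mean() -> float:
    """Closed-form expected annual loss for a compound Poisson-lognormal model:
    rate * median * exp(sigma^2 / 2). Used to sanity-check the simulation."""
    return FREQ_MEAN * LOSS_MEDIAN * math.exp(LOSS_SIGMA ** 2 / 2)


def percentile(values: List[float], q: float) -> float:
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[idx]


def skewness(values: List[float]) -> float:
    """Sample skewness; > 0 means a long right tail (rare, very bad years)."""
    m = statistics.fmean(values)
    sd = statistics.pstdev(values)
    return sum((v - m) ** 3 for v in values) / (len(values) * sd ** 3)


def summarize(losses: List[float]) -> Dict[str, float]:
    return {
        "mean": statistics.fmean(losses),
        "median": statistics.median(losses),
        "p95": percentile(losses, 0.95),
        "skew": skewness(losses),
    }


def estimate_spread(losses: List[float], sample_size: int,
                    trials: int = 200, seed: int = 7) -> float:
    """Law of large numbers check: standard deviation of the estimated mean
    when each estimate is built from only `sample_size` years of history."""
    rng = random.Random(seed)
    means = [statistics.fmean(rng.sample(losses, sample_size))
             for _ in range(trials)]
    return statistics.pstdev(means)


if __name__ == "__main__":
    losses = simulate_years(20_000)
    s = summarize(losses)
    print(f"RCSA point estimate (likelihood x severity): {rcsa_point_estimate():>12,.0f}")
    print(f"Simulated mean annual loss:                  {s['mean']:>12,.0f}")
    print(f"Simulated median annual loss:                {s['median']:>12,.0f}")
    print(f"Simulated 95th percentile year:              {s['p95']:>12,.0f}")
    print(f"Skewness of annual loss:                     {s['skew']:>12.2f}")
    print(f"Spread of mean from 5 remembered years:      {estimate_spread(losses, 5):>12,.0f}")
    print(f"Spread of mean from 5,000 recorded years:    {estimate_spread(losses, 5000):>12,.0f}")
```

Two things fall out of the run. The simulated mean sits well above the point estimate, because the point estimate multiplies a typical frequency by a typical loss and ignores the fat right tail where the expensive years live; the distribution is visibly right-skewed, with the 95th percentile year far above the mean. And the estimate built from five remembered years swings by an order of magnitude more than the one built from thousands of recorded years, which is exactly the sampling error a memory-based RCSA hides behind a color-coded cell.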

2015-10-16 by: James Bone Categories: Risk Management Blackstone Group: Riddle of Ethical Dilemmas

Is it possible to manage an ethical company and be successful? Logically, most people would agree that, yes, ethics and success are not mutually exclusive conditions of sound governance. Yet the Securities and Exchange Commission has found that private equity firms are more likely than not to break the law or to have material conflicts of interest. Has the principle of fiduciary responsibility, the "Prudent Man" rule, been relegated to the dustbin of financial market ethos?

Recently, Blackstone Group, the world's most profitable fund manager, was ordered to repay fund investors $28.9 million and assessed a $10 million fine by the SEC for failing to disclose the collection and handling of fees that should have been used to benefit investors. Blackstone, to its credit, reported that its internal audit group uncovered the problem and reported its findings to investors. However, senior executives within the firm had to conceive the idea and present the proposal to a governing board for approval. What causes such a lapse in ethical judgment?

Blackstone is not alone; the same article cited several other regulatory violations related to fee disclosure by fund managers. Blackstone Group has $330 billion under investment and close to $3 trillion under administration, so what causes successful firms to cut corners? How does governance break down? A spokesperson for Blackstone Group responded to the violation by explaining, “our Limited Partner Advisory Committee did not exercise its right to object.”

One of the hottest topics in financial services is a new concept called Conduct Risk. The phrase "conduct risk" covers a wide variety of activities and types of behavior that fall outside the other main categories of risk, such as market, credit, liquidity and operational risk. In essence it refers to the risks attached to the way in which a firm, and its staff, conduct themselves. There is no clear definition of Conduct Risk, so it is more like pornography, right? You know it when you see it! But that is not exactly correct. The reason conduct risk is hard to define is that we are misled by the frequency of certain events, which leads to errors in judging when bad ideas become bad behavior. These incidents raise the question of whether the unethical behavior of private equity firms is any different from Volkswagen's emissions scandal.

The public outrage and media attention directed at Volkswagen dwarf the reaction to reports of misbehavior by financial services firms. Why is this the case? The answer is found in the field of cognitive science. Our views of events are shaped in large part by the frequency of news reports on the various risks we face. Shark attacks are a great example of this phenomenon. We believe that more humans are killed or maimed by sharks than by cows. We know, empirically, that humans are killed or maimed by cows more often, because farmworkers encounter far more cows than beachgoers encounter sharks. Local news accounts of "death-by-cow" events just don't draw the same attention as a shark attack, leading us to misjudge the risk.

The same phenomenon explains how we view the misbehavior of financial services firms. Regulatory and financial misconduct has become so frequent that it is almost invisible, often relegated to the second or third page of the news. The shock factor has worn off, and we are no longer surprised to find that some fund manager has overcharged or failed to follow the rules.

So how do risk management, audit, compliance and ethics officers address conduct risk? What defense can be used when the argument is, "everyone else is doing it, why can't we?" This is the riddle of ethical dilemmas. There is no risk framework or internal control designed to deal with conduct risk, yet according to a recent study it accounts for 98% of all operational risk failures. For the largest firms, regulatory fines are no longer a deterrent, and the costs of compliance, risk and audit have already been absorbed as a cost of doing business. The public is no longer outraged about being fleeced; in fact, car buyers will return to Volkswagen and investors will, undoubtedly, return to Blackstone Group. Solving the riddle of ethical dilemmas is the biggest challenge faced by risk professionals, who are ill equipped to mitigate this risk adequately.

It is possible to run an ethical company and be successful. But it is also possible for unethical behavior to creep into the boardroom and C-Suite because the costs no longer exceed the benefits.

2014-12-06 by: James Bone Categories: Risk Management Cicero: Why we kill the messenger

“When you wish to instruct, be brief; that men’s minds take in quickly what you say, learn its lesson, and retain it faithfully. Every word that is unnecessary only pours over the side of a brimming mind.”
Marcus Tullius Cicero, 106-43 BC

Marcus Tullius Cicero was murdered by decree on December 7th in the year 43 BCE. He was a lawyer, statesman, politician and philosopher, and came to be known as one of Rome's greatest orators. Cicero was an avid thinker and writer, and his texts include political and philosophical treatises, orations and works on rhetoric, the latter of which have come to be known as "Ciceronian rhetoric," as well as a large body of letters.

How is a Roman philosopher relevant to 21st century risk professionals? Even the most educated and articulate practitioner of the art of risk management can be fooled by randomness. Philosophical thought between 150 and 20 BC evolved during a period of upheaval, brought on by war and by new currents in intellectual life. Alliances were formed and dissolved through marriage, assassination, or political arrangement as the ruling class sought to maintain power.

The ability to persuade one's audience through effective rhetoric, one of the most prized skills in the legal and political arena, helped to build and sustain influence during periods of relative stability. It is fair to say that the mathematics of probability was not advanced in Cicero's era; however, the intellectual pursuit of understanding random events was no less important in the Roman empire than it is in today's business or political setting.

The practice of reasoning about probability was best described by the school of thought called the "Skeptics" in their pursuit of truth, ethical behavior, and the proper role of civil life. Many of these words and ideas had no Latin expression before Cicero and other philosophers, drawing on Socrates and the Greek schools, coined Latin names for them in an attempt to describe "ideal" societal behavior amid the less than ideal lawlessness that was often the norm of the day.

“Cicero was most aligned with the Academy Skeptics and the general view that nothing can be known with certainty and that ‘truth’ is essentially relative probability. The skeptic approach appealed to him especially as an effective strategy in law and politics. The skeptic must seek as many perspectives as possible and tease out as many probabilities as possible in order to present a valid argument. As well, it also accepts and advocates malleability as probabilities and perspectives fluctuate over time, and ‘evidence’ proves otherwise.”

The skeptics' school of thought is still present in today's scientific approach to probability, mathematics, physics, and applied quantitative big data. But what led to Cicero's untimely and violent end? He fell victim to the same error many make in pursuit of the ideal of finding truth. "Truth," like risk, is in the eye of the beholder, and the person in power gets to determine what truth is and how to manage the risk that threatens the truth they wish to maintain.

Human nature has changed very little in over 2,000 years!

Cicero was first exiled and later unceremoniously murdered by Roman soldiers, and his head and hands were displayed on the Rostra in the Forum as a message to others whose narrative was not aligned with the current leadership.

This is why corporate governance is so challenging to address effectively. Early retirement, job reassignment and staff reorganizations have replaced summary executions, but the effect is the same.

Is there a silver lining? Cicero's writings and philosophical teachings have influenced leaders through the centuries and continue to be a cornerstone of regulatory guidance, but the challenges remain. Human nature is hard to overcome.

2013-04-22 by: James Bone Categories: Risk Management Value Proposition – TheGRCBlueBook


What is the value proposition of TheGRCBlueBook? The answer may be best explained by what it is not. We are not LinkedIn, where groups are siloed by risk specialty, industry or self-declared standards. TGBB does not promote a framework or espouse a preference for one tool over another.

 TGBB is organized around the tools all risk, audit, and compliance professionals use. 

TGBB understands that silos prevent open and robust conversations about risk. We endeavor to share what's working and to learn from others without competing. Risks are not one dimensional, nor are they so unique that one industry's approach to solving a problem cannot lead to new awareness for a risk professional in another industry.

TGBB is grounded in its database of GRC tools and solution providers; however, as each organization implements these solutions, your unique lessons learned add color to the benefits of these tools and to the opportunities for improving them.

The challenge: How do I share these lessons without exposing myself and my firm to reputation risk? The answer is that no proprietary information is requested. Lessons learned, product reviews and product ratings can and should be shared as opportunities to learn from others. What you give can be returned in full measure from the lessons of others. In the coming months we will lead by example with personal interviews of GRC users and, hopefully, informative testimonials as well.

What's in it for you? That depends. If you participate, others will begin to share their stories and we all may learn more as a result. If you are considering a GRC vendor solution and others have provided reviews or ratings of that product, you will learn from their experience. We have chosen not to write or pay for reviews, to prevent inherent conflicts of interest, but more importantly because this concept is founded on the belief that users are the best source of information about these solutions.

What we have learned is that the current sources of information about GRC tools and solutions are not sufficient for making informed buying decisions. Even more critical to the buying decision is a more fundamental question: What is the most effective way to integrate these solutions into my organization so that they add the most value in managing risks and addressing my problems?

It's a bold experiment in trust! Information provided on this site is for the benefit of the members of TheGRCBlueBook. It's free and will remain so.

So what is the value proposition?  YOU!  Your experience, your feedback, your lessons!  You may be surprised that you get more than you imagined by participating. 

TheGRCBlueBook's mission is to become a global risk and compliance community site and resource portal for sharing best practice across all highly regulated industries: a one stop source for all things risk and compliance related.

2013-03-16 by: James Bone Categories: GRC Articles OCEG Red Book



OCEG, the Open Compliance & Ethics Group, has developed standards for the structure of GRC (Governance, Risk & Compliance). Although initially focused on GRC as a risk practice, OCEG has shifted its focus to a new concept called Principled Performance. OCEG has recast Enterprise Risk as a Principled Performance model that incorporates the COSO Enterprise Risk Management framework. This shift in focus appears to imply that risk management is responsible for firm performance.

2013-03-02 by: James Bone Categories: Risk Management Navigating the GRC BlueBook Tools and Reviews


2013-01-15 by: James Bone Categories: Risk Management Building a Culture of Inclusion at the US Air Force Academy by Adis M. Villa
