Blind Spots in Risk Identification Can Be Driven by Recency

As humans, we exhibit a number of cognitive biases and tend to think in certain ways that can cause us to wander from the path of rationality or good judgment from time to time.

One such bias involves the phenomenon of most easily remembering those things that have happened recently, compared to remembering something that may have occurred a while back. For example, talent managers express concern that employee performance reviews often reflect what an individual’s performance has been lately instead of their true performance throughout the evaluation period.

Thinking Differently

This “recency effect” principle is described by psychologists as a belief that recent experiences will continue on as they have. So we tend to think that what is happening around us today will continue for the foreseeable future. In business, this can be a real source of unanticipated disruption to the company, the stockholders, and the board.

For example, top executives don’t believe that the quality of their products could degrade suddenly and lead to customer injuries, or may not see an emerging competitor with superior technology coming to take their best customers this year. And because they believe their company employs only the best people, leaders and board members may not foresee a scenario where the CEO could divert significant capital into a poor acquisition, or one that is rife with fraud — with either result significantly impacting the acquiring company’s reputation and results.

So recency bias impacts how we think about risk events. When we consider risk to our strategic goals and objectives, it causes us to sometimes discount the likelihood of unexpected events occurring, and instead assume that people, markets, and customers will continue to behave in much the same way as they have previously. If we don’t at least play out the possibility that changes may be occurring – in other words, evaluate options not on the current path — we won’t be prepared to handle any resulting impact. As a result, discounting or ignoring unobvious options precludes planning with appropriate responses that would enable us to recover quickly – the “resiliency” needed to survive and thrive.

Closer to Home

Beyond business survival, having a recency bias can also affect our personal lives – perhaps even impacting the safety of our families. We have to be continually looking beyond today’s observations of the world and consider what may happen in the future – given that various cycles exist in the world, and things that have occurred previously can occur again. Economic cycles, cycles of war, and even the rise of political protest and societal instability will appear regularly in the ebb and flow of events over time.

Our weather here in Michigan is a great example. History shows us that within the space of a few days, the weather can go from one extreme to another and catch many people unprepared.

Over the past few weeks we have enjoyed temperatures in the 40s and 50s, hitting 57 degrees in Detroit on January 12th and 56 degrees in Lansing on January 21st. As a result, many expect the winter to continue to be mild. However, these extremely mild weather patterns have occurred in the past – and in some cases, foretold the arrival of massive snow storms. Two such storms occurred in the final days of January in two different years following unusually warm temperatures and rain.

The storm of January 27-28, 1967 resulted in the shutdown of Chicago, Detroit and much of Michigan for several days, leaving thousands of vehicles and travelers trapped in driveways, streets, parking lots and on highways due to massive snow drifts many feet high. The Governor of Michigan declared a State of Emergency as people were trapped in their homes and trucks were unable to transport goods of any kind across the State. Those with emergency food and fuel were able to adapt to the changing weather and “ride out the storm” more easily, but over 20 people lost their lives — primarily due to the exertion required to dig out of the snow.

Then exactly 11 years later on January 27, 1978 another massive storm — later deemed to be worse than the earlier one — blanketed most of Michigan and again halted commerce. But with this storm, below-zero temperatures, combined with winds gusting over 50 mph, produced wind chills down to negative-50 degrees for the next month. Business and individual resilience was again tested, but to a much greater degree given the extended period of frigid conditions.

Enhancing Risk Intelligence

Identifying potential sources of business risk takes effort. While weather change may be an easily foreseeable event, our failure to take action and prepare for a crisis may come from the human bias toward normalcy surrounding recent conditions. Likewise in business we may dismiss outright or give only passing consideration to events that could occur but have not been observed lately.

Properly managing your risk, whether at home or in your organization, requires a disciplined process for identifying and evaluating events and other factors that could derail achievement of your objectives. This should include unlikely changes in the business, economic, political and other environments.

To improve our chances for success, we must be aware that bias may exist as we complete our assessment. In addition, we must evaluate both the range of potential outcomes and how quickly things can change – the velocity – in addition to the impact on the organization. Techniques to assess both the upside and downside impact on our objectives could include business plan scenario analysis, war gaming, and even conducting game theory workshops in situations where external player actions will impact our decisions and plans. Where signals or mechanisms do not exist to provide sufficient early warning for the approach of adverse events, we must develop more robust response plans to minimize the impact on our organization, its employees and customers.

About the Author: Jay R. Taylor is CEO of EagleNext Advisors in Detroit, Michigan after having led Strategic Risk Management and serving in various global executive internal audit roles for General Motors Company. Jay focuses on enabling business growth and opportunity through risk-enabled decision making and better board governance. He is a Founding Member of the Private Directors Association Detroit Chapter and in 2016 became a National Association of Corporate Director’s Governance Fellow. Jay can be reached at

Corporate Directors Share Their Insights on M&A Success

Fostering robust dialogue and asking tough questions are amongst the leading practices corporate directors interviewed for this article perform to ensure M&A success.
By Jackie Bassett and Jay R. Taylor

Many companies with balance sheets flush with cash are now seeking to accelerate corporate growth through mergers and acquisitions (M&A). Today’s environment is creating tremendous opportunity for corporate directors, who are responsible for creating long-term, sustainable growth and shareholder value, to optimize the value of an M&A.

Peer exchange, particularly at the corporate director level, is one of the most effective and highly valued methods of learning what works best and delivers the most value. But, which directors are leading the change in how boards engage in the M&A process? More important, which directors are getting great results from their innovative methodologies? Would these successful directors be willing to share their leading practices with their board peers?

To answer these questions, we held one-on-one interviews with some of the most seasoned corporate directors in the United States. Each director actively serves on a board committee in organizations ranging from multi-billion dollar to mid-tier companies in industries including health care, energy, consumer products and technology. The combined M&A experience of these corporate directors represents hundreds of highly complex acquisitions and a total market value of more than US $6.8 billion. According to the directors interviewed, engaging boards in robust dialogue and asking tough questions are amongst the leading practices needed to be on the road toward M&A success.

Foster Robust Dialogue

John E. Lawler, who has been a corporate director for more than a decade and currently serves on the board of two public companies, NCI (NASDAQ) and L1 Identity Solutions (NYSE), as well as two private organizations, stresses that each board member remembers the primary and fundamental goal of a public-sector director: the creation of long-term, sustainable shareholder value.

Lawler also sees great value in the diversity of skill sets and experiences that each board member brings and believes that this diversity should be leveraged to lessen group think and create more provocative discussions. Furthermore, Lawler believes that directors appreciate in-depth discussions and differing viewpoints.

Dr. Richard Sherman, a cardiologist who serves on the board of ICU Medical Inc., also shared his insights on the importance of having robust dialogue with the full board during an M&A.

To have vibrancy, the entire board should be made aware of a potential acquisition early in the process and have regular interaction with management throughout the negotiations. This approach will allow board members time to reflect on some of the more critical questions relative to each event.

Ask Tough Questions

Having robust dialogue is the foundation for asking the right — oftentimes tough — questions. According to Ernest Godshalk, board director at GT Solar, Verigy and Hittite Microwave Corp., M&A success lies in the questions the board asks. In particular, Godshalk shared three cases where the board needs to be fairly assertive in asking tough questions:
1. Management appears too eager to get the deal done.
2. Management is reluctant to participate in a merger or acquisition.
3. The deal is too good to be true.

“It’s very important to ensure we have a mix of board members with various areas of technical expertise. We believe ‘board vibrancy’ in making key decisions about M&A is good for shareholders.”
Dr. Richard Sherman, Cardiologist board director, ICU Medical, Inc.

“The ability to have a spirited and robust dialogue at those board meetings should be considered a strength, one that is especially valuable in developing M&A strategies and guiding the entire process to successful integration. Board members need to have in-depth discussions about the impact of an M&A on shareholder value based on a perpetual model of the company being a going concern.”
John E. Lawler, board director NCI, Inc., L1 Identity Solutions, Inc.

In situations where management appears too eager to close a deal, board members should ask managers to examine the situation carefully. “What’s the rush?” is often a good question to get the dialogue started. However, if management appears too reluctant to act on an opportunity, the board could ask management to identify the reasons for their hesitation. For instance, board members could ask, “Is the company being too risk averse, and if so, why?”

Finally, if the deal is too good to be true, Godshalk advises that board members ask management to identify the merger’s or the acquisition’s true strategic value.

Blythe J. McGarvie, board director for Viacom Inc., Accenture and Wawa, recommends that board members ask clarifying questions, particularly from sales and marketing managers, to ensure directors understand the true value that will be derived from the deal. McGarvie is CEO of Leadership for International Finance and has participated in numerous acquisitions while serving as Chief Administrative Officer for the Pacific Rim at Sara Lee.
Her questions help to clarify not only the current value of an acquisition or merger, but identify whether management has a focus on future growth. For example, “What are we doing to grow profitably?” “Is the goal to expand geographically or to expand our product offerings?” “Is our goal to enhance customer focus?”

“The best way to understand the value of a potential acquisition is to spend time with top management both formally and informally. You can learn about people, concerns and customs by asking questions and listening when an answer is halting or not quite as thorough as you would expect. I find that going to dinner with the CEO and having one-on-one time to discuss his concerns often yields answers and insights that would be difficult to ascertain in a larger more formal setting.”
-Blythe McGarvie, board director Viacom Inc., Accenture, Wawa

“What will we gain from this deal? And, what do we stand to lose? are key questions that can help management identify hidden risks or obstacles in achieving the deal’s
Ernest Godshalk, board director, GT Solar, Verigy and Hittite Microwave Corp.

Here is a list of key questions compiled from our interviews that board members can ask to initiate robust dialogue sessions with their corporate director peers pertaining to their organization’s planned M&A activities:

Aligning With Corporate Strategy
  • How does the M&A fit within the organization’s corporate strategy?
  • What is the organization really trying to accomplish, and can we?
  • What is the organization buying (e.g., product offerings, clients, presence in a new location)? Will the purchase provide complementary or competing products and services?
  • Will the deal provide specific enhancements in technology, processes, or patents, or does it expand the sales force?
  • What is the true strategic value of the merger or acquisition?
  • What are the synergies? Are these synergies measurable?
  • Is the deal driven by “ego” or the desire to fill a strategic need?
  • Is this really a good deal?
  • What’s the rush with this acquisition?

Measuring Deal Substance
  • Does the organization need any technical expertise to assist on this deal?
  • What are the specific benchmarks and timelines expected as a result of this M&A?
  • When does the acquisition become organic?
  • What risks has management identified, and what can be done to manage them?
  • What are the opportunities?
  • Has management looked at the merger’s or acquisition’s fit from a cultural standpoint?
  • What makes management sure the terms are right?
  • Is management focused on profitable growth, for example:
      • Focusing on what existing customers need?
      • Innovating the product line and entering an emerging market?
      • Expanding the business geographically?

Integration as Part of Strategy
  • What is the integration plan, and how is the speed of the integration assured?
  • Who are the key management executives responsible for the integration?
  • Do the right rewards and penalties exist for integration success?
  • Is there an opportunity early on to do a “test fit” (post-integration operations simulation) of the acquired company?
  • How does management plan to integrate the sales force?

Create Process Innovations

In addition to fostering robust dialogues between the board and management and asking tough questions, these board directors shared some of the process innovations they use to enable M&A success. They reported that each of these process innovations was created specifically for situations where directors’ demanding schedules conflict with the detailed level of preparation that is required in today’s increasingly complex M&A transactions.

Lawler explained that one successful process innovation he uses to facilitate an M&A strategy is to create a special board committee which includes one or two core directors. Additional corporate directors can be appointed to the special committee if a deal requires a particular skill set or knowledge in a specific business function. To avoid burnout, core membership can be rotated, thus helping to spread the work. However, all directors must continue to be fully informed of any planned M&A activity.

Godshalk described one particular M&A transaction where he, as a corporate director along with the CEO of the acquiring company, took the time to meet directly with a director and the CEO of the company being acquired.

Paul Feldman, chairman of Midwest ISO and board director of Western Electricity Coordinating Council, creates M&A success by using a highly disciplined process innovation known as Stage Gate. Stage Gate is more commonly used in new product development yet has proven to be equally as effective in M&A transactions. He also suggests performing a “mini risk analysis” so that directors can identify challenges and opportunities, test assumptions and recommend activities that can be performed to manage risks.

“Managers should hold a one-day offsite meeting to address M&A due diligence up front and run ‘thought experiments’ and ‘what if’ scenarios leveraging the diverse expertise of the full board.”
Paul J. Feldman, Chairman of the Board, Midwest ISO; board director, Western Electricity Coordinating Council

Marshall N. Carter, Chairman of NYSE Group and Deputy Chairman of NYSE Euronext, described three considerations that often guided his decision-making about process innovations during the 13 M&As he directed while serving as chairman and CEO of State Street Bank and Trust Co.

First, the board should always be leery of cross-cultural issues where a target company is greater than one-third the size of the acquirer. Second, integration plans must be sensitive to the situation if the target company has invested a lot of sweat equity in a particular market, and it is wise to not disturb these operations for about 3 to 5 years. Third, Carter recommends boards stay true to their core businesses as he had at State Street.

Discuss Key Issues Early

Stephen Brown, CEO of PreCare Inc., has served as CEO and board member during the acquisition of multiple services-based companies. While working as CEO, Brown took the initiative to actively seek out the skills and wisdom existing within the board by laying out his strategy in one-on-one meetings during the planning stages of each acquisition. “How can you help me?” was a question Brown often asked board members during these one-on-one meetings.

These discussions, which also involved key directors from operations, helped Brown to assure that management was better prepared for the acquisition. In addition, Brown also advises that boards understand the existing level of “sales and marketing synergy” on both companies prior to each M&A, as most expectations are typically over-inflated in this area.

Doug Rainville, chief financial officer at Triangle Inc., has been involved in 10 M&A transactions representing a combined market value of more than $300 million. He cautions that, without a well-disciplined process of information sharing during the early stages of the M&A activity, transactions might be at risk of being “sold” to the board by a limited group, such as the CEO and one or two supporting board members.

The M&A process needs to be opened to the full board prior to the deal so that they can understand the justification for the acquisition and get the optimum level of board involvement. The Board also can hold management responsible for achieving the numbers they developed during the M&A process.

“You must clearly understand what three areas comprise your company’s core skills,
and never do a deal just to do a deal.”
Marshall N. Carter, Chairman of NYSE Group and Deputy Chairman of NYSE Euronext

Final Thoughts

Corporate directors today have a tremendous opportunity, and even responsibility, to lead the change in how boards engage in the M&A process. An M&A is a call to action for corporate directors to initiate boardroom debates by asking tough questions until they obtain answers they can stand behind.

Corporate directors should be open to process innovations that can provide the most value early in the M&A planning process.

When M&As become the strategy for accelerating corporate growth, change is the order of the day. But what will never change is that the number one fundamental goal of every corporate director is the creation of long-term, sustainable growth and shareholder value.


Copyright © Jackie Bassett and Jay R. Taylor 2011. All Rights Reserved. No part of this document may be reproduced without written consent from the authors.

Jackie Bassett is CEO of Sealed Speed, Inc. an innovative technology that finds hidden networks of knowledge everywhere they exist. In 2000, she worked at Netscreen Security where she launched and grew the service provider market out of Washington, D.C. Netscreen carried out a successful IPO in 2001, then was acquired by Juniper Networks in 2004 for US $4 billion. Her background is in investment banking where she grew a portfolio of eurodollars to US $2.5 billion. She holds an MBA from Babson College and is the author of Drawing On Brilliance. Ms. Bassett may be contacted at

Jay R. Taylor, CIA, CISA, CFE, is General Director, Strategic Risk Management at General Motors Co. in Detroit, MI. where he established strategic risk management in 2014 in conjunction with senior leadership and the Board Risk Committee. He is responsible for facilitating the identification, assessment, mitigation and reporting of top risks across the regions, functions and business units. His goal is to use his experience and knowledge to help other organizations at the Board of Directors level install appropriate risk governance and oversight. Taylor earned his MBA from the University of Michigan and is a frequent speaker and writer on topics including risk management and internal auditing. Mr. Taylor may be contacted at

Culture: The One Element Most Critical for the Board’s Management of Risk

Private Director’s Association – December 2016


Something More Fundamental

Previous articles in this forum on the topic of risk management focused on such things as the need for a risk register and improvement opportunities for board-level reporting. But today, I want to take directors back to something even more fundamental — something that explains both the “failure to thrive” in so many businesses — and the colossal failures in giants such as VW, Wells Fargo, and General Motors. It is also the key to enabling successful strategy execution. What is it? Culture.

Given everything a company must do, what makes culture so important? How does this link to business growth over time? What can board members do to impact the risk culture and enhance oversight? What indicators should we be looking for? These questions are being asked in board rooms and court rooms all over America today, and are discussed below.

Importance of Culture

Let’s begin with some reasons why board members and senior leaders should be concerned about culture.

Peter Drucker, a recognized leader in the development of management education, is often credited with saying that “culture eats strategy for breakfast”, meaning that great strategies can be enabled or resisted by strong enterprise cultures. A bad culture can also surround and destroy organizational creativity and initiative. Joe Tye, CEO of Values Coach, the leading authority on values-based leadership skills and strategies, said “when strategy and culture collide, culture will win. Culture provides a level of risk prevention that cannot be attained with strategy alone”.

At a recent leadership conference in Washington, D.C. for corporate directors, I heard a keynote speaker state that “risk is not knowing what is going on around you”. Earlier, when I was involved in helping to change the dynamics around risk taking at General Motors, our CEO talked about culture as a set of specific behaviors exhibited by leaders and modeled by the team – which could be either positive or negative. In other words, it was about the ways in which people acted when no one was looking. But how can a company model and reward the desired behaviors to fix or improve the culture? The answer starts at the top with the actions of the board and CEO.

Pamela Bilbrey and Brian Jones, in their book Ordinary Greatness: It’s Where You Least Expect It… Everywhere, said, “Every organization has a culture. Unfortunately, many, if not most cultures developed by happenstance…” As board members, we cannot afford to let this occur. Culture should be planned and fostered.

James S. Turley, former chair and CEO of Ernst & Young, chairs the audit committee at both Citigroup and Emerson Electric Co., and serves on the boards of Northrop Grumman Corp. and Intrexon Corp. His advice to directors: “You want to create a ‘culture of candor and credible challenge’ [that allows directors] to ask the uncomfortable questions of management.” When the culture in the organization does not support open communication with the board, big problems can occur. As directors, we need tools to help us understand the organization’s current environment to assess what improvement may be needed.

Pointing the Way

As a director, what are some of the questions we could ask, or indicators to look for, that might tell us about the health of the risk culture?

  • Is the CEO active in creating the culture for the organization? Is he or she modeling the right behaviors?
  • Is there appropriate tone at the top, both during and outside of board meetings?
  • During strategy, product, and investment discussions, is there transparency around business assumptions, openness to respectful but challenging views, and identification of emerging risks to the business model beyond the immediate planning horizon?
  • Is there a willingness to bring forward bad news? Is there an understanding that failure may occur, but the business cannot grow and prosper without taking smart risks?
  • Has the board established clear expectations for timely identification and handling of risk, particularly those around business goals and objectives? Is there clear risk ownership?
  • Not everything should be filtered through the CEO. Are other executives and risk owners present at board meetings and allowed to take questions directly?

Conversely, here are some of the indicators that the risk culture may not be effective:

  • Unclear objectives for the organization and each group or function
  • Lack of awareness at the staff level of the company’s long-term and short-term strategies and objectives
  • Allowing unethical practices or failing to address noncompliance with policies
  • Using extreme “stretch” goals to drive the business, or too much focus on short-term goals
  • Lack of attention to regulatory failures or issues raised by risk owners or auditors
  • Shooting the messenger – bad news is not well received by management
  • Failing to train leaders on the basics of managing their risks; inconsistent or nonexistent understanding of risk, leading to unwanted “surprises”
  • Absence of visible processes to measure performance, manage business change, or manage risk.

The Rewards

According to scholars at the Enterprise Risk Management Initiative in the Poole College of Management at North Carolina State University, fostering meaningful conversation is key to shaping the right risk culture. Importantly, the board and management need to exercise best practices in governance. Management and the board should encourage open discussion and foster trust in the organization to drive certain behaviors. A busy schedule should not interfere with the important conversations that need to take place to manage risk.

Culture should not be left to happenstance, but instead should be driven by thoughtful consideration by the board. We need to develop greater confidence in management’s ability to navigate risk to achieve company objectives more often. With that comes not only the ability to truly know what is going on around you, but fewer performance surprises. Organizations that are agile and can act quickly in the face of new or changing risks will be able to successfully pursue greater levels of risk and reward.

I will end with a quote from Lou Gerstner, former IBM CEO, who said, “When I came to IBM, I probably would’ve told you that culture is just one among several important elements in any organization’s makeup and success – along with vision, strategy, marketing, financials and the like… I came to see, in my time at IBM, the culture isn’t just one aspect of the game – it is the game”.


This Article is Classified as: BOARD OPERATIONS – Communication and Culture, in the PDA Body of Knowledge.  Published at




3 Tips to Better Align Directors and Internal Auditors on Technology Risk


Many directors have questions about their organization’s cyber security posture and the effectiveness of the groups (including internal auditors) that are responsible for providing assurance on risk management and control.  In this posting, I discuss some causes of blind spots and suggest actions.

I recently spoke at a technology symposium attended by IT audit directors from many of the largest companies in the U.S.  The purpose of my talk was twofold: share insights from conversations with corporate directors regarding their role in strategic risk oversight, and help audit executives understand the pressures that boards face so that internal audits can better align with shareholder needs.

During the exchange, I conducted anonymous polling to understand why significant gaps can exist between board director expectations and what internal audit teams are actually able to deliver.  Below, I describe some highlights from the session and encourage directors to probe more deeply about their organization’s defenses during cyber security updates and other presentations.  Directors should also request action plans from management that will close any significant gaps.

How well are internal audit teams addressing strategic IT risk?

According to a recent study[1], two out of three board members believe internal audit should have a more active role in evaluating an organization’s strategic risks.  This implies that management has defined, and internal auditors have obtained and assessed, the organization’s strategic plans including the specific business and IT-related initiatives that will advance its goals.

In this regard, polling of participants at the symposium showed that only 76% agreed that their organization had an IT strategy, while the remainder (24%) felt there was “somewhat” of a strategy in place.  Where a definitive strategy does not exist, auditors may struggle to provide the board with needed assurance around related control and risk management practices.

Internal auditors are effective when they assess the management of the organization’s most important risks, particularly those impacting company objectives and strategy.  When asked at the symposium whether their audit teams assessed the management of some or most of the strategic risks in their organization,

  • 65% agreed they perform these strategic audits, while
  • 35% acknowledged being aware of company strategy and objectives, but said they did not assess how well the related risks were being managed.

When asked about barriers in the organization preventing them from auditing strategic risks,

  • 43% indicated that there were no barriers in their organization, however
  • 21% indicated that management was resistant to them being involved in strategic risk areas, and
  • 14% indicated the board was not interested in having the risks assessed, and
  • 14% lacked awareness of the strategic direction, while 7% responded, “don’t know/not applicable”.

Clearly, these areas need discussion and perhaps greater attention by the board and the Chief Audit Executive (CAE) to reduce or close any expectation gaps.

Are you able to withstand a cyber-security attack today?

With all the attention given to cyber security in recent years, you might expect that a large percentage of major organizations in America rate themselves as well protected.

However, when asked whether they felt their company could currently defend itself successfully against a sophisticated cyber-security attack,

  • 33% of poll respondents at the symposium indicated they could successfully do so,
  • 48% felt their company’s defenses were not sufficient, and
  • 19% were unsure.

These polling results showing that two-thirds of the executives lack confidence in their defenses do not surprise me.  Large, complex organizations are naturally more vulnerable to security events because of the broad “attack surface” created when deploying technology and application systems across dealers, suppliers, venture partners and others.  However, in those cases I expect that the board and internal auditors would have significant dialogue around the effectiveness or ineffectiveness of company defenses and discuss the timing of steps agreed by management to remediate the deficiencies.  Transparency with the board is critical.

Where does the Board want assurance on controls?

When building the internal audit plan, it is important that the audit team have an understanding of areas where the board would like to receive assurance from the audit work.

In the polling, 73% of participants said that they had a good understanding of the areas where their board wanted assurance and had actually performed audits in those areas.  However, 26% said they either had not asked their board for input on coverage, or were aware of board “hot buttons” but did not perform audits in those areas.  Expectation gaps can arise around internal audit performance when the audit team has not gathered requirements from its most important “customers”.

While 69% of participants felt the board should hold the CAE accountable for internal audit’s failure to deliver what the board wants, 25% felt that the audit committee itself was responsible for any such failure; after all, the audit committee typically retains, oversees, and evaluates the performance of the CAE.

Tips for Better Alignment around Technology Risk Management

Now that we have a better understanding of the sources of potential blind spots, directors can use the following lines of inquiry in board meetings to get issues on the table for resolution.

#1 – Inquire whether the internal auditors understand and are assessing your organization’s technology strategy.  Some organizations hold their strategic plans “close to the vest” and may not be sharing them with the CAE.  However, the audit team cannot hit a target that they cannot see.  Where the target or strategy is non-existent, the board should understand the reasons.

#2 – Ask for assurance that the auditors prioritize and focus on the most critical cyber risks.  Directors should understand whether management has performed a thorough risk assessment.  Where gaps in defenses are noted, management should be taking steps to reduce the potential impact of a breach.  Internal audit should be providing value-added recommendations where needed. For example, performing an internal audit assessment of the company’s “crown jewels”, which are the most valuable or important digital assets, will help to bring attention to areas needing heightened levels of protection.  You cannot protect everything, so be sure to put your resources where needed most.

#3 – Ensure that management is not restricting the auditors from doing their job.  To be effective, the CAE and internal audit team need the visible support of the board to enhance their ability to be independent and objective in their work.  The CAE should discuss with the audit committee any differences of opinion with management regarding the audit plan, to reduce the likelihood of undue influence on coverage of important risk areas.

Directors, management and internal auditors have shared objectives when it comes to protecting the organization from downside risk.  Likewise, aligning the three groups in pursuit of strategic goals and objectives will help the organization take advantage of opportunities to pursue growth and long-term value creation.
[1] “Six Audit Committee Imperatives: Enabling Internal Audit to Make a Difference”, by Jim DeLoach and Charlotta Lofstrand Hjelm, a Global Internal Audit Common Body of Knowledge (CBOK) study report, conducted by The IIA and Protiviti, 2016.