04 October 2016

Risk and Internal Audit - beyond Three Lines of Defense



1 Introduction

The Three Lines of Defence model (TLD, 3LoD, etc) is a model that sets out to (i) provide a framework for the provision of assurance within a company, (ii) provide regulators with a model they can recommend companies implement, and (iii) that they can assess when reviewing regulated companies. It is the simplicity of the model and the risk of the introduction of silo mentalities that seems to draw much concern from the Risk Management profession. Yet it is also the simplicity of the model that enables companies to implement it.

This article is focused on the relationship between two elements of the Three Lines: Risk Management (in theory the 2nd line) and Internal Audit (the 3rd line). These two lines of defence provide Directors, the Board, shareholders and stakeholders with confidence that the system of internal controls is functioning effectively, that risks are being identified and managed, and, where appropriate, accepted or assumed deliberately.

As a reminder, operational management is considered the 1st line of defence, in that it is operational management that runs the business, including the internal controls that manage risk and opportunity in the business.

However, a more accurate and measured interpretation of the TLD model shows all three lines (Operational Management; Risk Management (and Compliance); and Internal Audit) all provide elements of assurance, with each supporting the other two to ensure that the assurance provided can be relied upon. Where any of the three lines fail to perform their specific responsibilities, the overall level of assurance that can be provided is reduced, regardless of the quality of the other two lines.

We call it the TLD, but a more appropriate model may be the Three Elements of Assurance, which doesn't sound nearly as interesting.

2 Three Lines of Defence

The first thing to remember about the Three Lines of Defence (TLD) model is that it is not a model for a complete Governance structure. It is a model for the management of risk and provision of assurance and comfort to the Executive, Board and shareholders (and appropriate stakeholders). As such, the TLD fits within an overall set of governance functions and structures, and has the specific purpose of ensuring appropriate focus on, and management of risks and controls.

The three lines are generally considered to be Operational Management (1st line), Risk Management and Compliance (2nd line) and Internal Audit (3rd line). Without operational management, the company, any company, would not accomplish its basic functions, and therefore may assume unacceptable risks when providing services and products to customers. Operational management, through operating the business in line with the objectives and constraints of the Board, provides the returns to the shareholders, within the regulatory and legal constraints on the business. Operational Management also ensures controls function effectively and efficiently, and demonstrates that processes are functioning in a manner consistent with achievement of objectives.

The implementation and operation of the TLD is not "the" governance system, but is an element within an overall governance framework. Some organisations explicitly limit the number of functions considered part of "2nd line" to Risk Management and Compliance, while others include a range of operational support functions such as HR, Finance, IT, etc. Personally I consider these functions to be part of "first line" as they are operational functions supporting the direct activities of the enterprise.

The Bank for International Settlements (BIS), in its 2012 guidance on Internal Audit (http://www.bis.org/publ/bcbs223.pdf), includes Risk Management, Compliance, Legal, HR, Finance, Operations and Technology in the 2nd line. Equally, the IIA (Institute of Internal Auditors), not surprisingly, includes a wide range of business activities in the 2nd line, while reserving the third line for Internal Audit only.

The BIS, in its 2015 guidance on Corporate Governance (http://www.bis.org/bcbs/publ/d328.pdf), has a slightly updated discussion of the TLD model:

"The increased focus on risk and the supporting governance framework includes identifying the responsibilities of different parts of the organisation for addressing and managing risk. Often referred to as the “three lines of defence”, each of the three lines has an important role to play. The business line – the first line of defence – has “ownership” of risk, whereby it acknowledges and manages the risk that it incurs in conducting its activities. The risk management function is responsible for further identifying, measuring, monitoring and reporting risk on an enterprise-wide basis as part of the second line of defence, independently from the first line of defence. The compliance function is also deemed part of the 2nd line of defence. The internal audit function is charged with the 3rd line of defence, conducting risk-based and general audits and reviews to provide assurance to the board that the overall governance framework, including the risk governance framework, is effective and that policies and processes are in place and consistently applied."

This latest BIS guidance is clear in setting out the three lines. Like any model, if inflexibly adhered to, TLD can oversimplify and result in silos, in which there is an assumption that only IA is able to provide assurance to the Board and Audit Committee; this in a time when regulators and professional associations are increasingly calling for separate Risk Committees or, failing that, a joint Audit and Risk Committee. In the evolving models and expectations of regulators, Risk Management has a critical role in providing assurance at the Board level.

In summary, the TLD model provides an effective mechanism for the allocation of responsibility for the operation of controls, the assessment of the overall risk and control environment, and allocation of responsibility for the detailed review of specific high-risk areas of the control environment. While there is a risk of silos reducing the ability of the first and second lines to provide assurance, the model is "simple" enough to allow for easy communication and allocation of responsibilities and ownership of operation and assurance over the system of internal controls. Regular communication of the concept also ensures that operational management is aware of and able to enunciate the TLD principles.

Regulators and professional bodies agree: Internal Audit and Risk Management need to be separate, and only in exceptional cases, or where the business is too small to afford both, should they be combined. In cases where they are combined, additional oversight by the Board is important. Both functions are, and need to be, independent of management, yet as highlighted above, they fulfil very different aspects of the provision of assurance.

3 Should Risk be pan-enterprise

There is an old adage: Risk Managers do not manage risk, Risk Managers create the environment that enables the identification, assessment, management and reporting on risks across the enterprise. One of the key elements of that statement is "across the enterprise". Risk Management must, like Internal Audit, have free and unrestricted access across the enterprise in order to form and maintain a consolidated picture of the risk environment, and to ensure that management is aware of their responsibilities for implementation and operation of that control environment. (Of course Risk Management has many other responsibilities, and I recommend you dig deeper into the BIS governance guidance document).

Yet here the difference between RM and IA comes to the fore: RM works with management to identify, assess, respond to and monitor the risk environment. RM does not perform deep-dive reviews of individual controls or events (unless specifically requested, or if this is part of the management of specific transactions and activities, in which case RM, for these activities, becomes an element of operational management).

The identification and recording / assessment of risks then assumes the identification of controls associated with that risk. Of course, there may be no controls in place to manage the risk, in which case there should be a record of the gap in the system of controls, and the control gaps should be documented, with responsibility allocated for implementing controls, based on and in agreement with the owner of the associated risk.

Controls do not exist in a void. Without a business objective and risks to the achievement of that objective, there is no need for a control. Such "controls" are actually a drag on the effective and efficient performance of business operations to achieve objectives. Therefore, if there is a control, then there is a risk, and the risk only exists in relation to the ability of the business to achieve objectives.

Logically then, identification of a risk universe begins with the objectives of the business or function being controlled, at whatever level of granularity, and from those objectives, risks to the achievement of the objective can be identified. Of course, people will identify risks without a specific linkage in mind. It is part of the role of Risk Management to assist in the assessment of the risk, including how that risk may impact on the achievement of objectives.

The role of Risk Management in relation to individual controls and the control environment is to ensure that management performs periodic assessments of the effectiveness of the controls they are responsible for, and provides attestation that the controls are functioning effectively. Where the controls are not functioning, or there are gaps in the system of controls, management must identify these missing controls, and through the Risk Management process, confirm the status of implementing such controls.

Risk Management challenges management's assertions on the effectiveness of the controls over risks. Management operates the controls, and attests to the effectiveness of the controls. Internal Audit tests management’s assertions at a detailed level.

4 The Scope of Internal Audit

To be effective, Internal Audit must have unrestricted access across the enterprise, yet should work to a risk-based programme of internal audits and reviews. There is a natural tension between the desire to provide Internal Audit coverage across all business processes, systems and departments, and the recognition that Internal Audit is a cost overhead that must be carefully applied. The nature of Internal Audit activity is to confirm through investigation that the stated control environment is in place, and that controls are functioning to the level of effectiveness attested by management. This means that Internal Audit by nature must dig deeper into the strategic and operational functioning of the specific areas subject to individual audits.

This can be expensive, and therefore IA resources need to be carefully targeted and used to best effect. Equally, as the audience for Internal Audit's reports and ultimately for the level of assurance provided is the Board and Audit Committee, Internal Audit activity should be focused only on those areas (process, system or department) whose controls or the failure of the controls may have a material impact on the ability of the business to achieve strategic objectives.

What this means in practice is that Internal Audit must be cognisant of, and monitor risk and control status across the enterprise, but that actual Internal Audit activity should be focused on areas of greatest risk. In addition, specialist resources to perform internal audits of technical areas are expensive to retain on staff, and therefore tend to be brought in for the specific audit.

In summary, this means that where Internal Audit is performing a controls-based audit (as opposed to an E&E, Strategic or Operational audit), they tend to perform deep yet narrow reviews of higher-risk areas. Where controls have previously been identified and management has attested to the effectiveness of the functioning of the controls, Internal Audit can use the Risk Register and associated controls reporting to inform audit planning and performance.

5 The Relationship between Internal Audit and Risk Management planning

The objective of IA planning is to ensure that the highest risk areas within the enterprise and within any individual auditable area are covered by audit review and testing. To accomplish this, frequently IA will review the Risk Register for the area(s) that will be reviewed. The Risk Register should inform audit planning, but should not be the primary resource.

This means that IA needs to interact with Risk Management and the Risk Register three times in the audit cycle: (i) at development of the IA Strategic and Annual Plan, (ii) at the planning stage of each audit, and (iii) post audit confirming that the auditee has updated the Risk Register to reflect findings (risks) and control recommendations. The following chart provides an overview of the IA planning processes, and the key interactions with Risk and the Risk Register.

In planning an audit, Internal Audit needs to consider the range of business processes, systems and departments that are included in the specific review. These should be risk assessed and ranked, with the primary focus of audit testing and review being on the higher-risk areas. At this point it is important to note that risk assessment is not only "likelihood & impact" but extends well beyond, to include factors such as sensitivity of data, value at risk or exposure, as well as other factors.

Note the continual use of the word "risk" in planning and execution of the audit. The question could be asked, why aren't all the risks that IA will be considering already included in the Risk Register? The simple answer is that audit planning is considering a far more granular level of risks at the detailed business process level, while the Risk Register may have a risk or risks that encompass a wider range of detailed business processes within a single risk.

Certainly the major controls should be included in the Risk Register and be associated with individual risks. Again, a Risk to a business objective may have a number of Controls in place to manage that Risk within the Risk Appetite of the enterprise, as set by the Board. Yet the development and evolution of the specific Risk within the Risk Register may omit or fail to include all controls applicable to the Risk. In such a case, if IA places too much reliance on the Risk Register, there is the danger that the full control environment will not be understood, and that key processes and controls will be missed or discounted. This could undermine the value of the audit, and open the results to dispute by not taking into account compensating or other existing controls.


6 IA findings in a Risk world

There should be a link between IA findings and recommendations, and the overall risk environment of the enterprise, and therefore Risk Management. Working backwards, there cannot be an IA recommendation if there is not an associated risk. The failure of a control to function, or a lack of evidence of the functioning of the control does not in itself mean that there is a risk. It could simply mean that the control is redundant, or the evidence previously provided or assumed to be required is not adequate to demonstrate that the control is effective or even required. It can be difficult for an enterprise to get the right balance of under-controlled (and thereby exposed to greater risk than is the Risk Appetite of the enterprise) or over-controlled (and thereby incurring excessive costs of control for limited economic benefit through reduced exposure).

Therefore, when auditing internal controls, generally IA findings should not exist if there is no associated risk. This means that the structure and content of the IA finding needs to clearly enunciate the risk or risks associated with that finding, and the potential impact if the required or recommended controls are not functioning, or not put in place. It is also critical that the auditee recognises and agrees with the description of the situation and the resulting risk. Without this agreement, there can be no agreement on the required controls. Failure to gain buy-in to the underlying enunciation of the situation and the risk undermines IA and the auditor, and can result in unnecessary conflict between IA and business units.

Having buy-in to the description of the situation and associated risk(s) does not automatically presuppose that the IA recommendation is the most appropriate response to the risk(s) highlighted by the auditor. Management understands, or should understand, their business objectives and constraints. Therefore management should in theory be best positioned to confirm what controls will be most effective, and to agree to apply the resources required to implement an effective control. IA can and should use best judgement to consider if management's response is appropriate, and if so should be willing to alter the recommendations to meet what management suggests.

The recommendation that is almost always missing from audit reports is one that should be common to all Audits; that the risks, controls and remediation actions identified in the audit should be cross referenced to the Risk Register and the Risk Register updated to reflect the findings of the audit. Where the Risk and Controls are included in the Risk Register, these should be updated based on the audit findings. Where the Risk does not exist, it should be added. Where the Control is not included against a Risk, it should be added.

By taking this final step, IA ensures that the overall risk environment and system of internal controls is updated to reflect the actual current situation.
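As an added illustration of the register linkages described in sections 3 and 6 (it is not part of the original article, and the objective, risk, control and finding names below are constructed): each risk must hang off a business objective, each control hangs off a risk, risks with no working control are reported as documented gaps, and the "final step" of an audit cross-references findings back into the register, adding the risk or control where it is absent and recording the audit result against the control.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    control_id: str
    description: str
    owner: str
    attestation: str = "not attested"   # operational management's assertion
    audit_status: str = "not tested"    # Internal Audit's most recent test result


@dataclass
class Risk:
    risk_id: str
    description: str
    objective_id: str                   # a risk only exists in relation to an objective
    owner: str
    controls: Dict[str, Control] = field(default_factory=dict)


@dataclass
class Finding:
    """An IA finding carries the risk it relates to, the control tested, and the result."""
    finding_id: str
    risk_id: str
    risk_description: str
    objective_id: str
    control_id: str
    control_description: str
    result: str                         # "effective", "ineffective" or "missing"


class RiskRegister:
    def __init__(self, objectives: Dict[str, str]):
        self.objectives = dict(objectives)      # objective_id -> objective text
        self.risks: Dict[str, Risk] = {}

    def add_risk(self, risk: Risk) -> None:
        # Section 3: no objective, no risk
        if risk.objective_id not in self.objectives:
            raise ValueError(f"{risk.risk_id}: unknown objective {risk.objective_id}")
        self.risks[risk.risk_id] = risk

    def add_control(self, risk_id: str, control: Control) -> None:
        # Section 3: a control is only recorded against a risk
        self.risks[risk_id].controls[control.control_id] = control

    def control_gaps(self) -> List[str]:
        # Risks with no recorded control, or whose only controls audit found missing
        return sorted(r.risk_id for r in self.risks.values()
                      if not any(c.audit_status != "missing" for c in r.controls.values()))

    def reconcile_findings(self, findings: List[Finding], owner: str) -> List[str]:
        """Section 6: cross-reference each finding to the register and update it."""
        log: List[str] = []
        for f in findings:
            if f.risk_id not in self.risks:
                self.add_risk(Risk(f.risk_id, f.risk_description, f.objective_id, owner))
                log.append(f"{f.finding_id}: added risk {f.risk_id}")
            risk = self.risks[f.risk_id]
            if f.control_id not in risk.controls:
                self.add_control(f.risk_id, Control(f.control_id, f.control_description, owner))
                log.append(f"{f.finding_id}: added control {f.control_id} to {f.risk_id}")
            risk.controls[f.control_id].audit_status = f.result
            log.append(f"{f.finding_id}: {f.control_id} audit status -> {f.result}")
        return log


def build_example():
    """Constructed accounts-payable example: one objective, two risks, three findings."""
    reg = RiskRegister({"O1": "Pay suppliers accurately and on time"})
    reg.add_risk(Risk("R1", "Duplicate or fraudulent supplier payments", "O1", "AP Manager"))
    reg.add_control("R1", Control("C1", "Three-way match of PO, receipt and invoice",
                                  "AP Manager", attestation="effective"))
    reg.add_risk(Risk("R2", "Supplier master data changed without approval", "O1", "AP Manager"))
    gaps_before = reg.control_gaps()        # R2 has no control recorded at all
    findings = [
        Finding("F1", "R1", "Duplicate or fraudulent supplier payments", "O1",
                "C1", "Three-way match", "ineffective"),          # attested, but failed testing
        Finding("F2", "R1", "Duplicate or fraudulent supplier payments", "O1",
                "C2", "Monthly duplicate-payment report review", "effective"),  # compensating control not in register
        Finding("F3", "R3", "Payment run released by a single user", "O1",
                "C3", "Dual authorisation of payment runs", "missing"),         # new risk, control not in place
    ]
    log = reg.reconcile_findings(findings, owner="AP Manager")
    return reg, gaps_before, log


if __name__ == "__main__":
    register, before, changes = build_example()
    print("gaps before audit:", before)
    print("\n".join(changes))
    print("gaps after audit:", register.control_gaps())
```

The gap report after reconciliation shows both R2 (never had a control) and the newly added R3 (its only control was found missing), while the compensating control C2 that the register previously omitted now sits against R1, which is exactly the "audit results open to dispute" situation section 5 warns about when IA relies on an incomplete register.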

7 Linkages, and a model

Through the Risk Management and Internal Audit processes, we can build a consolidated picture of the risk environment and system of internal controls. Assurance is provided to Senior Management, the Board, shareholders and key stakeholders. Risk Management ensures a holistic view of the risk and control environment, while Internal Audit provides comfort, through detailed testing, that management's assertions of the effectiveness of the control environment are accurate, and provides guidance on where remediation activity is required.

The TLD model, if narrowly applied as per the IIA's interpretation, assumes all assurance is provided by Internal Audit. This is a narrow view that does not adequately consider the assurance roles that are provided by 2nd and 1st lines in their daily activities.

A more accurate and measured interpretation of the TLD model shows all three lines (Operational Management, Risk Management (and Compliance), Internal Audit) providing assurance, with each supporting the other two to ensure that the assurance provided can be relied upon. Where any of the three lines fail to perform their specific responsibilities, the overall level of assurance that can be provided is reduced, regardless of the quality of the other two lines.

Management's responsibility is to operate controls that exist to manage identified and recorded risks, efficiently and effectively. Risk Management's responsibility is to ensure that risks are identified and assessed, that the risk environment and system of internal controls is defined, that risks and their associated controls are recorded and monitored, and that management provides attestation or assertions on the effectiveness of those controls. Internal Audit provides a ‘final line of defence’ by performing detailed reviews to confirm the effective functioning of controls. None is responsible for catching the others out, or "owning" the provision of assurance.

Internal Audit cannot be everywhere or see the entire risk environment, internal and external. Risk Management cannot retain a systemic view of risk if it engages in detailed controls testing, and managers can provide assurance only over those controls they are individually responsible for keeping in operation.

We call it the TLD even though a more appropriate model may be the Three Elements of Assurance, but that doesn't sound nearly as interesting.



15 June 2016

Insanity, in 19 bullets

The United States of Amerika has become one of the most insane countries in the world.

I've written a series of posts on what could end the current record-breaking "recovery". What is missing from all of those posts is a list of the individual items of insanity that collectively represent a very Dark Swan in the form of the collapse of Amerika as a nation. I have started to use Amerika because the America that I knew, and the Constitution I swore to protect (from enemies foreign and domestic) no longer seems to be meaningful. I consider this my form of protest, something still theoretically protected by the First Amendment to the Constitution.

This list of insanity bullet points does not include anything that the man-child, probable Russian puppet (or at least patsy), and also possibly early stage dementia suffering porn-star paying adulterous "fucking moron" (me quoting others, not stating this as a fact) is doing to distract from the internal problems, and in fact internal problems that he is encouraging. This also excludes the quislings in Congress who would rather destroy the country than admit what their leader, with their support, is doing. 

Some examples, in no particular order:

1. The police can pull you over and take your assets on the grounds that the policeman thinks, maybe, you might use those assets to commit a crime. It is then up to you to engage a lawyer to fight in court to have your assets returned to you. In 2014 police departments across the US seized more in value from citizens than the total value of assets stolen in burglaries. Asset seizures now account for reasonable parts of police budgets. So, the police are encouraged to steal from the people.

2. In a number of states, there are "open carry" laws that mean a person can walk down the street, or into a shop, openly carrying an assault rifle. Therefore, in such a state, you have no idea if the person with the gun is a nut, a terrorist, or just has a very small penis.

3. Meanwhile the organization (NRA) that rents congressmen to ensure no laws are passed that will reduce the ability of their members to sell guns, also refuses to allow people to carry guns at their national convention. I wonder why? In addition, we recently learn that the NRA will happily take money from anyone, including non-Amerikans. That the NRA is basically an anti-Amerikan entity happy to overthrow the Constitution (while pretending to protect it) can be seen in the appointment of their new president, a man who when in the Military, overrode instead of protecting the Constitution, as he swore to do (protect it, not override it).

4. Almost anyone can buy an assault rifle and/or handgun, but buying a pressure cooker makes you a potential terrorist. Cooking for yourself instead of eating out has become the sign of a sick mind that must be watched, and of course a potential terrorist.

5. The Fed cannot raise interest rates to any meaningful level, because to do so will increase US government debt payments to a level that will bankrupt the government (and the country). So more stimulus will be added, with the objective of pumping the money supply enough to ensure that interest rates remain low. There is plenty of evidence that this is destroying the savings and retirements of a generation.

6. The "Wealth Effect" requires that the Fed be more interested in propping up asset prices in the short term, with little or no regard for the negative impacts when stimulus is no longer effective (which might be now). The "Wealth Effect" is based on the idea that if stocks/equities and other assets (like houses) go up in value, people will think they are rich and there will be greater spending and therefore greater economic activity.

7. Borrowing is future spending brought forward. Eventually that future will be "now". The Fed and government are stealing the future's spending, beggaring us, our children, and quite possibly their children. But as long as "now" doesn't happen until the next person is in office, all will be good.

8. After promising to reduce the deficit, the Republican Party and Trump have, even though they control both houses of Congress and the White House, actually raised the deficit, and predictions are now for multi-year $1,000,000,000,000 deficits through the 2020s. Does the expression "unsustainable" mean anything to anyone?

9. Companies are considered "people" and therefore political contributions or advertisement are considered "free speech" and are protected by the constitution - effectively protecting the right of corporations to use money to drown out the voice of the people.

10. Fewer jobs are created each month than the number of people entering the workforce, yet unemployment continues to decrease. After all, if you are not receiving an unemployment benefit or are not "actively looking for work" then you are not counted as unemployed. Of course, unemployment benefits only last so long.

11. The jobs that are being created are mostly in the service sector and are low wage jobs. Couple that with importing educated labor to displace US educated workers through the H1B1 program, and corporations, with the help of the government, are able to push down wages for what should be the remaining higher-wage jobs. A great race to the bottom.

12. The labor participation rate is as low as it was in the late 1970s, but unemployment is at 4.0%. Either large numbers of couples are able to live on a single income (which we know is not true), or something else is happening.

13. The national debt is now greater than 100% of GDP and rising, with no end in sight. Unfortunately the Fed and congress seem to be taking a lesson from Japan - that a country really can go on buying debt from itself to fund itself forever (really?). All this when economists are telling us that a Debt to GDP ratio of greater than 90% will demonstrably reduce GDP growth. That >100% debt to GDP is for Federal debt only, and does not include state or territory (such as Puerto Rico) debt, or local (such as Chicago) debt.

14. The two political parties' candidates are a Sheep in Wolf's Clothing vs a Wolf in Sheep's Clothing. Both are equally scary, for different reasons. Neither will save the country, let alone actually make changes that will reduce the coming pain of default and economic depression. Both are crooks, but of different kinds and times. They fight to retain their seats in Congress and do not care about the country or the future.

15. Home ownership rates are at their lowest in decades. The dream of home ownership, through government programs encouraging unsafe lending, quite possibly contributed to the GFC (Global Financial Crisis) and the Great Recession. The increased ownership has unwound, yet the dream remains.

16. The country is probably as polarized as it has ever been. Republicans from Democrats, Black and Whites and Hispanics from each other, Muslims from everyone else. All this in a context of a social media world designed to reinforce existing positions and prejudices. The "Melting Pot" has become the boiling pot.

17. In the last financial crisis, the US Government bailed out the major banks, with a very large chunk of the bailout money then being paid out in bonuses to employees of the Too Big to Fail (TBTF) banks.

18. TSA and the abrogation of the Constitution through the Patriot Act (and extensions) while providing "security theatre" only, serves as a proving ground for how to complete the subjugation of the population - the "Sheeple". I've been known to mutter "Baa baa" when standing in the TSA lines.

19. Meanwhile, the exercise of protest by kneeling for the flag is presented as some form of treason and disrespect, when the protesters themselves have very clearly and carefully explained exactly what they are protesting.

Sadly, all "sides" are so polarized that there will be no movement toward common solutions. One side will make a proposal, the other will reject it out of hand. And round and round it will go. And when it does fall apart, there will be enough blame to go around to ensure that the country continues to be polarized, avoiding anyone being held to account.

"This cannot end well" is so right, and when it ends, it will be in the breakup of the United States of Amerika. A civil war is coming, and if not that, then the imposition of the ultimate police state. 

First of course there will be the Second Great Depression, and that cannot be far away. People who actually understand the economics are already predicting a recession in the second half of 2019 ("if there are no Black Swans before then").

Yet Black Swans are all around, mostly in the unsettling of international markets by the current traitor in the White House, who hops from one artificial international crisis to another, all with the goal of distracting us from his crimes. "Fake News" will be the cry, from him and his toadies.

If there is any good news, it is that the Praetorian Guard can only be bought for so long, and any Galba, Otho, or Vitellius (I admit, I always forget the third in that list) will have a short shelf-life. That includes the current Galba, who with his sons Uday and Qusay (as some are calling them) will be discarded when the time comes. Yet we need to remember that the very process by which Galba came to power began because the prior Emperor was mad and the system had collapsed.

Galba's end wasn't pretty, and my own guess is the best this Galba can hope for is a pillow over his head, and not to be publicly murdered in the Forum by his Praetorian Guard.



24 April 2016

Is Risk Management a Profession?

So once again I have been invited to attend the ISO 31000 training programme. And at the end of the 3 days I will, of course, pass my certification exam, and will be able to call myself a C31000 Professional. Wow, am I excited, or not.

When I look at a range of "professions" I see a few things in common: years of experience and study, a professional body or association (or bodies) that determines a set of standards for professionals, certification, and a set of disciplines. I also see regulatory bodies (even if self-regulating within the profession) that protect the name of the profession, and strike off those that fail to uphold the standards of the profession. I also see the profession seeking to protect itself from charlatans who do damage to the profession, and, by pointing out clearly the standards required by the profession, to protect companies that employ such professionals.

So how does "The Google" define a Professional Association?


Somewhat limited I think, but for our purposes we can use this. What seems to be missing is protecting the integrity of the profession and professionals, but that might be included in furthering "the interests of individuals engaged in that profession" through protecting the name of the profession from charlatans.

Would the ACCA, ICAEW, IMA, AICPA, or the CICA stand by quietly as an organization or individual offered to create certified accountants in less than a week? The Medical Council would not allow someone to practice medicine without proper training and certification. Yet that is exactly what the Risk Management professional bodies do when someone offers three-day courses with a "professional" certification at the end. Where are the IRM, RIMS, GARP, PRMIA in protecting the reputation of the Risk Management profession and professionals?

So is Risk Management a profession? I'm sure that others have their definitions and expectation of what makes a profession and a professional. For me, as someone engaged in the profession, I like the definition from Google:



Considering this definition, I consider myself to be a Risk Management Professional. I have been advising companies on Risk Management, developed an ERM application from the concept to implementation, and I am a Risk Manager in a business. I am a member of a professional body, and have contributed to thought leadership published by that body, ranging from Risk Appetite and Tolerance, to Cyber Threats, and Risk in the Extended Enterprise.

Which apparently means that I should be "certified". Or at least, someone thinks that this will make me a professional.

So let us look at this kind invitation from Alex Dali again, the one that will, in three days, make me a Certified ISO 31000 Risk Management Professional.

The message from Alex Dali says:

I am pleased to inform you about the next training and certification session in London next month in May for you to become a Certified ISO 31000 Risk Management Professional with the official label C31000 certification.

It then gives the details of the course in London, for a very reasonable £1900, which includes the fee for the exam and certification.

It goes on to say:

Given your profile, I am sure that you will benefit a great deal from being a “Certified ISO 31000 Risk Management Professional” with in depth knowledge on the international ISO 31000 risk management standard. This session is also dedicated to those interested to become Certified ISO 31000 Lead Trainer.

Nice to see that my LinkedIn profile indicates that I would benefit from being such a certified professional. Or not.

So where am I going with this?

I expect my professional body to protect "the interests of individuals engaged in that profession" through protecting the name of the profession from charlatans. And that includes calling out examples like this, where people can claim to be a Risk Manager simply by paying for a three-day course.

To be very clear, any programme that offers a professional certification after a three-day course and an exam (I wonder what the failure rate is, after paying £1900) is a joke. To be completely honest, I would have a difficult time taking someone seriously if they actually put C31000 or any other notification that they have received this certification on their profile. I would then question every other certification that they claim, and I would wonder if that MBA or any other degree was from a mail-order "Institute" or "Institution" or just a postbox.

We as a Profession should be calling out specific examples like this, where someone sells certifications. We should be making it clear that we, individually and as professionals, will not accept bogus credentials.

For my part let me be very clear:

If you send me a CV with the C31000 certification on it, or if you have the C31000 certification on your LinkedIn profile, I will NOT be engaging with you. You are not a Risk Management Professional. You are the second definition of a Profession above: "an open but often false claim".

Just so there is no mistaking what I've just said:


To the professional bodies I ask, why are the Risk Management professional bodies and associations such as the IRM, GARP, PRMIA, RIMS and others not calling out the charlatans? Why are the professional bodies not protecting the interests of their members?

If my professional body will not openly state that this type of certification is a sham, then I need to do so, if for no other reason than to state categorically that I want my Profession to stand for something. When I say that I am a Risk Manager, I want it to be clear that this means I have years of experience, that I can back that up with evidence. That I am a professional.






07 April 2016

Panama Papers: Proceeds of Crime?

Drug dealer has a pile of cash. Drug dealer buys mother a house. Mother is pretty certain that the money is not clean, but it was from her son. Sweet boy. Time goes by. Drug dealer is caught. Assets are confiscated. Mother loses house. Proceeds of crime, after all.

And that is the way it is supposed to work. While mother is a nice woman and loves her son, she did knowingly accept assets that were the direct result of criminal activity. Apparently this standard does not apply to journalists. Journalists get Pulitzer prizes instead.

The "Panama Papers", while shining a bright light on the world of offshore companies and diversion management of assets, more importantly highlights the very grey line between the ethical hacker and the crooks, including the users of the information that was stolen. We still do not know how the information was released, although Mossack Fonseca is stating that the documents were stolen in an external hack of their systems.

Basically there are two options; an insider copied the documents and made them available to the Süddeutsche Zeitung, or an external individual or group of individuals hacked Mossack Fonseca's systems and copied the files, providing them to Süddeutsche Zeitung. We are told that the person (singular) who provided the documents has not asked for money, only protection of identity. It is worth noting of course that an internal party could have been the hacker, to help obscure the source of the information.

As there was too much information for one news agency to fully explore, the data was distributed to a number of news agencies and papers, using the ICIJ (International Consortium of Investigative Journalists) as the network for distribution.

What is disturbing is the wide dissemination of the information for a long period of time, and the ability of the journalists brought in to keep their silence. Almost mafia-like. While journalists as individuals have, in liberal western countries, a theoretical legal protection for use of sources (and in some cases protection from releasing their sources), the information used in this case was sourced illegally. Once sourced, however:

A network of about 400 journalists in 80 countries put together by the consortium spent months researching the documents. The media partners included the Guardian and BBC in the U.K., El Confidencial in Spain, Le Monde in France, Falter and ORF in Austria, Sonntagszeitung in Switzerland, and L’Espresso in Italy.

We are also told that newspapers and journalists have had access to the documents for many months, with the various reports saying anything from six months to a year. It is interesting that in that six months to a year, the story was kept secret from all, until Sunday April 3rd, when the bombshell exploded onto newspapers (online of course) and the TV news.

And what an explosion. 12 heads of state, 120 senior politicians or close associates of politicians, family members, etc. The first scalp has been taken, with the Prime Minister of Iceland stepping down. Score one for the "Revenge of the Sith Bankers". Personally I would not be surprised to find that the IMF, Troika, and individual banks that lost big in Iceland, are rubbing their hands in spiteful glee, but I digress.

In total, something like 214,000 companies were established by MF, with these companies spread around the world. Strangely, there are few American companies or individuals reported thus far - the current number seems to be 3072, with a total of 441 clients, but we're told to expect more. 3072 out of 214,000? Really?

Putin is just missed, but some around him are having their affairs aired in public. All, according to the Kremlin, part of a campaign of Putinphobia. Who's to know, but the Panama Papers are highlighting goings on that seem a little unsavory. In fact, a lot unsavory, by a huge range of people, from football stars to royalty, to criminals and (not criminal) individuals and companies.

And yet, all the information is not being released, raising questions about the political motives of those that released the information. Wikileaks climbed into the fray by stating categorically that one of the organisations involved in the dissemination of the information is effectively a front for Soros and his anti-Russia pro-democracy agenda.

And it is to that background that the relatively low number of Americans identified raises questions. If there is a dearth of Americans, is this because the information has been massaged? Is the number so low because the United States already has significant tax havens in Arizona and Delaware, and therefore there is less "need" for Americans to create international vehicles? Really?

At the core of my concerns then, is the question of whether the release of information, stolen information, was a crime, and not a "whistle blowing" action. And if it was a criminal activity (which hacking resulting in the theft of company information clearly is) then while there may be an argument that the thief was a whistle-blower, it does not absolve organisations from their use of the information for gain.

In this case, Süddeutsche Zeitung, the Guardian and other news organisations, instead of being legitimate news gathering and reporting organisations, are in fact the recipients and exploiters of illegally gained assets (the data). The drug data dealer has given them a home, and they know it came from criminal activity.

This makes their activities effectively the exploitation of the proceeds of crime.

I would expect that the vast majority of the companies formed will have been for perfectly valid business or personal reasons, legally using mechanisms to manage business activities and assets while also managing tax exposure - legally. None of that matters of course. Panama and anyone who does business with a Panama legal firm is now assumed to be a crook, while the real criminals, the Hacker(s) and the news outlets that have used the proceeds of that crime, will wear a mantle of purity of spirit.

If anything, I wonder if there will not be legal actions taken against the organisations that used and reported the data. Proceeds of crime indeed.