27 August 2018

To see the future of the West, study New Zealand’s and Zimbabwe's crises

How long can the world's gluttony for debt continue? Seemingly forever, until it cannot. That was the experience of New Zealand in the 1970s and early 1980s when government subsidies ruled the economy until the country went broke.

(Summary: New Zealand radically liberalised the economy, suffered through terrible social and economic pain, and emerged as a modern, vibrant and growing economy. Growing debt cannot last forever, and when a country hits the wall, it can go the way of New Zealand through the pain and recovery, or the way of Zimbabwe to more debt and devaluation, inflation and longer pain with no gain. Europe and the US have this in their future; we just cannot guess when, and we cannot guess which choice they will make.)

Through the first half of the twentieth century, New Zealand’s close ties to England ensured a steady flow of lamb and milk products from the former colony to “blighty”, at economic terms that benefited both the UK and New Zealand. This ensured that the New Zealand agrarian and rural economy continued to grow, benefiting the entire country. This also allowed for subsidies on imported goods, and on goods assembled in New Zealand from imported parts (such as automobiles).

That could not and did not last forever. 

When the UK joined the European Common Market, it was required to abandon its Commonwealth trading relationships and impose the common European trading relations, which included protectionism for European economies. New Zealand suffered. But so did Australia.

After Britain had joined the EEC, Australian butter exports dropped by more than 90 percent; the Australian apple trade declined from 86,000 tonnes in 1975 to just 27,000 tonnes in 1990. The economic consequences of Britain's European ambitions for Australia were severe.

New Zealand was hit even harder, with pre-EM exports to the UK accounting for up to 55% of all exports (1958 – 1960), with 90% of milk and butter going to the UK, and over 95% of lamb (and 80% of mutton). This export market had grown the New Zealand sheep population to 60+ million sheep, or 15 sheep for every Kiwi.

The short story is that with the loss of the UK markets, the New Zealand government and the National Party (the conservative party, and the party of rural and agricultural New Zealand) attempted to hold up farming and rural incomes through subsidies. Up to 40% of the value of a sheep was in subsidies.

The only problem was that the National government (the conservative party) was running deficits like crazy to fund the range of subsidies, and the deficits were doing exactly what should be expected, devaluing the currency and increasing national debt servicing costs. Inflation was high, and a wage and price freeze did nothing to alleviate the problem, and international pressure was undermining the value of the currency.

And they continued to build that debt, and pay the subsidies, until one day the money ran out, or more realistically, until National and the Prime Minister were told by Treasury that the money was going to run out. The crisis had arrived.

So, having kicked the can down the road as long as they could, heaping subsidy on subsidy, hoping that it would all fall apart under the “next” guy’s administration, they ran out of money. It was their problem.

What to do?

Well, Robert Muldoon did what any responsible politician and Prime Minister should do – he got drunk and while drunk, called a snap election, knowing full well that National would lose, and the problem would be Labour’s.

Not surprisingly, National lost, and Labour won. A multi-year devaluation of the currency, ballooning sovereign debt payments, rising unemployment, and a disconnection from urban New Zealand meant it was time for a change.

The only small problem was that the day after Labour won, NZ Treasury went to the new (soon to be installed) government and said “Sorry to tell you this, but there is no money for your programme. In fact, you might not even be able to make the sovereign debt payment that is due soon.”

The can had been kicked as far and as long as possible.

So began years of economic restructuring in New Zealand, with years of associated pain up and down society. With no subsidies, large numbers of farms became financially unsustainable, with bankruptcies and forced sales. There were stories of farmers committing suicide as the auctioneers arrived at the properties.

Automobile assembly plants closed with the loss of jobs. Imports rocketed in price, and taxes increased to nose-bleed levels. I remember 66% income tax over a (fairly low) level.

Labour had the courage to throw away their platform and enact wide-ranging economic reforms. The pain was incredible. 75,000 manufacturing jobs and over 20,000 jobs in the public sector were lost in the five years from 1987 - 1992. With the pain of liberalising the economy, employment began to grow again through the 1990s, and New Zealand became one of the most open economies in the OECD (from a position of being the least open of 24 OECD economies in 1984).




The sale of State Owned Enterprises resulted in massive pain and the exportation of profits from the privatised industries (such as Telecom NZ), but also in the modernisation of industries that remained in government hands as businesses (such as NZ Post), most of which became profitable businesses returning an ongoing dividend stream to the Crown (NZ Government).

Unlike New Zealand, when Zimbabwe hit the wall of national debt, they kept printing money and borrowing, resulting in devaluation and inflation, and ultimately a ruined economy (with a little help from property confiscations and destruction of businesses). 

  



Looking at the chart above, national debt exploded to almost 140% of GDP, dropped, then peaked again at 147% of GDP before dropping again. Why did it drop? Without even minimum fiscal discipline, international lenders simply would not buy Zimbabwean national debt at any price, and maturing debt had to be repaid – with printed money. The cycle repeated, and debt to GDP has stabilised around 80%. 

What stopped the international community? When “the inflation rate reached a peak of 89.7 sextillion (10^21) percent” in 2008.

New Zealand, by contrast, managed to keep inflation, while high for a period, relatively under control, and the economic reforms and fiscal discipline provided the comfort required to manage international expectations of the value of the currency. Inflation peaked before Muldoon was forced out (by his own policies) and was brought under control by the Lange government.

The national debt was also brought under control and paid down, and while spending and borrowing have increased, the debt to GDP ratio remains well under 30%; healthy by international standards, and simply low by OECD and “First World” standards.

  



Where to the “West”?

Current debt levels in Europe and the United States are simply unsustainable. And yet the borrowing continues, and balanced budgets (forget about paying down debt) do not exist in any of the major European countries or the US. This cannot continue forever, and the real question is equally simple:

Will the “West” choose the New Zealand route of hard choices and “short term” (3 – 5 years) pain, or the Zimbabwean choice of continued printing of money, devaluation, and hyperinflation?

The following graphic shows the results of the choice made by New Zealand, and the choice made by Zimbabwe. The grey is 1994, blue is 2004, and green is 2014. Zimbabwe’s choice effectively destroyed their economy and they have lost more than a decade. New Zealand’s choice has, after a difficult period in the 1980s and early 1990s, resulted in consistent and solid growth.


 'C' = Household consumption expenditure, 'G' = General government final consumption expenditure, 'I' = Gross capital formation, 'X' = Exports of goods and services, 'M' = Imports of goods and services



What New Zealand in the 1970s and early 1980s also shows us is that politicians will continue with their profligacy until they cannot. They will keep kicking the can down the road until they cannot. They will keep hoping that their policies can continue until the “next guy” has to deal with it.

We know this because it already happened, in New Zealand and then, to a lesser extent, in 2008, resulting in TARP and bailouts of industries that lasted for years in the US and across Europe. 

Unfortunately, the ammunition to replicate that kind of stimulus probably no longer exists, and as with Zimbabwe, the first period of money printing did not teach politicians that this was a major danger, but seems to have taught them that they can do it again, and again. Now the Fed (in the US) and the ECB (in Europe) face the problem of QT - Quantitative Tightening, a process as fraught with risk as the original QE. Growing economies do not like restrictions on the money supply.

So what choices will the politicians make next time? Whatever the answer, I suspect we will see the results before long.



12 August 2018

Risk Geography and Waterfalls

“Row, row, row your boat, gently down the stream”. Gently is pleasant and enjoyable, if you know where the rocks are, if you have an idea of the flow of water, and if there are no waterfalls. Knowing where the hazards are at each point along the river, where the bank is too wide, or where the fallen trees are, and then deciding the path, is all part of Risk Management. Most important are knowing where and how to navigate the rapids, and not being thrown over the waterfall.

Not seeing all the swirling currents, the rocks, and the potential drops is akin to missing material risks.

Have you ever been faced with the occurrence of an event that was both material to the business, and yet was not on your radar (or risk register)? That rock in the river and that thumping, scraping feeling and sound when the boat hits that rock. It happens, and it is personally painful when it does. It is difficult to look an executive team in the eyes and say “we, I mean, I missed that one”. Once you’ve done that, the question is “what else are we missing?”

Faced with that situation, and after being assured “we ALL missed it”, I asked myself what process I could put in place to reduce the likelihood of such a mistake in future.

This has led me to thinking about systemic risks and Black Swans as much as thinking about “internal” risks that might have been missed. This post provides an outline of my methodology change to improve completeness of risk consideration, with a focus on material risks.

Exploring the Black Swan world

Over the past few weeks, I’ve published a number of posts on both Risk Management (operational level) and Global Economic conditions and Black Swans. What can, and should, Risk Managers be doing concretely to address these risks?

The first step, of course, is to acknowledge that there are potential systemic risks, and that the enterprise needs to be considering these, macro and micro. Internal resilience is as important as is a level of prudential preparation to weather external shocks.

For example, would the entity's investment portfolio, as managed by the treasury function, stand up to a “Mark-to-Market” after an event that resulted in bonds demanding a 5% additional return? Are banking agreements sufficient to ensure continuity of payments in the event of the failure of a key financial intermediary?

Risk Appetite and Acceptance

Risk Management cannot identify all risks, internal and external, and cannot prioritise those risks in a vacuum. Senior management (and the Board for validation) should be confirming the risk universe, the risk hierarchy, and should be determining the level of acceptable risk. This is the Risk Appetite, and provides a foundation for acceptance of the residual risk position acceptable to management and the Board.

Of course, understanding the Risk Appetite for any particular risk requires understanding of the risks, the identification of the gross potential impact, an assessment of likelihood of occurrence, the current situation in relation to the control environment, and more importantly, the acceptable final risk position (“target” risk score).

The “Target” risk score, or the Risk Appetite for a particular risk, should only be set and accepted by someone with the authority to accept that final risk position. Anyone else “accepting” that risk is doing so on behalf of the shareholders, and very probably is doing so significantly outside the level of authority that the shareholders have vested in that person. Thus the need for a Delegation of Risk Authority.

Seeing the “Same Thing”

One of the most difficult activities is the identification of all material risks, internal and external. Lists and brainstorming seem to be the most common ways that these sets of risks are identified. And of course generic lists by industry are readily available online, modifiable to your business. These lists reflect a range of risks at a period in time, from the perspective of the list compiler. The next step is to get past the list and identify the hidden or out-of-mind risks.

All risk identification must start with the objectives of the business, even before the structure of the business. From there, a common model is needed, that all participants in the risk identification process are either familiar with, or can easily map to their experience and knowledge of the business.

While it cannot be said that all participants in the risk identification process will be familiar with all aspects of the Balance Sheet or Cash Flow statement, there is a very good probability that they will be very familiar with their areas, and how those areas impact discrete elements of the Balance Sheet or Cash Flow.

Victoria, Iguazu or Angel

A remarkable thing about waterfalls is that if you carefully measure all the water that comes in at the top, minus mist and vapour, the amount of water that comes out the bottom end is the same. So with Balance Sheets and Cash Flow statements. The totals in, minus items and added items, equals the amounts “going out”.

A tool that I have found useful for the identification of risks, and to ensure a conversation about risk with senior management is the use of the waterfall diagram. Each element can be de-constructed to whatever level of detail is required, but the inputs, minus and plus interesting other “stuff”, equal the outcomes or outputs. 

The example above provides a very basic (and imaginary) Cash Flow statement for a commercial and industrial company. It would look fundamentally different for a financial institution or insurance business. But in all companies, regardless of industry, after revenues and various costs, we have the output: Net Income.

Every element along the way, inputs and outputs, contributes to a greater or lesser extent to the eventual result. More importantly, if each element represents a set of definable business objectives, then each element provides us with a specific area of potential risk. For example, a business objective like “complaints per X-thousand customers” relates to specific elements such as SGA (Sales, General and Administration Expenses), or in Insurance and Financial Services entities, to their Compliance costs as well as SGA.

Let’s add some geography

A waterfall itself is influenced by factors well beyond the flows of water. The height of the drop, the width of the flow, the internal structure of the river and terrain around it all contribute. So we need to be considering all these facets when looking at our waterfall. Certainly, we have experts internally on the type, flow and quantity of water (internal factors), but how about our understanding of the shoreline and associated geography (external factors)?

Risk Identification and associated Risk Assessment need to consider all these factors, or critical risks (I must keep remembering to say “risks and opportunities”) will be missed - critical risks that have a fundamental bearing on the likelihood of the business achieving its objectives.

While the metaphor may be imperfect, it does provide a framework.

If we want to ensure that we have identified as many of the material risks as possible, then we need to look at each element of the Waterfall, and consider both the external and internal contributors to that element. In so doing, we identify the potential risks to the achievement of each of those elements.

For a manufacturing and distribution company, the cost of distribution is a material component of the Cost of Goods Sold, and therefore any risks impacting distribution should be included. Consideration of the impact of the sub elements of distribution can be used to determine what specific risk mitigations should be put in place.

In the 2000s, a major FMCG (Fast Moving Consumer Goods) company did not adequately consider distribution costs, or more importantly, the impact of changes in fuel costs as an element of their distribution costs. When fuel costs rose, so did their distribution costs, significantly. Net Income suffered badly.

The inclusion of the potential for an external risk (increased fuel costs) occurring may have suggested the need for mitigation in the form of forward hedging of fuel costs, or hedging of transportation costs for rail costs.


Flip the Waterfall diagram on its side, and we have an excellent tool to help us identify “missed” risks. While we did not use this exact presentation, we did use the waterfall diagram a year ago, and it helps us focus on, and in some cases identify, material risks.

It also enables the people with the most knowledge of each waterfall element the opportunity to discuss their elements, the make-up and breakdown of the elements, and to confirm the associated key risks. In addition, it supports challenge and common agreement of the material risks.

In the example above, Internal and External components of the waterfall element are listed, and discussed to confirm that associated risks have been identified. Quantification of the materiality of the risks was a secondary task, but by using this methodology, it was easy for the participants to understand quickly how any change in one of the waterfall elements impacts the overall performance of the business.

Of course, at the core of a successful risk identification (and confirmation - this should be done annually at least) is ensuring the widest range of people are involved. This most especially includes subject matter experts on each of the elements of the waterfall, and representation from Internal Audit to ensure a common risk universe is agreed.


The result is likely to be a much better aligned assessment of risk against business objectives.



06 August 2018

Flocking Black Swans

Thinking and talking about "Black Swans" as unexpected or unforeseen market or economic events has become almost blasé, yet the use of the term in this context is quite new, dating to Taleb's analysis of the 2008 financial crisis. Now almost anything that we don't (or didn't) see coming is a "Black Swan".

How many of these Black Swans are actually unforeseen? How many are simply emerging risks that have come to fruition? Should we really be unprepared for these events?

Right now, without even adding meteors or pandemics, I can list a series of potential Black Swans, any of which could have a serious impact on the global economy. These range from Tariffs/Trade War to Brexit-induced recessions in the UK and Europe, to Emerging Market credit crises or Chinese economic woes. It reminds me, again, of one of my favourite phrases: "It is easy to predict the future; getting the dates right is the difficult part".

And so the question: when? Some of these Black Swans could be brewing now, and may already have caused the underlying damage that will only be apparent with hindsight. Others may eventuate at any time.

Flocks

When considering Black Swans, the most important difference between "reality" and the concept is that Black Swans, the birds, stand out because they tend to be solitary, and are not intermingled in flocks of White Swans.

Swans, while solitary, do pair and can be seen in bevies, eyrars, or even gargles or herds, especially on the River Thames, where all "mute" or unmarked swans are property of the Queen (Act of Swans, 1482). Each year the Upping of the Swans takes place in the third week of July, when over a section of the Thames, all swans are caught, inspected, given a health check, and then released.

All this to say that we think of Black Swans (back to the economic events) as singular events, when in reality they cluster, or to use some of the collective nouns for swans, there could be a "bank of (black) swans", or even a "whiteness of (black) swans". The initiating event may not even be readily apparent during the period of crisis.

Contagion

So which was the primary cause of the Global Financial Crisis: the collapse in values due to the MBS/CDO sub-prime collapse, or the resulting impact of Mark-to-Market and resulting impact on the capital value of financial institutions? It could be argued, and was, that as financial institutions typically match their assets to their liabilities from a duration perspective, they were holding securities that were to be held to maturity, and therefore there was no financial impact unless they were required to sell their bond holdings.

The point is that any of a number of Black Swans may arrive concurrently or with only a few months between. Some will create the conditions that bring about additional crises.

So to timing

As mentioned above, it is quite possible that some of our Black Swans have already inflicted the damage, and we are simply waiting for the evidence to come through - the evidence that may push some other situations over the edge.

The Trade War, Emerging Market debt, and the Chinese Economy are good examples of potential contagion. 

The recent +4.1% GDP change print for the US is being presented as a great result, but is it a reflection of underlying economic strength, or a reaction to threats of higher costs from tariffs? I do not know the answer, and we will only know with certainty at the next GDP print in October, just in time for the mid-terms.

One thing we do know is that the tariffs and global uncertainty are driving the value of the US$ higher, imposing additional costs on Emerging Markets while also suppressing US exports. This is supporting an expansion of the US trade deficit, and is hitting Emerging Market bonds with significantly higher costs.

So if, and it remains a big "if", the GDP print this past quarter is a reflection of anticipation of the impact of tariffs and a Trade War, then we will know for certain in three months. But the damage will already be done, and the US economy may well have flipped into recession by then.

Equally, the Trade War may drive another potential Black Swan; an Emerging Markets financial crisis. Certainly that crisis may arrive all by itself, with an end-of-credit-cycle unwinding of EM opportunities as US, UK and EU treasuries are forced to pay higher yields, and a consequent "flight to safety".

Mixed in with all of this, there is the potential Black Swan of a serious credit squeeze in China, resulting in another huge stimulus program, and a potential draw-down of US treasuries to pay for the stimulus. When Russia sold almost $50 billion in US treasuries earlier in 2018, US 10-year rates jumped to 3.1% from around 2.9%. What would be the impact of a $100 or $200 sale of US treasuries by China as part of a stimulus programme?

Let's guess at timing

We need to keep watching indicators from around the world, and look for specific activities. The Baltic Dry Index provides a good indicator for us to watch. In the past months, the Index has risen from $1250 to over $1700 now. The Baltic Dry Index provides a reliable surrogate for global trade volatility, with higher trade volumes increasing the cost of freight, and falling freight volumes driving down the BDI.

It is also a close to real-time indicator, with pricing of freight being highly sensitive to the actual trade volumes and projected volumes.

I will be watching that over the next three months, looking to see if the Index remains high, or if as I suspect, pre-tariff activity will taper off, and we will see the Index fall.


29 July 2018

Old is Good, Unless You are a Computer System

Old is, by itself, I am happy to say, not bad. And the process of getting older is also not too bad either. We build up knowledge and understanding, and sometimes we see wisdom in some (older) friends. But “old” is not good in computer systems. That accumulated “knowledge” is actually decades of bugs and bug fixes, new functionality that does not always work with the old, and ancient security holes that either have never been found, or have been too difficult to fix without breaking the rest of the system.

New-build systems, while potentially having a limited functionality set, are easier to manage, faster to build, scale more easily, and consume fewer resources to run and maintain. The “systems shop” full of geeks is a thing of the past, unless you are running a large legacy system.

Agility in the face of threats and opportunities is magnified in newer systems, while legacy systems can be overwhelmed in the face of new threats.

This is not meant to settle the Buy-vs-Build argument, but it does argue for the replacement of legacy systems with newer systems built with current technology and for modern infrastructure. After all, who speaks COBOL any longer?

One example of how to overwhelm a legacy system: regulatory reporting. FATCA created a nightmare for financial institutions having to deal with new fields and new reporting requirements. Older systems required new code, new reporting systems built or new extracts to feed reporting platforms. Meanwhile, newer systems, built with regulatory reporting as a core design requirement, found the delivery of FATCA reporting much easier.

Newer financial institutions and those with newer systems may still refuse to open accounts for US citizens, but that is being driven by an expectation of future US Legal Imperialism.

But these new systems are able to support CRS, the “rest of the world’s” response to FATCA. Pity that the US of Amerika refuses to engage with the rest of the world and implement CRS (Common Reporting Standard). Even countries like Panama are implementing CRS, and computer systems are having to cope with the new regulatory reporting requirements.

I enjoy being older. I’m smarter, I think more deeply, and my opinions are based on decades of experience and knowledge. At least, I flatter myself with these thoughts, even though I may be hard-pressed to find much support for those assertions. But I do envy the young. I cannot run as fast any longer, or run at all for that matter. I’m not as agile, and new music simply baffles me. 

Another area where younger seems to have an advantage is in fraud and cyber-security. I’m back to talking about computer application and banking systems of course.

Remember the good old days when a dial-up network with a 48kb connection was enough? Back in those days, hacking was a different scale, and individual hackers were or became known to officials. They weren’t always caught. But sometimes that special person like Clifford Stoll will "stalk the wily hacker", ultimately leading to an arrest.


From "Stalking the Wily Hacker", Clifford Stoll, 1988

Today stalking the wily hacker is almost impossible, and the number of vectors continues to increase exponentially. Building information security in from the beginning is key to a successful financial systems application. I do not know what application Monzo, the UK challenger bank, uses, but they certainly are talking about their agility in the face of cyber-attacks and fraud. Imagine being able, with old systems, to respond to apparent fraudulent activity within four hours.

“Within four-and-a-half hours, the team rolled out updates to our fraud systems to block suspicious transactions on other customers’ cards. That evening, we reached out to other banks and the US Secret Service (which is responsible for credit card fraud in the US) to ask if they had seen anything similar. At the time, they hadn’t.” Try doing that with a legacy system.

Yet for all that, and perhaps as a victim of the “Sunk Cost Fallacy”, I happily will continue to hold this particular legacy system (myself) dear and will continue to attempt upgrades.



17 July 2018

It's all about the Target (risk assessment)

In my previous post I commented on the importance of adding a “Target” risk position to the traditional "Inherent" and "Residual" risk assessments, and the linkage to the Risk Appetite. More importantly, the “Target” level for any risk provides a focus on the future.

Let me explain.

Inherent to Residual: Inherent risk is the level of risk before remediation. This is important to ensure that we are focusing on the areas of risk that represent the greatest threat or opportunity for the entity. Inherent risk scoring is subjective, but then so is almost all risk scoring. Yet an assessment, subjective or quantified, of the risk before controls or other remediation ensures that we invest our limited resources on the areas that pose the greatest threat to achievement of the entity's objectives.

So we’ve assessed the Inherent risk, and we have applied controls for remediation, mitigation, etc. Now we have our “Residual” or “Net” risk position. Again, this is by nature subjective, and fraught with assumptions. But it does provide an assessment of our current state of risk and the level of risk that is being taken by or accepted by the entity. But this is subjective. And it will be wrong.

There will be too many missing controls, controls that are functioning ineffectively, mitigation that is unfocused or not in place. The assessment of the Residual risk position provides a snapshot of the current situation, with no insights into either the level of risk that is acceptable, the actual level of risk being taken, or the level and type of risks that the entity wants to take.

Target: And so we get to the “Target” risk level or assessment. What level of risk does the entity want to take, and what level of risk is acceptable? This is fundamentally an assessment of the desired future-state of the risk environment that the entity wishes to work within. And yes, this too shall be subjective. It will also probably be achievable.

As Risk Managers we need to consider and advise on the level of acceptable or desirable risk to be taken or accepted by an entity, across the spectrum of risks. This means that we need to assess the raw (Inherent) risk environment and support the allocation of resources to the highest or least desirable risk areas, and of course the allocation of resources to those areas where we want to take risk.

We also need to work with management to objectively assess the desired, or acceptable level of risk to take; the Risk Appetite. This should be done globally, and should be done at the level of each identified and recorded (and managed) risk. This is our Target risk level for each risk.

Now, and only now, can we meaningfully assess our “Residual” level of risk, and determine if that level of risk is appropriate.

If our current (“Residual” or “Net”) equals our Target, then we are running at our desired level of risk. And if we are not, then we now know that our desired future state does not equal our current risk managed state for this, and all other risks where Residual does not equal Target.


Example of Residual to Target tracking

In the example above, a number of interesting observations can be made, including that the Residual and Target risk assessments change, as risks are reviewed by the Risk Owners. It is also clear that Residual and Target are not the same. Within the data there will probably be a number of individual risks where the Residual assessment equals the Target assessment; the current risk situation for those risks equals the entity's Risk Appetite for those specific risks.

So why does Residual not equal Target? There are three possibilities:


  1. Our control environment is ineffective and/or does not include all the controls that are already in place to manage the risks (and these then need to be identified).
  2. Our aspirational level of risk management for the risk is too high.
  3. Conversely, we are over-controlled (where Residual is lower than Target for specific risks) and we are potentially stifling the business through excess controls.

And when we determine that our Residual risk position does not equal our Target risk position, we have four options:


  1. Accept that it will not be possible to achieve the desired Risk Appetite for this risk, and, through a Delegation of Risk Authority process, change our Risk Appetite and therefore our Target level for this risk to equate to the current Residual risk level.
  2. Subtly different, but we may determine that the Risk Appetite is not right, and that we do want to accept, or take, more of this risk, and therefore change the Target.
  3. Identify the controls that are not effective and implement improvement programmes or introduce new controls.
  4. Confirm that we are over-controlled and look at which controls are not actually required, or are burdensome and should be replaced with monitoring controls.

What is the role of Internal Audit in this?


The Internal Audit function provides some assurance that the system of internal controls is effective. This requires Internal Audit to determine what areas of business activity they will review. This selection should be risk-based, which means starting with the risk register and considering a balance between the highest “Inherent” risk areas and the highest “Residual” risk areas.

As part of each Internal Audit, the assessed level of Target risk should be considered, and Internal Audit should then perform an audit programme designed to confirm (or otherwise) that management’s assessment of the effectiveness of controls is accurate. If the controls are effective, and these controls have been determined to bring the entity to within Risk Appetite, then Internal Audit’s role is limited to questioning the appropriateness of the Risk Appetite. (Note I say question, not set, as that is the role of senior executives and the Board, or others within their Delegation of Risk Authority.)

Where the Residual risk level does not meet the Target, Internal Audit should be determining if this is because the controls are ineffective, or because the control environment provides inadequate coverage of the risk. In which case, new controls may be appropriate.

In all cases, Internal Audit should be determining if Management's assessment of the effectiveness of the control environment matches the evidence provided to Internal Audit. If management's assessment is correct, and there remains a delta between the Residual and Target, and senior management and/or the Board are aware, then there is no Internal Audit finding other than the fact that senior management and/or the Board are aware of the difference, and are aware of and support management's plans for remediation.

It's all about the Future

The core message, however, is that the Inherent risk position represents a “past” with no controls, the Residual risk position represents the present (as assessed by management), while the Target risk represents the future, or desirable control and risk management state, and is one of the enunciations of the entity's Risk Appetite.

The question we ask of Risk Owners is: What are you doing to get from the Residual risk position to the Target risk position, and when will you get there?



11 July 2018

Why Inherent and Residual Risk are Inadequate: What is the Appetite?

Too often the practice of internal auditing, when performing risk assessments, looks at Inherent Risk (the level of risk before any remediation) and Residual Risk (the level of risk after remediation). This is inadequate and forgets one of the most important aspects of Risk: the Risk Appetite.

Risk Appetite provides management with a view of the level and type of risk that the entity is willing to take, and the risks that the entity will pursue. Missing from the IIA’s (and others’) assessment of risk is the Target Risk level. This represents the level of risk acceptable for any individual risk based on the Risk Appetite of the entity.

The delta between Inherent Risk and Residual Risk measures only the current assessed level of control or risk. It does not provide a link to what is the acceptable level of risk (and control) for the entity.  This means that Internal Audit could, in theory, report that the entity is well controlled as the Residual Risk level is accurately stated and the controls to enable that level of Residual Risk are functioning effectively. 

Equally, in theory, the Residual Risk level could actually be fully in-line with the Risk Appetite, and in such a case there would be no Internal Audit findings other than “(Auditable area) appears to be well controlled with the current Residual Risk being within the Risk Appetite”.

I do say “in theory” because I have only seen one Internal Audit report in the past 35 years that did not contain findings and recommendations, even when reporting that the audited area is effectively controlled. Internal Auditors simply, almost pathologically, count the number of findings, and too few findings are seen (by the Internal Auditors) to indicate a poorly performed or ineffective Internal Auditor. For a candid discussion of the “7 deadly Internal Audit sins” I would only point you to the video from Richard Chambers, IIA President and CEO.

The concept of limiting risk to Inherent and Residual is sound – IF that remediation reduces risk to within Risk Appetite.


From the IIA

The reality is that Inherent and Residual Risk scores do not cater for the situation in which the level of residual risk is inconsistent with the entity’s Risk Appetite. This is left to the Internal Auditor to attempt to determine what the control environment should include to bring it within the Risk Appetite, sometimes in the absence of a defined Risk Appetite.
In this case, we need to know what the Target Risk score is, in terms of the Risk Appetite. The most important delta then is between the Residual Risk level and the Target Risk level, not between Inherent and Residual.

Of course there is the common problem that many (most?) entities do not have a well-defined Risk Appetite, and therefore it is almost impossible to confirm that a Residual Risk position actually is within the Risk Appetite. This makes development and communication of the Risk Appetite a critical step for an entity in its journey to becoming “well controlled”.

Therefore, as the Risk Appetite frequently is either non-existent or not well communicated and understood, the probability is that the Residual Risk position will not be in line with what would be the Risk Appetite. What is needed then is to determine what management considers the “Target” risk position should be for any risk, thus creating the de-facto Risk Appetite at that particular risk level.

Then, with a Target Risk score, it is possible to clearly communicate the difference between the Residual and the Target. That difference is the Internal Audit finding, and can be used to demonstrate the need for improved or additional controls, or can be used to demonstrate that existing controls are not operating effectively.

In an ideal world the entity will have a defined Risk Appetite statement, or Target risk scores for each identified risk, therefore having a de-facto Risk Appetite at the risk level. And in such an entity, all Internal Audit findings and recommendations should demonstrate how those recommendations will enable achievement of the Target, and therefore Risk Appetite. This will also allow management to petition an adequately senior authority to “accept” the risk or authorise resources to plug the gap.

Such “acceptance” should of course be in line with the Delegations of Risk Acceptance, but that is a topic of a different article.