I’m a certified public accountant; however, I’ve spent most of my career as an internal auditor. Accordingly, I am a member of the Institute of Internal Auditors and have a subscription to their monthly magazine. It provides … well it’s fluff. Articles are brief, lack any depth, and the publication mostly exists so that on top of the subscription fee the IIA can make money off of copious advertisements for continuing professional education providers (they were also eager to sell my name and address to these providers so I could be inundated with mailings).
Anyway, a recent article really impressed me with its brazen detachment from reality. The writer basically went on to promote how very important effective risk assessment was and how all risks can and should be both identified and mitigated. To illustrate his point he discussed the 2011 tsunami in Japan. His argument hinged on how a 900-year-old scroll, basically an old newspaper, from that region in Japan described how a similarly high tsunami devastated the area back then. With such information in hand, everyone should have planned for such a large tsunami accordingly and so they’ve only themselves to blame for the destruction wrought in 2011.
This is logic that only works in the minds of auditors. It’s also a great example of hindsight always being perfect 20/20 vision. It also exhibits the danger in groupthink, which is endemic in the field of internal audit.
You see, auditors–in their need to justify their existence–insist that simply dealing with financial data and controls is just too limiting to them. As a result they’ve expanded into “risk” as a big factor in their work. As a result they use risk to justify any and all expansion of scope in their work, all the while berating management for not evaluating risk well enough. Invariably they fail to even properly apply their own stated concepts of risk assessment, that being the basic formula of Likelihood x Impact, and assume that because they can imagine a risk it must be significant.
In the case of the disastrous tsunami or the other go-to example, the September 11 attacks, they are always only half correct. Yes, the impact of those events was very significant to those affected, but the auditors are very bad at recognizing the probability. They’ll go on and on about how clearly every business needs to spend great money to fully mitigate the risk of a September 11th-level event because look at how bad September 11th was. How eager were they to crow about impending terrorist strikes in the United States on September 10, 2001? I was recently talking to an auditor and he mistakenly said that obviously businesses should have been preparing for such a thing given the prevalence of terrorist activities “worldwide.” Sure, suicide bombers are “common” in the Middle East, but how much terrorism has there been in Australia? Japan? Canada? Why would anyone use the risk profile of a Middle Eastern country to assess risks in New York City? Should the occasional sand storm also be taken into account when assessing risk in NYC? Also, how well has the existence of 9/11, or the 1993 World Trade Center bombing, and even the Oklahoma City Bombing, predicted the abundance of terrorist attacks to which the United States has been subject over the past ten years?
Having trouble racking your brain thinking of any? That’s because there haven’t been any of that level of significance. History can be a bad predictor of the future. Also, the fact that something has happened in the past doesn’t make it a certainty to occur in the near future (although damn near anything is likely over a large enough time period, which I guess means companies should start planning for the destruction of the Earth which is bound to happen eventually). It’s that whole “likelihood” part of risk assessment that I said auditors love to ignore. Like the 900-year-old scroll describing a tsunami of size similar to the one that happened last year. If a company had immediately reacted to the last giant tsunami and spent the money to make themselves resistant to a similarly sized one, they would have put a lot of resources into preparing for something that wouldn’t happen for almost a thousand years. Money that could have been put to better use in numerous other ways over that thousand years. Unless you’re talking to an auditor.