People Risk: The Impact of Human Failure in GRC and What to Do About It. Part 1

After years of practice I have several broad observations about traditional GRC practices, the causes of failure they address, and how successful they have been in driving down failure rates.

  •  People Risk (human failure) is the single largest driver of loss events across the broad spectrum of human activity. Studies of SOX deficiencies, bank failures, broad governance failures, aviation disasters and car accidents all point to human failure as the leading cause, accounting for roughly 50% of failures of all types.
  •  Most GRC practices are based on a Control paradigm. It assumes that People Risk (human failure) can be managed with what GRC professionals consider controls. Traditional “hard” controls, so loved by many GRC professionals, are used to prevent or detect human failure. When People Risk occurs it is not recognized as human failure; it is treated as a control failure and as evidence that more controls are needed.

Unfortunately, attempts by GRC professionals to manage People Risk with a Control paradigm are failing.

Substantial and compelling evidence exists that People Risk-based approaches drive down failure rates. Examples are abundant in safety (especially air safety, where statistics abound), environmental incidents, and quality.

There is no evidence whatsoever that Control-based approaches to failure are effective. Despite them, failures persist across the spectrum of GRC activities, across industry verticals and across geographies.

Human failure falls into one or more of four broad categories. None of them is susceptible to traditional “hard” controls.

  •  Purpose Risk – People or groups do not understand the objectives they should be achieving or why those objectives are important. As a result they pursue activities not aligned with corporate objectives.
  •  Capability Risk – People or groups do not have the knowledge and skills necessary to perform their responsibilities.
  •  Commitment Risk – The SEC calls this compensation risk and has addressed it at least partly in Release 33-9089, Proxy Disclosure Enhancements. Reward systems (or the lack of disincentives) skew individual or group behavior to a dangerous degree.
  •  Integrity Risk – People or groups may engage in dishonest or unethical activity.

Here is an example. Several months ago the press reported an incident in which two pilots apparently took an in-flight nap in the cockpit and overshot their destination by 150 miles.

I will illustrate, a little tongue in cheek, how the People Risk and Control-based paradigms might respond.

  •  Control paradigm – make cockpit alarm clocks mandatory. Inspect and test them regularly. Investigate the feasibility of Continuous Control Monitoring (CCM) using motion detectors for long-haul flights.
  •  People Risk paradigm – fire the pilots. This behavior is unacceptable.

A People Risk paradigm assumes that if people are given specific objectives, if they are trained to achieve those objectives, if their accountability and reward systems are aligned with the goals, and if standards of behavior are set and enforced, then the risk of human failure will be managed. It embraces a much more optimistic philosophy of human beings.

The People Risk paradigm suggests that if people are the cause of failure, deal with the people. It is actually quite refreshing.

I understand, by the way, that the pilots in this anecdote were fired and their pilots’ licenses revoked. They knew what to do, they knew how to do it, they knew they were accountable and they knew the behavior expected of them. The root cause of the failure was human failure.

“Alarm clocks”, or “hard” controls figuratively speaking, do not address the root cause. If these pilots had not been fired, if their behavior had been tolerated, what would the impact have been on Commitment Risk? What message would have been sent?

The Control paradigm suggests that people failure is the result of a control failure and that more controls are required. “Hard” controls can be audited. Assurance is visible.

Our corporations have plenty of very useful “hard” controls. We have monitoring reports, we have restricted access, we have passwords, etc. Many of these are efficient and necessary. Having the right kind and the right mix of “hard” controls makes sense. I wear a seat belt when I drive my car. Seat belts are cheap, unobtrusive and effective.

 Here are some examples of People Risk misidentified as control failure.

Thousands of reported SOX deficiencies point to incompetent or dishonest CFOs, CEOs or Audit Committees, or to compensation systems that rewarded bad behavior. Yet they are reported as control deficiencies. I suggest that AS5 create a new category of reportable deficiency called People Risks. Analyses of SOX deficiencies suggest that about 50% or more of failures are in the COSO Control Environment component, which is People Risk.

Very few, if any, internal or external audit reports include findings and recommendations related to People Risk. They report control failures.

“Management override”, a popular AS5 notion, is not a control failure; it is a People Risk.

Breakdowns in segregation of duties are not control failures; they are People Risks.

Massive compliance breaches are not control failures; they are People Risks.

And in all these cases it is the people, not the controls, that need to be dealt with: through coaching, training, accountability and reward systems, or a change of job.

The SEC has specifically recognized Commitment Risk, one component of People Risk, in Release 33-9089, Proxy Disclosure Enhancements.

It would be interesting to explore how regulatory frameworks and the GRC professions could address the other People Risks.

I’ll address this topic in a future blog post.

 Please send me your comments and questions.

This entry was posted in Compliance, GRC, Internal Audit, Risk Management.