Day 1: Auditors and Zombies

In a factory someplace, there are 20 workers whose job it is to continuously pass a ball to each other as quickly as possible. Watching this important work from a viewing area are 10 newly minted auditors selected from a Big 4 accounting firm. On this day, managers give each of the assembled auditors a pen and a notebook and explain that in order to satisfy a “regulatory requirement” they are to count how many times the ball gets passed during the day. The auditors with the correct answer will be promoted to Senior Associates by their firm; the rest will be fired and immediately hired by the factory as new ball-passing workers.

There are no issues for the first hour as the ball gets passed and counted by enthusiastic workers and auditors respectively. At around 10am the factory managers release a hungry zombie onto the floor whose job it is to make new zombies by biting the flesh off the ball-passers. Despite the hazard, the workers continue doing their important work while successfully passing the ball and evading zombie threats. The auditors continue counting passes from the safety of the gallery. No issues noted.

When the zombie has achieved its objectives it drags its prey to a corner of the factory where it dismembers the former ball-passer and feeds on its flesh. After several minutes, zombie-handlers remove the zombie and its “zombie offspring” and a new zombie is then introduced to the factory floor. This process continues until 5pm when the remaining ball-passers go home and remaining zombies are returned to their quarters.

At 5:15, managers assemble the auditors (who are hungry and tired from a long day of counting) in the board room. They are each given a special remittance form and an envelope and asked to write down the following: (a) the number of passes they recorded; (b) the number of zombies they witnessed; (c) their name; and (d) the phone number for their next of kin. Auditors then place their sealed envelopes in a metal box and take their seats. While the auditors enjoy some refreshments, managers review the responses in a nearby office.

When managers return at 5:30, the results are revealed. On this day, only one of the ten auditors recorded the correct number of balls passed but none answered the zombie question correctly. In fact, none of the auditors reported seeing any zombies during the day. (1)

It turns out the auditors were so focused on counting the passes that they didn’t notice the zombies or the gruesome disemboweling of workers.  (During their post-mortem meetings with managers, two of the auditors stated they were puzzled by “pools of maroon blood” and “the mess on the floor” that seemed to suddenly appear at 5:00, but postulated that it must have always been that way.)

Day 2: Risk Managers and Zombies

The following day, one risk management practitioner was hired to count ball-passes. This time, however, every time a zombie appeared, he hollered to the workers to stop passing the ball for a moment. The risk manager jumped down from the gallery and stabbed the zombie in the brain with his Sharpie. Upon his return to the gallery, the workers were asked to resume their important work and counting continued. At the end of the day, the risk manager not only reported an accurate tally of ball passes and zombies but none of the workers were harmed. None of the zombies met their objectives.

Moral of the story

To anyone who thinks audit is risk management and auditors are risk managers: remember that while auditors are busy counting their balls, risk managers are on the lookout for zombies.

Image credit: Going Loud Studios

(1) There is a paragraph in Richard House’s book The Kills/Sutler that partially inspired this post,  where he explains the reason why the auditors would not have noticed the zombies. It’s “because they’re too busy trying to get something right”.

In celebration of La Fête Nationale, Bastille Day, on July 14, here is an example of some poor risk management on the part of the British.

The late historian Robert Sobel once noted that the “British created a civil service job in 1803 calling for a man to stand on the Cliffs of Dover with a spyglass. He was supposed to ring a bell if he saw Napoleon coming. The job was abolished in 1945.”

Since the “short dead dude” died in 1821, I find it incredibly unlikely that this risk would manifest itself between 1822 and 1945. Napoleon was not coming.

Make sure to spend your time and money on the important risks. A guy on a cliff is just silly.

My 14-year-old son recently bought himself a not-so-inexpensive bike with his own money. On the Monday after the purchase he wanted to take the bike to school. I advised against this as he had a pretty lousy bike lock. “C’mon, dad”, he replied, “who’s gonna steal my bike in this neighbourhood?” (After all, we live in the suburbs and not in the worst part of Toronto where ruffians often steal $500 bikes so they can buy drugs and iPhones.)

“C’mon ______” is a routine response heard by many risk management professionals and fathers. Bad things happen, but they won’t happen to me is the way most people feel.

I confess, there have been times in my risk management career where I have wished cartoon disasters upon my employer like “I wish an anvil would fall on this computer which is not backed up” or “I wish everyone in the department won the lottery and quit at the same time”. I am not a malevolent person; I just figured if some kind-of-bad thing would happen then managers would take the management of their risks seriously. (And yes there may have been a moment where I wished the one-day old bike got pinched just to teach my boy a lesson, but the satisfaction from my “I-told-you-so” was not worth $500. Instead the thought passed and I lent him my lock for a few days. Sorry son.)

Despite getting him a quality lock, I explained that even with the best lock on your bike, a professional bike thief will still be able to steal your bike. You are merely reducing the likelihood of the risk by shifting the attention to the next bike with the crappy lock.

As I said yesterday, sometimes you don’t have to have the best risk management systems, just one that is better relative to the next guy.

There’s an old joke about two campers who are awakened by a hungry bear. The first guy yells ‘run’ but the second guy stops to put on his running shoes first. The first guy asks if his companion really thinks that the shoes will help him outrun the bear. To which the second guy replies, ‘no, I just have to outrun you’.

Sometimes risk management is the same way. You don’t have to have the best risk management system, just one better relative to the next guy.

With the news this morning that your eHarmony or LinkedIn password was posted on a Russian website, people are frantically changing their passwords today. Or so one hopes.

Why all the urgency?

Should anyone be concerned that some troublemakers are going to hack your LinkedIn profile and change your Harvard MBA to one from Ohio State (oh the humanity) or change your eHarmony preferred mate preference from athletic to BBW (oh the humanity)? What you should really be worried about is that your stolen password can also be used to access your bank accounts or email. (Oh, I hadn’t thought about that!)

In truth, the posting of passwords probably doesn’t matter because, according to a 2011 study of passwords, the most common passwords are the following:

1. password
2. 123456
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon

Shocking isn’t it? (I can believe people actually use ‘monkey’ as a password. Huh.)

This article also goes on to list some suggestions for creating and maintaining a secure password:

1. Vary different types of characters in your passwords; include numbers, letters and special characters when possible.
2. Choose passwords of eight characters or more. Separate short words with spaces or underscores.
3. Don’t use the same password and username combination for multiple websites. Use an online password manager to keep track of your different accounts.

I recommend one takes security a step further and also applies the same methodology that author Charles Lutwidge Dodgson employed in selecting his pseudonym Lewis Carroll.

Select a two word password and convert the first word to Latin and then back to English. Next take the second word of your password and convert it to the Latin and then back to Irish. Switch the first and second words and you have a password. Oh ya, and add one of these thingies too: & % $ or @.

I am always amazed that despite the enormous square footage of our planet and the tiny amount of poop produced by a bird that it is possible for my car to get hit. But it occurs despite how unlikely it would otherwise appear.


Shit happens.


We know this because history tells us it does. Shit happening is a universal truth. We do our best to live our lives and manage our businesses but the shit is always there. Look up or look down and it will be there. Call it bad luck, a black swan or an I-told-you-so. The shit will happen.

Risk management (read: shit management) makes an effort to do the following:

a) prevent shit from happening altogether;

b) limit the size of the turd that forms;

c) have enough wipes on hand to clean up the mess; or

d) make sure the shit falls on someone else’s lawn.


So what are you prepared to do about it?

If there are two things you have noticed about this blog, it is that I often write about zombies and the Moment of Risk Enlightenment. Today’s post combines both.

(Note: This post contains spoilers about season two of the Walking Dead.)

I was catching up on season two of the “post-apocalyptic” television show The Walking Dead this week. In episode seven the survivors learn that the Greene family barn is full of walkers (zombies). Up to this point the farm represented a safe haven; they had not seen any walkers on the farm since they arrived. Impact and likelihood were low. But was it?

As guests on the Greene farm for some time they were completely unaware that the walkers were locked in a barn 100 yards away, but once they experienced their Moment of Risk Enlightenment they felt: impact catastrophic and likelihood extremely likely.

Inherent risk didn’t actually change; only their perception changed once they became aware that the only things between them and death were a few padlocks and a fence.

Always try to assess your risks accurately and objectively. Try to keep emotion out of it to ensure they are properly prioritized.

A website dedicated to the popular show Lost published a post a while back about how each of the characters on the show would make a peanut butter and jam sandwich. I have borrowed this idea to illustrate how some finance or risk management professionals might make their own sandwich.

In my 4th instalment we look at how former equity analyst Henry Blodget might make a sandwich.

How to Make a Peanut Butter Sandwich: Henry Blodget

  1. Make an ordinary peanut butter and jam sandwich.
  2. Tell everyone that peanut butter and jam sandwiches are the best sandwiches in the world.
  3. Throw out your own sandwich because you really hate peanut butter and jam.
  4. Write a book about the sandwich.


In my third instalment of this increasingly less funny series, we look at how popular auditor and blogger Norman Marks might make a PBJ sandwich.

How to Make a Peanut Butter Sandwich: Norman Marks

  1. Add jam and peanut butter to bread.
  2. Perform a self-assessment to determine if that was actually peanut butter, jam and bread.
  3. Check off boxes.
  4. Ask Tim Leech if this is an adequate sandwich.
  5. Draft a new framework about how to make a peanut butter and jam sandwich.
  6. Solicit input on LinkedIn from others who like peanut butter and jam sandwiches.
  7. Publish findings in Internal Audit magazine.

A website dedicated to the popular show Lost published a post a while back about how each of the characters on the show would make a peanut butter and jam sandwich. I have borrowed this idea to illustrate how some finance or risk management professionals might make their own sandwich.

In my first PBJ post, we looked at how Nassim Taleb, author of The Black Swan might make a sandwich. In today’s post we look at how one of my Twitter chums, Donald van Deventer, founder of Kamakura Corporation, might make a sandwich.

How to Make a Peanut Butter Sandwich: Donald van Deventer

  1. Take Starship Enterprise to Japan to get radioactive peanuts.
  2. Return to Waikiki and crunch peanuts in nerd grotto to make peanut butter.
  3. Add generous portions of Kewpie blueberry jam to bread.
  4. Play ukulele.
  5. Enjoy sandwich with 100% kona at Island Vintage Coffee.
  6. Watch surfers.



Also, see how Norman Marks makes a PBJ