Latest Blog

Day 1: Auditors and Zombies

In a factory someplace, there are 20 workers whose job it is to continuously pass a ball to each other as quickly as possible. Watching this important work from a viewing area are 10 newly minted auditors selected from a Big 4 accounting firm. On this day, managers give each of the assembled auditors a pen and a notebook and explain that in order to satisfy a “regulatory requirement” they are to count how many times the ball gets passed during the day. The auditors with the correct answer will be promoted to Senior Associates by their firm; the rest will be fired and immediately hired by the factory as new ball-passing workers.

There are no issues for the first hour as the ball gets passed and counted by enthusiastic workers and auditors respectively. At around 10am the factory managers release a hungry zombie onto the floor whose job it is to make new zombies by biting the flesh off the ball-passers. Despite the hazard, the workers continue doing their important work while successfully passing the ball and evading zombie threats. The auditors continue counting passes from the safety of the gallery. No issues noted.

When the zombie has achieved its objectives it drags its prey to a corner of the factory where it dismembers the former ball-passer and feeds on its flesh. After several minutes, zombie-handlers remove the zombie and its “zombie offspring” and a new zombie is then introduced to the factory floor. This process continues until 5pm when the remaining ball-passers go home and remaining zombies are returned to their quarters.

At 5:15, managers assemble the auditors (who are hungry and tired from a long day of counting) in the board room. They are each given a special remittance form and an envelope and asked to write down the following: (a) the number of passes they recorded; (b) the number of zombies they witnessed; (c) their name; and (d) the phone number for their next of kin. Auditors then place their sealed envelopes in a metal box and take their seats. While the auditors enjoy some refreshments, managers review the responses in a nearby office.

When managers return at 5:30, the results are revealed. On this day, only one of the ten auditors recorded the correct number of balls passed but none answered the zombie question correctly. In fact, none of the auditors reported seeing any zombies during the day. (1)

It turns out the auditors were so focused on counting the passes that they didn’t notice the zombies or the gruesome disemboweling of workers.  (During their post-mortem meetings with managers, two of the auditors stated they were puzzled by “pools of maroon blood” and “the mess on the floor” that seemed to suddenly appear at 5:00, but postulated that it must have always been that way.)

Day 2: Risk Managers and Zombies

The following day, one risk management practitioner was hired to count ball-passes. This time however, every time a zombie appeared, he hollered to the workers to stop passing the ball for a moment. The risk manager jumped down from the gallery and stabbed the zombie in the brain with his Sharpie. Upon returning to the gallery the workers were asked to resume their important work and counting continued. At the end of the day, the risk manager not only reported an accurate tally of ball passes and zombies but none of the workers were harmed. None of the zombies met their objectives.

Moral of the story

To anyone who thinks audit is risk management and auditors are risk managers: remember that while auditors are busy counting their balls, risk managers are on the lookout for zombies.

Image credit: Going Loud Studios

(1) There is a paragraph in Richard House’s book The Kills/Sutler that partially inspired this post, where he explains the reason why the auditors would not have noticed the zombies. It’s “because they’re too busy trying to get something right”.

Who wouldn’t want Ryan Callahan on their hockey team? The New York Rangers’ captain isn’t the biggest star in the NHL but ask General Managers and fans throughout the league and everyone would be happy to have him suit up.

That is until you find out that Callahan is presently negotiating a contract extension seeking 7-years, $42 million and then maybe you don’t want him that much. (“That bum isn’t worth seven million bucks!”)

Risk management decision-making is just like this. Tell any leader about a high organizational risk and they will behave the same way: “What! We cannot have a high risk. Mitigate it. Eliminate it. Make it go away. We don’t have risks here.”

That is until they find out that it is going to cost them $49 million to treat that risk and then they change their mind. (“That risk isn’t worth seven million bucks!”)

Getting a hockey player is like getting rid of a risk: It’s a really great idea until you have to pay for it.

Image credit: Gannett

I’m off to Virginia Beach later this month so it seemed fitting that today’s post has a beach theme. This quote comes from Chapter 7 of Nathan Englander’s book “The Ministry of Special Cases” and you should remember these words whenever someone like me asks you to think about your organization’s risks.

“It’s like standing in the ocean and facing the beach.  It’s up to you to know what’s behind you. There’s always another wave coming, building in force and crashing down.”

If you’ve ever had the pleasure of putting many people in a room to discuss and assess risks you’d know that not everyone assesses every risk the same way. To some a particular risk is high, while to others it is low or non-existent (“C’mon, that’s not a risk!”)

But why is that?

In a 2011 article, Dan Lovallo and Daniel Kahneman explain that executives are “overoptimistic”, which can be traced to “cognitive biases – to errors in the way the mind processes information – and to organizational pressures”.

They go on to write that this optimism is “unavoidable” and “it’s unlikely that companies can, or would ever want to, remove the organizational pressures that promote optimism. Still, optimism can, and should, be tempered.”

Finally, on the subject of managing the risks associated with projects, they write:

When forecasting the outcomes of risk projects, executives all too easily fall victim to what psychologists call the planning fallacy. In its grip, managers make decisions based on delusional optimism rather than on a rational weighting of gains, losses, and probabilities. They overestimate benefits and underestimate costs. They spin scenarios of success while overlooking the potential for mistakes and miscalculations. As a result, managers pursue initiatives that are unlikely to come in on budget or on time – or ever deliver the expected returns.

Perhaps the next time you hire someone to perform a risk assessment or to manage a project, you should consider someone with a background in psychology instead of a professional accountant or PMP.

Quotes courtesy: Delusions of Success by Dan Lovallo and Daniel Kahneman. Harvard Business Review on Making Smart Decisions by Harvard Business Review (Apr 12 2011)

My 14-year-old son recently bought himself a not-so-inexpensive bike with his own money. On the Monday after the purchase he wanted to take the bike to school. I advised against this as he had a pretty lousy bike lock. “C’mon, dad”, he replied, “who’s gonna steal my bike in this neighbourhood?” (After all, we live in the suburbs and not in the worst part of Toronto where ruffians often steal $500 bikes so they can buy drugs and iPhones.)

“C’mon ______” is a routine response heard by many risk management professionals and fathers. “Bad things happen, but they won’t happen to me” is the way most people feel.

I confess, there have been times in my risk management career where I have wished cartoon disasters upon my employer like “I wish an anvil would fall on this computer which is not backed up” or “I wish everyone in the department won the lottery and quit at the same time”. I am not a malevolent person; I just figured if some kind-of-bad thing would happen then managers would take the management of their risks seriously. (And yes there may have been a moment where I wished the one-day old bike got pinched just to teach my boy a lesson, but the satisfaction from my “I-told-you-so” was not worth $500. Instead the thought passed and I lent him my lock for a few days. Sorry son.)

Despite getting him a quality lock, I explained that even with the best lock on your bike, a professional bike thief will still be able to steal your bike. You are merely reducing the likelihood of the risk by shifting the attention to the next bike with the crappy lock.

As I said yesterday, sometimes you don’t have to have the best risk management systems, just one that is better relative to the next guy.

There’s an old joke about two campers who are awakened by a hungry bear. The first guy yells “run” but the second guy stops to put on his running shoes first. The first guy asks if his companion really thinks that the shoes will help him outrun the bear. To which the second guy replies, “no, I just have to outrun you”.

Sometimes risk management is the same way. You don’t have to have the best risk management system, just one better relative to the next guy.

I am always amazed that despite the enormous square footage of our planet and the tiny amount of poop produced by a bird that it is possible for my car to get hit. But it occurs despite how unlikely it would otherwise appear.


Shit happens.


We know this because history tells us it does. Shit happening is a universal truth. We do our best to live our lives and manage our businesses but the shit is always there. Look up or look down and it will be there. Call it bad luck, a black swan or an I-told-you-so. The shit will happen.

Risk management (read: shit management) makes an effort to do the following:

a) prevent shit from happening altogether;

b) limit the size of the turd that forms;

c) have enough wipes on hand to clean up the mess; or

d) make sure the shit falls on someone else’s lawn.


So what are you prepared to do about it?


In Stephen King’s novel, Under the Dome, a small town in Maine becomes suddenly cut off from the outside world by “an invisible barrier of unknown origin”. If that sounds a bit too much like the Simpsons Movie or science fiction for you, simply replace the dome with any other sort of hazard (earthquake, avalanche, flood), force good (and bad) people to fend for themselves and watch mayhem ensue. It was an excellent book.

Without getting into the details of the plot and characters it made me think about disaster preparedness: lots of folks had generators but not enough propane to power them and one resident ran out of her OxyContin.

Like all things risk management, we know preparation is important but we rarely make time for it. In my home we have a large stockpile of food in our basement but I must confess this has less to do with disaster preparation and more to do with excellent sales. While we probably have enough cans of corn and boxes of Quaker Harvest Crunch to feed the family for a week, I am not sure how useful those cans of Hunt’s Manwich or Tuna Helper will be without ground beef and milk respectively.

According to the Government of Canada, in addition to canned goods and 2 litres of water per day per person, other items to have are a manual can opener (duh!), a flashlight and batteries, a wind up radio (I have a wind up radio with a flashlight!), a first aid kit, extra keys and cash.

I highly recommend the cash. As my classmate Anne Marie once said on the first day of B-school: “cash is primordial”. When I think back to August 14, 2003, when the lights went out in the northeast, I stood in the concourse of my office building and took note that the ATMs a few yards away were still running on emergency power. However I went back to my office first (elevator to 3rd floor still running on emergency power) to get my belongings, but when I returned the cash machines were out of juice. Lesson learned.

Next week (May 6-12, 2012) is Emergency Preparedness Week so have a read and get prepared.


If there are two things you have noticed about this blog, I often write about zombies and the Moment of Risk Enlightenment. Today’s post combines both.

(Note: This post contains spoilers about season two of the Walking Dead.)

I was catching up on season two of the “post-apocalyptic” television show The Walking Dead this week. In episode seven the survivors learn that the Greene family barn is full of walkers (zombies). Up to this point the farm represented a safe haven; they had not seen any walkers on the farm since they arrived. Impact and likelihood were low. But was it?

As guests on the Greene farm for some time they were completely unaware that the walkers were locked in a barn 100 yards away, but once they experienced their Moment of Risk Enlightenment they felt: impact catastrophic and likelihood extremely likely.

Inherent risk didn’t actually change, only their perception changed once they became aware that the only thing between them and death were a few padlocks and a fence.

Always try to assess your risks accurately and objectively. Try to keep emotion out of it to ensure they are properly prioritized.


In the series A Song of Ice and Fire which begins with the book A Game of Thrones, by George RR Martin, we are introduced to the Wall and the Night’s Watch.

The Wall is an immense fortification on the northern border of the Seven Kingdoms that defends the realm from “what lies North of the wall”. It was created over 8000 years ago and measures 300 miles in length and 700 feet in height.

The protectors of the Wall are a military order clad in black known as the Night’s Watch and they are as old as the Wall itself. While kings come and go and wars are fought in the Seven Kingdoms, the Night’s Watch’s allegiance is always to the realm.

As I see it, the wildlings and Others which lie North of the wall are risks to Westeros; the wall is the risk management; and, the Night’s Watch are the risk managers.

A couple of other takeaways from this analogy:

1. The Lord Commander, the final authority over the Night’s Watch is like our modern day Chief Risk Officer. What’s interesting is that unlike in the rest of feudal Westeros where only lords and knights rise to positions of authority, the Night’s Watch is a meritocracy. Even a common man can rise as high as Lord Commander. (Read: You can make anyone with strong leadership skills the CRO. The position doesn’t have to be filled by anyone else from the C-suite and they definitely don’t have to be a professional accountant.)

2. Like the Night’s Watch, who have an allegiance to the realm, modern day risk managers should only have an allegiance to the organization and shareholders and never to the CEO, CFO or gods forbid the head of internal audit. This approach has worked for 8000 years for the Night’s Watch so it should work for your organization today.

Finally, when someone joins the Order they take a vow; this is known as “taking the black”.  As you read this, consider how today’s risk managers should also take a vow like this:

“Night gathers, and now my watch begins. It shall not end until my death. I shall take no wife, hold no lands, father no children. I shall wear no crowns and win no glory. I shall live and die at my post. I am the sword in the darkness. I am the watcher on the walls. I am the fire that burns against the cold, the light that brings the dawn, the horn that wakes the sleepers, the shield that guards the realms of men. I pledge my life and honour to the Night’s Watch, for this night and all nights to come.”