Internal Controls Design
consulting and research for internal control with risk management
"A pocket guide to risk mathematics: key concepts every auditor should know": Favourite paragraphs
Here are some of my favourite, short excerpts. They give a flavour of the writing style and content:
On how the book is designed
The introductory paragraph:
"This book is designed to do one job very well. If you read it as it is designed to be read, step by step, from start to finish, it will transform your understanding of risk and the mathematics involved, and will give you the confidence to tackle audits that would have been out of reach without it."
From page 3:
"Filling your mind with the basic concepts and terminology of a discipline is the fastest way to start becoming an expert and a great way to become a good amateur. That’s why this book is made up of small, digestible chunks, each focusing on an idea and its terminology."
"Many years ago I had to make myself an expert in telecommunication businesses and to get started I bought a book called Pocket Telecommunications that had alphabetically ordered entries explaining industry jargon. I read it every day on my train journeys to and from work. After about two weeks I had finished the little book and I felt different. I was different. I could read books and articles about the industry and understand what they meant. I could talk to people with years of telecommunications experience and get away with it."
"Most amazing of all was that I found I was more of an expert than most people I worked with, many of whom were supposed to have years of industry experience behind them. It’s astonishing what a little homework can achieve when it is focused on the right things."
From page 5 on the myth of mathematical clarity:
"Mathematical thinking about risk and uncertainty is far ahead of the muddle that most of us have in our heads. Understanding its fundamentals will make many things clear to you, perhaps for the first time."
"However, it’s a myth that mathematics is clear. A lot of mathematical writing is diabolical. Never assume you can’t understand some mathematics because you are ignorant or stupid. It’s very likely that the main reason you can’t understand, even after a sincere effort, is that it is written poorly."
From page 9:
"Time and again you will find that what people have done has led to a misstatement of risk, usually an understatement. Consequently, risk is not being taken as seriously as it should be. If you can get the risk analysed or presented more fairly then you can change how people respond to it and perhaps prevent some of the disasters of the past from happening again."
On the philosphically muddled problem of interpreting probabilities
From page 12:
"A lot of ideas about probabilities are controversial among theorists or take a while to understand, but what we know for certain is that probabilities work. There are people who talk about and benefit from using probabilities and this has been true for hundreds of years."
From page 17:
"Not everyone who uses probabilities interprets them in the same way and misunderstandings can occur with practical and painful consequences."
"The explanations below focus on what most people actually think and do today, rather than going through all the many proposals made by philosophers, scientists, lawyers, and others down the centuries."
"Unless you’ve studied the meaning of probabilities in great depth do not assume you know this already!"
Some illustrative audit points
From page 32, a mistake found easily in most large organizations today:
"Many people in senior positions have been encouraged to believe that they need to focus on the ‘top 10 risks’. I wonder how they would feel if they understood that events are defined by people and can be redefined to suit their purposes."
"Imagine you are a manager in a risk workshop and somebody has just suggested a risk for inclusion in a risk register that (1) you would obviously be responsible for, (2) will probably be in the top 10, and (3) you can’t do much about. You don’t want the risk to be in the top 10 and to get beaten up by the Board every quarter so you say, ‘That’s a really interesting risk, but I think to understand it fully we need to analyse it into its key elements.’"
"You then start to hack the big ‘risk’ into smaller ‘risks’, keeping on until every component is small enough to stay out of the top 10."
"The point is that the size of a ‘risk’ is heavily influenced by how widely it is defined."
"Most of the time the level of aggregation of risks is something we set without much thought, so whether something gets into the top 10 or not is partly luck. Auditors should highlight this issue when found and suggest either the level of aggregation of ‘risks’ be controlled in some way or top 10 reporting be abandoned and replaced by a better way of focusing attention."
From page 44, another of the common mistakes:
"When we talk about ‘impact’ another possible confusion is between a measure such as money and how much we value the money. The word ‘utility’ is often used to mean the real value we perceive in something."
"For example, a financial loss like losing £1 million is surely more important if this amount would destroy your company."
"When we talk casually about ‘impact’ there is always the danger of overlooking this point and flipping from thinking in money terms to acting as if it is really utility we are talking about."
"The two ways of thinking give different answers. Suppose we have two ‘risks’, one of which can lead to losses in a narrow range, with the average being £100,000. The other also has an average of £100,000 but the range of possibilities is much larger with a possibility of losses that ruin the company."
"Is it fair to treat these two losses as having the same impact? In financial terms their average is the same but if we translate to utility and then take the average the second risk is considerably worse."
"Some organizations try to express a ‘risk appetite’, which is supposed to help employees respond consistently and appropriately to risks, especially the bigger ones. If averages (or other midpoints) from money impact distributions are being used then the risk appetite initiative is seriously undermined."
A selection of other paragraphs I like
From page 82, introducing the beta distribution:
"The beta distribution is one of my favourites. It’s got two good things going for it. First, by choosing different values for its two parameters it is possible to put it into an amazing variety of shapes. Second, it is a really simple way to show your current views about success/failure rates."
From page 95:
"When I was a teenager I watched Star Trek on television (the original series). Each week the crew of the Enterprise would get into a perilous situation, often because randy Captain Kirk had done something impulsive. They would then be forced to take an extremely dangerous course of action, at which point Science Officer Spock, a Vulcan famed for his command of logic, would sometimes say something like ‘Captain, the odds against surviving are 1,233.5 to one, approximately.’"
"At the time I thought this quite impressive, but thinking about it later I realized something was not quite right. Despite these long odds against surviving they always did. Where had Spock gone wrong?"
From page 110:
"Take a moment to consider how great this is. We built a model of how various things, some we choose and some we don’t, contribute to a result we care about. Then we expressed our uncertainty about their values. The Monte Carlo simulation then worked out how our various uncertainties feed through to a prediction about the result we are interested in. And, finally, it showed us which uncertainties are most important."
"In short, we did a risk analysis. However, instead of a jumbled list of badly defined sentences thrown together in a workshop, we used variables structured into a clearly defined mental model. And instead of relying on some kind of intuition to guess the ultimate impact of various things that could happen we captured the things we knew most easily, and then let our model and the software tool work out the rest."
From page 169:
"If you can say heteroskedasticity after a few drinks then you’re definitely starting to show some confidence with risk mathematics! (Read it carefully and say it to yourself a few times to make sure you pick up all eight syllables.)"
"Graphs of share prices show how they go through periods of relative stability where prices do not move much each day and then other periods of higher volatility where the prices move much more. This changing variance of movements is called heteroskedasticity."
And the last paragraph in the book?
"Certain weaknesses are very common in applications of mathematics to ‘risk’ and the harder you look for them, the more you will find:"
"Good luck in your auditing!"
In the UK try Amazon.
In the USA try Amazon.
Anywhere else, check Wiley's page on where to buy.