The power of Why
I love to tell the story of Juliano. His father, Julio, was the manager of a hotel on the Adriatic coast of Italy that my family visited several times. Julio then purchased a hotel of his own near Rimini (not far away).
It was there that I met his young son, Juliano. The kid was maybe 5 years old and spoke very little English – just what he had picked up living in the hotel with many English guests.
Juliano followed my brother and I everywhere. If we played table tennis, he was watching. If we went to the beach, so did he.
He followed us with one word, repeated constantly: “why?”
Why were we going to the beach?
Why were we going to play each other?
Why?
It’s a great question and not always easy to answer, and I didn’t want to dismiss the cute kid out of hand.
He made me think – a very important activity.
Why is a great question for practitioners to ask.
Why are you doing that? Why aren’t you doing this?
Why are you performing that reconciliation?
Why are all your direct reports in this meeting?
Why are you selling that product?
Why are you managing cybersecurity in-house?
Why are your top salespeople given the best customers?
Why are your freight costs so high?
Why is your scrap level this high?
Why are you getting so many product returns?
Why do you use different software solutions in different parts of the business?
If the answer is not readily forthcoming, something may be wrong. Perhaps there is no good reason for what they are doing. Perhaps there used to be a good reason, but times have changed.
Don’t accept these answers:
- Because we have always done it this way
- Because the auditors told me to do this
- Because it’s “best practice”
- Because that’s what the framework requires
- Because the IIA says we have to
- I don’t know
It’s also a great question for practitioners to ask of themselves?
Why does it take so long to assess a risk?
Why isn’t the CRO involved in strategy-setting meetings or quarterly performance reviews?
Why do you need so many risk officers? Where is the ROI?
Why are you telling them what the risk is? Why aren’t you asking them instead? Why don’t they know?
Why do we need to follow this framework, or any framework?
Why are you writing that report? Why aren’t you having a discussion instead?
Why aren’t you being asked to perform advisory work every day?
Why do we need to follow IIA Standards (for internal auditors)? Why is that the best way to deliver value to our stakeholders?
Why does the IIA have Standards? Why are they, or are they, the way all highly effective internal auditors should work?
Why are you spending so much time documenting your work? Why do you think the time is worth spending, delivering more value to our customers than it costs?
Why does the IIA think you need documented methodologies for your work?
Why does the company need a chief risk officer?
Why does it need a risk committee? Why does it believe that risk, strategy, and performance should be discussed separately?
Why are we here?
Why are you reading this?
If you have read the draft IIA Standards and not answered my poll, why not?
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
I think of your unacceptable answers, “I don’t know” is a good first step! Assuming it leads to more genuine inquiry afterwards to find out the real answer.
I also like “why else?” to try and avoid focusing only on the first thing that comes to mind.