What Skills Do You Need to Audit Risk Management?

A good friend at a large company recently asked me this question. He was looking for skills beyond what is required for any internal audit engagement.

In this post, I want to share my reply and his conclusion to see what we have missed. How would others answer this question?

This is what I said: 

Have a look at this: http://normanmarks.wordpress.com/2010/11/25/one-size-fits-all-for-erm/
  1. I would prefer that the team include somebody with deep experience in risk management. This is one of those audits where I would not want the team to learn on the job, although it is possible for them to do a passable job if you have people with the right (other) skills and experience

  2. A business focus, understanding that risks are part of running a business and you neither can nor should eliminate them. If you eliminate risk, you eliminate the business. Risk management is about how you deal with uncertainty, taking advantage of opportunities and limiting downside exposure – deliberately and with knowledge of what you are doing. Take the risks you need to and can afford. Make decisions with knowledge of related risks and with determination of how they will be monitored/managed. Be prepared to change strategies and decisions as risks change

  3. An understanding of why you need risk management. What is it? Why do we say that managing risk should not be a separate process, it needs to be embedded in how you run the business?

  4. What value is needed from the risk management function and process at the company? Understand the ‘context’ for risk management (see the post I referenced)

  5. Knowledge and understanding of the accepted risk frameworks. Although I prefer ISO:31000, the audit team will probably have to work with the corporate standard. If the company does not use an accepted framework, the audit team needs to be able to not only ask why not but understand whether this is a problem. What does the corporate standard omit or get wrong, if anything?

  6. The ability to work with all levels of management – including the executives at the top. They need to be interviewed to ensure they are involved in and support risk management, get the risk intelligence they need to make decisions and allocate resources, etc. Assess whether the information needed flows to and from those involved in risk management

  7. Sufficient insight to be able to make constructive recommendations for improvement

  8.  

My friend decided these were the skills he sought:
Business and industry understanding/knowledge (e.g., knowledge of our risk history, risk and control landscape, risk appetite, internal and external environmental factors that will influence the company, our mission and strategic plan, product lines, and understanding of business drivers)
  • Facilitation skills (perhaps with knowledge of automated, anonymous voting technology) to facilitate assessment discussions with business unit risk officers

  • Knowledge of risk responses (auditors tend to focus on developing controls to manage risks, rather than the full range of risk responses)

  • Risk evaluation (perhaps basic understanding of risk quantification and risk financing - elements of underwriting, insurable risks)

  • Understanding corporate strategy and business planning (linkages to risk identification and resource planning)

  • Knowledge and understanding of the accepted risk management frameworks (COSO, ISO:31000, etc)

  • Ability to work with, and easily converse with, all levels of management

  •  

What would you add or change?

 

Posted on Dec 6, 2010 by Norman Marks

Share This Article:    

  1. I believe a deep understanding of the external and Internal environments affecting the entity and its business would be a great advantage.

  1. Don't under-estimate the importance of the soft selling skills.  Someone needs to help everyone undestand why risk is an enterprise (every employee) problem.  This alignment and colelctive ownership of the risk will help ensure that the risk mitigetion plans and update processes will be undestood and embraced.

  1. One other important attribute - business savvy / thick skin.  To effectively evaluate risk management, one must look at overall governance and, invariably, the role the Board plays relative to risk oversight.  There's a pretty good likelihood that gaps will be found that point toward the Board and C-Suite.  Being able to navigate that will be critical to succesfully completing a comprehensive assessment of risk management.

  1. A really good audit can be a very powerful improvement vehicle for improving risk management programs. However, I think that auditors need to be careful when undertaking assessments not to start assessing risk instead. I would be slightly worried that the friend is veering towards the latter because of his focus on risk management techniques (in particular that he is expecting to facilitate assessment discussions).  I think that your suggestion of including an expert in risk management in the audit team is a better one, but I think that the choice of the expert should not be entirely at the IA team's discretion, as there are many different schools of risk management, and if the expert (or the auditor) had a very different approach to that adopted by the organisation or the risk team it is likely that there could be disagreements. As a risk manager I'd rather have an audit focused on a good risk maturity framework that could be repeated on a regular basis and add some real value to the direction of the risk program for the organisation. I'm always slightly surprised that these seem to be few and far between, at least in North America. In my previous country and industry risk is regularly assessed by external as well as internal audits and has been for many years, whereas here this appears to be a relatively new concept despite being one of the key tasks for Internal Audit. This would seem to be an area where it would be very helpful if the professional bodies for risk management and the IIA worked together to produce guidance on approaches and standards for reviewing risk programs, and perhaps even workshops and training.

  1. Cont..

    Otherwise individual internal audit departments will go on developing assessment schemes and approaches of variable quality and usefulness, which may also hinder the joint working which should be an ongoing feature of the relationship between IA and risk management.

    I would be a little concerned that an auditor felt he was lacking in facilitation skills, had weaknesses in talking to people, or didn't understand the business or the environment. These would seem to me to be baseline audit skills/knowledge for all but the most newly qualified (and a newly qualified /inexperienced auditor is not a good pick to lead an organisational risk review). Otherwise I think that the points made by Norman are good - I'd be happy (although probably apprehensive too) if you were auditing the risk program at my organisation.

    I also agree that risk management can’t be considered in isolation, but rather as part of a wider focus on governance. One of the reasons why including an external expert on risk management can be advantageous is that the more difficult conversations and recommendations can be made with that more dispassionate approach, especially given that IA themselves are a key governance component and should play a role in the risk management process.

  1. Great comments, Jacquetta.  I'd also like to see a team member (or members) who are familiar with the variety of risk management processes (not just ERM) that exist within the organization.  I've seen "ERM" used to describe just the insurance needs of a company, or just the systems engineering (programatic) risks, or just the financial/credit risks of a company.  These can be disconnected from the overall ERM process, or they can be combined and coordinated efforts, or some partial effort in between.  If the audit team has some familiarity with the variety of risk management processes, then there is a much greater potential to add value in identifying duplicate practices or best practices.

Leave a Reply