Risky Business: Are You Following the Right Risks?

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 


The guidance I provide most often to internal auditors is to “follow the risk.” It’s easy for internal auditors to go through our own process of assessing risk in an organization and auditing against those risks. But if we are focused on the wrong risks — that is, risks that are different from the ones senior management and the board are worried about — then I think we ought to ask ourselves why.

I’m not saying that you should take management’s assessment of the right risks as gospel. I’m saying that if you’ve compiled a list of things you believe are keeping your stakeholders awake at night, and that list doesn’t match what they say is keeping them awake at night, then you need to be able to explain why. This is along the same lines as my recent post on alignment, Are You Auditing Up the Wrong Tree?

So what risks are on management’s radar? Accenture recently surveyed C-level executives from 446 global companies in the banking & capital markets, insurance, energy & utilities, health, and public service industries. Detailed results of the annual survey aren’t due out until later this month, but Accenture has been posting infographics on its website to whet our appetite.

Legal risks made the list for 62 percent of executives, followed by business risks (52 percent) and regulatory requirements (49 percent). Strategic risks, operational risks, credit risks, and market risks all ranked in the mid-40 percent range. Virtually all (97 percent) said risk management is a higher priority for them than it was two years ago, and more than 80 percent said risk managers discuss risk regularly with the board.

The risks that an organization faces are constantly ebbing, flowing, and evolving. As an internal auditor, you have to recalibrate and realign continuously, because an organization’s portfolio of risks is a moving target.

So what is keeping executives up at night? More than 90 percent of those in the Accenture poll said risk management was critical in areas such as compliance and reputation management.

The opportunity for those of us in the internal audit profession lies in the fact that fewer than 30 percent of those executives said they were using their risk management capabilities effectively in those areas.

One reason for this may be that only 8 percent of the survey population considered themselves to be trained in risk management and mitigation. These are so-called “risk masters” who, though only a small percentage of the survey sample, tended to be more focused on strategic and emerging risks.

Accenture’s survey suggests that executives are going to be looking for guidance when it comes to risk management assurance. I think that’s a real opportunity for internal auditors skilled in risk management — such as, say, the more than 13,000 of you who have obtained your Certification in Risk Management Assurance (CRMA).

How do things look within your organization? Are you focused on the right risks? How do you calibrate that? Tell us what works for you.  

Posted on Sep 3, 2013 by Richard Chambers


  1. Richard, I have a few comments that I hope will augment your suggestions:

     1. Don't worry about what the executives say they worry about, because they won't always tell you what they worry about in their own area. They will be happy to point you to what others may be doing poorly.
     2. Make sure you understand, and hopefully management understands, the risks to achievement of their corporate objectives. What might derail such achievement? What are they relying on to happen, and what are they doing to ensure it happens? What assumptions are they making about what will happen?
     3. Do you know what is on the agendas of the executive leadership meeting and the full board meetings? That is what they are really worrying about.
     4. Worry about the future, not the past. What might happen in the future that needs to be addressed? I advise people to audit where the risk is going to be (misquoting Gretzky).
  1. Richard, you are right to question which 'risk register' the internal auditors should be using, theirs or the C-suite's. If the C-suite register is considered by internal audit to be accurate and complete, they should use it to drive out the audit plan. If they continue to ignore it they are, at best arrogant and, at worst, negligent. If the register is not complete and/or accurate (as per Norman's comments), internal audit should report this to the audit committee, especially as many jurisdictions require organizations to have determined their significant risks. While I have sympathy with internal audit departments who take the easy way out and set up their own risk register, it is not doing them any favors in the long run. Although I'm now retired, I had to set up a risk register for a charity and found that standards published for that sector (housing) were a good starting point. Similarly COSO's 17 principles should be a starting point for any risk register in the US. Although a comprehensive risk register for a large organization will contain many risks and this may seem daunting, internal auditors already know these risks and their associated controls. They are in their audit files! The only problem is they are not collected into a central database. In order to understand the problems of setting up a risk register, and building this into a risk and audit universe, I'm setting one up for a fictitious retailer. One technique I am finding useful is to use 'mind mapping' software to set out objectives/risk/controls hierarchies and I'll be publishing details on my website in the next month, or so... Norman, I can see where you're coming from. One approach to prevent this scenario is for internal audit, possibly in conjunction with external auditors, to facilitate a risk workshop for board members.
  1. Let's face it, Internal Audit works for the Audit Committee, the Board and the C-Suite. Since the word Assurance means "something that inspires or tends to inspire confidence", we are expected to provide an independent view of the risks that may affect the organization's ability to meet its goals and strategies. If the C-Suite is concerned about something, we may be unaware of an upcoming strategy, merger, expansion, etc. "If we don't know where they are going, how can we help them get there?"

    Since the people who need to understand and probably rate our value include the C-Suite and the board, their input must be considered.

    In maintaining an independent Internal Audit team, our thoughts and concerns must be a prime factor in building the Audit Plan. The inputs from all areas of the organization must be considered as a resource to our decisions if we are to continue to be a resource to the organization.


  1. If your organization has a robust ERM, then I agree you should follow the leaders. However, in my 40+ years in audit and management roles, I have yet to see a robust ERM in place, and surveys will tell you organizations with robust ERMs are still in the minority. Generally, I see a lot of emphasis on reputational risk in strategy documents, but that risk is vaguely described and therefore not well addressed. Although there is usually a general compliance risk statement, it is usually focused on a few pieces of industry-specific regulation rather than the gamut of legislation that would apply to the business, including criminal codes. Risk of fraud and unethical behaviour is generally not on the radar, or not high on the radar. There is generally a feeling of trust among senior management that employees are loyal and, in the case of professionals, wouldn't be involved in unethical behaviour. Executives don't address topics that they don't understand or don't want to understand or believe.

  1. I think we would be a whole lot more focused on the right risks if our risk register did not start with a risk assessment. The very first step is creating operational context: asking questions about what the overall goals are, and what has been set up so far to achieve them; understanding the beast that is the organization from multiple perspectives. What are its motives (strategy, objectives) and current capabilities (physical resources, structure, people, etc.)? Understanding the vision, strengths and vulnerabilities of the organization before ever considering risk puts the auditor in management's shoes and sets them up to be able to define, prioritize and communicate risks more effectively. Imagine showing up to a Super Bowl party where you only have a little background on the teams playing. At a particularly heated moment in the game you shout, "Don't put him in, don't you know that 5-foot-10 running backs drop the ball more than those of any other height?" You would attract many strange looks. This is what many audit reports feel like to management when the auditor does not understand the organizational beast.
  1. Richard: Great post. From my perspective, I think trying to follow the "right risks" starts with a sound understanding of what the organization's top value creation objectives are, as well as objectives with high potential to erode entity value. We sometimes refer to the latter as "foundation objectives". These include objectives like ensuring the company publishes reliable financial statements in compliance with GAAP, complying with potentially high-impact laws such as FCPA and AML, and other objective types that have proven to have the potential for significant negative impact. In my 25 years in the game I have only occasionally seen internal auditors tackle risk assessments of the top value creation/strategic objectives in their organization. Once there is a clear view of this universe of truly important objectives, work to ensure the key risks are being identified and managed should begin. What I am advocating is an "objective centric" assurance approach. ERM and IA efforts that try to identify "top risks" without first asking what the top objectives are have often failed. IIA Canada is offering a free webinar I will be presenting to all IIA members on "Board driven/objective centric ERM and IA" on October 8th.
  1. There are many variables/aspects of organisational objectives to be considered. We need to get the organisation to look at as many of these variables (and criteria thereto) as possible. Focusing on certain significant risks, as would be the case when these are highlighted for attention by whoever, demeans the meaning of what a significant risk is. All significant risks identified (through a deliberate, systematic process) need to be considered.

    But by focusing on the processes, whoever is responsible for the respective organisational objectives is directed to that deliberate process encouraged by internal auditing in its consulting role - the different directions one has to ensure one has considered rather than just particular directions pointed out by those higher up.

    An objective centric approach, as Tim Leech puts it, is therefore more consistent with what internal auditing strives to get the organisation to do. It is disappointing when the c-suite and the audit committee do not practice what they preach.

    Internal auditing adds value when it conducts the appropriate engagement in particular circumstances. Where the prerequisites for an assurance engagement are satisfied, it provides an independent assessment. This should not, however, be the only assessment, as the c-suite and audit committees seem to imply.

    Periodic self assessments on the adequacy and effectiveness of governance, risk management and control processes by respective organisational units should provide the required assurance. After all, similar reliance and assurance on the organisation's periodic financial statements is not withheld until they are audited.

  1. In my ongoing discussions with many corporate board members and senior management, one of the two criticisms I hear most frequently is that "you guys (internal audit) are not focused on the risks/issues that I care about". In other words, we are not delivering the assurance service that board members are looking for because we are not giving them feedback on the state of the "real risks" from their perspective, the ones that keep them awake at night. Board members most often look at these risks from an "inherent" point of view (i.e., not "residual"), so they want us to confirm/tell them whether or not management has the mitigation in place that they need (or say they have). Note that these may not be the risks that senior management (or other levels) identify as the principal ones. If we view the Board/Audit Committee as our ultimate client, we need to include in our plan a fairly significant percentage of our time on assurance about the risks they see (or we need to educate them on the risks they should be thinking about).
