June 2011

Navigating Risk Management

By assessing and reporting on how executives manage risk, auditors can provide assurance that the ERM program is sailing in the right direction.

 

Norman Marks, CPA
Vice President
SAP

 

Although the International Standards for the Professional Practice of Internal Auditing (Standards) require that internal auditors provide assurance on risk management, relatively few internal audit functions had performed audits of the full enterprisewide risk management (ERM) program until recently. After all, auditing ERM has not been a traditional expectation or core competency of internal auditing.

 

However, the failure of financial services and other companies around the world that led to the economic crisis and recession has been attributed, in large part, to a combination of governance and risk management deficiencies. Arguably, the greatest risk to an organization is the lack of an effective ERM program. According to The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2010 Report on ERM: Current State of Enterprise Risk Oversight and Market Perceptions of COSO’s ERM Framework, only 3.4 percent of respondents rated the maturity of their ERM process as “very mature,” with 17.4 percent saying it was “somewhat mature.”

 

Internal auditing has a major role to play in assessing the adequacy of risk management, reporting on the condition of the program — which includes the risk management to the board and executive management — and enabling improvement through value-adding recommendations. This includes reporting on the risk management framework (i.e., policies, organization, and processes). As IIA Standard 2120 states: “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.”

 

This does not mean that internal auditing should audit the content of management’s risk reports to confirm they are complete and accurate — that would be substituting their judgment for management’s. Instead, internal auditing should focus on auditing how management performs risk management. Does the risk management program meet the needs of the organization, providing reasonable assurance that risks can be managed within desired ranges, enabling the organization to achieve its strategies and objectives? There are two primary approaches to auditing the risk management program. One is to examine the elements of the program for compliance with the International Organization for Standardization (ISO) 31000:2009 or COSO ERM standards. An alternative method is to assess whether the risk management program meets the needs of the organization.

 

UNDERSTANDING THE ORGANIZATION’S NEEDS

Risk management helps an organization see and take action on uncertainties related to the achievement of its objectives. Those uncertainties can be potential obstacles (e.g., the loss of key personnel, the impact of a natural disaster, or losses due to the theft and disclosure of confidential information) or opportunities (e.g., the failure of a competitor or the ability to hire individuals with exceptional talent). By managing these uncertainties, organizations are able to improve the likelihood of achieving their strategies and objectives.

 

The value of risk management is that not only does it serve to protect value, but it enables sustained, optimized performance. The COSO Enterprise Risk Management–Integrated Framework says, “Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management provides a framework for management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance its capacity to build value.” COSO also states, succinctly, that “enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.”

 

Another way of thinking about the value of risk management to an organization is that it helps management make better decisions. When decisions are made with an understanding of all relevant information, including the upside and downside of risks and opportunities, they are more likely to be quality decisions that lead to improved performance.

 

Risk is something that needs to be managed continually. Risk levels change, and new risks emerge. Operation of the enterprise, including key decisions, cannot wait until a periodic review and assessment of risks is completed. However, the frequency of risk activities such as risk monitoring and assessment varies from business to business and has to be tailored to the organization’s specific needs.

 

The ISO 31000:2009 global standard sets out principles for effective risk management that include:

 

  • Risk management creates and protects value.
  • Risk management is an integral part of organizational processes.
  • Risk management is part of decision-making.
  • Risk management explicitly addresses uncertainty.
  • Risk management is based on the best available information.
  • Risk management is dynamic, iterative, and responsive to change.
  • Risk management is tailored.

 

These principles are referenced in a recent IIA Practice Guide, Assessing the Adequacy of Risk Management Using ISO 31000, although the principles in the guide apply equally to organizations that use other risk management frameworks (see “Risk Resources” below). The ISO standard explains that when management is developing the risk management program, it is important to understand the business and the environment within which it operates. This helps define what management needs from its ERM program, which is then tailored to meet those requirements. In the same way that an auditor assesses whether the design of internal controls is sufficient to manage business risks, so should the auditor assess whether the organization has adequately designed the risk management program to meet the organization’s needs. Where possible, the auditor should start by reviewing the process management followed when the risk management program was designed.

 

Marks_Risk ResourcesWas an acceptable standard or framework followed? The program is more likely to be effective if the process outlined in a recognized risk management standard or framework was followed. If a recognized framework was used, but then customized, what were the changes and why were they made?

 

What is the nature of the risks that need to be managed to achieve objectives? The auditor should consider:

 

  • How the organization achieves value, and the strategies it uses to deliver optimized value. For example, a city council delivers value through its services to residents; its risks may include weather and fuel costs. A consumer products company may be more focused on risks related to revenue, profits, and share price.
  • The business sector the organization operates within. A financial services company with active trading of securities or a portfolio of insurance risks will generally use different risk management techniques than a gold mining or trucking company.
  • The external context for the organization, including the regulatory environment, the demands of the community (for example, some companies are constrained in what they can do by the presence of neighbors near the chemical plants they operate), the presence of competitors (including how quickly new competitors may emerge), and the economic environment for each of the geographic areas where the organization operates or has customers.
  • The major strategies and plans for the organization. Are these high risk? Will there be major changes in the business, organization, markets, etc.? How critical are major initiatives, such as acquisitions or divestitures, new product launches, capital projects, or IT projects?
  • How stable is the organization with respect to its leadership and retention of key managers and staff?

 

What do key external stakeholders expect? This includes regulators (where there are regulatory requirements for risk management and disclosures), shareholders and owners, and the community.

 

How often do risks need to be identified and assessed? This typically will vary, with some risks needing to be managed constantly (because risk levels change, such as with currencies or an investment portfolio) and others infrequently (because they tend to be stable, such as in the case of the risk of earthquakes). Auditors should consider:

 

  • Who needs risk information, in what form, and at what frequency? This will depend, to some extent, on how decisions are made and who “owns” the management of risk. For example, in more mature organizations, every manager is expected to manage risks within his or her operational area; however, other organizations have decided to manage a limited number of strategic risks and do that centrally. Note that the auditor should not accept a management statement that assessing a limited number of risks periodically is sufficient (even if that statement is based on the recommendation of a respected consultant). The auditor should have an independent opinion on how risk information and the management of risk should contribute to the management and direction of the business, including the quality of daily decisions. It is unlikely that managing a limited number of risks periodically will provide sufficient, timely risk information to manage risks, optimize performance, and achieve strategic objectives.
  • How frequently do new risks emerge or the levels of existing risks change by a significant degree? The more often this may happen, the more frequently risks need to be monitored. For example, where an organization actively trades volatile currencies or financial instruments, management of those risks should be a continuous process.
  • How critical are the risks to the organization, and how close are they to (or do they exceed) the organization’s tolerance for accepting risk? The greater the danger, the more likely frequent monitoring will be desired.
  • What is the culture of the organization with respect to risk? Is it entrepreneurial, where risk-taking is encouraged as a path to success, or is it risk-averse and only takes on risk after heavy soul-searching? This is a board decision; internal auditing’s role is to ensure the board has reliable information on the risks being taken.

 

At this point, the auditor should have a high-level understanding of how risk management activities can contribute to the organization’s success. But this may be quite different from management’s expectations. A discussion with executive management is essential, especially if management is satisfied with periodic assessments of a limited number of risks and doesn’t understand how risk information can improve daily decision-making, the setting of strategy, the optimization of performance, and the assurance of compliance with applicable laws and regulations.

 

ASSESSING THE PROGRAM AND REPORTING THE RESULTS

Before starting the assessment, the auditor should decide — with advice from management and, as appropriate, the board — how the results will be reported and what form the opinion will take. One way is to assess the program with respect to whether the principles set out in ISO 31000 have been achieved. Another is to assess the program overall. Both have value. Whichever method is selected should be used when the program is audited in future years so that management can assess progress.

 

When the expectation is that the risk management program is mature and well-established, a traditional audit report may be appropriate. However, most organizations are still on a journey that may take several years.

 

A maturity model is a useful tool for the auditor. It measures where the program is on the journey from a nonexistent program, to ad hoc and unstructured risk management, to a fully-developed and mature risk management program, where the consideration of risk is embedded into every business process and into daily decision-making. Each stage of the journey is considered a level of maturity. Using a maturity model does not penalize or pass judgment on whether the condition of risk management is good or bad, only where it is on the maturity scale; management and the board determine — with input from the auditor — whether progress is satisfactory. For example, the board and executive leadership could determine whether the expected progress had been made.

 

Marks_Risk Mgmt Maturity ModelThe IIA’s practice guide discusses maturity models and references the Carnegie Mellon University Capability Model. Another resource is the Risk and Insurance Management Society (RIMS) Maturity Model, which assesses defined attributes of the risk management program and places each at one of six maturity levels, from nonexistent to leadership. The maturity model depicted in “Risk Management Maturity Model,” at right, is derived from multiple sources, including the Chelan County (Wash.) Public Utility District, and assesses the risk management program as a whole based on five levels.

 

The assessment itself can follow a traditional audit process. The auditor will first assess the design of the risk management program and then test whether it operates effectively, as intended. Questions the auditor should consider include:

 

  1. Is there a culture within the organization — from the boardroom to frontline supervisors — where risk is considered during the decision-making process?
  2. Have the organization’s attitude toward taking risk and the levels of risk it is able to tolerate (risk criteria) been defined, approved by executive management, and communicated to all who need them? This frequently is included in a risk management policy or other documentation.
  3. Are the risk criteria practical in terms of enabling managers to effectively consider risk in setting strategy, optimizing performance, and making daily decisions?
  4. Are there adequate processes to ensure risks are identified and analyzed promptly and appropriately? Are appropriate individuals involved in the processes? Is it clear who has responsibility and ownership for managing which risks?
  5. Are there adequate processes for evaluating and assessing risks, determining whether they are above tolerances, and selecting risk treatments? Are appropriate individuals involved in the processes and do they have a sufficient understanding of risk management principles and techniques? Are treatment options considered and evaluated appropriately, using techniques such as scenario planning to select the optimal response?
  6. Are controls to manage the more significant risks identified, designed adequately, and operating effectively so that risks are managed within tolerances?
  7. Is risk oversight by the executive leadership and board (including assigned board committees) sufficient? Do they receive appropriate and timely information?
  8. Are corrective actions (risk treatments) completed timely?
  9. Is there appropriate monitoring of the risk management process to ensure that it continues to function as intended?
  10. If individual departments (such as IT and treasury), geographies, or business units have their own risk management processes, are these coordinated to provide consistent reporting across the enterprise? Do managers, executives, and the board have sufficient visibility into risks at their level of responsibility? For example, do department managers have risk insights appropriate for managing the department, while business unit managers have information for their unit, and top executives and the board have timely, reliable, and current information for the organization as a whole?
  11. Are sufficient resources dedicated to risk management, including personnel, tools, and budget?
  12. Is the risk management efficient? Are best practices, processes, and tools shared across the organization?

 

An additional resource auditors should consider is the UK Treasury’s Risk Management Assessment Framework: A Tool for Departments, which was developed for government agencies but has valuable guidance for assessing risk management at any organization. It includes a five-level maturity model. The Canadian Institute of Chartered Accountants’ 20 Questions Directors Should Ask About Risk is a valuable self-assessment tool.

 

BUILDING RISK COMPETENCE

Internal auditors may have to answer questions from the board, management, and risk professionals as to whether they are competent to perform an audit of risk management and provide constructive suggestions for improvement. These are the same questions auditors have had to answer for decades regarding audits of human resources, inventory management, and compliance. Sufficient understanding can be obtained to perform the audit without being an expert.

 

The audit manager should ensure that his or her team is competent to perform an audit and add value. If necessary, this may be achieved by adding a subject matter expert (perhaps from a cosourcing partner). However, there is a great deal of material on effective risk management that will provide the experienced internal auditor with a wealth of relevant information. Certainly, the auditor should read and understand the framework or standard adopted by the organization. Given the lessons of the recent past, and the fact that ineffective risk management can lead an organization to fail, risk management should top the audit function’s list of risks to audit for the next several years.

 


 

 

 


Share This Article:    

Strategic, Tactical, & Operational Assurance
A very interesting article which raises some very important issues from an Internal Audit perspective. I agree with Norman that Internal Audit has a major role to play in this space and this represents a great opportunity for Internal Audit to raise its game and its corporate profile. For Internal Audit to maximize its added value to an organization it must start providing assurance at strategic, tactical, and operational levels. Some readers may be interested in reading some of my thoughts on this in my article entitled "In Defense of the Corporation", link attached: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1539879 I have also addressed my views relating to the maturity model approach in a separate paper entitled "Optimized Corporate Defense Programs: A 5 Step Roadmap", link attached: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1557743 I hope this is of interest.
Posted By: Sean Lyons
2011-07-12 5:55 AM
NAVIGATING RISK MGT
The article is very good and informative. It actually shows the fundamental issues to be considered in the risk mgt process.
Posted By: Phillip Sam Keakile
2011-06-09 2:38 AM


Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

April 2012 IA Online Cover

CCH 2012-2

UCMC 2012 

 International Conference Boston 2012

 

GRC August 2012 

 

 Twitter 
 

facebook IAO 

IA APP