It seems that “emerging risks” are a topic du jour.
- “Emerging risks can be new and unforeseen risks whose potential for harm or loss is not fully known.” – Marsh & McLennan
- “Emerging risks are those risks an organization has not yet recognized or those which are known to exist, but are not well understood. To quote Donald Rumsfeld, former US Secretary of Defense, ‘There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.’ An ERM program that does not address the potential challenges created by the existence and development of emerging risks will not meet its goal of protecting, and generating opportunity for, the organization.” – RIMS
- “Emerging risks are ‘newly developing or changing risks that are generally characterized by major uncertainty’. This uncertainty is ‘partly derived from the lack of historical data that characterizes them, but also from scientific-technological, socio-political or regulatory changes that can create discontinuities in their evolution’”. – AXA
I have no problem with any of these definitions.
I do find it interesting that each of the sources says that assessing emerging risks is more difficult than assessing previously identified risks, generally because there is less historical data.
But who should be alert and watching for emerging risks: things that might happen (a better expression than the ‘R’ word, ‘risk’, because of its negative impression) that might affect the achievement of enterprise objectives?
It’s always interesting to listen to and read the thoughts of Richard Chambers, CEO and President of the IIA.
Richard recently shared Internal Audit and Emerging Risks: From Hilltops to Desktops.
I like the distinction he draws between hindsight, insight, and foresight – although those of us who chose ‘insight’ as an important word to include in the IIA’s Mission for Internal Auditing and in the Core Principles for Effective Internal Auditing might assert that it is forward looking.
I also like this turn of phrase (with a word or two added by me).
Stakeholders seek to navigate the future more than revisit the past or dwell in the present. It is time for internal auditors to focus our telescopes ahead. We need to concentrate on the risks of today and tomorrow if we are to not only protect but enhance value for our organizations.
Where Richard and I disagree is in the role of internal audit in identifying or responding to emerging risks. He says:
“…stakeholders are generally unimpressed with our acumen at detecting emerging risks. In a 2016 KPMG survey of chief financial officers and audit committee chairs, only 10 percent agreed that their internal audit function adequately identified and responded to emerging risks that threatened their companies.”
It is NOT internal audit’s responsibility to identify, assess, or respond to risk.
It is a MANAGEMENT responsibility.
As you can see, I want to shout that from the rooftops.
If I were a board member or CEO, I would be aghast (such a good word) if an executive told me that he or she relied on internal audit to identify, assess, or respond to risks, whether existing or emerging.
That’s his or her job.
If they are not up to doing it, they should be fired.
So what is internal audit’s role?
- Provide assurance on management’s ability to understand and address what might happen on the path to achieving the enterprise’s objectives
- Provide additional advice and insight that will help stakeholders understand the current situation and take actions as appropriate
- Act as evangelists across the organization for risk management (or the ability to make informed and intelligent decisions, which is a more advanced expression and a tougher challenge)
- Provide assurance, advice, and insight on the internal controls relied upon to manage risks to enterprise objectives
- Be agile in their planning and execution so they can shift their focus as ‘risks’ change
- If internal audit sees a new or growing risk that appears to have been missed by management, find out why – help them improve their process, teaching them to fish for new or changing risks
What about the risk practitioner? What is their role?
Richard references an interview with a vice president of internal audit and risk management. Reading the transcript of the interview, the vice president appears to own the responsibility for identifying emerging risk at his organization.
Again, I think that is totally the wrong approach.
The risk function can help, but it is a management (and by that I mean operating management) responsibility to keep their eyes open and on the road ahead.
When I was CAE at Business Objects, the board, with the concurrence of the CEO, asked me to act as CRO as well. I was willing to do so, but made sure that I was only the facilitator and not the one identifying and assessing risks.
No CAE or CRO can ever know as much about the business as those running it day in and day out. (If they do, there’s a problem.)
That’s my strong opinion.
What is yours?
For a more complete discussion, see Auditing that matters.