Internal auditors are expected, according to the IIA Standards and some governance codes, to assess the effectiveness of risk management.
That can be a challenge, especially as:
- There is no commonly accepted idea of what effective risk management is.
- While both the COSO ERM framework and the ISO 31000 standard provide principles for effective risk management, neither (in my opinion) is sufficient.
- Few organizations are seen as having effective risk management, so there is no exemplar against which to measure. (The majority of organizations manage the potential for failure, not the likelihood of success – the gold standard of what is commonly called risk management.)
My good friend, Alex Sidorenko has given this challenge a valiant try in his recent video. (I encourage you to follow him as he challenges traditional thinking – something we should all do.)
3 things to look for when auditing risk management identifies three areas to assess:
- Organizational performance compared to prior years, industry benchmarks, and so on
- How well the company makes decisions. Is risk information integrated with how decisions are made?
- Culture, including risk-related policies and procedures and attitudes towards risk
Taking each in turn, organization performance is a poor indicator of effectiveness. Many succeed simply by being lucky; others fail, despite excellent people and processes, when unfortunate and unforeseeable events occur.
How the company makes decisions is at the heart of effective risk management. But looking at minutes and other records of meetings where decisions are being made is not likely to be revealing. Best is to be present when the decisions are made, failing that follow the example of my friend Grant Purdy.
Grant is now retired, but he was a prominent risk practitioner and thought leader (including chairing the committee that developed the excellent Australia/New Zealand’s risk standard on which ISO 31000 is based). He then turned his hand to consulting. When he was hired to upgrade an organization’s risk management practices, he met with the senior executives. Instead of asking about risk management, he asked:
How do you make decisions?
The lesson here is that the individuals assessing ‘risk management’ should meet with decision-makers and ask that question. From there, they can move to questions like:
- How do you consider all the things that might happen and affect the results of your decision?
- When you consider the things that might happen, both positive and negative, how do you assess them? How do you weigh the good and bad together?
- How do you know the information you are using is complete and reliable? What is the likelihood of it being incomplete, inaccurate, out-of-date, or in some other way deficient?
- Who is involved in making the decision? Do all potentially affected parties participate?
- If there is a risk function, how does it help you make decisions? Is it worth the cost of the function? How could it help you more?
- Are you able to adapt with agility when things change? How will you know when there has been a change such that the decision or actions flowing from the decision need to be reconsidered?
- …and more
Alex’s third is really, in my mind, a continuation of the second. I would prefer to think about how the decision-makers know what risks the board and top management want them to take.
Let me suggest my own top three:
- Do decision-makers believe that there are reliable processes to support decision-making, including the availability of current, reasonably complete, and reliable information about what might happen under each of the options they are considering?
- Do decisions involve the weighing, in a disciplined way that allows them to be compared, both the upsides and downsides of each option?
- Do they believe the risk function (if there is one) is helping them set and then execute on strategy? Is it all it should be?
- Do the organization’s processes and practices provide reasonable assurance that there will be an acceptable likelihood of success (measured by the achievement of objectives)?
OK, there are four. I cannot cut any of them out, they are all so important.
Which set of three (or four) do you like more?
Do you have your own?