The IIA has a paper on the subject of internal audit in risk management that is important for all of us. While they have considered updating it from time to time, I think it’s still pretty good. I especially like the guidance on what is acceptable and what is not. For example, it stresses that IA can facilitate a risk assessment, but it is management’s responsibility to identify, assess, evaluate, and respond to risk.
There’s another paper that merits our attention.
Written by thought leaders in risk management (friends of mine), The Future Role of Internal Audit in (Enterprise) Risk Management is a few years old now (published in 2012). But that doesn’t mean that much if not most of what is says remains valid.
But, thought leadership has moved on and it’s a good idea to revisit the thinking of even the best.
Here are their ten conclusions, with my comments on each:
1. Risk management concerns reducing the magnitude and likelihood of detrimental consequences while enhancing and making more likely the beneficial consequences that might arise from decisions.
Comment: I think risk management thought leadership has progressed further. It is now considered as enabling informed and intelligent decisions that help the organization to set and then execute on strategies. In other words, it enables decisions that lead to the achievement of enterprise objectives. It’s less about managing the risks (the consequences) and more about achieving objectives.
2. The focus of internal audit and other monitoring and review functions should be to provide assurance on the effectiveness of risk management and not just on the effectiveness of controls.
Comment: This is an important distinction. It is insufficient simply to say that internal controls are inadequate (or adequate), or even to say that there are high risk deficiencies. Internal audit needs to communicate their assessment of whether management is appropriately addressing the more significant risks to the achievement of (specific) objectives. But, see additional comments later.
3. Processes for the management of risk must be integrated into an organisation’s system of management to be effective.
Comment: Consideration of ‘what might happen’ should be integral to decision-making. See additional comments.
4. Internal Audit should no longer assess risks on behalf of the organisation. Their role is to assist decision-makers in arriving at the most appropriate treatment of risks and then the monitoring and review of risks and controls.
Comment: I have never believed that internal audit should be relied on to assess enterprise risks. I cannot understand why some say that internal audit should be expected to identify emerging risks. NO!! Those are management responsibilities. Internal audit’s role is assessing how management does them. Internal audit can assess whether management is ‘treating’ risks with adequate and effective controls.
5. Internal audit will obtain planning information for an audit (and for their annual audit plans) from the risk management process done by decision-makers who own and are accountable for the risks.
Comment: That should be both the current and future state. Management should have effective processes for identifying, assessing, and evaluating what might happen as an integral part of decision-making. Once internal audit has assessed those processes as reasonably effective, it should use them as input to its continuously updated (they should not be annual) audit planning activity.
6. ERM and the ISO 31000 risk management standard have evolved cooperatively and will be the basis for risk management in organizations.
Comment: ISO 31000:2017 is useful but not complete (in my opinion) as it barely touches decision-making. ERM needs to evolve into effective decision-making, aka effective management.
7. Effective risk management requires clear expressions of intent and mandate by the Board and top management.
Comment: Risk management is not a siloed activity. The board and top management should insist on informed and intelligent decision-making. That will drive everybody to quality consideration of ‘what might happen’.
8. Evolutionary modifications to the role and practice of internal audit will occur as part of continuous improvement of the framework for the management of risk.
Comment: Both need to continuously improve. Certainly, as risk management is transformed into informed and intelligent decision-making, internal audit needs to rethink its approach. See additional comments.
9. The maturity of risk management should be evaluated and reported on at least an annual basis.
Comment: Internal audit needs to provide its assessment to the board and top management of whether practices meet the needs of the organization, enabling informed and intelligent decisions. I cover this and the use of a maturity model in World-Class Risk Management. But, top management should first provide their formal assessment to the board.
10. Internal Audit has to update its roles and responsibilities to support continuous improvement of and implementation of more effective risk management.
Comment: Internal audit should provide assurance, advice, and insight to improve decision-making. It should remember not to penalize those working diligently to upgrade management’s processes, but instead encourage and be an evangelist for world-class practices.
Now for some additional comments.
Think about this.
If we are stressing that risk management is really all about effective, informed and intelligent decision-making, shouldn’t internal audit start focusing on the quality of decision-making processes?
I am not saying that internal audit should second-guess management’s decisions. I am saying that decisions are what lead to success or failure. So, shouldn’t internal audit assess whether management has reasonable processes to inform those decisions?
Internal audit can identify significant decisions, such as the setting of strategy, the pricing of products, or the hiring of key personnel. Understand how those decisions are made and by whom before assessing whether there is reasonable assurance that they will be informed and intelligent.
Controls come into this as we need them over the information used in decisions, and so on.
Risks come in as we should consider what might happen to prevent a successful decision, as well as what might happen under each option considered.
But the conclusion, what is being assessed, is at the heart of effective management and what provides reasonable assurance of the success of the enterprise: is there reasonable assurance that these critical decisions will be informed and intelligent?
Another thought: should internal audit address whether the board and top management have reasonable insights into what might happen in the next year or so (what risk frameworks refer to as changes in the internal and external contexts)? It is only by understanding what might happen can you start to consider how that might affect the organization (what some refer to as risk identification).
So what is the future for internal audit and risk management – or effective management, for that matter?
I think IA should be thinking about how they can provide the board and top management with the assurance, advice, and insight necessary for success.
That goes beyond the static processes for risk management and controls.
It includes the dynamic activity of management, and the core of management is decision-making.
What do you think?
- The risk is assessed as high. So what? - March 15, 2023
- Putting cyber risk into business perspective - February 15, 2023
- Twitter and risk - January 18, 2023