Four individuals with a strong pedigree in risk management have collaborated on The Future Role of Internal Audit in (Enterprise) Risk Management.
- John Shortreed is professor emeritus of civil engineering at the University of Waterloo, where for 20 years he was the director of the Institute of Risk Research. He has served on ISO technical committees related to the risk management standard and related guidance.
- John Fraser is Senior Vice President, Internal Audit and Chief Risk Officer for Hydro One. John is not only a frequent speaker on risk management, but his program at Hydro One has been held out as a best practice case study.
- Grant Purdy of Broadleaf Capital International and formerly the head of risk management at BHP Billiton is a veteran of risk management standard-setting. He is the co-author of the Australian/New Zealand risk management standard (4360) on which the ISO risk management standard is based, immediate past chair of the Standards Australia and Standards New Zealand risk management committee, and continues to serve on ISO committees working on ISO risk management guidance.
- Arnold Schanfield is Director of Education and Research Center for Managing Risk at Manhattanville College. He has served as chief executive of internal audit and risk management functions at major institutions, and is on an ISO committee for ISO risk management guidance.
By way of full disclosure, I know John, Grant, and Arnold personally. Although we disagree from time to time, I have great respect for their experience and deep understanding of the professional practice of risk management. I am a member of the same ISO risk management committee as Arnold.
Now let’s talk about their paper, because anything written by a ‘dream team’ merits our time and attention.
My bottom line: while I don’t agree with everything they have to say (see below), there is a lot of wisdom and insight in this piece. While it is based on the assumption that the ISO 31000:2009 risk management standard is gospel, even if you are a COSO fan I advise reading it. If you are not familiar with the ISO guidance, then this can be an excellent introduction.
Let me tell you what I liked and didn’t like in their arguments and then review their ten conclusions.
- “Internal audit is at a cross roads and will in the next couple of years need to modify its traditional approaches, tools and techniques to meet new legislative requirements for corporate governance and new risk management standards. These new requirements are designed to provide better assurance of an organisation’s [sic – they are Canadian and Australian] capability to manage risk that will require major changes in internal audit practice and support for that function by the board.”
Comment: while I agree that change is necessary, I do not believe that the primary driver will be legislative requirements (which, if they come, will emerge slowly). Organizations need effective risk management now if they are to optimize performance. Internal audit needs to provide consulting services to help risk management mature, and assurance services to inform the board and top management of the state of risk management across the organization.
- “[The] internal audit profession [needs]:
- to play a role in the management of risk and not just provide an independent view of management’s efforts;
- to support risk management by providing assurance on critical controls;
- to develop new techniques for monitoring, review, and communication, to improve the effectiveness of both risk management and governance in their organizations; and
- in cooperation with their colleagues around the world to change the requirements, training and practice of internal auditors to meet these innovative, expanded and important challenges.”
Comment: I agree, although the “role in the management of risk” does not mean that we should ‘manage risk’. We should provide the essential assurance and consulting services to drive excellence in risk management and effective oversight by the board.
- “Risk is now considered to be “the effect of uncertainty on objectives” (ISO 2009). Risk can be characterized by either or both, positive and negative consequences. These consequences must be linked to the objectives of the organization.”
Comment: I agree and like this definition of risk. Both COSO ERM and ISO talk about both the upside and downside of uncertainty.
- “The organisation’s ability and capability to manage risk and not just controls should be the focus of internal audits.”
Comment: I agree, although I would phrase it differently: “internal audit should provide assurance that the risk management framework and processes, including related controls, provide reasonable assurance that risks are at desired levels.”
- “ISO 31000 reflects current best practise. It was developed through a four-year process that involved many thousands of risk management practitioners from around the world in the development of a consensus document. It contains advice on how a framework for risk management can be implemented and enhanced.”
Comment: I agree, although using ISO 31000 does not guarantee success with risk management. The standard does not address what the risk officer should do when the organization’s culture with respect to risk and acceptance of risk management principles is inadequate, nor does it give sufficient attention (IMHO) to the speed of the risk management process – i.e., managing risk at the speed of the business.
The authors present ten conclusions:
1. Risk management concerns reducing the magnitude and likelihood of detrimental consequences while enhancing and making more likely the beneficial consequences that might arise from decisions.
Comment: while this is true, I don’t believe it is complete. Risk management is an essential element of effective management, of setting strategy, monitoring performance, and daily decision-making. Risk management helps managers and decision-makers at all levels across the organization make intelligent, informed decisions. Risk management is about optimizing outcomes.
2. The focus of internal audit and other monitoring and review functions should be to provide assurance on the effectiveness of risk management and not just on the effectiveness of controls.
Comment: concur. As I said earlier, “internal audit should provide assurance that the risk management framework and processes, including related controls, provide reasonable assurance that risks are at desired levels.”
3. Processes for the management of risk must be integrated into an organisation’s system of management to be effective.
Comment: I agree.
4. Internal Audit should no longer assess risks on behalf of the organisation. Their role is to assist decision-makers in arriving at the most appropriate treatment of risks and then the monitoring and review of risks and controls.
Comment: as a general principle, I agree with the first sentence. However, internal audit does have the task of assessing the potential effect of control weaknesses: how the level of risk is changed. In addition, many organizations do not have a mature risk management program in place – if they have one at all. This situation is addressed reasonably well in the proposed changes to the IIA’s related Standards.
With respect to the second sentence, internal audit should only provide assurance and consulting services and not decide on risk treatment. That means they can advise and recommend for management to decide.
5. Internal audit will obtain planning information for an audit (and for their annual audit plans) from the risk management process done by decision-makers who own and are accountable for the risks.
Comment: I concur, although internal audit should no longer have annual audit plans but living ones that are updated throughout the period.
6. ERM and the ISO 31000 risk management standard have evolved cooperatively and will be the basis for risk management in organizations.
Comment: this is not a conclusion as much as an opinion and an aspiration.
7. Effective risk management requires clear expressions of intent and mandate by the Board and top management.
Comment: I agree.
8. Evolutionary modifications to the role and practice of internal audit will occur as part of continuous improvement of the framework for the management of risk.
Comment: I don’t find this logical. Internal audit’s role is not linked to the framework; either can change without the other changing.
9. The maturity of risk management should be evaluated and reported on at least an annual basis.
Comment: I agree that internal audit should provide a formal opinion on the effectiveness of risk management on at least an annual basis. This can be done using a maturity model.
10. Internal Audit has to update its roles and responsibilities to support continuous improvement of and implementation of more effective risk management.
Comment: I agree with the intent. While the IIA’s standards and the definition of internal audit require assurance and consulting services regarding risk management, that has not been the practice – and that has to change.
What do you think? I wish they had not talked about the ‘future role of internal audit’. This should be their role now!
By the way, please see this post for the results of a survey of risk practitioners on their preferences (between COSO and ISO) for risk management guidance.