Alain Chilot, Cyril Vegni and Sebastien Guery discuss how risk management and internal audit functions can work in harmony

From the Sarbanes-Oxley Act in the US to the Tabaksblat in the Netherlands or the Loi de Securite Financiere in France, a raft of regulatory pressures is driving the rapid implementation of effective corporate governance.

The aim is to restore confidence in financial markets as quickly as possible.

In theory, risk management and internal audit are two of the main supports for the corporate governance edifice.

They have this leading role because of their particular function at the heart of the organisation. They have precise day-to-day objectives: to ensure the machine runs smoothly, to diffuse good practice and to evaluate and test the controls in place. While it is true that risk management appears to be the more active participant in defining corporate governance structures, it is also the case that the role of internal audit allows it to exercise a necessary objectivity. Consequently it can assess the adequacy and effectiveness of those structures in complete independence.

The current regulatory environment can thus be perceived as a catalyst which makes it possible for companies to improve their operation by means of a transparent governance mechanism supported on the one hand by a suitably-tailored internal audit function, and on the other by effective risk management.

This is all very well in theory, but it also raises the question, in France at least, of how internal audit and risk management can best co-exist.

The issue is whether co-operation or competition governs the relationship between these two strategic functions.

The evolving definition and role of risk management

For too long, professional French risk managers have stuck with this definition of their activity: 'Risk management is a process of taking decisions, and of putting mechanisms in place, which allow the impact of risks affecting the whole organisation to be reduced'.

The definition is now obsolete because of its limited scope. Recently, it has been supplemented by the widely-circulated standards issued by AIRMIC, ALARM and the IRM, which in turn link to the even more complete definition, used by internal auditors, given in COSO II: 'Risk management is a process conducted by the board, the management and the personnel of an organisation. It is applied as part of strategic development throughout the whole organisation. It is designed to identify those elements which pose a potential hazard to the organisation, and to manage them in accordance with the organisation's appetite for risk, with the aim of providing a reasonable degree of security for its objectives.'

In general, the risk manager most frequently comes under the CFO or the legal department. He delegates the day-to-day treatment of risk to operational departments, which then ensure suitable control of it. The risk manager is at the heart of the complex process of identifying risks and putting in place effective measures to mitigate them. He ensures the transparency of the control mechanisms. He is responsible for the organisation's control of risk.

The principle role of internal audit is to exercise control over the process of management, including that of risk management. Most frequently coming under the CEO, its chief controls are administrative and financial ones. Inevitably, it too looks at the risks affecting the organisation and its operations. In the absence of a risk management function, it is often the principal source of advice to the board regarding problems arising from the identification and control of risks. It is also frequently responsible for mapping an organisation's strategic risks.

Inevitably the two strategic functions have areas of overlap. It is therefore necessary for their respective spheres of action to co-exist. Usually, however, it falls to the internal audit function to draw up a plan, based on risk, to help define its priorities in accordance with the organisation's strategic objectives. This work is undeniably an essential part of internal audit, as is broadly confirmed by the definition of internal audit given by the IFACI: 'Internal audit is an independent and objective activity, which gives an organisation an assurance on its degree of control over its operations, provides advice on how to improve it, and which helps to create added value. It helps the organisation to attain its objectives by evaluating, through a systematic and methodical approach, its system for managing risk, its control mechanisms and its corporate governance, and by advising on means of improving their efficacy.'

The maturing of the risk management function in France, or, more precisely, its level of development within an organisation, thus potentially carries the seeds of a conflict between the areas of competence of the two functions.

So far, the dissonance remains at an embryonic stage.

Evolution of company objectives: the consequences

Under the growing pressure of globalisation, organisations have scrutinised the appropriateness of their objectives in the context of the new parameters of their operating environment. Globalisation brings the dual pressures of the need for profitability and for growth. Shareholders and investors in general now expect a return in double figures, often close to 15%.

To achieve these ambitious objectives, companies can fall back on outsourcing to reduce costs; increased investment in research and development to speed up innovation, and an acceleration in, and curtailment of, product life cycles.

But companies also face a growing number of obligations and safety measures which are not directly (or at least rarely) productive. The consumer must be protected, and above all, the shareholder.

The demand for profit is all too often difficult to reconcile with the need for safety. Numerous examples illustrate this: the failure of Enron with its consequences for Andersen; the scandals surrounding Xerox, Worldcom and Baring.

The continuing change in the objectives of organisations has inevitably caused risk management to evolve in a direction which we can classify in three levels:

- 1ST LEVEL - THE CONTROL AND THE MITIGATION OF NEGATIVE EVENTS. This is the sphere of crisis management, of contingency planning, and of the financing of damage and loss. Here, setting standards in place and checking their function are the principal methods of improvement.
- 2ND LEVEL - THE MANAGEMENT OF UNCERTAINTIES INHERENT IN THE ACTIVITIES OF THE ORGANISATION. This has the objective of improving operational performance by reducing the gap between anticipated performance and actual result.
To achieve this, ongoing activity can be protected and supported by specific risk-mitigation measures, by total quality checks, new internal control practices, and state-of-the-art methods of risk mapping and evaluation
- 3RD LEVEL - THE PURSUIT OF OPPORTUNITY. This involves seeking competitive advantage and increasing the satisfaction of stakeholders. Here we are speaking of the integration of risk management with operations and strategy.
This level clearly raises the question of the evolution of the risk management and internal audit functions

In this new context, the risk manager must react to emerging risks. He must:

- take into account the political and social risks involved in outsourcing
- analyse the product and reputational risk consequent on speeding up activity cycles
- examine the technological and contingency risks linked to complex information and data systems
- take account of specific risks, such as SARS or terrorism

Risk management thus now aspires to an enlarged spectrum of responsibility within the enterprise, and has new means to deal with it. It makes it possible to justify taking on added risk on various projects. It seeks to establish sustainable growth by promoting a culture of acceptable risk.

Equally, it can contribute to reducing the cost of capital and improve the quality of decision-making (and the allocation of resources) by defining, mitigating and financing the risks created by the decision.

Risk management is thus poised to rapidly evolve outside the limits of the financial sphere. It needs to quickly expand into other areas: economics, engineering, applied science. Evaluation of risk is becoming a strategic function. This in turn asks 'What is the function of risk management inside organisations?' That, as Shakespeare might have said, is the question.

Where does this leave the internal audit function? In future, it seems, it will be principally driven by the growth in legal obligations which are accompanying the change in the global socio-economic fabric, and which organisations must satisfy. By positioning itself as the privileged partner of the audit committee and as the adviser-of-choice to treasury, internal audit can reinforce its participation in, not to say its control over, corporate action, in the light of the spectrum of risk in its broadest sense. Moreover, in future it can extend its role as counsellor into operations and take on important responsibilities in the sphere of governance. Forsaking its policing role to take on that of an omniscient internal consultant, internal audit need no longer simply be an instrument of control for the CEO, but can aspire to become a trusted partner for managers, helping them to refine and direct their processes. That is the challenge for it to take up.

The end of an unhappy disharmony

By having the means to take action (define, measure, analyse, mitigate and control) the risk manager can at last be distinguished from the internal auditor. He is today the ally of choice for top management in the largest companies. While there is no doubt that in the past the risk manager has been confined to the operational functions of buying insurance or pursuing claims, the redefinition of company strategies towards integrating risk management as a vector for sustained growth seems to be close.

For a long time, the idea of risk management seemed to be an ideological abstraction far removed from reality because of the lack of ready-made solutions primed for use. It is by putting forward solutions, relying on proven methods and tools, and by making daily proof of challenges met and success achieved that the risk manager will find his place beside the directing minds of the organisation, who will be conscious of this new strategic opportunity. He will also have clearly differentiated himself from the internal audit function.

It is in an increasingly competitive environment where growing attention is being paid by decision-makers to company culture and values, as well as to the different regulations and guidelines, that risk managers and other strategists who are capable of deploying the practical tools and techniques of their trade will carve themselves a role in the overall direction of organisations, with the goal of creating sustainable value.

- Alain Chilot is a former risk manager of Wavecom, Cyril Vegni is product manager and Sebastien Guery is senior consultant, Equity,