With their concerns and responsibilities overlapping, there needs to be a careful balancing act between internal audit and risk management, say Tim Cromack, Waseem Aslam and Russell McKay.

In recent years there has been a resurgence in enterprise risk management (ERM) and internal audit. In boardrooms of companies large and small, spanning industries all over the world, ERM and internal audit are high on the corporate agenda. An outbreak of corporate failures, new regulations, compliance challenges, active investors, rating agencies, exchange listing standards, globalisation and many other forces have caused executives and directors to be intrigued by risk management's potential to anchor the organisation and (with effective assurance provided by internal audit) to keep it out of trouble.

Our experience of working with major corporates indicates that enterprise risk management is now being considered as a means of providing directors and senior management with confidence that the company's risks are known and are being well managed, allowing them more time to focus upon company growth, strategy and value creation. In the public sector too, we are finding that there is an increased focus on ensuring that controls and risk reporting mechanisms are in place.

At the same time, the resulting rise in the profile of internal audit has been a double-edged sword for its functional heads. On the one hand, they are now perceived as having a far more important role than before. As a result they have more open and regular access to top executives and audit committee members. On the other, they now face more searching questions about what they are doing and how effectively they are doing it.

A key stakeholder in all of this is the audit committee. Its members expect risk management and internal audit departments to have a clear understanding of the organisation's risk profile. They want to be able to turn to them to discuss the risks facing the organisation and how they are managed.

These challenges are bringing the roles and responsibilities of risk management and internal audit ever closer together. We believe there is an opportunity for the two functions to support and complement each other - achieving a balanced approach to risk management and assurance, which ultimately drives real business benefit.

Audit: stretched to the limit?

The role of internal audit continues to expand. It has moved from being the financial police force of the '80s and '90s to become one of the board's most powerful mechanisms for understanding the full spectrum of the risks facing the company and for monitoring the effectiveness of the risk management processes and controls. In many organisations, internal audit's skill set and mandate mean it is also looked to as the facilitator of key elements of the risk process - for example in conducting an entity-wide risk assessment.

The result is that many internal audit functions are currently being asked to keep more and more balls in the air at once - often at opposing ends of the potential spectrum of their responsibilities. The demands range from the traditional focus on internal financial control, through operational audit to providing assurance and advice on enterprise risk management and governance. Internal audit thus risks being stretched to its limits in both directions. This is highlighted in Figure 1.

The two directions require different people strategies, tools, skills and investments. The challenge for companies today is to reconsider the role of internal audit. An equilibrium is not easy to reach, for clearly the focus on compliance must continue but boards also want to know what internal audit is doing to address the issues that keep them awake at night, and what is being done to uncover the hidden risks that may become serious problems.

Although most internal audit functions would like nothing better than to conduct a comprehensive risk assessment, they face many practical challenges, including:

- insufficient insight into the company's strategic and business planning processes - a key area where risks to future growth opportunities and stakeholder values may be identified

- lack of adequate time, skill sets, or resources

- inadequate resources to cover key risk areas within the company's changing risk profile

- increasing pressure to focus primarily on financial reporting risk

These challenges for internal audit can also create issues for the board and audit committee. In fact, at a time when boards and audit committees are under increasing pressure to oversee risk assessment and management activities across all risk areas, one of their key mechanisms for achieving this end - internal audit - may be stretched increasingly thin and be unable to provide the desired level of insight and coverage. Maintaining an appropriate equilibrium is now, more than ever, a challenge for audit committees and heads of internal audit.

Risk management's role

Clearly, the function of risk management has also evolved from the traditional insurance-orientated function of the 1960s. Although insurance is still a core risk competence, the recognised definition of risk management has broadened. It has become an enterprise-wide function, influencing strategic decision making and control frameworks alike. Recently, driven by changes to external corporate governance and internal business pressures, organisations have developed risk management into processes and systems.

Although enterprise risk management has been around for more than a decade, it has been subject to peaks and troughs of interest and enthusiasm within the boardroom. Today we are at one of those peaks, and the momentum shows no signs of slowing. But the application and exploitation of risk management as part of business decision making and control techniques, demands that risk management teams exert subtle influence to extract value. The danger is that they become perceived as bringers of bureaucracy - in other words, purveyors of 'enterprise list management' - rather than as adding value by providing parameters for competitive and strategic decision making.

Despite the current enthusiasm, a recent Ernst & Young survey 1) indicated that only 14% of organisations class themselves as having a mature ERM system, leaving 86% yet to establish and embed one.

Making the trapeze act work

The changing roles of internal audit and risk management have resulted in a need to clarify the focus and interface between the two functions, readdressing and confirming the balance of activities they perform.

Since Turnbull, one of the key responsibilities of the board has been to gain assurance that there is a robust risk management process in place, and that the key risks are being managed to an acceptable level.

If we venture the idea that risk management has reached maturity as a business 'process', this points towards the internal audit function having the potential (and obligation?) to provide assurance to its board level stakeholders. This assurance can and should be that key business risks are being managed (the driver for risk-based audit planning), and additionally that the risk management process itself is effective. Not surprisingly, given the parallel evolution of risk disciplines, there has been much debate in recent years over the role internal audit should take in the execution of risk management - not least to avoid a situation of 'self audit', and the consequent compromising of objectivity.

The time has come for the two functions to work together more effectively in order to achieve common business goals. Aligning corporate goals, risks, risk management and internal audit activities enables focus on the risks that matter. And, although notoriously difficult to prove or disprove, good risk management is seen as a determinant of corporate success and shareholder value.

A recent Ernst & Young survey of leading investors 2) indicated that 82% believe that good risk management is worth a premium price. The downside is that 61% of investors have not invested where they deemed risk management to be insufficient.

Likewise, a related survey 3) undertaken by Ernst & Young shows that senior management of corporates recognise the need for better alignment between risk management and line management, as well as across individual functions. But how can these needs be satisfied in a tangible way? What roles can both professions take to ensure that the business stays out of trouble while making it perform better?

The Institute of Internal Auditors (UK and Ireland) (IIA) presents a range of risk management activities (Figure 2) and indicates which roles an effective professional internal audit function should, and equally should not, undertake 4). As can be seen, the IIA has subdivided risk management roles into:

- roles core to internal audit
- roles legitimate to internal audit (with safeguards)
- roles internal audit should not undertake.

This is not as simple as it might sound. Unfortunately, one size does not fit all, and clear dividing lines rarely exist.

The division of responsibilities between 'core' internal audit activities and other risk management functions depends very much on the maturity of corporate governance practices and functions within the organisation.

Independence must be maintained, and many organisations have taken steps to separate risk management activities from assurance providers. The result is that internal audit departments and risk management are separate, with different reporting lines and cycles. Although conceptually this can make things neat and tidy, this division should not ignore the benefits that can come from muddying the waters a little - sharing knowledge and skills and actively seeking alignment.

An effective and safe hand-over

Commonality exists between internal audit and risk management, in that both disciplines share the same knowledge, experience and skills. For example, both appreciate the need for corporate governance requirements, have strong project management and analytical skills and possess a healthy appetite for risk (that is, they are neither extreme risk takers nor risk avoiders).

The linkage of risk management, assurance and corporate strategy is a critical aspect of an aligned organisation. Since they share the same customer - i.e. the business - it is possible to make efficient and effective use of their respective agendas and knowledge.

While risk managers report to the management of the organisation and do not typically have an explicit responsibility to the audit committee, in our experience this relationship is important. Not only can assurance be taken from rigorous and consistent risk management, but the audit committee's mandate can also lend weight to the drive for embedding risk and control changes. In contrast, internal auditors are increasingly extending their knowledge into ERM, although this requires taking steps to appreciate the complexities of the risk management process (risk assessment, quantification, reporting, transfer and modelling techniques), which lie outside the knowledge traditionally required of internal auditors.

In particular, the benefit of bridging the gap between internal audit and risk management is that both sides win. Internal audit can benefit from better and more up-to-date information to inform its planning. And the conclusions of internal audit reviews can highlight key business processes and functions where risk management effort can be directed to maximum benefit. Therefore, many leading companies are taking active measures to close the gap which can exist between internal audit and risk management.

Approaches currently being used include:

- reaching an explicit balance between strategic roles: advanced internal audit and risk departments are assessing how, where and when they can work together. The allocation of roles (as highlighted in Figure 2) is a useful tool for consideration. It is important to stress that one size does not fit all, and that joint working is often a practical and pragmatic option. Making the respective roles visible to key stakeholders (for example, the audit committee) can help understanding and engagement at senior levels where the overarching purpose of an organisation's risk strategy is concerned.

- integration of process cycles: internal audit and risk management processes can be better aligned by establishing a mechanism whereby new risks and control deficiencies identified by internal audit are fed back into the risk management process, and internal audit's risk assessment requirements are fed into the risk management process in turn, minimising duplication of effort. Establishing a simple communication and planning protocol between internal audit and risk management, which incorporates this feedback loop, is a further step.

- seeking opportunities to apply internal audit skills to key risk areas: re-examining the focus, staffing and charter of internal audit, and investigating options to identify and address the areas where risk coverage may be unacceptably low.

- leveraging internal audit skills: internal auditors can serve as active developers, facilitators and beneficiaries of a risk assessment process owned by, and executed within, existing processes of management and of various corporate functions.

- rotation and cross-training: in order to retain the best resources and to develop future leaders within the company, many internal audit and risk functions are looking to focus on recruiting from within the company's business areas, and rotating staff back into the business as ambassadors.

- auditing risk management as a process: too often the proximity of the audit and risk functions has meant it can be difficult to plan and conduct an independent audit. This is not an acceptable or responsible position for the future. Submitting ERM practices to a trained audit eye can be a useful barometer of true acceptance and application of risk management.

If risk management cannot pass the internal auditor's 'show me' test, then this needs to be brought to the attention of key stakeholders.

A combined class act

With no end in sight to the risk and internal control challenges for organisations, the pressures will continue to mount for internal auditors and risk managers. Both parties have decisions to take, with the pull between core roles and new applications for their skills putting strain on resources and demanding prioritisation.

Drawing on the full corporate capability in risk management - from consultants to assurance providers - has never been more important. Internal audit is also at an interesting crossroads, which the risk management community should pay close attention to. Positively and jointly shaping the agenda and achieving a constructive interplay between the respective roles of internal audit and risk management might just tip the scales towards sustainable success for embedded risk management.

1) Ernst & Young 'Emerging Trends in Internal Controls' Survey, 2005

2) Ernst & Young Risk Survey: 'Investors on risk: the need for transparency' November 2005.

3) Ernst & Young Risk Survey: 'Companies on risk: the benefits of alignment' March 2006.

4) Institute of Internal Auditors Position Statement: 'The role of internal audit in Enterprise wide risk management', September 2004.

Tim Cromack, Waseem Aslam and Russell McKay are senior managers, business risk services team, Ernst & Young, Tel: 020 7951 5000

What do you want internal audit and risk management to do? How can they work more closely together?

Deciding upon the role of each requires dialogue, and there are no easy answers. However, what can help is asking the right questions. Some of the key questions should focus on the following.

The risk management process:

- Is there a robust risk management process in place and is it operating effectively?

- Do risk management and internal audit use the same risk language?

- Are the definitions of risk consistent between both functions?

- Is the same methodology used for risk assessments?

Taking a comprehensive approach to risk assessment:

- Is the internal audit plan aligned with the business risk assessment so there is a focus on the key risks facing the business?

- Has the risk assessment been independently validated by internal audit to provide comfort that all the right risks are being covered?

- Are the risk register updates fed into internal audit so that the internal audit plan remains responsive to the changing risk profile of your organisation?

- Is there an overlap in the risks reported by internal audit and those reported by risk management to the board?

Dedicating the right resources:

- Are the skills of internal audit fully aligned with your risk management needs?

- Do you have adequate resources and infrastructure investments to address all the risks that need to be covered, including compliance?

- Do your people have the skills you need, or should you consider working with a third party to source specialised skills?

Feedback loop:

- Are your risk management and internal audit functions fully aligned?

- Do they communicate findings to each other on a regular basis so that each is up to date on what is happening within the organisation?

- Is there a mechanism in place to ensure that any new risks or control gaps identified by internal audit are being fed back into the risk management process?

The risk management and internal audit functions that answer positively will be in the best position to add real and lasting value to the business.