Risk Management's Chief Audit Executive
December 2007
The chief audit executive (CAE) keeps the
organization's risk/reward picture in balance. And, by speaking the language
of senior management, the CAE can also contribute to profitability, growth,
and shareholder value.
by Mark Layton and Eric Hespenheide, Deloitte & Touche
In our previous columns,
we've touted the many benefits that have been realized by organizations that
adopt a "Risk Intelligent" approach—from minimizing "siloed" behavior and embedding
risk management into strategic processes to protecting existing assets and enhancing
growth opportunities. One of the most significant characteristics of a risk
intelligent company is that it is savvy about both the risks to take and the
risks to mitigate.
Up to this point, we've limited our discussions to the impact risk intelligence
has on an enterprise, rather than the roles individuals play in an organization.
But with this column, we shine the spotlight on the chief audit executive (CAE).
While we caution against over-centralizing risk management functions or crowning
a single individual as a risk-management "czar," the CAE (and, in many cases,
the CRO—chief risk officer) is uniquely positioned to make significant improvements
in the effectiveness and efficiency of an enterprise's risk management practices.
Addressing Enterprise Risks
In a risk intelligent organization, the CAE is charged with fighting complacency
and the denial of risks, enabling the company to understand and address relevant
risks, and helping to reduce costs. An effective CAE keeps the enterprise's
risk/reward picture in balance. By taking a holistic approach to risk management,
the CAE contributes to both the preservation and creation of value. The CAE
can also help the organization develop a common understanding of the different
types of enterprise risks, such as the following.
- Governance Risks are related to the policies, procedures, structure, and authorities that oversee key company directions and decisions.
- Strategy and Execution Risks are associated with the company's business strategy and future initiatives, such as plans to enter new markets, form new alliances, or launch new products.
- Operational Risks affect controls and the control infrastructure, particularly with respect to the protection and utilization of existing assets and operations.
- Infrastructure Risks are linked to the performance of people, processes, and systems that support the company's operations.
- External Risks are associated with the environment in which the company operates or external factors beyond the company's control.
Furthermore, the CAE evaluates how efficiently risk information is shared
and managed across business activities and functions, while simultaneously boosting
the enterprise's ability to prevent, detect, correct, and escalate critical
risk issues. By sharing risk information and coordinating the responses of the
risk management functions, the CAE can reduce the cost of risk management and,
as a result, improve the overall effectiveness of the organization's risk-management
practices.
The Language of Growth
The risks outlined above correspond to a company's ability to meet its value
and growth objectives, which are typically achieved by focusing on four areas:
- Revenue Growth—customer, product, or market goals.
- Margin—cost reduction, including restructuring of costs and provision of services and supply-chain efficiencies.
- Assets—asset turnover, flexibility, effectiveness, and efficiency targets; safeguarding of assets.
- Expectations—various expectations of stakeholders, regulators, rating agencies, banks, creditors, employees, customers, partners, and suppliers.
Risk management has traditionally focused on the protection of existing assets—for
the most part, through risk avoidance and insurance. From senior management's
perspective, therefore, risk management is seen as a cost to the business and,
quite frankly, a potential barrier to growth. And when CAEs discuss risk, management
expects such discussions to be about risk avoidance, not about taking risks
that will position the company for sustained growth.
To avoid a breakdown in communication, CAEs must make every attempt to speak
operating management's language and place all discussions of risk in the context
of growth, profitability, and shareholder value. Risk intelligent CAEs understand
their companies' value and growth objectives. They also recognize how the different
types of risks, when managed ineffectively and inefficiently, can prevent an
organization from realizing these objectives.
The role of the CAE, then, is to focus, integrate, and communicate the activities
of internal audit and other risk management functions across the organization.
Such a holistic approach will enable the company to manage the risks that are
most critical. It will also help the organization to reduce the burdens of risk
management and compliance, while making the most of growth opportunities.
Coming Up
In our next few columns, we will explore the role of the CAE in greater detail.
Next up: the CAE and internal audit.
Eric Hespenheide serves as the global leader of the Internal Audit Services practice of Deloitte & Touche LLP. He can be reached at (313) 396-3163 or ehespenheide@deloitte.com.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.