Critical Role for the Chief Audit Executive: Aligning Risk Assessment

October 2008

When it comes to aligning risk assessment, the "risk intelligent" chief audit executive provides reassurance that management's reports are reliable, offers advice on improving risk mitigation, and implements value-added risk-management activities.

by Mark Layton and Neil M. Brown
Deloitte & Touche

Risk permeates virtually every aspect of our personal and professional lives. Yet people and organizations are slow to acknowledge potential calamity and quick to believe that bad things always happen to the other guy.

For businesses, this flawed perception can be quite dangerous. In today's environment, which is marked by intensifying competition, increasing scrutiny, and growing threats, a frank and realistic assessment of the true risks a company faces is more important than ever.

Enter the chief audit executive (CAE). CAEs have a unique opportunity to make significant improvements in the efficiency and effectiveness of their organizations' risk-management initiatives. In previous columns, we've discussed the various roles of the Risk Intelligent CAE, such as keeping the organization's risk/reward picture in balance, incorporating risk-management activities into the internal audit function, and bridging silos to promote the sharing of information across organizational boundaries. Together, these roles can boost a company's risk-management capabilities.

This column addresses yet another critical role for the CAE: aligning risk assessment.

Aligning Risk Assessment

The traditional internal audit risk assessment starts with a blank sheet of paper as processes, systems, and individual entities are evaluated. In keeping with this typical approach, internal auditors audit those risks with the highest impact and probability of occurrence. Often, no distinction is made between inherent risk (the risk that exists before mitigation and controls are introduced) and residual risk (the risk that remains after mitigation and controls are implemented).

Furthermore, while vulnerability is certainly considered, too much weight is usually given to probability. Probability models work well when dealing with events that regularly occur, and for which reams of data have been compiled. But when dealing with more uncertain events—situations that have never occurred or perhaps can't even be imagined—probability should be subordinate to the notion of vulnerability.

Therefore, the risk intelligent enterprise adopts a different tack. In a risk intelligent organization, management also takes responsibility for:

  • Assessing inherent risks—even those that are high impact, yet low probability.
  • Evaluating the effectiveness of existing risk mitigation and controls.
  • Determining residual risk.
  • Deciding whether the risk exposure is within the appetite of the enterprise and further mitigating the risk, if necessary.
  • Providing reasonable assurance to the board that the controls are both effective and efficient.

If the risk exposure is not within the corporate appetite, it's internal audit's responsibility to advise management on how risk mitigation and control might be improved.

Value-Added Risk-Assessment Activities

In addition, the risk intelligent CAE can lead a number of value-added risk assessment activities. These include providing reassurance to management and the board that:

  • Key risks that affect both value preservation and value creation have been identified.
  • Different scenarios have been assessed and stress-tested.
  • Inherent versus residual risk has been reliably assessed.
  • Residual risk appears to be within the risk appetite of the company.
  • Controls are both effective and efficient.
  • Management's reports can be relied on.

What's Your Risk Intelligence Quotient?

To determine if their current risk-assessment models are risk intelligent, CAEs should ask themselves the following questions:

  • Are we speaking the language of management?
  • Are we assessing risks to future growth or are we focused exclusively on the protection of existing assets?
  • Are we assessing risks in isolation or are we looking at how these risks may interact and cascade?
  • Is there a uniform framework to align the various risk specializations regarding governance, risk, and compliance assessments, which will allow us to reduce the cost burden on the business?
  • Do existing risk assessments reliably and adequately assess inherent and residual risk exposures?
  • Do we have the means to assess whether residual exposures are within the risk appetite of the company?
  • Is there a robust risk-mitigation process?

CAEs can play a unique and important role in the risk intelligent enterprise. While recognizing that management and the board are responsible and accountable for risk, CAEs should provide both guidance and reassurance that risk is being properly and efficiently managed.


Neil Brown is a partner in the Enterprise Risk Services practice at Deloitte Canada. He can be reached at 416-643-8414 or at .


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

© 2000-2012 International Risk Management Institute, Inc. (IRMI). All rights reserved.