When it comes to aligning risk assessment, the "risk intelligent" chief audit executive provides reassurance that management's reports are reliable, offers advice on improving risk mitigation, and implements value-added risk-management activities.
Risk permeates virtually every aspect of our personal and professional lives. Yet people and organizations are slow to acknowledge potential calamity and quick to believe that bad things always happen to the other guy.
For businesses, this flawed perception can be quite dangerous. In today's environment, which is marked by intensifying competition, increasing scrutiny, and growing threats, a frank and realistic assessment of the true risks a company faces is more important than ever.
Enter the chief audit executive (CAE). CAEs have a unique opportunity to make significant improvements in the efficiency and effectiveness of their organizations' risk-management initiatives. In previous columns, we've discussed the various roles of the Risk Intelligent CAE, such as keeping the organization's risk/reward picture in balance, incorporating risk-management activities into the internal audit function, and bridging silos to promote the sharing of information across organizational boundaries. All of which, in combination, can boost a company's risk-management capabilities.
This column addresses yet another critical role for the CAE: aligning risk assessment.
Aligning Risk Assessment
The traditional internal audit risk assessment starts with a blank sheet of paper as processes, systems, and individual entities are evaluated. In keeping with this typical approach, internal auditors audit those risks with the highest impact and probability of occurrence. Often, no distinction is made between inherent risk (the risk that exists before mitigation and controls are introduced) and residual risk (the risk that remains after mitigation and controls are implemented).
Furthermore, while vulnerability is certainly considered, too much weight is usually given to probability. Probability models work well when dealing with events that regularly occur, and for which reams of data have been compiled. But when dealing with more uncertain events—situations that have never occurred or perhaps can't even be imagined—probability should be subordinate to the notion of vulnerability.
Therefore, the risk intelligent enterprise adopts a different tack. In a risk intelligent organization, management also takes responsibility for:
Assessing inherent risk—even those that are high impact, yet low probability.
Evaluating the effectiveness of existing risk mitigation and controls.
Determining residual risk.
Deciding whether the risk exposure is within the appetite of the enterprise and further mitigating the risk, if necessary.
Providing reasonable assurance to the board that the controls are both effective and efficient.
If the risk exposure is not within the corporate appetite, it's internal audit's responsibility to advise management on how risk mitigation and control might be improved.
Value-Added Risk-Assessment Activities
In addition, the risk intelligent CAE can lead a number of value-added risk assessment activities. These include providing reassurance to management and the board that:
Key risks that affect both value preservation and value creation have been identified.
Different scenarios have been assessed and stress-tested.
Inherent versus residual risk has been reliably assessed.
Residual risk appears to be within the risk appetite of the company.
Controls are both effective and efficient.
Management's reports can be relied on.
What's Your Risk Intelligence Quotient?
To determine if their current risk-assessment models are risk intelligent, CAEs should ask themselves the following questions:
Are we speaking the language of management?
Are we assessing risks to future growth or are we focused exclusively on the protection of existing assets?
Are we assessing risks in isolation or are we looking at how these risks may interact and cascade?
Is there a uniform framework to align the various risk specializations regarding governance, risk, and compliance assessments, which will allow us to reduce the cost burden on the business?
Do existing risk assessments reliably and adequately assess inherent and residual risk exposures?
Do we have the means to assess whether residual exposures are within the risk appetite of the company?
Is there a robust risk-mitigation process?
CAEs can play a unique and important role in the risk intelligent enterprise. While recognizing that management and the board are responsible and accountable for risk, CAEs should provide both guidance and reassurance that risk is being properly and efficiently managed.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.