Skip to Content
Enterprise Risk Management

Risk Management's Chief Audit Executive

Mark Layton | December 1, 2007

On This Page
A rid die that says low risk, no risk, and high risk on each side

The chief audit executive (CAE) keeps the organization's risk/reward picture in balance. And, by speaking the language of senior management, the CAE can also contribute to profitability, growth, and shareholder value.

In our previous columns, we've touted the many benefits that have been realized by organizations that adopt a "Risk Intelligent" approach—from minimizing "siloed" behavior and embedding risk management into strategic processes to protecting existing assets and enhancing growth opportunities. One of the most significant characteristics of a risk intelligent company is that it is savvy about both the risks to take and the risks to mitigate.

Up to this point, we've limited our discussions to the impact risk intelligence has on an enterprise, rather than the roles individuals play in an organization. But with this column, we shine the spotlight on the chief audit executive (CAE).

While we caution against over-centralizing risk management functions or crowning a single individual as a risk-management "czar," the CAE (and, in many cases, the CRO—chief risk officer) is uniquely positioned to make significant improvements in the effectiveness and efficiency of an enterprise's risk management practices.

Addressing Enterprise Risks

In a risk intelligent organization, the CAE is charged with fighting complacency and the denial of risks, enabling the company to understand and address relevant risks, and helping to reduce costs. An effective CAE keeps the enterprise's risk/reward picture in balance. By taking a holistic approach to risk management, the CAE contributes to both the preservation and creation of value. The CAE can also help the organization develop a common understanding of the different types of enterprise risks, such as the following.

  • Governance Risks are related to the policies, procedures, structure, and authorities that oversee key company directions and decisions.
  • Strategy and Execution Risks are associated with the company's business strategy and future initiatives, such as plans to enter new markets, form new alliances, or launch new products.
  • Operational Risks affect controls and the control infrastructure, particularly with respect to the protection and utilization of existing assets and operations.
  • Infrastructure Risks are linked to the performance of people, processes, and systems that support the company's operations.
  • External Risks are associated with the environment in which the company operates or external factors beyond the company's control.

Furthermore, the CAE evaluates how efficiently risk information is shared and managed across business activities and functions, while simultaneously boosting the enterprise's ability to prevent, detect, correct, and escalate critical risk issues. By sharing risk information and coordinating the responses of the risk management functions, the CAE can reduce the cost of risk management and, as a result, improve the overall effectiveness of the organization's risk-management practices.

The Language of Growth

The risks outlined above correspond to a company's ability to meet its value and growth objectives, which are typically achieved by focusing on four areas:

  1. Revenue Growth—customer, product, or market goals.
  2. Margin—cost reduction, including restructuring of costs and provision of services and supply-chain efficiencies.
  3. Assets—asset turnover, flexibility, effectiveness, and efficiency targets; safeguarding of assets.
  4. Expectations—various expectations of stakeholders, regulators, rating agencies, banks, creditors, employees, customers, partners, and suppliers.

Risk management has traditionally focused on the protection of existing assets—for the most part, through risk avoidance and insurance. From senior management's perspective, therefore, risk management is seen as a cost to the business and, quite frankly, a potential barrier to growth. And when CAEs discuss risk, management expects such discussions to be about risk avoidance, not about taking risks that will position the company for sustained growth.

To avoid a breakdown in communication, CAEs must make every attempt to speak operating management's language and place all discussions of risk in the context of growth, profitability, and shareholder value. Risk intelligent CAEs understand their companies' value and growth objectives. They also recognize how the different types of risks, when managed ineffectively and inefficiently, can prevent an organization from realizing these objectives.

The role of the CAE, then, is to focus, integrate, and communicate the activities of internal audit and other risk management functions across the organization. Such a holistic approach will enable the company to manage the risks that are most critical. It will also help the organization to reduce the burdens of risk management and compliance, while making the most of growth opportunities.

Coming Up

In our next few columns, we will explore the role of the CAE in greater detail. Next up: the CAE and internal audit.

Eric Hespenheide serves as the global leader of the Internal Audit Services practice of Deloitte & Touche LLP. He can be reached at (313) 396-3163.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.