It is well known that risks must be evaluated and managed, but how do you audit risk management in organisations in a way that is now considered best practice? This was the theme of the well-conducted half-day masterclass seminar held by Mr. John Chesshire*.
The purpose of the course was to equip internal auditors with the right competencies, framework and tools to perform an internal audit of risk management practices in organisations.
In this article we explain the main «building blocks» of what is considered best practice, for IIA members and others who did not have the opportunity to take part in this well-conducted and very relevant seminar.
Risk Management Components – a few terms and definitions
Risk is defined by the IIA as «the positive or negative effect of uncertainty on objectives», thus having both positive and negative outcomes in mind.
Risk management is defined as a «process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives».
Standard 9.1 in the Internal Audit standards states that in order to «develop an effective internal audit strategy and plan, the chief audit executive must understand the organization’s governance, risk management, and control processes».
To understand risk management and control processes, the chief audit executive must «consider how the organization identifies and assesses significant risks and selects appropriate control processes».
COSO, ISO and IRM all provide well-known and relevant guidelines and frameworks for how risk management can and should be conducted in organisations, as illustrated in the picture below:

Risk Management Components – relevant questions
Questions that organisations should ask themselves with respect to risk management include the following:
- Are we employing an established risk management framework or process?
- Have we adapted it for our context, or have we got our own bespoke approach?
- Do we have a common risk language or taxonomy across the organisation?
- Is risk management properly integrated with strategy, planning and performance?
- Are risk management roles, responsibilities and the three lines understood?
- Is risk management (really) part of the organisation’s culture and ways of working?
- Have managers and team members been equipped to identify and manage risk?
A well-identified and well-described risk should be clear and written in plain language with no or few acronyms, so that it is easy for anyone in the organisation to understand what is meant. The purpose is to promote a common understanding of, and response to, the relevant risk issues. The main cause(s) and main effect(s) of the events should be explained, and appropriate controls and actions to mitigate the risk should be designed and put in place.
A 6 x 5 risk matrix (six likelihood levels by five impact levels) with risk scores from 1 to 30 makes it possible to divide the risk levels into 3 equal brackets of 10 each in terms of risk severity, with the assigned colours green, yellow and red:

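The scoring rule above is simple enough to implement, and doing so exposes a detail the matrix picture does not show. The following is an added example, not code from the seminar or the article: it scores a risk as likelihood (1 to 6) times impact (1 to 5), maps the 1 to 30 result onto the three colour brackets of 10, and lists the risks in a register that sit above a chosen appetite threshold so they can be escalated. The register entries, the appetite threshold and the function names are constructed for illustration.

```python
"""Risk-matrix scoring and appetite check for a small risk register.

Added example (not from the seminar or the article). Implements the 6 x 5 matrix:
score = likelihood (1..6) x impact (1..5), giving 1..30, split into three
brackets of 10: green (1-10), yellow (11-20), red (21-30).
"""
from dataclasses import dataclass

LIKELIHOOD_LEVELS = 6   # rows of the matrix
IMPACT_LEVELS = 5       # columns of the matrix
BRACKET_WIDTH = 10      # three equal brackets over 1..30
COLOURS = ("green", "yellow", "red")


@dataclass(frozen=True)
class Risk:
    ref: str
    description: str    # plain-language wording, as the article recommends
    likelihood: int     # 1..6
    impact: int         # 1..5


def score(likelihood: int, impact: int) -> int:
    """Return likelihood x impact after checking both lie on the matrix."""
    if not 1 <= likelihood <= LIKELIHOOD_LEVELS:
        raise ValueError(f"likelihood must be 1..{LIKELIHOOD_LEVELS}, got {likelihood}")
    if not 1 <= impact <= IMPACT_LEVELS:
        raise ValueError(f"impact must be 1..{IMPACT_LEVELS}, got {impact}")
    return likelihood * impact


def bracket(risk_score: int) -> str:
    """Map a score in 1..30 to green / yellow / red (brackets of 10)."""
    if not 1 <= risk_score <= LIKELIHOOD_LEVELS * IMPACT_LEVELS:
        raise ValueError(f"score out of range: {risk_score}")
    return COLOURS[(risk_score - 1) // BRACKET_WIDTH]


def matrix() -> list:
    """Full colour grid: matrix()[likelihood-1][impact-1]."""
    return [[bracket(score(lik, imp)) for imp in range(1, IMPACT_LEVELS + 1)]
            for lik in range(1, LIKELIHOOD_LEVELS + 1)]


def attainable_scores() -> list:
    """Scores that can actually occur. Because the score is a product of two
    small integers, many values in 1..30 (11, 13, 17, ...) never appear."""
    return sorted({score(lik, imp)
                   for lik in range(1, LIKELIHOOD_LEVELS + 1)
                   for imp in range(1, IMPACT_LEVELS + 1)})


def exceeding_appetite(register, appetite_max_score: int) -> list:
    """Risks scoring above the appetite threshold, highest first (escalation list)."""
    above = [r for r in register if score(r.likelihood, r.impact) > appetite_max_score]
    return sorted(above, key=lambda r: score(r.likelihood, r.impact), reverse=True)


# Constructed sample register (hypothetical risks, not from the article).
SAMPLE_REGISTER = [
    Risk("R1", "Late delivery of the annual report", 2, 3),          # 6  -> green
    Risk("R2", "Loss of a key supplier", 5, 4),                       # 20 -> yellow
    Risk("R3", "Ransomware outage of core finance systems", 6, 5),    # 30 -> red
    Risk("R4", "Staff turnover in the treasury team", 4, 3),          # 12 -> yellow
]

if __name__ == "__main__":
    # Appetite expressed as the highest score management will tolerate without escalation.
    for r in exceeding_appetite(SAMPLE_REGISTER, appetite_max_score=10):
        s = score(r.likelihood, r.impact)
        print(f"{r.ref} {s:>2} {bracket(s):<6} {r.description}")
    print("attainable scores:", attainable_scores())
```

Two things worth noticing when auditing a scoring system like this (the article's question "Is the risk scoring system logical and effective in practice?"): the three brackets are equal in width but not in how many cells of the matrix fall into them, and only 17 of the 30 nominal scores can occur at all, so a bracket boundary such as "11 and above" is really "12 and above". An auditor checking that risks have been classified consistently with the stated appetite can recompute the colours from the recorded likelihood and impact exactly as `matrix()` does, rather than trusting the colour recorded in the register.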
What is meant by the term «risk appetite» and how should it influence the work of the internal audit function?
Risk appetite comes down to how much of what sort of risk an organisation or an individual is allowed to take.
Chartered Institute of Internal Auditors: «The level of risk that is acceptable to the board or management. This may be set in relation to the organisation as a whole, for different groups of risks or at an individual risk level».
Institute of Internal Auditors (Standards, Glossary): «The types and amount of risk that an organization is willing to accept in the pursuit of its strategies and objectives».
The purpose is simple: if managers are running the organisation with insufficient guidance on the levels of risk that are legitimate for them to take, or are not seizing important opportunities because they perceive that taking on additional risk is discouraged, then business performance will not be maximised and business opportunities will not be taken.
This means that risk should be quantified with respect to the financial outcome and the effect on the capital of the organisation.
An organisation constantly erring on the side of caution (or one that has a risk averse culture) is one that is likely to stifle creativity and is not necessarily encouraging innovation, nor seeking or exploiting opportunities, according to Mr. Chesshire.
Internal audit shall not be responsible for setting the organisation’s risk appetite but should assess whether the risk appetite has been established and reviewed through active involvement of the board and executive management. It should assess whether risk appetite is embedded within activities, limits and reporting of the organisation.
When evaluating the effectiveness of risk management, internal audit must consider the organisation’s appetite for taking, accepting and tolerating risks through the definition of its risk appetite.
There are techniques available to measure the changes in business performance, such as key performance indicators (KPIs) – for example, increase in sales in retail, or passenger numbers in the airline industry.
These have been further developed into key risk indicators (KRIs). KRIs are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise.

The risk responses and types of controls or treatment options normally constitute the following:

Examples of good questions that the internal auditors should ask are the following:
- Are risks clearly and simply described? If not, why not?
- Are there any clear and obvious gaps in identified risks? If so, why?
- How frequently are risks reviewed, and emerging risks considered? By whom?
- Is the risk scoring system logical and effective in practice?
- Do we use key risk indicators? Are they effective? If we don’t use them, how do we get systematic, early warning of the increasing probability of risks arising?
- Is well-considered risk-taking, within appetite, encouraged? By whom?
- Does internal audit identify and manage its own risks well – leading by example?
- How has the organisation determined its risk appetite(s) and how is this communicated and applied consistently?
- How is risk appetite applied in decision-making?
- How are the design and implementation of controls aligned with the risk appetite, as well as the organisation’s capacity to absorb and take risks?
- How effective and timely is the organisation’s risk management information system for tracking, reporting and escalating risks that could exceed the organisation’s risk appetite?
- Are risk appetite levels reviewed and amended as circumstances change?
In a more risk mature organisation, effective internal auditing of risk management should be providing the board, senior management and other key stakeholders with the assurance that they need over three areas:
1. Risk management processes, both their design and how well they are working
2. Management of those risks classified as ‘key’, including the effectiveness of the controls and other responses to them
3. That recording, reporting and classification of risks is appropriate, accurate and in line with any established risk appetite level(s)
An approach to auditing Risk Management can thus be illustrated as follows:

It should also be useful in establishing a basis for planning and priority setting for future work plans and for peer review and/or benchmarking, both within and between organisations (bilaterally or multilaterally).
Further questions that the Internal Audit function could usefully ask as part of an internal audit of risk management, considering the ‘policies’ component include:
- Does a formal risk policy exist, and is it documented, endorsed by the head of the organisation, clearly communicated, readily available to all staff and subject to regular review?
- Is it part of a broader risk management framework?
- Is the risk management policy (or policies) integrated with established policies for other key business activities (e.g. planning, budget management, delivery etc.)?
- Is a common definition or taxonomy of risks, and of how they should be managed, clearly communicated and adopted by all staff throughout the organisation?
- Are they setting the criteria for acceptable and/or unacceptable risk?
- Are they establishing the criteria/arrangements for escalation of consideration of risks at various levels in the team, division, department etc.?
- Is well-managed risk taking encouraged to help seize opportunities and support effective innovation?
- Do senior managers understand and take responsibility for the management of risk in their areas?
- Are they proactive in driving a culture embracing well-managed risk taking?
A value-adding approach to auditing risk culture
The Institute of Risk Management (IRM) identifies eight aspects of risk culture, grouped into four themes, as key indicators of the ‘health’ of a risk culture, aligned to an organisation’s business model. This is illustrated in the figure below, which can be applied as a framework to ensure that a risk management audit takes all important aspects into consideration:

Diagnosis can be by means of a simple questionnaire considering the aspects above or by way of structured interview techniques.
A gap analysis will provide pointers to areas of strength and weakness and hence ensure that prioritisation and focus is being brought to the most relevant set of issues.
*John Chesshire – CFIIA, QIAL, CRMA, CIA and CISA, owner of JC Audit Training Ltd, who held the seminar at IIA Norway on March 2nd. Mr. Chesshire has recently acted as Chief Assurance Officer in the States of Guernsey and previously in the UK Government. He is also an independent Member of the Audit Committee of the Ministry of Defence of Ukraine, Audit & Risk Committee Member at WaterAid, Independent Audit Committee Chair at the London Borough of Hillingdon, and Audit Committee Member at Cotswold District Council.