By Tim Leech, Managing Director, and Lauren Hanlon, Director, Risk Oversight Solutions Inc
Boards and CEOs around the world are being told repeatedly, by multiple sources, that they need to do a better job managing and overseeing risk and, most recently, ‘risk culture’.¹ Unfortunately, the current methods of providing stakeholders with assurance that risk management processes are effective are fundamentally the same methods that have been used for decades.
The 2008 global crisis is a graphic illustration of their inability to cope with an increasingly fast moving and complex world. This article is a call to boards, CEOs, law makers, regulators, investor groups and others for a major paradigm shift in risk management and assurance thinking to create and better preserve shareholder value.
Paradigm paralysis in the enterprise risk management (ERM) and internal audit communities blocks their ability to see new methods available to better meet the needs of stakeholders. This article outlines the status quo ERM and internal audit paradigms; describes why the current paradigms are blocking progress; and proposes some simple, but radically different, ideas to help boards, CEOs and ERM and internal audit specialists make the paradigm shift necessary to drive positive change.
Paradigm paralysis: ERM methods
Although there is wide variation in how companies have implemented ERM, the most common feature is the creation and maintenance of ‘risk registers’ as a foundation. The extent to which the identified risks are linked to the company’s business objectives and strategies varies greatly. Supplementing the risk registers are ‘risk heat maps’ that depict individual risks in terms of likelihood and consequence. Risk heat maps may, or may not, depict residual risk, the risk remaining after considering the risk responses/risk treatments applied to a single risk.² These risk registers are typically maintained by ERM specialists or internal audit groups, and the results are reported upwards to the board.
ERM paradigm flaws
The primary drawback of this risk-centric ERM paradigm is that it looks at risks in isolation from the company’s top value creation and value preservation objectives (see below for the authors’ definition). This approach does not allow decision makers to see the current state of residual risk linked to the achievement of the company’s most important objectives.
The risks relevant to an individual objective are not examined collectively in terms of their combined effect on the achievement of that objective. The process therefore does not produce the information needed to evaluate whether the current residual risk status is acceptable (i.e. is it within risk appetite/tolerance?).
It also creates confusion and uncertainty around who is really responsible for the risks identified, as the assigned ‘risk owners’ may not be the people responsible for achieving the linked objective(s). This risk-centric approach has also tended to focus more on value preservation objectives (e.g. ‘three lines of defence’)³ rather than a balance that puts at least equal emphasis on value creation/strategic objectives.
Another flaw is that the process is typically completed as a static annual or semi-annual exercise with a heavy compliance connotation. The risk assessment methodology used to populate the risk register and risk heat maps is often not the same assessment approach used by internal audit to complete internal audits, or the approach used by other specialist groups, such as safety, compliance, insurance, quality, etc.
It is also important to note that the dominant ERM method for identifying risks is ‘brainstorming’, based heavily on the knowledge and experience of the participants. The full range of methods available to identify significant risks is rarely used, and key risks linked to top strategic objectives are often missed.
The approach also tends to focus heavily on ‘controls’ linked to individual risks rather than considering the full range of risk responses/risk treatments available.
Another critical flaw of the current ERM paradigm is that when work units are candid and disclose very serious and material retained risk positions, the result in some companies is that the area is then scheduled for a traditional internal audit. In essence, participants are punished for being upfront and disclosing the information that is key to better decision making and a healthy risk culture.
Another significant concern is that the areas that are generally low risk from a culture perspective often do the best job of identifying and disclosing risks and residual risk status, whereas the groups and executives that represent a major cultural risk to the organisation are the least likely to candidly disclose significant risks and their true retained risk position.
The way forward: a board-driven ERM paradigm shift
Boards and CEOs need to take the time to understand the substantial differences between risk-centric and objective-centric risk management frameworks. More information on the business case for objective-centric risk management versus traditional risk-centric approaches that use risk registers as a foundation can be found online.
Require a robust, management-driven, objective-centric risk self-assessment framework that uses an objectives register as its foundation. Risk management efforts should be aligned with the top value creation and value preservation objectives to ensure optimal capital allocation. The objectives register should include the company’s top value creation and value preservation objectives; these should be defined by management and reviewed by the board, and an ‘owner/sponsor’ should be assigned to each objective.
Owner/sponsors are responsible for assessing and reporting on the state of residual risk related to each of the objectives to the CEO and the board using an ISO 31000 compliant assessment methodology (for an example of an objective-centric/ISO 31000 compliant approach see the RiskStatusline™ assessment approach shown on page 50).
Conscious decisions should be made on the target level of risk assessment rigour and independent assurance. The board should receive regular reports on the residual risk status of the objectives in the register, including the current Composite Residual Risk Status (CRRR). A sample set of definitions for CRRRs.
Require that the CEO, or his/her designate, regularly (semi-annually or quarterly) provide the board with a consolidated report on residual risk status linked to the company’s top value creation and value preservation objectives. This simple step has great potential to drive the necessary changes to the way management and all of the specialist assurance groups do their work.
Assign responsibility to ERM specialist staff to implement and maintain a robust objective-centric risk self-assessment framework. This repositions the role of risk specialists to one where their primary role is providing training, facilitating objective-centric management-driven risk self-assessments and helping the CEO produce reliable consolidated reports for the board on the residual/retained risk status of top value creation and preservation objectives.
Require annual opinions from internal audit on the effectiveness of the company’s risk management framework and on the reliability of the CEO’s consolidated report to the board on the company’s residual/retained risk status linked to top value creation/value preservation objectives.
Paradigm paralysis: internal audit
The internal audit profession is based on a core paradigm, largely unchanged since the profession began, that calls for internal auditors to audit a unit, topic, process, or other ‘audit universe’ element and form an opinion as to whether the auditor believes the ‘internal controls’ in the audit universe subject matter are ‘effective’ or ‘adequate’. From a technical perspective, this approach is called a ‘direct report audit engagement’.
Internal auditors must, of necessity, use a direct report audit approach where management has not self-assessed and made a formal representation on the state of risk. Where management has done so, internal audit can instead use an ‘attestation’ approach that reports on management’s self-assessment. Unfortunately, companies in which management completes self-assessments and reports on the state of residual risk linked to key value creation and preservation objectives are still a very small percentage of the total.
Ironically, most internal audit departments claim their audit methodology is ‘risk based’. What this means is often unclear, as their audit plans frequently do not cover the company’s top value creation/strategic objectives. Internal audit coverage, expressed as a percentage of the entire risk universe of a company, is rarely more than 10 per cent in any given year. The results of individual internal audits are reported to management, and summary reports are provided to the audit committee of the board of directors.
Internal audit paradigm flaws
The key flaw in the current internal audit paradigm is that it does not position responsibility for assessing risks, and for reporting upwards on the state of residual risk linked to the company’s most critical value creation and value preservation objectives, squarely with the people who should have primary responsibility: management. It discourages management from learning how to formally assess and report on residual risk status linked to key value creation/preservation objectives (i.e. it’s not their job to assess and report, so why do they need the skills to do it?). Internal audit coverage is usually a small percentage each year of the total risk universe and often has a heavy bias towards value preservation and financial accounting controls.
The audit plan often does not cover the company’s most important value creation/strategic objectives and is often not well integrated with the work of other assurance groups, including ERM, safety, IT security, environment, compliance, insurance and others. The traditional internal audit paradigm also puts serious political pressure on business units to put in place additional ‘internal controls’ linked to the topic audited, even when the residual risk status in other areas linked to key value creation/strategic objectives, areas not covered by internal audit, warrants more of the scarce risk treatment resources.
Our work globally suggests that only a small percentage of internal auditors today use objective-centric risk assessment methods on their audits that conform to risk assessment methods defined by the global risk management standard, ISO 31000, or COSO ERM 2004/ED 2016.
A large percentage of internal auditors report opinions on the sufficiency of internal controls, not on the full range of risk responses/risk treatments in place. This can produce seriously flawed results and opinions.
An opinion from internal audit on whether internal controls are effective, or not, is fundamentally an opinion from the internal auditors on whether they think residual risk status is acceptable to the company and the board – information the internal auditors often don’t have and decisions internal auditors aren’t authorised or trained to make.
It is important to note that the Financial Stability Board (FSB) and the Institute of Internal Auditors (IIA) are increasingly calling on internal audit groups to assess and report on all of their company’s risk management processes.⁴ When internal audit is the group with primary responsibility for completing documented risk and control assessments, this requires internal audit to report on itself, a violation of audit independence standards.
The way forward: a board/CEO-driven internal audit paradigm shift
Boards and CEOs need to call for the implementation of robust objective-centric risk self-assessment frameworks that use an objectives register as the foundation. When an objectives register is used as the foundation for ERM, it defines the roles of owner/sponsors, ERM specialists and independent assurance staff and, by definition, focusses resources on the objectives key to long-term value creation and preservation.
Require that internal audit use the company’s objectives register, not an audit universe, as the foundation for its work. Once management, with the assistance of ERM specialists, has completed the assigned risk assessments at the defined level of risk assessment rigour, internal audit completes quality assurance reviews on those objectives for which it has been designated the independent assurance provider, to achieve the target independent assurance level defined in the objectives register.
For some objectives in the objectives register the board and/or C-suite may assign other independent assurance providers. The primary goal of internal audit is to provide the board with opinions on the effectiveness of the company’s enterprise risk management processes and on the reliability of the CEO’s consolidated report to the board on residual risk status. Internal audit should also flag any areas where it believes management is accepting levels of residual risk that may be outside the CEO’s and/or the board’s risk appetite/tolerance.
Ensure the internal audit team is staffed appropriately to contribute on top value creation and value preservation objectives. This can include management rotation programmes and hiring staff from non-traditional internal audit backgrounds (i.e. from outside accounting, IT security and external audit).
A call to action — boards and CEOs need to drive paradigm shift efforts
Globally, the ERM and internal audit professions have a serious case of paradigm paralysis that is impeding their ability to help boards and CEOs meet new risk governance expectations. Boards and CEOs need to play a key role in driving a quantum paradigm shift in risk management and assurance thinking to improve risk culture. When paradigm paralysis occurs it is always worth remembering the words attributed to Albert Einstein: “Insanity: doing the same thing over and over again and expecting different results”.⁵
Expecting the internal audit and ERM methods used over the last 20 to 30 years to produce dramatically different and better results for stakeholders is poor judgement at best. The authors hope that the paradigm shift ideas in this paper will help drive the further thought leadership and development necessary to produce the quantum shift in ERM and internal audit methods that boards and CEOs need in order to meet new risk governance expectations.
About the Authors:
For more than 25 years, Tim Leech, Managing Director at Risk Oversight Solutions Inc, has helped hundreds of public and private organisations find better, more cost-effective risk management and risk oversight solutions to meet emerging expectations. His analysis of where the risk and assurance profession and public and private organisations should be headed has regularly been borne out by world events.
For more than 10 years, Lauren Hanlon, Director at Risk Oversight Solutions Inc, has helped public and private sector clients around the world execute better, more cost-effective internal audit, financial reporting, ERM and assurance frameworks.
¹ Example: see the Financial Stability Board’s Principles for an Effective Risk Appetite Framework, sent to regulators around the world.
² Note: COSO uses the term ‘risk responses’. ISO 31000, the global risk management standard, uses the term ‘risk treatments’. In both cases the term refers to the full range of ways to finance, share, transfer, mitigate, avoid and accept risk.
³ See the Office of the Superintendent of Financial Institutions’ June 2016 Guideline E-21, Operational Risk Management, for an example of a regulator endorsing ‘Three Lines of Defence’.
⁴ See the Financial Stability Board’s Principles for an Effective Risk Appetite Framework and the IIA Research Foundation’s Auditing Risk Assessment and Risk Management Processes.
⁵ Source: Albert Einstein. (n.d.). BrainyQuote.com. Retrieved 29 June 2016, from BrainyQuote.com.