
10 RISK MANAGEMENT IMPERATIVES FOR INTERNAL AUDITING


DISCLAIMER
Copyright 2009 by The Institute of Internal Auditors and its Audit Executive Center, located at 247 Maitland Avenue, Altamonte Springs, Fla. 32701-4201. All rights reserved. Published in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording, or otherwise) without prior written permission from the publisher. The IIA publishes this document for informational and educational purposes. This document is intended to provide information but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be retained.

ACKNOWLEDGMENT
The IIA would like to specifically acknowledge Richard J. Anderson, CFSA, CPA, for his extraordinary assistance in organizing and facilitating the CAE roundtable along with his work in authoring the final report. Anderson is Clinical Professor for The Center for Strategy, Execution, and Valuation and Strategic Management Lab at DePaul University. J. Christopher Svare, managing director of Partners in Communication LLC in Northbrook, Ill., was also integral to the writing process and played a key role in developing the report.

THE INSTITUTE OF INTERNAL AUDITORS


TABLE OF CONTENTS
Introduction
1. Assess the Organization's Current Processes and Capabilities
2. Coordinate With Other Risk and Control Functions
   Develop a Unified Approach
   Adopt an Enterprise View of Company Risks
   Foster or Participate in an Enterprise Risk Council
3. Participate in Summits With Key Stakeholders
4. Help the Organization Develop Near-term Strategies
5. Strengthen Top-level Communications
6. Define Internal Auditing's Role
7. Audit Risk Management Incrementally
8. Assess Audit Skills and Capabilities
9. Execute the Audit Strategy With Appropriate Reporting
10. Keep up With Evolving Practices

www.theiia.org



INTRODUCTION

Today's business environment is characterized by mounting pressures for stronger, more effective risk management. There is a sharp focus on risk oversight, considered by many observers to be the top governance issue facing corporate boards in a post-meltdown world. Audit committees are pushing for holistic risk management, stepped-up risk mitigation, and enterprisewide risk assessments. As one chief audit executive (CAE) puts it, "The audit committee has been getting piecemeal looks at risk, and now they want the full picture."

For the most part, internal auditors appear to be well aware of these pressures. In a recent IIA Global Audit Information Network (GAIN) survey, Internal Auditing's Role in Risk Management, nearly three-fourths of respondents said they see a growing need to provide their audit committee with a greater understanding of organizational risk management processes. In addition, 44 percent reported being asked by their audit committee for recommendations on how to enhance the organization's risk management process. When asked about current risk practices at their organization, more than 72 percent of respondents from Fortune 500 companies said the entity had either a formal or informal risk management program in place, and nearly two-thirds characterized their firms' practices as "informal but evolving." Collectively, these findings indicate organizational progress along the risk management maturity continuum.

In light of this apparent progress, internal auditors need to examine whether they have achieved similar gains in promoting risk management goals or providing assurance over risk management activities. This issue was raised by PricewaterhouseCoopers (PwC) in a 2007 publication titled Internal Audit 2012. At the time, PwC analysts pointed to potential "value gaps" for internal audit functions failing to keep pace with maturing risk practices. The current evidence of evolving organizational risk management maturity heightens this concern.

The question for internal auditors, simply put, is this: Have you kept up, or are you falling behind? Is there a value gap in the risk management arena that you need to address? Moreover, what are internal audit leaders doing in the area of risk management that might work well in your organization?

To explore these and other related issues, The IIA recently hosted a roundtable discussion in San Diego focusing on current risk management challenges. Attendees included CAEs from Fortune 250 organizations as well as representatives from professional service firms, The Committee of Sponsoring Organizations of the Treadway Commission, and the National Association of Corporate Directors. Several key themes emerged from the discussion, forming the basis for a series of leading internal audit practices. These 10 risk management imperatives can help CAEs better serve their organization and ensure they're keeping pace with evolving approaches to organizational risk.


1. ASSESS THE ORGANIZATION'S CURRENT PROCESSES AND CAPABILITIES


To strengthen organizational risk management, internal auditing should first conduct a detailed assessment of the organization's risk management processes, many of which might be undocumented and informal. The assessment should help build an inventory of risk processes and serve as a foundational baseline. It should also help determine the organization's ability to identify, analyze, monitor, and mitigate significant risks that could impede achievement of organizational objectives. Some key questions to consider in this evaluation:

- Is the organization taking a top-down, holistic approach to risk management that considers strategic, financial, operational, and compliance risks and is linked to your strategic and business-planning processes? Does it identify who owns major risks?
- Is the organization formalizing and building consistency among its risk management processes?
- Does the organization have a systematic way to categorize and prioritize identified threats, project their likelihood of occurrence, and estimate their potential cost?
- Are appropriate steps being taken to build or reinforce the concept of a risk culture across the organization?
- Is the organization mapping risk exposures against existing risk-mitigation measures to identify potential gaps and vulnerabilities in risk oversight to be brought to the attention of senior management and the board?
- Is the organization taking a portfolio approach to risk management? Does it take into account potentially significant variations in risk management processes across business units and within functions?
- Does the organization have an ongoing, sustainable process in place to identify and track emerging risks?
- Is the organization appropriately assessing its exposure to any high-impact, low-probability risks, such as pandemic or systemic risks, that could pose a major organizational threat?
- Has the organization established communication protocols and procedures to share risk information on an enterprisewide basis?
- Does the organization identify upside risk potential and share these insights with management and the board?

In The IIA's August 2009 survey of risk management practices, 68.8 percent of respondents indicated that internal audit activities conducted organizationwide risk assessments at their organization.

2. COORDINATE WITH OTHER RISK AND CONTROL FUNCTIONS


Look for opportunities to partner with other risk and control functions while maintaining your functional independence and objectivity. For example, consider involving other risk and control functions in the assessment of risk management processes recommended in Imperative No. 1. Also consider how the functions can collaborate on an enterprisewide assessment of risk management processes. Roundtable participants agreed that most organizations would benefit from a common, single risk assessment developed by internal auditing in concert with other governance, risk, and control (GRC) functions, in addition to a single risk profile. It's also important to establish communication protocols and procedures to share risk knowledge and information on an enterprisewide basis.

DEVELOP A UNIFIED APPROACH


Roundtable participants cited the lack of a common risk language and uniform risk management processes and methodologies as a significant obstacle to effective enterprise risk management (ERM). One CAE said an organization that lacks a single approach to risk management has a great opportunity to establish a common language and taxonomy for risk and risk elements. The CAE also suggested that internal auditors, risk managers, and other control leaders should develop and leverage common risk assessment methodologies and databases to enhance their overall effectiveness.


ADOPT AN ENTERPRISE VIEW OF COMPANY RISKS


Only by taking an enterprisewide approach to risk management can an organization effectively address the type of "silo" risk management behavior that contributed to the meltdown of so many financial services companies in recent years. Too often, organizations manage their risks on either a functional or line-of-business basis with insufficient oversight from an enterprisewide perspective. CAEs should coordinate and collaborate with their counterparts in finance and risk management to address silo issues and develop an effective ERM framework.

FOSTER OR PARTICIPATE IN AN ENTERPRISE RISK COUNCIL


About a third of roundtable participants reported that their organization had some type of enterprise risk council comprising members of management. Such groups tend to meet quarterly and track 10 to 12 major risks. The councils provide "a coordinated approach to strengthening risk management," said one roundtable CAE, adding that they "help you cover your bases." Another CAE's organization instituted a risk council to achieve a common approach to risk management across the company after noting significant dissimilarities in the way various lines of business and functions were approaching the risk management process.

What are the key success factors for such councils? The CAE of a major national retailer said it's important that the council reflect a diverse set of inputs and perspectives. "An IT person will have a different vantage point than a line-of-business head," she said, adding that one never knows which council members will provide the most valuable insight. For example, the retailer's head of corporate communications is one of the top contributors to the company's Enterprise Risk Council, particularly with regard to issues surrounding reputational risk. It's also important to keep council members interested and participating, and to show them how they're helping the organization, said the CAE, who regularly shares articles and insights with council members to keep them engaged.

In organizations currently without a risk council, internal auditing has an opportunity to serve as the catalyst for the formation of one. CAEs can advise management on the potential benefits of risk councils as well as leading operating practices.


3. PARTICIPATE IN SUMMITS WITH KEY STAKEHOLDERS


To many observers, risk oversight is the No. 1 priority for directors and management alike in today's post-meltdown business environment. It's critical for CAEs to facilitate in-depth discussions with senior management and directors about risk management issues and priorities to ensure that internal auditing and other key risk players understand their chief stakeholders' expectations. Ideally, such an effort would be conducted jointly by internal auditing and any other key risk and control players, such as the chief risk officer, in addition to senior financial officers. Plan to brief members of the audit committee and senior management on a regular basis, and consider holding a series of educational seminars with directors to provide an ongoing vehicle for two-way communication on this essential topic.

4. HELP THE ORGANIZATION DEVELOP NEAR-TERM STRATEGIES


After assessing current risk management processes and revisiting stakeholder expectations, try to facilitate the development of near-term organizational risk management strategies. Discussions at the roundtable point to the benefits of organizations taking a step-by-step approach to risk management. Accordingly, facilitate a plan to achieve the organization's next step in terms of risk management maturity, as opposed to the final stage in the developmental process. Although internal auditing should refrain from any decision-making role in the development of risk management strategies, the CAE can serve as a valuable adviser to both senior management and the board of directors. If your organization lacks an ERM strategy, suggest options for consideration. Scope out the benefits of a step-by-step approach to ERM and suggest what these steps might be. Also consider delineating the roles of the various risk and control functions relative to risk management.


5. STRENGTHEN TOP-LEVEL COMMUNICATIONS


As the organization steps up its focus on risk management, keep executive management and the audit committee well informed of the organization's progress and strategic direction. Explore how to enhance risk reporting to the committee and seek to make risk considerations a central discussion item on the audit committee's agenda. Encourage the audit committee and executive management to take a fresh look at the organization's risk appetite and risk tolerances. Roundtable participants agreed that risk appetites and tolerances are difficult topics for both management and directors to address, creating an opportunity for internal auditors to assist and serve as strategic advisers in these areas. As part of the process, suggest that the board of directors and executive management meet as a group to test how they would respond to various "what-if" risk management scenarios. Recognize that new members of the audit committee can serve as positive catalysts for change; encourage their input. At the same time, develop tactics to overcome obstacles to effective reporting, such as members of the audit committee with narrow viewpoints.

CONSIDER A CEO/CAE PARTNERSHIP TO ENSURE A HOLISTIC VIEW OF RISK


One roundtable participant, the CAE of a major retailer, is partnering with the company's CEO to present a shared view of risk that combines the CEO's top-down view of risk with the CAE's bottom-up risk assessment. In the partnership, the CEO, who also serves as the company's chief risk officer, articulates the big risks and tells the CAE what the board is doing. In turn, the CAE gives the CEO "the straight scoop" about line-of-business activities and indicates where the CEO might be receiving misleading information. The CAE also assures the CEO that internal auditing's presentations to the audit committee and board of directors reflect the CEO's thinking.


6. DEFINE INTERNAL AUDITING'S ROLE


After facilitating a strategic reassessment of the organization's approach to risk, work with chief stakeholders to develop an appropriate role and strategy for internal auditing related to risk management. If the organization's risk management processes are in the developmental stage, internal auditing might prefer to adopt a consulting role. Conversely, if risk management processes are developed sufficiently to audit, then internal auditing can play an assurance role. Practitioners should recognize that internal auditing's role will likely evolve along with the organization's risk management processes. Discussions with internal auditing's chief stakeholders are also an opportunity for the CAE to review both the near- and longer-term roles for the audit function as well as the value it can deliver at different stages of risk management maturity. At the end of this discussion process, all parties involved must share a clear understanding of what is expected of internal auditing and agree on the anticipated value to be delivered by the function. Internal auditing should also consider revising its charter to reflect its updated role and value proposition, and it should clarify with stakeholders any limitations of audit independence. For further insight, consult The Role of Internal Auditing in Enterprise-wide Risk Management, an IIA position paper issued in January 2009, available at www.theiia.org/guidance/standards-and-guidance.


ERM AT MIDMARKET COMPANIES


By David Landsittel, Chairman, The Committee of Sponsoring Organizations of the Treadway Commission, and San Diego Roundtable Participant

For years, internal auditors have been playing key roles in the implementation and management of enterprise risk management (ERM) processes at midmarket companies. For reasons of efficiency and resource management, internal auditing's focus has been on the development of processes related to ERM as opposed to the establishment of a separate ERM function. Not surprisingly, internal auditors have been taking the lead on ERM process development for midmarket companies.

Given the extent of their work in compliance and operational auditing, internal auditors tend to develop a solid understanding of the businesses they serve from an enterprisewide perspective. In addition, internal auditors often have the organizational contacts and relationships needed to jump-start ERM process implementation. Most importantly, however, the skill sets and competencies needed to succeed in internal auditing correlate strongly with those needed for ERM implementation and management. In other words, internal auditors:

- Have the training and experience necessary to evaluate business processes, starting with those integral to the maintenance of a sound system of internal controls and extending to those involved with the evaluation of operational processes.
- Are well-equipped to identify and assess risks, tasks at the heart of traditional internal control auditing activities.
- Have, in their traditional roles, been instrumental in the formulation of recommendations to address and mitigate identified risks.

Finally, the active involvement of internal auditing in ERM adds assurance that there will be appropriate correlation between the high-priority risks identified through ERM measures and the annual planning of the internal audit function. That is, the risk-driven allocation of internal audit resources to compliance and operational project alternatives will more likely be correlated with those ERM-driven risks that are assessed as the most important to the organization.


KEY SUGGESTION:
Evaluate management's risk management processes and maturity levels as part of your annual audit plan. Recent survey data confirm that risk management practices are continuing to evolve in most organizations. Accordingly, internal auditing needs to re-assess management's risk management processes and maturity periodically and revise the annual audit plan appropriately. As risk management processes mature and become more formal, internal auditing should increase its assurance coverage of them. Changes to the audit plan will also require internal auditing to consider the skills and tools it needs to keep pace with these maturing processes.

7. AUDIT RISK MANAGEMENT INCREMENTALLY


Roundtable CAEs spoke enthusiastically about the benefits of taking a step-by-step approach to auditing risk management. "You can't audit all of your company's ERM activities, but you can evaluate parts of them and look at how they get their data," said one CAE. "Bite off manageable chunks; audit risks in a given area," said another. "Don't try to be world-class all at once," said a third CAE.

When it comes to setting priorities, audit committees and executive management want internal auditing to concentrate on areas posing the greatest risks, those that could impact achievement of major corporate objectives. "Make sure to identify and monitor key strategic, operational, and business risks," advised one roundtable CAE. Another recommended singling out the three to five risks that could destroy the organization, including the types of high-impact, low-probability risks that contributed to the subprime mortgage crisis. Other suggestions offered by the roundtable CAEs include:

- Keep in mind factors of vulnerability, speed of impact, and level of loss.
- Assess the degree of uncertainty for each major risk.
- List planned or completed audits related to each major risk.
- Consider risk factors identified in the company's 10-K report.


8. ASSESS AUDIT SKILLS AND CAPABILITIES


One of the challenges facing internal auditors seeking to expand their scope of risk management activities is the perception that risk management is beyond the scope and capabilities of internal auditing. "Many auditors think 'control first' and lack an adequate business perspective," said one roundtable CAE. "Internal auditing needs to provide value beyond compliance, and it's hard to add value when you've been focusing on Sarbanes-Oxley," said another.

As an organization's risk management capabilities increase, there needs to be a corresponding increase in the capabilities internal auditing can provide to the organization. In today's business world, internal auditors are being asked to identify and correlate risks across multiple lines of business and functions. They are also being asked to examine complex financial transactions and to make presentations to executive management and the audit committee. And when an organization's risk management capabilities have reached a sufficient level of maturity, internal auditors are being asked to provide assurance on ERM business processes.

The perception that risk management is beyond the scope of internal auditing is the most significant challenge to an effective review of risk management, according to the GAIN survey on internal auditing's role in risk management. Respondents also cited internal auditors' lack of knowledge about risk management practices and techniques as a significant handicap. The top skill needed to assess risk management processes effectively is business and industry knowledge, according to the survey, followed by risk management expertise and good communication and facilitation skills. In terms of business and industry knowledge, the survey results indicate it is particularly important to have a solid grasp of an organization's risk history, risk and control landscape, and risk appetite, in addition to its mission, strategic plan, and business drivers.


To meet heightened stakeholder expectations, CAEs need to conduct a critical assessment of their staff capabilities and resources. Important questions to consider include:

- Do you have the skills, expertise, and business knowledge needed to achieve your short- and longer-term objectives?
- If your organization has advanced risk management capabilities, can you provide assurance over risk management activities?
- Do you need third-party assistance to secure access to the actuaries, subject-matter experts, and specialists required to interact effectively with senior management and the audit committee?
- Do you have an adequate budget?

With the insights gained from such introspection, CAEs will be better able to address any gaps they discover between stakeholder demands on internal auditing and their ability to deliver on these demands.


9. EXECUTE THE AUDIT STRATEGY WITH APPROPRIATE REPORTING


Effective reporting is central to successful internal auditing and risk management. Determine the type of reporting that best suits your particular internal audit function. For organizations with more formal or maturing risk management processes, it might be appropriate to perform audits and then issue assurance reports. For organizations that are just developing risk processes, internal auditing might play a more consultative role and issue consulting reports. If the organization has yet to produce any risk reports, internal auditing should consider other types of reporting that could provide management and directors with important updates on the organization's risk profile or other risk-related changes. Auditors should also consider providing the audit committee with periodic updates on the implementation of management's risk management strategy. Responses from The IIA's GAIN survey of risk management also support a variety of reporting approaches:

- 32.9% of survey respondents provide assurance on the risk management process through written reports.
- 43% provide written assurances that risks are correctly identified.
- 35.4% provide consulting reports to improve or implement the risk management process.
- 55.7% provide assurance through written reports on the management of key risks.

During the roundtable event, CAEs discussed the various ways they report on their auditing of risk management. Most indicated that they are auditing and reporting on one aspect of risk management at a time as opposed to performing a single, organizationwide audit and producing a report covering all of the enterprise's risk management processes. For example, at one roundtable CAE's organization, the internal audit function is currently reporting on the organization's risk responses and next year plans to review risk identification. At another CAE's company, internal auditing is prompting audits of individual risk functions, such as environmental health and safety, and issuing reports on that basis. CAEs also discussed the need to specify carefully the scope of their audits and resulting reports so as not to mislead readers into reaching conclusions that are more broadly based than is warranted by the scope of the work performed.

Periodic reporting on risk to executive management and the audit committee was also a topic of discussion at the roundtable. Two common areas of focus for such reports, which are generally produced on a quarterly basis, are emerging risks and changes in the organization's risk profile.


10. KEEP UP WITH EVOLVING PRACTICES


As risk management practices and processes continue to evolve, it's important for CAEs to keep abreast of relevant internal audit practices and to ensure the organization benefits from their up-to-date insights and perspectives. For example, credit rating agency Standard & Poor's has begun to include ERM assessments in its ratings of nonfinancial companies (see "Seven ERM Questions From Standard & Poor's" below). In addition, the National Association of Corporate Directors, The Committee of Sponsoring Organizations of the Treadway Commission, and other leading organizations are producing numerous studies and papers focusing on risk management practices that offer useful information and insights for internal auditors. To monitor changes in risk management relevant to your organization:

- Periodically search the Internet for new reports and studies on risk management.
- Ensure that you are receiving information from The IIA, professional services firms, and other key sources on the subject of risk management.
- Strengthen your organizational processes and capabilities to share risk management knowledge across the enterprise with key decision-makers.
- Consider designating a risk management knowledge leader within internal auditing who would acquire and distribute current risk management information and insights.

CAEs are also advised to work with their chief stakeholders and other players in risk management to revisit organizational risk management practices and related internal audit strategies on a regular basis (quarterly, if possible). In doing so, CAEs should keep in mind the need to:

- Conduct ongoing risk assessments.
- Recognize change as it's occurring.
- Monitor emerging risks across the enterprise.
- Maintain an incremental, step-by-step approach to ERM implementation.
- Keep executive management and directors aware of continuing developments in risk management.

SEVEN ERM QUESTIONS FROM STANDARD & POOR'S


In May 2008, credit rating agency Standard & Poor's (S&P) announced plans to include enterprise risk management (ERM) assessments in ratings of nonfinancial companies. In the third quarter of 2008, S&P analysts began to incorporate specific ERM discussions into meetings with companies rated by the agency. The following questions provide the basis for these discussions and may be useful to internal auditors in assessing the state of their organization's risk management processes.

1. What are the company's top risks, how big are they, and how often are they likely to occur? How often is the list of top risks updated?
2. What is management doing about top risks?
3. What size quarterly operating or cash loss has management and the board agreed is tolerable?
4. Describe the staff responsible for risk management programs and their place in the organization chart. How do you measure the success of risk management activities?
5. How would a loss from a key risk affect top-management incentive compensation and planning/budgeting?
6. What discussions about risk management have taken place at the board level or among top management when strategic decisions were made in the past?
7. Give an example of how your company responded to a recent surprise in your industry. How did the surprise affect your company differently than others?


GLOBAL HEADQUARTERS: 247 Maitland Avenue, Altamonte Springs, FL 32701-4201, www.theiia.org

09/09458/RS/JP
