Assessing the Adequacy of Risk Management
Assessing the Adequacy of Risk Management
The Institute of Internal Audit has published an article that promotes the assessment of the adequacy of risk management programs using a risk frameworks, such as, ISO 31000. On the surface, there appears to be valid justification for making the case for an “audit” of risk management to provide assurance to management that the risk programs that are reasonable, effective and are designed to address the changing landscape of risks inherent in most organizations. However, let’s explore the outcomes of such an exercise to determine the value and consequences of an audit.
A brief history of COSO, or the “Committee of Sponsoring Organizations” may help put this in perspective. As a result of banking failures and financial risk taking industry and public accounting firms saw fit to create a framework for organizations to think about how to codify internal controls over financial reporting, regulatory compliance, and firm governance. The framers of COSO hoped that firms would use their framework to adopt internal controls processes to “self-adjust” as the business sought out risk and profit opportunities. COSO continues to serve as a foundation for starting a risk framework and others have followed. ISO 31000, and many other variations on this model now exist globally.
As COSO has become adopted and grown into an Enterprise Risk Framework for corporate governance the roles of risk and audit have become blurred. Audit firms were better organized and enjoyed the attention of boards of trustees. Risk professionals are only now establishing the credibility to have a place at the table. It is interesting that the formal study of risk management grew out of the field of economics yet external auditors chose not to adopt this approach of risk management. Risk managers have done no better! Risk managers have ignored until more recently the research of 19th century, decision analysis & forecasting, computer science, psychology, and work of decision making under conditions of uncertainty.
This is important only in that the call for an audit of risk management misses the point. Auditing risk management is like taking an autopsy of the patient after she has died. Yes, you can learn valuable insights but you learn only about the mistakes, errors, and inevitable missteps that will happen in any risk taking organization.
Therefore, is an assessment of risk management a valuable exercise? And the answer is, maybe, if the assessment reaches beyond the conventional concepts of audit. What does that mean? An audit or assessment is not simply a test of the existence of processes taken by an oversight function. Risk management is a process used by management to achieve reasonable assurance. Reasonable assurance of what? It depends! Assurance is conditioned on the perceived or actual risky endeavor being taken. The higher the risk the lower the level of assurance of achieving one’s goals. Management must choose among risky endeavors and decide what is the acceptable level of risk to assume and what steps must be taken to minimize those risks to an acceptable level.
To assume that an audit of risk management is focused at a department level is the missed opportunity. The role that audit and risk management could play is one of testing the assumptions that all risky endeavors include and developing tools to calibrate risk taking.
An assessment of any risk program must begin with a clearly stated set of management objectives that have been promulgated to achieve specific outcomes. Without a clear mandate from management no risk framework or assessment is credible. It would be impossible to assess a program in a vacuum but that is exactly what is suggested. Generic models based on aspirational goals are no more than a professional wish list of To Dos.
Risk management therefore is a collaborative process between senior management; risk professionals, audit and other oversight groups who must help inform the process of risk taking. Informed risk taking does not assume the elimination of risks it only anticipates both sides of the risk coin that is tossed for each risky venture.
The COSO Enterprise Risk Framework for is a great reference for senior management to begin its process of codifying risk management practice within a firm but was never implied as the only solution or approach to managing risks. COSO or any other risk framework should not become a checklist from which one simply connects steps in a process. Risk management, like competition is more dynamic and challenging which require a level of responsiveness that exceeds a static frame of reference.
The audit team is part of the risk management process as well and begs the question of who audits the auditors? The argument becomes a circular one and misses the point. The debate seems to ask the question of how do you reduce the risk of failure on one’s watch? The answer is you can’t but you can understand what failure could look like and developed a set of approaches to understand the likelihood of their occurrence. The data that could be provided by internal audit or external audit to help inform this level of decision-making has tremendous value.
As risk management evolved beyond existing frameworks for thinking about risk to operational models of risk taking the role that audit, risk and oversight plays will undoubtedly grow and evolve as well. Until then management should consider how risk and audit functions help inform which risks are taken and who must assume responsibility for managing appropriate risky events.