After working in financial management and process improvement for almost 25 years, I returned to internal auditing in 2002, thanks to a series of corporate frauds perpetrated by Enron and others, and the ensuing Sarbanes-Oxley regulatory response. As I moved back into the profession, one thing struck me immediately: How little actual management was being applied to any of the risk management that organizations claimed to be doing.
Just because a company has a robust risk management system in place doesn’t guarantee that it will actually manage risk well. There are countless examples of companies that are renowned for their world-class enterprise risk management (ERM) processes that end up on the front page of the Wall Street Journal with glaring and embarrassing examples of risk management failures.
The converse is true as well: just because a company doesn’t have a formal risk management system in place doesn’t mean that it won’t do a good job at managing risks. A good management team can mitigate risks or navigate through a realized risk without all the heat maps and risk officers if they have the right skills and knowledge. How? By focusing on the management part of risk management.
The reality is that, except within a few select industries, such as financial investments and insurance, an effective manager will effectively manage risk even without a formal risk management system in place. An ineffective or criminally bent manager will mismanage risks, as well as business operations, no matter how strong a formal risk management system is in place. Two examples from my experience support this view:
Recovering from Natural Disaster: Effective Management with No Risk Management Program
I once worked at a middle-market manufacturing and converter-distributor. The management of the company was not particularly sophisticated in the kinds of management ideas and practices that someone coming from a Fortune 500 environment would expect. I can’t remember ever hearing the terms “corporate governance” or “risk management” while I was with the company. However, the management team had one thing in common: everyone had started on the shop floor and had thorough knowledge of the business. Low barriers to entry for the industry had resulted in hundreds of smaller competitors, in addition to a primary large competitor. As a result, the experienced management team knew that missing even one order to a customer could result in losing that customer to the competition. For that reason, management had a well-established integrated mutual support strategy, which included the practice of periodically redirecting one full day of orders from each converting branch to the next closest branch.
One morning a tornado struck the industrial park where one of the regional converting branches was located, completely destroying it. Thankfully, the tornado hit before work started, so no lives were lost, but the branch was knocked out of commission. The branch manager immediately contacted the corporate vice president of operations and the corporate facilities manager, who booked tickets on the next flight to the branch. Meanwhile, the corporate IT manager quickly redirected the branch’s orders to other supporting branches. Before noon, the corporate executives were on the ground assessing the damage.
After verifying the situation with the branch manager, the VP of operations contacted leasing agents. The facilities manager assessed the condition of the machinery at the destroyed plant, directed the employees in cleaning and protecting equipment, and set up the relocation plan. By mid-afternoon, the VP of operations had leased a facility. He was able to move so quickly that he inked the lease before the commercial real estate market responded to the disaster by jacking up lease rates. In little more than a week, all equipment was relocated and set up for operation. Replacement inventory was received and the center was shipping again to its own customers. Not a single order was missed for any customer.
That was accomplished without a risk management system by a group of people who didn’t spend any time thinking about risk management, but spent a lot of time thinking about management of the operations and service to customers.
The Global Financial Crisis: Extensive Risk Management, Ineffective Management
Few industries have as comprehensive, sophisticated, and complex risk management systems as banks, brokerages, and insurance companies. The 2008 financial crisis is perhaps the most glaring example of what happens when companies have world-class, best practice systems, yet management fails to perform effectively, willfully ignores the warnings the risk management systems are sounding, or worse, chooses to engage in ethically questionable or illegal activities to support a system known to be failing. In several cases, ineffective management negated risk management in spite of:
- All the regulations covering financial reporting, corporate governance, and risk management put in place just six years earlier;
- Implementation of COSO ERM;
- Enhanced governance rules established by the Securities and Exchange Commission, the Federal Reserve Board, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, the stock exchanges, and many others; and
- The many examples of past banking and financial services failures.
In so many of these cases, poor management beat good risk management systems to produce the financial crisis.
Can We Refocus Risk Management to Improve Management?
There are many managers working in the range between those who are always effective and those who are always ineffective or criminally inclined. In spite of my statement that an effective manager will be effective even without a risk management system, an effective risk management system can support managers in that big middle range to be more effective in achieving their performance objectives. That only happens, however, if those managers are properly engaged and fully understand that an effective risk management system is not based on checklist compliance with a risk framework or complex risk management software. Instead, it is an operational tool to ensure that they and their teams are prepared to perform effectively when faced with challenges to achieving objectives. In other words, they still have to manage.
I recognize that corporate executives have a dual challenge regarding risk management. The first challenge is that they are responsible for planning, designing, implementing, managing, and monitoring the effectiveness of an enterprise-wide, high-level risk management program that is appropriate for the company they run. The second challenge is that they are responsible for effective operational management performance of the whole company. That includes effective operational management within their own functional duties and responsibilities, as well as their own compliance with the risk management system that has been established under their direction. Effective management of risk at this level includes communicating the risk management system concepts and processes throughout all levels of the organization and ensuring that all personnel understand the risk responsibilities assigned to them.
Unfortunately, meeting the first challenge has become a compliance function at too many companies, rather than a management function. The eight components of COSO ERM are implemented from a high-level corporate standpoint. Implementation success is claimed, but success in post-implementation compliance doesn’t necessarily deliver performance success. When operational risk management failures occur, deficiencies in the risk framework can include:
- Inadequate granularity of risk response: The high-level risk responses are not effectively cascaded down through the organization and linked to an actionable response that can be initiated by lower-level management.
- Control activities are mistakenly assumed to equal effective management actions: Control activities exist to ensure compliance with the system. Operational risk management effectiveness necessitates linkage with Business Process Management and general management activities.
- Inadequate information and communication: Entering the risk descriptions into risk management software, and then requiring lower-level management to read and update the computer record once a quarter, does not equal effective information and communication. Effective information and communication as part of a risk culture necessitates adopting learning company concepts such as ongoing in-depth training, participation by lower-level management and their teams in the design of response, and practicing and improving responses.
Why Should Internal Auditors Care About Risk Management Frameworks?
The easiest, but perhaps less important, answer to this question is because risk-based internal auditing and the understanding and application of risk management concepts are part of the Institute of Internal Auditors’ professional practice standards.
The more important answer from my perspective is because:
- Taking an active role in supporting your organization’s risk management program is a great way to demonstrate that internal audit understands and supports the achievement of the organization’s objectives; and
- It increases the value that you and the internal audit department have to the board and senior executives.
Why Can’t I Get a Seat at the Risk Management Table?
When I returned to the internal audit profession, another thing that struck me, in addition to how little actual managing was involved in risk management, was how little internal audit practices, methods, and technology had changed in the 25 years since I had last performed an internal audit. Risk management was one area in which I noticed very little had changed. Even though risk management had been part of the IIA Common Body of Knowledge for decades, what I saw in consulting on Sarbanes-Oxley implementation was internal audit departments in which risk management was almost completely limited to traditional audit planning risk assessment focused on auditable control risk.
Although internal audit's enterprise risk management capability has improved substantially over the last 15 years, annual state-of-the-profession studies find that corporate management’s perception of the improvement has not kept pace with the increased expectations of board members and corporate executives regarding the risk management contribution they would like to see from internal audit.
Reading professional publications, I frequently see comments from auditors stating that they should have a “seat at the table” on risk management issues and questions on why they have not been invited to participate. Based on the surveys, it appears there is still a perception that internal audit does not have the risk management skills and is not contributing to risk management in the audit activities undertaken. In some quarters, there also appears to be the perception that internal audit knows controls and compliance, but does not really understand the business.
Except for a few industries that have complex, highly technical risk management challenges, the perception that internal audit lacks risk knowledge should not exist. It is true that in some specialized environments more extensive risk management knowledge is required to audit and assess the effectiveness of risk management systems. Even in specialized, complex organizations, however, the foundational concepts of risk management are not complex. An internal audit organization that is properly applying strategic, objectives-focused, risk-based audit planning and audits should already have skills in overall risk management concepts.
Two areas of risk management that demand more attention are improving the linkage of risk responses and control activities to operational management processes and improving communication to corporate management about actual operational effectiveness of risk management. Those are areas in which internal audit should have strong skills, especially for operational audit groups. Functional executives may know more about their specific function. However, no other functional executive should know more about and better understand the interaction of risks and the linkage of risk responses to controls and management practices throughout the organization as a whole than internal audit. That qualifies internal audit for a seat at the table. If that qualification isn’t being recognized, the internal audit group has its work cut out for itself: Step up and do some selling on the contribution internal audit can make.
A recent article by Gerry Gaffney of Fractional Risk Management has some excellent insights in linking risk management and business process management (BPM): Implement Your Enterprise Risk Management (ERM) Framework Through a Business Process Management (BPM) Discipline.
Chris Corless, Senior Manager Risk and Governance at Orica, recently posted three excellent articles linking the creation of an effective risk culture and learning company concepts:
- What the heck is risk culture?
- Turning Around Risk Culture – Lessons from a Submarine Captain - Part 1
- Turning Around Risk Culture – Lessons from a Submarine Captain - Part 2
Note: This is the first in a series on changes to risk management frameworks and how companies use the frameworks to manage risk. The second article of the series will cover proposed changes in COSO ERM as they affect operational risk management and focus areas where internal audit can add value to the organization.