Professional Scepticism for Risk Managers – What does it mean?
What is meant by professional scepticism? That was the question presenter Ramesh Pillai posed at the start of a recent online IERP Tea Talk. Clarifying that the session was actually a forum for discussion, intended primarily for professional scepticism from the point of view of Risk managers and those at management level, he invited the audience to share their individual opinions of what professional scepticism entailed. Shareholders and stakeholders place a lot of value on the independence, capability and professionalism of management teams; their confidence is enhanced by management which practises professional scepticism, he said.
“Research has shown that a feature of high-performing management teams includes the exercise of professional judgement by individual members of the management team – which includes a mindset of professional scepticism,” he said. Risk managers, who are an integral part of this team, and those who are in the strategy function are also included, he added. The concept of professional scepticism developed out of the accounting profession, and later from the audit profession.
“When I was doing my chartered accounting qualification in the 1980s, we did not have a topic called ethics,” he recalled. “But we talked a lot about professional scepticism. We didn’t use the (exact) phrase but everything we did entailed professional scepticism as we know it today. That’s how accountants are trained.” But while accountants may be trained to be conservative and risk-averse, and these are some of the characteristics of professional scepticism, it does not mean that exercising professional scepticism means being conservative and risk-averse. It depends, instead, on individual interpretations of the term.
Research on the topic of professional scepticism will turn up many things that are related to the accounting/auditing professions. “If you try to research it in relation to requirements of the business or how to conduct the business or directors’ responsibilities, you will find virtually nothing there,” he said.And that is where the problem – the challenge – with professional scepticism lies. There is not enough out there to guide people about professional scepticism.It is important because regulators are talking more about it locally and internationally as well. “People don’t really understand what professional skepticism is, and they do not think it applies to them,” he said.
But professional scepticism is critical; it really cannot be overemphasised. Defining it as essentially an attitude of mind that enhances the exerciser’s ability to identify and respond to conditions that may indicate possible disconnect, he said that it essentially meant being curious and not afraid to question what is being presented and information obtained from third parties. “It’s about looking for potential disconnects,” he explained further. “Professional scepticism is your attempt at connecting the dots to make sure that you can connect the dots, and if you cannot, then it’s telling you that there is inconsistency.”
He quoted examples such as when someone says“it doesn’t add up” or “my sense of smell tells me something is wrong ” as instances of exercising professional scepticism. Urging the audience to “question if you cannot connect the dots’ ‘ he said that this was what the general idea of professional scepticism was about. “In risk management, if you’re doing your job properly, you will be exercising professional scepticism,” he stressed. However, he warned that people may become defensive when it is exercised.It was important, nevertheless – particularly from the perspective of stakeholders – for everyone to exercise professional scepticism.
This is something essential to ethics and integrity. Critical assessment is necessary. But how does professional scepticism affect risk managers, business professionals and management? Conceding that there are issues with applying professional scepticism, he said critical assessment was necessary to enable the drawing of appropriate conclusions and to adequately and professionally discharge both day-to-day and oversight responsibilities.“The board makes decisions when it comes to oversight,” he said. “Management’s responsibility with oversight is to escalate issues to the board.” This makes critical assessment necessary.
Regulators, internationally, have begun to explicitly recognise the fundamental importance of professional scepticism but adopting and applying a sceptical mindset is ultimately a personal and professional responsibility. “It is an integral part of our skillset,” he continued. “It is closely related to the fundamental concept of independence and professional judgement, and contributes to management’s quality and effectiveness.” Professional scepticism is influenced by personal behavioural traits;motivation, attitudes and ethical values;all of which therefore emphasise the importance of the individual’s background, competencies, professional education and knowledge.
“Your professional education, training and experience is critical,” he stressed. “If you learn the wrong approaches, your professional scepticism will suffer, and your credibility will be affected. You will not be able to successfully raise issues.” It is also influenced by the actions of leadership such as the CEO and heads of department, and by the culture and environment within the company. Management needs to establish requirements and guidance designed to create an environment at both corporate and management level at which management and employees can cultivate appropriate professional scepticism – but this is easier said than done.
It starts with the CEO and the management team understanding its importance, but they may be too busy to do what is required. However, from a risk perspective, this is critical. Like professional judgement, professional scepticism needs to be exercised constantly. Maintaining it helps reduce the risk of overlooking unusual circumstances, over-generalising when drawing conclusions from observations, or using inappropriate assumptions when determining the nature, extent and timing of decisions and procedures.It includes designing and implementing policies and procedures promoting an internal culture which recognises scepticism as essential in any high-performing organisation.
Urging caution when exercising professional scepticism, he said professionals should not look for disconnects, red flags or trouble, but keep their minds open to the possibility of these.“We run our enquiries and conduct our business in such a way that our enquiring mindset will help identify potential situations where disconnects may exist,” he clarified. “Don’t go around looking for the red flags; that would be wrong but when there are potential red flags, you need to be able to eliminate the possibility of it being a real disconnect.”Everything needs to be balanced; risk managers are not supposed to stop business but to safeguard, enhance and keep it safe.
Risk managers are actually an organisation’s safety net, he emphasised. Using random examples to illustrate the difficulty of applying professional scepticism, he said its proper application requires a great deal of background information. “When it comes to exercising professional scepticism, from a theoretical standpoint, it is easy,” he said. “But in order to exercise professional scepticism, you need a lot of information, and the proper access to information. This may not always be possible, and you therefore need to know what you don’t know. When you want to know what you don’t know, you have to ask a lot of questions – but you may find yourself hitting walls!”
Part of a risk professional’s skillset is people skills, and knowing how to frame questions. Get people on board, and try to make them understand what you are trying to do. If so much is expected, how then can the application of professional scepticism be evidenced? “Professional scepticism is often demonstrated in the various discussions held during the conduct of management or management committee meetings,” Ramesh pointed out. “For example, if your product development committee is having discussions on why it considers significant accounting practices to be applicable, but does not want to use them, you must ensure that you highlight your concerns and they are recorded.”
These concerns must be recorded so that there is evidence that professional scepticism was applied. If the concerns are not recorded in the minutes, he suggested sending emails referring to the matter, indicating concern, and other methods to ensure that dissent was properly documented, so as to indicate a robust process and that best practices, especially concerning minuting, were followed. “You could also allude to it in a report,” he added. “That way, it will always be documented somewhere. It shows that you have conducted yourself professionally, in accordance with any legal or regulatory requirements.”
He stressed that minutes should be prepared containing sufficient information so as to enable an experienced, competent management team member having no previous connection with the management team, to be able to understand, among other things, the significant decisions made regarding significant matters arising during the deliberations or discussions; the conclusions reached thereon; and the significant judgements made in reaching those conclusions. The disadvantage of having only physically written minutes is that these do not convey the actual atmosphere, line of questioning or urgency of the discussions.
Acknowledging that documentation can be painful and time-consuming, he pointed out nevertheless that it can help significantly improve the quality of risk management because it helps the risk management function, business professionals, the management and risk management team demonstrate how judgements and key issues are addressed, and how the management team has evaluated whether or not sufficient and appropriate evidence has been obtained. “It is not difficult to do but requires discipline and buy-in from senior management,” he said. “That is where the greatest challenge lies. It really needs to be driven by the tone from the top.”
The basis for management’s conclusion on the reasonableness of the areas of subjective judgements also needs to be properly documented because that is what professional scepticism is about. Given that professional scepticism is really a state of mind, it is not easy to fully document or capture how the management team has applied it. “You need to be totally aware of your environment and the situation. It is not simple. There is no single way to definitively document professional scepticism. Nevertheless, any form of documentation is better than nothing because it will provide some evidence of the management team’s exercise of professional scepticism.”
When it comes to risk management, he said that pragmatism takes priority. Concluding his presentation with two points, he said, “Demonstrating professional scepticism means having to observe clarity and purpose of role; leadership and proper tone from the top; consistency; an independent mind;and the wise employment of tools and techniques. To show professional scepticism, you need to have a questioning mind; be alert to anything that may indicate any misstatement due to error or fraud; and critically assess evidence. It’s also about documentation; there’s no such thing as too much documentation.”