What Should You Look For, When Auditing Risk Management?
IERP’s recent Tea Talk drew a sizeable online audience because it addressed an issue that is growing in importance in corporate circles: providing independent assurance. Speaker Ramesh Pillai, Group MD of Friday Concepts (International), shared thoughts and experiences on what risk professionals can do to add value to the risk management process and put across the risk manager’s perspective more effectively. Independent assurance for risk management through appropriate auditing is a crucial component, but many auditors were not performing the task, even though some corporate governance codes actually do require it.
Asserting that risk managers usually view things differently from internal auditors, Ramesh considered it a good thing as different perspectives and skillsets were required for the respective positions, but each could be effective in complementing the other. “Managing risk effectively benefits the whole organisation,” he said, adding that despite their titles, risk managers do not manage risks. People generally do not have a proper understanding of risk management, and tend to view it from limited perspectives. “Risk management is more than just the periodic review of a list of top risks,” he stressed. It is the effort to achieve the organisation’s objectives through appropriate risk policies and frameworks.
Because auditors and risk managers view risk management differently, auditors need to understand what risk management is about from a practical perspective. Internal audit, in its assurance role, contributes to the management of risk in a variety of ways. Companies need to determine strategy to be able to achieve objectives in the Next Normal; getting independent assurance is therefore critical. Since ERM is about achieving organisational objectives and improving the quality of decision-making, one of the things auditors should challenge is the decision-making process. This can be done if there is proper recording or documentation of processes, and identification of unsound or biased decision-taking.
Risk managers need to understand how to de-bias decision-making at management level, or they will not be able to improve the quality of decision-making of the organisation. This is especially difficult as people can make biased decisions without even realising it. There are many risks to consider, not just the ones which are confined to the risk registers. The emphasis should be on the formulation of risk management plans and their execution. These should be scrupulously tracked, executed, monitored and reported by auditors, making the role of internal audit a truly critical one. This is further complicated by the temporal and constantly changing nature of risk.
Due to this dynamism, the impact and probability of risk are apt to change as well, making it truly challenging to determine if risk is being appropriately mitigated. In this environment, the audit function provides objective assurance that risk management processes are working effectively. Assurance may also be given from different sources, such as management, external audit or independent subject matter specialists. These forms of assurance are what the board will rely on, when making decisions that affect the entire organisation. Ramesh cautioned, however, against auditors providing consultation, as this may turn out to be in conflict with providing assurance.
There are other reasons for auditing for compliance with corporate risk policies and procedures as well. One of these is assessing the organisation’s risk maturity levels. Existing standards such as ISO 31000:2018 may be used to assess these effectively. The auditor’s view should always be independent, but the approach should always be risk-based and objective-centric. It should also include the appropriate people, particularly where risks are being considered in decision-making. Making such decisions requires reliable, current information of good quality. The decisions taken should also address cognitive bias; different people have different views and biases, which can affect their assessments.
While proper documentation of all processes must be undertaken, organisations should also ensure that the desired attitude towards risk is developed in tandem. This means an appropriate organisational culture should be in place to influence the development of such attitudes. Ideally, buy-in from all key individuals should be obtained at all levels; there is a need to ensure that everyone is involved in the process. Risk professionals intending to further the risk management agenda in their respective organisations will have to equip themselves first with a comprehensive understanding of risk management and its principles.
It will also be helpful to understand and apply risk management standards such as ISO 31000 and COSO consistently. This understanding and application will have to be based on what the organisation requires from risk management, and must take into consideration how and where decisions are made, and what risks the organisation takes. Other factors to consider include what controls are in place, and if these are adequately designed. Control testing should be performed to determine if these are fit for purpose, and to obtain assurance that they are operating in the way they were intended. The organisation’s risk management maturity level can then be determined.
Results and the insights arising from them should be communicated to the relevant parties. In summary, when risk management is being audited, what is being sought is whether the organisation is applying it appropriately to its situation. This includes understanding its principles, the organisation’s needs and risks, its resources and control abilities, and whether these are operating as intended.