Every profession changes with time. Advances in technology, new information needs, and growing expectations drive improvement. Internal audit is no different. Over the last two decades, the assessment and use of risk information has improved the value we deliver. Yet as great analysts, internal auditors in many ways have gone too far with risk. We have become experts in activity risk analysis, while spending little time on understanding the few risk factors that increase overall exposure to any risk.
Most risk assessment technologies today focus on likelihood and impact, in accordance with our expertise at activity- and process-level risk analysis. Yet risk and the organization’s objectives “at risk” are much more complicated than a detailed analysis of a single event. The International Organization for Standardization’s ISO 31000: Risk Management defines risk as “the effect of uncertainty on objectives.” So while our process-level risk analysis skills may be sharp, they may also be irrelevant — until we understand where uncertainty begins to impact objectives. This is where risk factors come in.
Getting familiar with important risk factors primarily involves understanding the organizational objectives, structure, and mechanisms management has put in place to be successful. Uncertainty, or exposure to any risk, begins with poorly defined objectives, inadequate organizational design, and informal oversight. Imagine a battlefield where an army is preparing for war. What information would be of most value to the general? Will analysis about the velocity and impact potential of each weapon be most valuable? Or will the general’s interest focus more on how communications are working and whether objectives have been received, and strengths and weaknesses evaluated, in the areas of leadership, training, and technology? Understanding the latter, strengths and exposures, provides a grasp of the most important risk factors — those the general will care about most.
Mastering risk factor observations requires the auditor to have a big-picture perspective and to know how organizations grow and develop over time. How are objectives defined and communicated? What oversight is in place at each level of the organization? How effectively are people, processes, and technology aligned around a particular objective? When approaching risk this way, it can place us uncomfortably close to second-guessing management decisions. However, using risk factors is not about doing management’s job — it is about describing the strengths and exposures within the organization; it involves comparing structures, objectives, and progress against expectations, formality, and industry standards.
It is always more comfortable to keep things as they are. Yet everything is always changing. Tackling risk factors is an important strategic concern for internal audit functions — and a change in focus that all practitioners need to consider. It is a way to create and preserve the important value we bring to our organizations.