Most internal auditors have some experience identifying and assessing risks. They are taught to ask questions of management or themselves, such as “What can go wrong?” and “What keeps you up at night?” These are good questions to ask, but they do not get to the full spectrum of risks that affect an organization. As stakeholder expectations continue to rise, auditors who want to be seen as a strategic asset must start thinking like management and recognize that not all aspects of risk relate to negative events and outcomes.
ISO 31000:2009, Risk Management — Principles and Guidelines defines risk simply as the “effect of uncertainty on objectives.” Enterprise Risk Management: Achieving and Sustaining Success, published by The IIA Research Foundation, expands on that definition by stating that risk is “the aggregate effect of uncertain events and outcomes on the achievement of objectives.” That means that an organization’s objectives are affected by uncertain events (which may be good or bad), with uncertain outcomes (which may be desirable or undesirable), causing uncertain effects on the objectives (which may be favorable or unfavorable).
Therefore, when thinking about risk, one needs to understand that risk can have both positive and negative effects. Positive and negative effects represent opposite sides of the same coin. Internal auditors should not limit themselves to focusing on only the negative side of the coin.
Internal Audit’s Mission
Each internal audit function has its own charter, and many functions have articulated a unique mission, as well. The International Professional Practices Framework (IPPF) currently is undergoing revisions, which will be released later this year. One key element of the updated IPPF will be the addition of a mission for internal auditing. While the wording of that mission has yet to be finalized, it is expected to emphasize that internal auditing should enhance and protect organizational value.
Protecting organizational value is consistent with most current assurance activities; that is, organizational value is protected when internal audit provides assurance that risks are managed to an acceptable level, controls are operating effectively, and the organization is complying with laws and regulations. Although this type of assurance will continue to be valuable, it focuses primarily on the negative consequences of risk.
However, as the mission implies, internal audit can do more than just provide assurance related to the downside of risk. The “enhance” part of the new IPPF mission indicates that internal auditors are in a position to provide assurance and advice that support the long-term value-creation process. This doesn’t mean internal auditors are making management decisions, such as approving the launch of a new product, changing product pricing, or expanding into new markets. Rather, internal audit can enhance organizational value by helping management feel confident in taking on more risk. This gets to the upside of risk embodied in ISO 31000’s definition of risk.
Taking on More Risk
In addition to asking the question, “What can go wrong that can stop us from achieving our objectives?” it’s important to ask, “What needs to go right to help us achieve our objectives?” There are many different ways internal auditors can support the key strategic decisions made by management. For example, assurance and advice can help give management confidence that:
- Processes can be expanded or modified to support the production of a new product.
- Market information is current and accurate to support pricing decisions.
- Understanding of anti-corruption and sovereign risks is sufficient, and compliance training and awareness are adequate to support market expansion into a new country.
- The upside and downside risks related to a potential acquisition are appropriately understood and considered in the go/no-go decision.
- Consumer data is adequate to identify shifting consumer patterns, thus supporting key marketing decisions.
- Digital marketing capabilities are sufficient to expand ways in which the organization reaches out to existing and new customers.
- Reports relied on to drive major plant outage and maintenance decisions are accurate, relevant, and timely.
The shift in risk mind-set to expand risk assessment and audit planning to include both upside and downside risks creates many new opportunities for internal audit projects, but also makes the project-prioritization process more complex. Instead of just focusing on projects designed to evaluate whether residual risk is reduced to an acceptable level, other value considerations must be examined, such as whether a project can increase earnings, enhance cash flow, improve the organization’s brand or reputation, enhance customer relations, and support the strategic direction of the organization or a particular business segment.
Granted, it is difficult to measure the potential value created — it’s more art than science. But the same can be said about measuring the residual risk remaining after the organization has applied controls or other risk mitigation activities.
When deciding which projects to execute, internal audit leaders must consider the “value bet” for each project. This bet should consider the possible ways the project can help protect existing value as well as enhance or enable future value creation. Striking the right balance between the two requires discussion and agreement with the audit committee and management. But a good approach to making value bets, and then assessing the value derived after the project is completed, should satisfy the needs and expectations of both the audit committee and management.
Accelerating Organizational Success
The famous race car driver Mario Andretti once remarked that brakes aren’t for slowing you down, but rather are for allowing you to go faster. That sentiment applies to internal auditing, as well. Assurance and advice designed to focus on mitigating the downside of risk are still important, but they only tell management it can tap the brakes when needed. When internal audit also helps management embrace the upside of risk and understand where it can go faster — and how much faster — organizational success can be accelerated.
Striking a healthy balance in the audit plan between upside and downside risks will help internal audit activities be seen as strategically important to the organization. As a key part of the organization’s pit crew, internal audit can help management know when to drive cautiously and when to make a bold move and go for the lead. Internal audit can contribute to effective management of both the downside and upside of risk, asking both “What can go wrong?” and “What must go right?”