Only a few decades ago, the onset of problematic risk events often was slow, and organizations handled the corresponding aftermath over a manageable time frame. Organizations armed with extensive public relations resources responded to most post-event crises after planning and analyzing thoughtful responses. Additionally, organizations carefully calculated their transparency with stakeholders regarding the event to manage its impact on the organization.
Fast forward to today, and the pace of information is almost instantaneous. For example, when a popular U.S. fast food restaurant chain experienced an outbreak of E. coli-infected lettuce, its stock price decreased 44 percent within 90 days amid intensive social media and news exposure. Recent privacy concerns directed at various social media companies caused stock valuations to drop within minutes and led to immediate calls for government investigations. Disclosure of inappropriate sales arrangements by a large U.S. financial institution caused a significant upheaval, including important personnel changes.
In today's environment, the timing between a catastrophic risk-driven crisis and the financial and reputational decline for an organization can be practically simultaneous. This new reality has forced senior executives and internal auditors to consider a new aspect of risk management — the velocity of risk.
The velocity of risk is the speed or ferocity with which events occur in today's business environment. Auditing within this "new normal" means changing, adapting, and understanding the imperative to respond to the speed of change with a strong sense of urgency. Supplemented by awareness of the velocity of risk, internal auditors can identify and address areas where organizations must take preemptive actions to reduce the possibility of a crisis caused by a catastrophic risk event.
Velocity and ERM
International Standards for the Professional Practice of Internal Auditing frames the execution, conduct, principles, and practices that also serve as "guardrails" for the profession. The standards relevant to the velocity of risk logically connect with internal audit competencies such as demonstrating competence and due professional care; aligning with the organization's strategies, objectives, and risks; providing risk-based assurance; being insightful, proactive, and future-focused; and promoting organizational improvement.
Internal auditors contribute in myriad ways to enterprise risk management (ERM) goals by:
- Helping management manage risk.
- Assessing and auditing risk assessment methods and approaches.
- Creating a responsive, nimble, and agile audit plan.
- Evaluating whether ERM programs are using the right metrics.
- Assessing whether management is prioritizing risk appropriately.
- Supporting and educating the board and senior management on recent advances in risk management thinking.
Often, internal audit will review how the organization is addressing the chief risk officer's enterprisewide risk assessment, providing assurance about the prioritization and adequacy of response strategies. These assessments will include internal audit's perspective of all the organization's operations directed toward risk considerations. That perspective should include risk areas that potentially are detrimental to the organization, as anticipated by assessments of probability, size, and speed of impact. Internal audit should target the corresponding areas within the scope of its work program.
In performing these duties, internal auditors should ensure the organization's ERM program matrix highlights how velocity of risk can impact the organization. Auditors should recommend making it one of the risk program's key metrics.
Auditing the velocity of risk can ensure risks are more appropriately prioritized and management is able to more effectively prevent, manage, and respond to risks. Internal auditors can help management and the board measure and address catastrophic risk by understanding the specific risks that could impact the business, measuring risk in an organized and systematic way, and documenting and communicating those quantitatively and qualitatively assessed risk perspectives.
Planning and Execution
Internal auditors must consider the velocity of risk when prioritizing and creating their annual audit plans. The audit plan should include a risk velocity measure that reflects the magnitude and speed of reaction internally and externally should a catastrophic risk event occur. The department should adjust its perspective on risk management by recognizing and addressing velocity's influence on likely events and impacts. Internal auditors must be aware of risk's current and ongoing impacts on the business in designing and executing audits, compiling results, documenting historical trends, and communicating how management, business processes, and embedded technology are addressing risk. Moreover, auditors should assist and influence management teams to better calibrate, anticipate needs, and frame the impact of velocity on risk-event preventive actions.
In performing their work, internal auditors must become familiar with the phrase "auditing at the speed of risk." Post-catastrophic risk event reactions tend to be much costlier and more detrimental to an organization. Auditors should anticipate risk-related events by using continuous monitoring tools and auditing through the systems via queries, specialized exception reporting, and similar techniques. These methods, combined with including "velocity of risk" as a parameter in risk-matrix discussions, can highlight at-risk business processes and transactions, increase coverage, and add speed. For example, internal auditors can equip themselves with tools and techniques such as trended historical transaction reviews within supply chain operations.
These methods — supplemented by vendor-by-vendor analytics, internal control reviews, and interviewing techniques — can lead to earlier detection of fraudulent transactions, timing discrepancies, wasteful or nonoptimal spending, and product defects. Integrating velocity of risk into internal audit's environment, along with a sense of urgency, can add to overall effectiveness, improve organizational agility and resilience, and contribute value to management.
The Third Dimension of Risk
The velocity of risk is pushing the internal audit profession to grow and support its own and management's awareness of risk's speed of impact by accelerating and enhancing risk-based auditing. Connectedness to business risks and strategies now is even more imperative for internal audit to maintain its relevance. To keep pace, businesses need to embrace a three-dimensional risk management approach: probability, impact size, and, most importantly, velocity (that sense of timing, speed, and mean-time-to-event mentality).
By adding the dimension of velocity, internal audit can facilitate deep-dive assessments of certain risk areas that could become catastrophic risk events. Identifying these areas can inspire a more robust dialogue with management and the board about how to remedy potential issues. Moreover, addressing the velocity of risk can enable internal audit to help management and the board anticipate and prevent these crisis events from occurring.