As organizations look to stay the course amid unprecedented challenges, risk workshops can be the centerpiece of internal audit planning. An executive team looking to internal audit for reassurance will find an executive risk workshop exposes disproportionate risks and losses and significantly aids understanding of complex company business. Most importantly, risk workshops provide an assessment of business controls to ensure that a company is meeting its objectives with the right balance of opportunity and risk.
Workshops can pay off in multiple ways, sharpening company insights into organizational strategy, objective-setting, risk analysis, and prioritization, as well as pointing to appropriate follow-up through internal audits. Moreover, the exercise should help the executive management team develop a stronger risk management vision and strengthen relationships among team members and with the rest of the organization.
Workshops also help ensure key stakeholders establish a common understanding of organizational risks, resulting in a more focused and coordinated approach to risk management. Internal audit plays a key role in achieving these outcomes by planning and conducting the workshop, assessing the results, and communicating them to senior leadership.
Begin With Preworkshop Interviews
A good risk workshop facilitator conducts separate pre-interviews with each executive — approximately 90 minutes each — to learn what quantitative and qualitative risks they think may be obstructing the organization’s goals. During the interviews, internal auditors should try to view risks from the perspective of the executives to ensure buy-in and enable the group to effectively rank and prioritize risks. It’s important for all the executives to feel they have been “heard,” especially before they understand the other participants’ goals and risks. Moreover, internal auditors should keep in mind that, rather than dictating the risks, their role involves gathering risks from the executives and later working to establish consensus around those that threaten organizational objectives.
Once the interviews are complete, practitioners should prepare a list of the highest priority risks identified by the executives. Because workshop time is finite and passes quickly, internal audit can provide the most value by focusing executive attention on the risks from this list.
Appropriately grouped risks further optimize the time needed for executives to discuss them. And while they vary by company, categories often include:
Financial-results risks — for example, shrinking margins through insufficient return on investment, stemming from pandemic-related losses; or bloated materials costs due to overengineering on a complex product line.
Customer-related risks — such as an inadequate customer base or imbalance between development programs dedicated to partners and other customers, resulting in failure to achieve planned sales/turnover.
Process risks — for example, impractical and inefficient project management that prevents the organization’s processes from efficiently supporting its goals.
Competency-related risks — such as lacking interdisciplinary talent with project management skills.
After finalizing the categories, internal audit should send the executive team its summary of risks for validation, incorporate the executives’ input, and bring the aggregated list to the workshop. For example, if sales, operations, and finance executives all identify a receivables weakness, internal auditors should aggregate them into a single risk around receivables instead of listing them separately. Auditors should not send the aggregated list to executives for review in advance — instead, they will have an opportunity to review and comment on it during the workshop itself.
Plan and Set Goals
The internal auditor acts as a consultant in risk workshops, providing structure and process, sustaining group energy, and managing time. Workshop goals should include reaching a common understanding of the organization’s risks and the effectiveness of existing controls, and obtaining a group evaluation of the risks’ significance. Internal audit should seek to produce two deliverables from the discussion: a residual risk map and a risk management action plan. “Conducting the Workshop,” at right, further illustrates the workshop process.
Internal audit is both workshop coordinator and facilitator, scheduling the workshop itself, deciding who will lead the discussion, and determining who is tasked with writing the results of group consensus. Auditors can best prepare by making sure they will have a full, unencumbered day for the exercise and taking time to understand the organization’s goals.
The auditors should build on prior research and analysis, as applicable, including information from existing audit findings, enterprise risk management resources, and discussions with middle management. However, the primary emphasis of the risk workshop is to connect and communicate with the highest level of management so they develop their own list of highest priorities and risks.
Set Ground Rules, Establish Terminology
Because positional power can impact workshop results significantly, internal auditors should establish some ground rules at the outset of the workshop. Most importantly, the CEO must understand that he or she is part of the process, not running the show. Workshop results only support company success when the CEO believes in them. In this context, CEOs draw the most benefit from being team players, not just team captains, using the workshop to educate themselves on their team’s individual concerns and objectives without talking over or otherwise hijacking the proceedings.
Internal auditors also can help ensure productive dialogue by clarifying terms up front. To enhance discussions around risk, auditors should spend time making sure the executives understand these concepts:
Risk and control — whether residual risk (the “leftover” risk after controls have been implemented) is within the company’s “risk appetite” (the amount of risk the company sees as acceptable).
Significance — the potential magnitude of the damage if the risk actually occurs.
Likelihood — the chance that a given risk will take place during the planning horizon.
Criticality — the product of the significance of an event and the likelihood of occurrence. For example, a tsunami or earthquake may represent a catastrophic event that is very unlikely and therefore may not merit additional controls (executives accept the risk). Similarly, theft of petty cash may in isolated instances be considered immaterial, but collectively may drain organizational resources and therefore require additional controls.
Auditors should also explain how effective controls can reduce risk likelihood and significance. For example, they could point to social isolation and careful hand-washing as controls that reduce the likelihood of contracting a virus, and an effective vaccine as a control that reduces the significance of viral infection.
As a business example, auditors could explain that limiting the spending authority for any single transaction helps reduce the significance of fraud, requiring authorization for spending beyond the established threshold. And while this measure does not reduce the likelihood of fraud, it does limit the significance of risk for any single transaction. Conversely, auditors could cite the separation of electronic wire transfer preparation from the transfer authorization as a control that reduces the likelihood of fraud but not the significance of overriding internal controls through collusion.
Facilitate, Capture, Communicate
The risk workshop should have morning and afternoon components, with the morning focused on discussing people’s individual risk concerns. Following these steps, with the facilitator’s help, should lead to the morning’s end goal of an aggregated list of risks, followed by afternoon voting on these risks, a report on the results, and a post-workshop map depicting residual risks.
Assessing
Internal auditors should use the first half of the workshop session to facilitate a thorough discussion about the risks executives defined during pre-interviews. Practitioners should help executives agree to the wording of the aggregated risks and ask them to verify that those risks are real.
Once risk verification is complete, internal audit should review items on the final list one by one, asking each executive, “How critical is this risk?” Many times executives will underestimate risks because they overestimate controls. In an effective risk workshop, internal audit instructs executives to focus on risk criticality, not residual risks.
Voting
Auditors should facilitate the voting process by leveraging dedicated software that participants can use on their smartphones. Feedback can be captured automatically, enabling more accurate reporting and robust analysis of results.
When assessing risks, executives should express their opinions to the group about the criticality of each risk before voting with the software. Typically votes are cast on a 1 to 10 scale, with 1 being minor and 10 being critical. After discussion, the average of the executives’ votes will show what the group as a whole believes about critical company risks. The results often surprise executives, as their individual ideas of being “in control” frequently differ from the group’s collective view.
Next, each executive should discuss the controls that mitigate risks to companywide objectives. Many times, a fuller understanding of the risks will allow the executive team to acknowledge it does not have a plan to control them. After each executive has spoken, the group members should vote on how effective they expect each control to be, validating their assessment of residual risks. This process also highlights where the company might be allocating too many resources, and where noncritical risks are overcontrolled.
Reporting
Internal auditors should finish the workshop session with an agreed-upon, numerically ranked list of risks identified by the executive team. The workshop report should include the five to 10 most critical residual risks or risk areas that are undercontrolled as well as less critical risks — whether of a direct or indirect financial nature. Auditors should clearly define follow-up action plans, including future operational audits, as indicated by the findings.
After the workshop concludes, internal audit should create a risk map that graphs results and offers a clear overview of what the executives see as areas of risk and overcontrol. Internal auditors can then review the map to define and verify executives’ expectations and assure controls are adequate for critical risks that could prevent the organization from accomplishing its objectives.
In the “Residual Risk Map” example at right, areas of control (in blue) need to be verified: Are they controlled the way the executives believe? Labor relations, contract terms, and performance incentives appear to be areas of executive concern, whereas IT integrity and availability and environmental concerns may be overcontrolled.
During its subsequent audits, internal audit can leverage the map to confirm that operations follow the organization’s risk appetite. Because the map captures executives’ perceptions of risk, it does not necessarily reflect the reality of the organization. Auditors can use the map to educate operations management about executives’ risk appetite, as well as to inform executives when their knowledge of on-the-ground facts appears inaccurate.
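The voting and mapping steps above (criticality votes averaged on a 1 to 10 scale, a second vote on control effectiveness, then a map separating undercontrolled critical risks from overcontrolled noncritical ones) can be aggregated mechanically. The following is an added example, not the article’s own tooling; the risk names, votes, thresholds and the residual-risk formula are constructed assumptions.

```python
"""Aggregate executive workshop votes into a residual risk map (added example).

Assumes each executive casts one 1-10 vote on criticality and one 1-10 vote on
how effective the existing controls are. The thresholds and the residual-risk
formula are illustrative choices, not a standard from the article.
"""
from statistics import mean
from typing import Dict, List, Tuple

# Constructed sample votes: risk -> (criticality votes, control-effectiveness votes)
VOTES: Dict[str, Tuple[List[int], List[int]]] = {
    "Labor relations": ([8, 9, 7, 8, 9], [3, 2, 4, 3, 2]),
    "Contract terms": ([7, 8, 8, 6, 7], [4, 3, 4, 5, 3]),
    "Performance incentives": ([6, 8, 7, 7, 9], [4, 4, 3, 5, 4]),
    "IT integrity and availability": ([3, 2, 4, 3, 2], [9, 8, 9, 9, 8]),
    "Environmental": ([2, 3, 2, 2, 3], [8, 9, 8, 7, 8]),
    "Receivables": ([5, 6, 5, 6, 5], [6, 5, 6, 6, 5]),
}

CRITICAL = 6.0    # assumed threshold: average criticality at or above this is "critical"
EFFECTIVE = 6.0   # assumed threshold: average control effectiveness at or above this is "controlled"


def residual_risk(criticality: float, effectiveness: float) -> float:
    """Residual risk on the 1-10 scale: criticality scaled by the share controls leave over.

    Effectiveness 1 leaves all of the risk; effectiveness 10 removes it entirely.
    """
    return round(criticality * (1 - (effectiveness - 1) / 9), 2)


def classify(criticality: float, effectiveness: float) -> str:
    """Map quadrant, using the page's vocabulary of under- and overcontrol."""
    if criticality >= CRITICAL and effectiveness < EFFECTIVE:
        return "undercontrolled"          # critical and weakly controlled: action plan needed
    if criticality < CRITICAL and effectiveness >= EFFECTIVE:
        return "overcontrolled"           # candidate for removing costly controls
    if criticality >= CRITICAL:
        return "controlled critical"      # executives believe it is handled: verify in audits
    return "accepted"                     # noncritical and lightly controlled


def build_risk_map(votes: Dict[str, Tuple[List[int], List[int]]]) -> List[dict]:
    """Average each executive vote, derive residual risk and quadrant, rank by residual risk."""
    rows = []
    for name, (crit_votes, ctrl_votes) in votes.items():
        crit, ctrl = mean(crit_votes), mean(ctrl_votes)
        rows.append({"risk": name, "criticality": round(crit, 1), "control": round(ctrl, 1),
                     "residual": residual_risk(crit, ctrl), "quadrant": classify(crit, ctrl)})
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


def by_quadrant(votes: Dict[str, Tuple[List[int], List[int]]], quadrant: str) -> List[str]:
    """Risk names falling in one quadrant, highest residual risk first."""
    return [r["risk"] for r in build_risk_map(votes) if r["quadrant"] == quadrant]
```

The ranked output is the numerically ranked list the reporting step calls for, and the "undercontrolled" and "overcontrolled" lists are the two map regions the follow-up audits verify.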
Perform Ongoing Work
As internal audit coordinates the agreed-upon action plan to help control discovered risks, practitioners should identify an “action holder” responsible for the remediation and expected completion dates. The auditors should plan to review these issues and remediations during audit engagements. Moreover, they should include reviews of weaker control areas in the audit plan to assure mitigation agreed upon during the workshop was performed and worked as planned.
Removing redundant and ineffective controls that do not support the success of company objectives may provide some cost-savings, particularly if internal audit partners with affected management to remove costly controls to overcontrolled processes. However, auditors should ensure key controls are not removed simply because executives do not understand the details of company operations.
A Productive, Meaningful Exercise
Preparation and follow-through ensure internal audit impresses the executive team. Some executives may want to repeat the workshop process in their departments, but auditors should first determine whether the company will derive enough benefit to be worth the effort and cost of repeating it at the department level.
When done well, risk workshops are a win-win for all involved. They provide essential insight into organizational workings — and give internal audit an opportunity to shine in front of executive management.
Keys to Success
Running a successful executive risk workshop takes planning: scheduling interviews with executives, scheduling and conducting the workshop, coordinating the voting process, reporting results, and following up. To be effective, internal audit needs to:
- Obtain buy-in from a high-level champion — ideally the CEO — to justify the workshop time expenditure. Typically, risk workshops take about six hours to complete.
- Assign workshop planning, scheduling, and execution to a member of the audit team.
- Develop a balanced scorecard or list of objectives and key results that link the organization’s long-term vision, mission, and strategy with specific actions.
- Establish a series of specific, quantifiable metrics to gauge organizational performance in financial, customer, process, and competency areas.
- Report and audit the information yielded from the workshop.
- Tie into the company’s operational metrics and balanced scorecard, ensuring it has a better chance of meeting objectives by asking for evidence that individual actions support long-term, mid-term (three-year), and short-term (one-year) business goals.
The results from this effort can be used to inform and validate the audit plan, folding in compliance and middle-management stakeholder concerns to address during auditing — if not during the risk workshop — and assure all organizational risks are considered. The process offers internal audit invaluable insight into the organization’s risk appetite. It also allows the audit department to be seen as a partner to management, resulting in cross-pollination that adds value and expands the executives’ perception of what internal audit can deliver.