The IIA Standards require that internal audit functions assess the adequacy of risk management programs (see here for a related post). But how do you do that?
In an earlier post, I provided some suggestions and recommended (and provided a link to) a risk assessment framework from the U.K. Treasury department. Some of my risk management expert friends have since looked at the tool and agree it is one of the best out there.
The ISO 31000:2009 global standard for risk management advises that each organization should have a risk management program that meets its specific needs. That is good advice, because I don't think a manufacturing company that markets its products solely to the U.S. auto industry should have the same risk management program as a diversified global financial services company. Risk management at a non-profit or a government agency should be different, in terms of staffing, processes, and organization, from either the manufacturing or financial services company.
Is it sufficient to measure a risk management program against the standard or framework the organization has adopted (whether ISO, COSO, BIS, or other)? I don't think so.
I believe the auditor should first seek to understand how risk management at his organization can add value to its operations.
Questions might include:
- What are the risks that could cause the organization to fail — not just the ones that are "important," but the ones that are crucial? Is it realistic that they might occur?
- How critical is it to manage risks inherent in day-to-day transactions? Does the organization take on risks of massive size, and if so how often?
- How critical is it to consider risk in day-to-day decisions? How often does management make poor decisions because they were not thinking about what could go wrong, or what could go right?
- How often do potential events of significance arise? How much time does management have to respond? The shorter the time, the better prepared they should be!
- How often do management and the board have to assess risks? If they tend to change rarely and slowly, then monthly or quarterly assessments may be adequate. But, if management has to be ready to respond to instant changes in the economy, in the competitive environment, in costs or selling prices, in the supply chain and logistics, etc., then risk assessment should be very frequent — perhaps continuous. I like to say "manage risk at the speed of the business."
- How many risks should be managed? How many risks, if not managed properly, could cause damage of significance?
- Does management have a good track record of taking [corrective] actions to manage risks?
Once the auditor understands how risk management should add value, then the audit can start to assess whether it is effective in delivering that value.
Complying with somebody's white paper on risk management may be fine — on paper. The real test is whether it meets the needs of the organization.
I welcome your views, including how you would change the list of questions above.