Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

The Value of Taking, Not Avoiding, Risks​​

Comments Views

For the last few Fridays, I have been writing about a set of competencies that are critical for any internal auditor's success. However, this set of competencies comes from what might be considered an unlikely source — a blog post titled "7 Competencies That All Freelancers Need" from The Center for Creative Leadership.

Thus far, the competencies have included flexibility​, learning agility, relationship management, and r​esilience. Some may have been surprising; some rather obvious. But the next competency — risk-taking — may not go down as well with many internal auditors.

Tell internal auditors they need relationship management skills and you will most likely be greeted with "Thank you, Captain Obvious." However, tell them they need to be risk-takers and the sound of screeching brakes will almost drown out the reply, "Whoa, take 'er easy there, Pilgrim."

Risk is not something internal auditors do good. I don't mean understanding risk, identifying risk, or keeping risk under a metaphorical thumb. The work involved in those areas is part of our daily bread and butter and most of us have a decent handle on how it should all get done. No, what internal auditors do not do well is actually take risks.

Our risk aversion is so extreme it causes us to over-document every word that is said, re-re-re-rewrite every audit report we issue, and review the review of the review of the reviewer who reviewed the review of the workpapers. An internal auditor taking a risk is one who finds a report with a typo on page 24, recognizes it as a typo, and issues the report anyway.

I've written in the past about why I think internal auditors are so risk averse, so there is no need to go over all that again. (If you are interested, here's the most recent example.) ​Instead, let's talk about positive risk-taking in an internal audit environment.

Being a risk-taker is not about taking risks related to the work itself; it is not about taking the risk that errors will occur in our work. Instead, an internal auditor who explores and implements new ideas and approaches is one that is being a valuable risk-taker.

What do I mean by "valuable risk-taker"?

Maybe valuable risk-taking is doing more than just another petty cash audit, or another payables audit, or another finance audit, or another compliance audit, or another one of the audits that you have been doing since Neanderthal auditors roamed the earth. Maybe valuable risk-taking is stepping outside your comfort zone and completing a review of an area where the risks are high and the opportunities are astronomical, even though you may have to spend a large amount of time learning about this unfamiliar area. (One example: Marketing).

Maybe valuable risk-taking is exploring the way other departments do their work, looking for unexpected connections, and discovering solutions to problems that you never thought of before or never even realized were problems in the first place. (Here's a place to start. How is issuing a report like just-in-time manufacturing processes? I don't know either. But that is the exploration you get to make.)

Maybe valuable risk-taking is recognizing that the work being done by internal audit does not really belong in internal audit and proposing a whole new structure for the department, even though it isn't your responsibility. (Personal note: Been there, done that, almost cost me my job. Meet me at the bar later tonight and I'll regale you with a whale of a tale.)

Maybe valuable risk-taking is something you and I and everyone else cannot even imagine. (Hint: That is probably the right one.)

Or maybe valuable risk-taking is simply, as Tom Peters says, "At some point today (today!), despite 'overload'… just say 'What the hell' and go for it in some way or other." (Note that Peters then follows this with "Likewise, worry if it's been more than a week or so since you said to yourself 'what the hell'")

Risk-taking is about embracing risk rather than running the other way. It is about internal auditors recognizing that doing the same things, no matter how safe, warm, and comfortable, means, for all intents and purposes, doing nothing. It is about finding ways to scare ourselves with the audacity and creativity of new approaches in how and why we do the work we do.

It is about taking the risk that something better is out there, saying "What the hell," and going for it.​​

Internal Auditor is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this blog post

comments powered by Disqus
  • Your-Voices-Recruitment-January-2022-Blog-1
    • IT-General-Controls-Certificate-January-2022-Blog-3