In my last blog post ("Internal Audit's Risks") I was trying to make two points. The first was a very broad point that I like to make any chance I can. To wit, internal auditors do a wonderful job of telling people how to analyze their processes and establish excellent controls and gain an understanding of risks and, in general, make their processes, departments, and lives better. Yet, the auditors never seem to think about using those same techniques on their own processes, departments, and lives. (Think motes and beams and casting such from various individuals' eyes.)
But, in making that point, I was also trying to apply an additional pressure on internal audit professionals — the need to better understand the phrases and words they rather indiscriminately use when it comes to risk.
Before I go any further, it is important to note that, while I have what I believe to be a good understanding of the concepts around risk and risk management — at least good enough to get me through most of the twists and turns internal auditors experience — I am far from an expert. So, going forward, I may step beyond that expertise and misstate some of the related concepts. If that is the case, I expect my betters (and there is a whole mob of them out there) to step forward and correct me.
So back to the words we use when talking about risk. I know I've told you this one before, but it bears repeating. One of my favorite things to do in presentations is lay out the premise that an organization has the rather simple objective, "To act ethically." I then ask the participants if one of the risks related to this objective is to not act in an ethical manner. Generally, half the room will agree that this is a risk.
To save you the time necessary to check it out and the embarrassment of being wrong, let me tell you that the answer is no. It is not a risk. Putting it a little too simplistically, a risk is the result of an event that impacts the objectives; it is not the opposite of the objective.
I bring the story up now (and I bring it up in those presentations) to point out that, even with a word as simple as risk, we bandy it about without really knowing what it is we are saying.
And so it is, I would argue, with concepts such as risk appetite and risk tolerance. Auditors do not understand what they mean. And my opinion seems to be backed up by fellow blogger and risk expert, Norman Marks, based on his comments on Twitter. This included an additional comment to the effect that management and even risk officers do not seem to understand them, either. (Norman, if I misunderstood or misstate what you had to say — in the preceding and in what follows — feel free to let me know. [Like you would need such permission, anyway.] And that goes for anyone else whose points I may have missed.)
But what really caught my attention were some of the other responses. In particular, one person commented "Does it even matter? Internal auditors evaluate if risk defined by management is being managed as planned. And risk appetite is a vague incalculable idea that is good to know but doesn't go beyond that."
I am bothered on several levels by that one.
First, I agree that part of internal audit's responsibilities include evaluating if the risk defined by management is being managed as planned. But that is only part of the story. What if the plan itself, even when followed exactly, is inadequate to actually protect the organization from that risk? It is analogous to the way internal auditors should be evaluating controls. We do more than make sure the control is working as designed; we ensure that the control, as designed, is appropriate. Similarly, we do more than make sure the risk defined by management is being managed as planned; we ensure that management's plan is appropriate and that the appropriate risks have been identified.
How do we do that? One important part of the process is understanding and being able to apply the concepts of risk appetite and risk tolerance.
Second, I would argue that risk appetite is not a vague incalculable idea. It is not always easy to calculate, and it can be even harder to articulate. But that does not mean it should be relegated to "good to know but doesn't go beyond that." Risk appetite, whether articulated or not, is a primary driver of how a company acts and reacts. And management must understand it; risk officers must understand it; and the board, executives, and a whole plethora of the organization's employees must understand it.
And internal auditors must understand it if they are to properly evaluate how well the organization has responded to risks. Again, our work might begin with ensuring the response to risk decreed by management is being accomplished, but we have to do more — we have to make sure the response is appropriate and adequate.
In an additional comment, Norman Marks got to the heart of it. "Does it matter? That's the real question! Are they taking the right risks? Are there times where they are not taking enough risk?"
And that, as I understand it, is the role of such concepts as risk appetite, risk tolerance, and even the word "risk."
If internal auditors want to provide true value — if they want to be seen as a trusted advisor and partner to the business with a seat at the table (and you can continue to add your own internal audit clichés here, because, in spite of them becoming overused, they all still have merit) — then they must understand the concepts that drive good risk management, make sure management and executives understand them, make sure they are being applied, and, perhaps No. 1, make sure executives are using those concepts to ensure the organization continues to deliver on its promises.
And one other thing to those who may not feel these are important enough concepts to merit an investment of your time. How can we, in good conscience, reject them without understanding them? (Someday, remind me to tell you the story of how I rejected the concept of Emotional Intelligence (EQ) until I was asked to write an article on the subject for Internal Auditor magazine and finally understood what it was all about ... and just how wrong I had been.)
And, oh yeah, while we're at it, it wouldn't be a bad idea if internal audit were to apply a couple of these concepts to their own operations.