Why is it that internal auditors are always so happy to
explain how departments can improve operations, but so seldom apply those same
techniques to their own processes? I thoroughly enjoy doing just that, turning
the tables on internal audit departments. In fact, it is a part of the sessions
I lead on process improvement — applying process mapping and customer mapping
techniques to internal audit processes.
Well, it seems there is another opportunity for all you internal
audit shops out there.
In April, I’ll be facilitating The IIA’s
“Fundamentals of Risk-based Auditing” seminar in New York, and I’ve started going over
the materials. Within those materials is an exercise related to how
organizations develop risk appetite statements.
Now, I believe internal auditors struggle with
the concepts of risk appetite and tolerance. (Actually, I think most
organizations, while paying lip service to it, don’t really know how to
articulate it effectively. Come to think of it, I’m not sure many even pay lip service to it. But
I promised myself that, since this is a Friday post, I’d make this short, so I’ll
stop this sidetrack in its tracks.)
Anything internal auditors can do to enhance their
understanding of this subject is a good thing. So, here’s a fun little task for
you — an exercise that, through a set of relatively simple questions, allows
each of us not only to enhance our understanding of risk appetite, but actually
to experience real-world application of the concepts and techniques.
First, do you even understand what the risks are to the
internal audit department achieving its objectives? (I find very few
departments have actually thought in terms of risks to achieving internal audit’s
objectives. That’s assuming they have either articulated or can even state their
objectives.)
Second, does the department understand how it will take on
or avoid risks to achieve the desired objectives? (Again, few internal
audit departments think in terms of the way their department responds to risks
and what the actual controls within the department are.)
Next, is that acceptance of risk measurable? Does the
department know when it is taking on additional risk — let alone whether it can
handle it — and how much it is willing to accept?
Finally, can the department articulate its appetite for risk
to the point where everyone in the department understands and can state it? And
from that, do they understand how to react as situations change and the type
and impact of risks change?
If you have actually gone through this exercise, or decide
to do so now, I would be very interested in the results. Feel free to share
them.
But for everyone else, take the time. As with so many other
areas, how can we begin to expect people to accept what we have to say about a
subject when we haven’t even subjected ourselves to that scrutiny? The best way
to understand what we are preaching and then forcing down everyone’s throat is
to do some force-feeding on ourselves.