Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

Risk, Controls, and Culture


This is a post in two parts.

First, I want to discuss the relationship between risk and controls.

The traditional view, which is not incorrect, is that you have controls to manage risk — to ensure that risk (both the positive and negative effects of uncertainty on objectives) is maintained at desired levels. Nothing wrong with that, except that it is an incomplete explanation of the relationship.

When the chief financial officer provides a report on the financial condition and results, perhaps with a forecast for the next period, we might be concerned about the completeness and accuracy of that information. We rely on the system of internal control to provide us with reasonable assurance that the report is complete, accurate, and up-to-date.

When the chief risk officer provides a report on the current level of risks and their potential to affect the achievement of objectives, we should similarly be concerned about the completeness, accuracy, and currency of the report.

Just as with the financial report, we should have internal controls over the risks that might affect the completeness, accuracy, and currency of the risk report. While we assess controls over financial reporting (internal as well as external), we may fail to consider and assess the controls over risk reporting. To do that, we must first understand the risks to reliable risk reporting — in fact, to effective risk management in decisions across the extended enterprise.

I discuss the many sources of risk in World-Class Risk Management and suggest we should only assess risk management as effective when we have reasonable assurance that risks to it are at acceptable levels. That is what internal audit should set as the criterion for their assessment of risk management.

One source of risk is an ineffective culture. The culture of the organization will affect the taking of risk.

And so to part two.

When most people talk about risk and culture, they are thinking about curbing behavior that involves taking more risk than desired. But how about when the culture leads people to be so risk averse that they don't take enough risk?

At the beginning of the 2008 Great Recession, according to my good English friend Richard Anderson, the banks in the U.K. were so risk averse that they stopped taking risk and were not making enough money to survive long term.

Banks, insurance companies, hedge funds and so on exist to take risk. They have to assess the situation, the potential for loss and for gain, and take the desired amount of risk to drive returns.

In fact, every organization needs to take risk to survive. The only way to eliminate risk for a business is to close the business.

Another example is the risk of disruptive technology.

It used to be that a company couldn't afford to be on the "bleeding edge." Now they can't afford to be the second company to disrupt the market with new technology. They have to take more risk than they did a decade or so ago if they want to retain or grow market share. If they are too risk averse, they will not survive.

But there is more to culture.

Do you want a culture that emphasizes compliance with laws and regulations?

Arguably, that was United Airlines. If you were one of its employees, you had to follow the rules or else. The ability to use your judgment was limited.

Now we are starting to appreciate that a relentless focus on a single aspect of culture, such as compliance or keeping risk below "risk appetite," can increase risks in other areas such as reputation, customer satisfaction, market share, and stock price.

So, where am I going?

You have controls to provide reasonable assurance that risk is at desired levels. You have controls to provide reasonable assurance that risk management is effective. You also have controls to ensure that the behavior of management and staff is as desired, some combination of taking the desired level of risk, complying with applicable laws and regulations, and being focused on delivering optimal performance.

If you emphasize one aspect of culture at the expense of others, it might reduce risk in one area and increase it in others. It's all interwoven and not as simple a model as some might portray.

What do you think?

Comments, as always, are very welcome.
