Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

What Is Holding the Company Back?

Okay, the risk purists are going to be annoyed with me — again.

We like to focus on potential events or situations that could affect the achievement of objectives.

That's fine.

But the purists argue that if the event or situation is certain, then it's not something covered by risk management. It's no longer a possibility; it's a sure thing.


My thinking is that while it may be certain that the event or situation will happen, the effect may be uncertain [1]. Maybe there's something we can and should do about it to change the potential effect and/or its likelihood.

In an earlier post, "The Real Risks: The Ones Not in the Typical List of Top Risks," I included a number of situations (the purists could argue, correctly, that they are sources of risk rather than risks themselves).

Included in the list were:

  • Not having sufficient people.
  • Lack of teamwork.

Some of the comments I received said that these were very often conditions already in place, so they weren't really risks (or sources of risk).

I have to question whether that matters, even if correct (which I doubt)!

Both of these conditions create the possibility of harm to the organization.

There probably is harm now, but there is a possibility of harm continuing unless the conditions are changed.

Where I am going is this: Let's not get hung up over terminology! Words can get in our way.

Instead, let's focus on:

  • What might happen?
  • Is that okay?
  • What are we going to do about it?

Risk managers should include these conditions as sources of future risk as well as current harm.

Internal auditors should consider the value of auditing the controls to address these problems.

Management and the board should pay attention and fix the problems! Risk and audit practitioners can help by shining a light on the situation.

I still call auditing what matters "enterprise risk-based auditing." I don't care whether people want to call the topics covered by my audits risks, sources of risk, or gizmos.

What do you think?

[1] Technically, risk is the effect of uncertainty on objectives, so the fact that the event or situation is certain is not the deciding factor.
