March 01, 2014
Deloitte and the Risk-intelligent Chief Audit Executive
The latest addition to the excellent Risk Intelligent series from Deloitte talks about how the head of the internal audit function (chief audit executive or CAE) can be a driver of risk excellence within an organization.
Deloitte reinforces the notion, embraced by many CAEs, that they have a key role not only in driving risk management practices within the organization, but also in providing assurance on their effectiveness. (Deloitte confuses the issue by talking about management providing assurance — which they don't and can't, because you can't provide assurance on what you are responsible for — and internal audit providing "reassurance." I suggest ignoring the change and substituting "assurance" every time they say "reassurance.")
The authors also correctly point out that internal audit can only facilitate management decisions, not make them itself. Management owns the determination not only of risk levels but also of desired levels of risk.
Here are some quotes:
"In today's environment, as a CAE, you have a unique opportunity to help make significant improvements in enterprise risk management effectiveness and efficiency. Your mission — should you choose to accept it — is to fight complacency and denial by enabling the organization to acknowledge, understand, and address relevant risks and thereby seek to reduce costs."
"We believe that companies that focus solely on risk avoidance may survive but rarely thrive; only those that intelligently manage risk-taking as a means to value preservation and value creation will excel in today's perilous yet opportunity-rich business environment."
"While remaining aware that management and the board 'own' risk, internal audit can provide guidance and [re]assurance that risk is being properly and efficiently managed within the company's defined appetites for various risks."
My favorite is the role of the CAE in fighting complacency and denial. It is easy to say "we have completed our quarterly review of the top risks" and believe that you have effectively managed risks. That is like the ostrich sticking his head in the sand while the battle rages around him and saying "I looked up an hour ago."
I welcome your comments.