This is the second in my series on topics that are generally significant to the business, but are too often not addressed in the internal audit plan.
#2 – The adequacy of risk management
It is plain as day that many companies ran into unanticipated problems during the current recession. I am not talking only of financial services companies. Many others suffered from the tightening of credit, a failure of companies in their supply chain, and a general failure of demand.
These organizations were not prepared. They had not identified the risks and developed plans on how to respond.
Standards require internal audit to assess the adequacy of risk management processes, but too few internal audit functions do it. Observations:
It’s not OK to say that “the company doesn’t have a risk management program, so I can’t audit it.” IA has an obligation to inform the audit committee and top management that these essential activities are missing, and the risk to the organization and the achievement of its strategies and goals is therefore high. IA can act as a change agent through its consulting services to get effective risk management adopted.
While internal audit usually facilitates or performs an annual risk assessment process, that is not risk management. Risk management needs to be owned by management.
For some, risk management is something done on Fridays. All the organization really does is perform a periodic risk assessment and identify how those risks are managed. That is not sufficient in most cases. Risk is something that needs to be part of the culture, with a consideration of risk included in the setting and management of strategy, reporting on performance, and daily decision-making.
While training in risk management is always desirable, I know from my own experience that risk management processes are just as auditable as other business processes. Get some training, read some books (see this for suggestions), follow my blogs (!), and you can be on your way.
The pressure on organizations to have effective risk management processes and oversight is increasing — for example, there are now required disclosures in SEC filings relating to risk oversight by the board.
It’s time to act.
I welcome your comments.