The guidance I provide most often to internal auditors is to "follow the risk." It's easy for internal auditors to go through our own process of assessing risk in an organization and auditing against those risks. But if we are focused on the wrong risks — that is, risks that are different from the ones senior management and the board are worried about — then I think we ought to ask ourselves why.
I'm not saying that you should take management's assessment of the right risks as gospel. I'm saying that if you've compiled a list of things that are keeping your stakeholders awake at night, and that's not what they say is keeping them awake at night, then you need to be able to speak to why. This is along the same lines of my recent post on alignment, Are You Auditing Up the Wrong Tree?
So what risks are on management's radar? Accenture recently surveyed C-level executives from 446 global companies in the banking & capital markets, insurance, energy & utilities, health, and public service industries. Detailed results of the annual survey aren't due out until later this month, but Accenture has been posting infographics on its website to whet our appetite.
Legal risks made the list for 62 percent of executives, followed by business risks (52 percent) and regulatory requirements (49 percent). Strategic risks, operational risks, credit risks, and market risks all ranked in the mid-40 percent range. Virtually all (97 percent) said risk management is a higher priority for them than it was two years ago, and more than 80 percent said risk managers discuss risk regularly with the board.
The risks that an organization faces are constantly ebbing, they're constantly flowing, and they're constantly evolving. You have to continuously recalibrate and realign as an internal auditor, because organizations' portfolios of risks are moving targets.
So what is keeping executives up at night? More than 90 percent of those in the Accenture poll said risk management was critical in areas such as compliance and reputation management.
An opportunity for those of us in the internal audit profession is presented by the fact that less than 30 percent of those executives claimed to be using their risk management capabilities effectively in those areas.
One reason for this may be that only 8 percent of the survey population considered themselves to be trained in risk management and mitigation. These are so-called "risk masters" who, though only a small percentage of the survey sample, tended to be more focused on strategic and emerging risks.
Accenture's survey suggests that executives are going to be looking for guidance when it comes to risk management assurance. I think that's a real opportunity for internal auditors skilled in risk management — such as, say, the more than 13,000 of you who have obtained your Certification in Risk Management Assurance (CRMA).
How do things look within your organization? Are you focused on the right risks? How do you calibrate that? Tell us what works for you.